Remove PodSecurityPolicy
PodSecurityPolicy has been removed in Kubernetes v1.25 [1]. To allow Magnum to support Kubernetes v1.25 and above, the PodSecurityPolicy Admission Controller has been removed. [1] https://kubernetes.io/docs/concepts/security/pod-security-policy/ Change-Id: I0fb0c372b484275b0677114193289469ee788b84
This commit is contained in:
parent
b7092d312a
commit
1b1c2122f0
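--- a/PATH_NOT_ON_PAGE_1
+++ b/PATH_NOT_ON_PAGE_1
@@ -14,62 +14,11 @@ if [ "$NETWORK_DRIVER" = "flannel" ]; then
 set +x
 cat << EOF > ${FLANNEL_DEPLOY}
 ---
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-name: psp.flannel.unprivileged
-annotations:
-seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
-seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
-apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
-apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
-spec:
-privileged: false
-volumes:
-- configMap
-- secret
-- emptyDir
-- hostPath
-allowedHostPaths:
-- pathPrefix: "/etc/cni/net.d"
-- pathPrefix: "/etc/kube-flannel"
-- pathPrefix: "/run/flannel"
-readOnlyRootFilesystem: false
-# Users and groups
-runAsUser:
-rule: RunAsAny
-supplementalGroups:
-rule: RunAsAny
-fsGroup:
-rule: RunAsAny
-# Privilege Escalation
-allowPrivilegeEscalation: false
-defaultAllowPrivilegeEscalation: false
-# Capabilities
-allowedCapabilities: ['NET_ADMIN']
-defaultAddCapabilities: []
-requiredDropCapabilities: []
-# Host namespaces
-hostPID: false
-hostIPC: false
-hostNetwork: true
-hostPorts:
-- min: 0
-max: 65535
-# SELinux
-seLinux:
-# SELinux is unsed in CaaSP
-rule: 'RunAsAny'
----
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: flannel
 rules:
-- apiGroups: ['extensions']
-resources: ['podsecuritypolicies']
-verbs: ['use']
-resourceNames: ['psp.flannel.unprivileged']
 - apiGroups:
 - ""
 resources: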
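Review bot: The removed psp.flannel.unprivileged policy was the only thing in view that pinned the flannel pods to `privileged: false`, `NET_ADMIN` as the sole added capability, the three allowed hostPath prefixes and the docker/default seccomp and runtime/default AppArmor profiles; the new side adds nothing in their place, so those constraints now rest entirely on the DaemonSet's own securityContext, which is outside this hunk. Worth confirming that spec sets `seccompProfile`, `allowPrivilegeEscalation: false` and an explicit `capabilities` list equivalently, or that the namespace the DaemonSet runs in carries Pod Security Admission labels. A one-line comment above the remaining ClusterRole, `# PodSecurityPolicy and its 'use' rule removed: the API was dropped in Kubernetes v1.25`, would record why the policy is gone. The heredoc opened by `cat << EOF` at the top of the hunk continues past its end.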
@ -78,67 +78,6 @@ EOF
|
|||||||
}
|
}
|
||||||
kubectl apply --validate=false -f ${ADMIN_RBAC}
|
kubectl apply --validate=false -f ${ADMIN_RBAC}
|
||||||
|
|
||||||
POD_SECURITY_POLICIES=/srv/magnum/kubernetes/podsecuritypolicies.yaml
|
|
||||||
# Pod Security Policies
|
|
||||||
[ -f ${POD_SECURITY_POLICIES} ] || {
|
|
||||||
echo "Writing File: $POD_SECURITY_POLICIES"
|
|
||||||
mkdir -p $(dirname ${POD_SECURITY_POLICIES})
|
|
||||||
cat > ${POD_SECURITY_POLICIES} <<EOF
|
|
||||||
---
|
|
||||||
apiVersion: policy/v1beta1
|
|
||||||
kind: PodSecurityPolicy
|
|
||||||
metadata:
|
|
||||||
name: magnum.privileged
|
|
||||||
annotations:
|
|
||||||
kubernetes.io/description: 'privileged allows full unrestricted access to
|
|
||||||
pod features, as if the PodSecurityPolicy controller was not enabled.'
|
|
||||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
|
|
||||||
labels:
|
|
||||||
kubernetes.io/cluster-service: "true"
|
|
||||||
addonmanager.kubernetes.io/mode: Reconcile
|
|
||||||
spec:
|
|
||||||
privileged: true
|
|
||||||
allowPrivilegeEscalation: true
|
|
||||||
allowedCapabilities:
|
|
||||||
- '*'
|
|
||||||
volumes:
|
|
||||||
- '*'
|
|
||||||
hostNetwork: true
|
|
||||||
hostPorts:
|
|
||||||
- min: 0
|
|
||||||
max: 65535
|
|
||||||
hostIPC: true
|
|
||||||
hostPID: true
|
|
||||||
runAsUser:
|
|
||||||
rule: 'RunAsAny'
|
|
||||||
seLinux:
|
|
||||||
rule: 'RunAsAny'
|
|
||||||
supplementalGroups:
|
|
||||||
rule: 'RunAsAny'
|
|
||||||
fsGroup:
|
|
||||||
rule: 'RunAsAny'
|
|
||||||
readOnlyRootFilesystem: false
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: ClusterRole
|
|
||||||
metadata:
|
|
||||||
name: magnum:podsecuritypolicy:privileged
|
|
||||||
labels:
|
|
||||||
kubernetes.io/cluster-service: "true"
|
|
||||||
addonmanager.kubernetes.io/mode: Reconcile
|
|
||||||
rules:
|
|
||||||
- apiGroups:
|
|
||||||
- policy
|
|
||||||
resourceNames:
|
|
||||||
- magnum.privileged
|
|
||||||
resources:
|
|
||||||
- podsecuritypolicies
|
|
||||||
verbs:
|
|
||||||
- use
|
|
||||||
EOF
|
|
||||||
}
|
|
||||||
kubectl apply -f ${POD_SECURITY_POLICIES}
|
|
||||||
|
|
||||||
# Add the openstack trustee as a secret under kube-system
|
# Add the openstack trustee as a secret under kube-system
|
||||||
kubectl -n kube-system create secret generic os-trustee \
|
kubectl -n kube-system create secret generic os-trustee \
|
||||||
--from-literal=os-authURL=${AUTH_URL} \
|
--from-literal=os-authURL=${AUTH_URL} \
|
||||||
|
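Review bot: With the magnum.privileged PodSecurityPolicy and the `magnum:podsecuritypolicy:privileged` ClusterRole no longer written, any RoleBinding or ClusterRoleBinding elsewhere in the templates that still names that ClusterRole would reference a role that no longer exists; a search for `magnum:podsecuritypolicy:privileged` across the remaining fragments is worth doing before merge. The `{ … }` block closed at the top of the hunk begins outside it. The new side leaves no trace of the removal, so a one-line comment between the admin RBAC apply and the trustee secret, `# PodSecurityPolicy manifests removed: the API was dropped in Kubernetes v1.25, so no pod-security admission is configured here`, would tell the next reader why the file jumps straight from `${ADMIN_RBAC}` to `os-trustee`.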
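--- a/PATH_NOT_ON_PAGE_3
+++ b/PATH_NOT_ON_PAGE_3
@@ -226,7 +226,7 @@ parameters:
 type: string
 description: >
 List of admission control plugins to activate
-default: "PodSecurityPolicy,NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,TaintNodesByCondition,Priority,DefaultTolerationSeconds,DefaultStorageClass,StorageObjectInUseProtection,PersistentVolumeClaimResize,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,RuntimeClass"
+default: "NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,TaintNodesByCondition,Priority,DefaultTolerationSeconds,DefaultStorageClass,StorageObjectInUseProtection,PersistentVolumeClaimResize,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,RuntimeClass"
 
 kube_allow_priv:
 type: string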
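Review bot: The new default list contains no pod-security admission plugin at all; the in-tree successor `PodSecurity` is not added, so whether any pod-security enforcement remains on new clusters depends on how this string reaches the API server — if it is handed over as the complete plugin set rather than as additions to the built-in default set (where PodSecurity is enabled by default on recent releases), clusters built from this template would run with none. Either listing `PodSecurity` explicitly or stating the expectation in the parameter text would settle it; the `description` could read `List of admission control plugins to activate. PodSecurityPolicy is no longer supported (API removed in Kubernetes v1.25); use PodSecurity for pod-security enforcement.` The parameter whose `type` opens this hunk starts outside it.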
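--- /dev/null
+++ b/PATH_NOT_ON_PAGE_4
@@ -0,0 +1,13 @@
+---
+deprecations:
+- |
+PodSecurityPolicy has been removed in Kubernetes v1.25 [1]. To allow Magnum
+to support Kubernetes v1.25 and above, PodSecurityPolicy Admission
+Controller has has been removed.
+
+This means that there is a behaviour change in Cluster Templates created
+after this change, where new Clusters with such Cluster Templates will not
+have PodSecurityPolicy. Please be aware of the subsequent impact on Helm
+Charts, etc.
+
+[1] https://kubernetes.io/docs/concepts/security/pod-security-policy/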