Remove PodSecurityPolicy

PodSecurityPolicy has been removed in Kubernetes v1.25 [1]. To allow Magnum
to support Kubernetes v1.25 and above, PodSecurityPolicy Admission
Controller has has been removed.

[1] https://kubernetes.io/docs/concepts/security/pod-security-policy/

Change-Id: I0fb0c372b484275b0677114193289469ee788b84
This commit is contained in:
Jake Yip 2023-02-10 00:33:52 +11:00
parent b7092d312a
commit 1b1c2122f0
4 changed files with 14 additions and 113 deletions

View File

@ -14,62 +14,11 @@ if [ "$NETWORK_DRIVER" = "flannel" ]; then
set +x set +x
cat << EOF > ${FLANNEL_DEPLOY} cat << EOF > ${FLANNEL_DEPLOY}
--- ---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: psp.flannel.unprivileged
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
spec:
privileged: false
volumes:
- configMap
- secret
- emptyDir
- hostPath
allowedHostPaths:
- pathPrefix: "/etc/cni/net.d"
- pathPrefix: "/etc/kube-flannel"
- pathPrefix: "/run/flannel"
readOnlyRootFilesystem: false
# Users and groups
runAsUser:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
fsGroup:
rule: RunAsAny
# Privilege Escalation
allowPrivilegeEscalation: false
defaultAllowPrivilegeEscalation: false
# Capabilities
allowedCapabilities: ['NET_ADMIN']
defaultAddCapabilities: []
requiredDropCapabilities: []
# Host namespaces
hostPID: false
hostIPC: false
hostNetwork: true
hostPorts:
- min: 0
max: 65535
# SELinux
seLinux:
# SELinux is unsed in CaaSP
rule: 'RunAsAny'
---
kind: ClusterRole kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
metadata: metadata:
name: flannel name: flannel
rules: rules:
- apiGroups: ['extensions']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames: ['psp.flannel.unprivileged']
- apiGroups: - apiGroups:
- "" - ""
resources: resources:

View File

@ -78,67 +78,6 @@ EOF
} }
kubectl apply --validate=false -f ${ADMIN_RBAC} kubectl apply --validate=false -f ${ADMIN_RBAC}
POD_SECURITY_POLICIES=/srv/magnum/kubernetes/podsecuritypolicies.yaml
# Pod Security Policies
[ -f ${POD_SECURITY_POLICIES} ] || {
echo "Writing File: $POD_SECURITY_POLICIES"
mkdir -p $(dirname ${POD_SECURITY_POLICIES})
cat > ${POD_SECURITY_POLICIES} <<EOF
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: magnum.privileged
annotations:
kubernetes.io/description: 'privileged allows full unrestricted access to
pod features, as if the PodSecurityPolicy controller was not enabled.'
seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
labels:
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
spec:
privileged: true
allowPrivilegeEscalation: true
allowedCapabilities:
- '*'
volumes:
- '*'
hostNetwork: true
hostPorts:
- min: 0
max: 65535
hostIPC: true
hostPID: true
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
readOnlyRootFilesystem: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: magnum:podsecuritypolicy:privileged
labels:
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
rules:
- apiGroups:
- policy
resourceNames:
- magnum.privileged
resources:
- podsecuritypolicies
verbs:
- use
EOF
}
kubectl apply -f ${POD_SECURITY_POLICIES}
# Add the openstack trustee as a secret under kube-system # Add the openstack trustee as a secret under kube-system
kubectl -n kube-system create secret generic os-trustee \ kubectl -n kube-system create secret generic os-trustee \
--from-literal=os-authURL=${AUTH_URL} \ --from-literal=os-authURL=${AUTH_URL} \

View File

@ -226,7 +226,7 @@ parameters:
type: string type: string
description: > description: >
List of admission control plugins to activate List of admission control plugins to activate
default: "PodSecurityPolicy,NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,TaintNodesByCondition,Priority,DefaultTolerationSeconds,DefaultStorageClass,StorageObjectInUseProtection,PersistentVolumeClaimResize,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,RuntimeClass" default: "NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,TaintNodesByCondition,Priority,DefaultTolerationSeconds,DefaultStorageClass,StorageObjectInUseProtection,PersistentVolumeClaimResize,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,RuntimeClass"
kube_allow_priv: kube_allow_priv:
type: string type: string

View File

@ -0,0 +1,13 @@
---
deprecations:
- |
PodSecurityPolicy has been removed in Kubernetes v1.25 [1]. To allow Magnum
to support Kubernetes v1.25 and above, PodSecurityPolicy Admission
Controller has has been removed.
This means that there is a behaviour change in Cluster Templates created
after this change, where new Clusters with such Cluster Templates will not
have PodSecurityPolicy. Please be aware of the subsequent impact on Helm
Charts, etc.
[1] https://kubernetes.io/docs/concepts/security/pod-security-policy/