Merge "Remove PodSecurityPolicy"
This commit is contained in:
Zuul
Gerrit Code Review
commit
392120ab13
|
|
@ -14,62 +14,11 @@ if [ "$NETWORK_DRIVER" = "flannel" ]; then
|
|||
set +x
|
||||
cat << EOF > ${FLANNEL_DEPLOY}
|
||||
---
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: psp.flannel.unprivileged
|
||||
annotations:
|
||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
|
||||
seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
|
||||
apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
|
||||
apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
|
||||
spec:
|
||||
privileged: false
|
||||
volumes:
|
||||
- configMap
|
||||
- secret
|
||||
- emptyDir
|
||||
- hostPath
|
||||
allowedHostPaths:
|
||||
- pathPrefix: "/etc/cni/net.d"
|
||||
- pathPrefix: "/etc/kube-flannel"
|
||||
- pathPrefix: "/run/flannel"
|
||||
readOnlyRootFilesystem: false
|
||||
# Users and groups
|
||||
runAsUser:
|
||||
rule: RunAsAny
|
||||
supplementalGroups:
|
||||
rule: RunAsAny
|
||||
fsGroup:
|
||||
rule: RunAsAny
|
||||
# Privilege Escalation
|
||||
allowPrivilegeEscalation: false
|
||||
defaultAllowPrivilegeEscalation: false
|
||||
# Capabilities
|
||||
allowedCapabilities: ['NET_ADMIN']
|
||||
defaultAddCapabilities: []
|
||||
requiredDropCapabilities: []
|
||||
# Host namespaces
|
||||
hostPID: false
|
||||
hostIPC: false
|
||||
hostNetwork: true
|
||||
hostPorts:
|
||||
- min: 0
|
||||
max: 65535
|
||||
# SELinux
|
||||
seLinux:
|
||||
# SELinux is unsed in CaaSP
|
||||
rule: 'RunAsAny'
|
||||
---
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: flannel
|
||||
rules:
|
||||
- apiGroups: ['extensions']
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
resourceNames: ['psp.flannel.unprivileged']
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
|
|
|
|||
|
|
@ -78,67 +78,6 @@ EOF
|
|||
}
|
||||
kubectl apply --validate=false -f ${ADMIN_RBAC}
|
||||
|
||||
POD_SECURITY_POLICIES=/srv/magnum/kubernetes/podsecuritypolicies.yaml
|
||||
# Pod Security Policies
|
||||
[ -f ${POD_SECURITY_POLICIES} ] || {
|
||||
echo "Writing File: $POD_SECURITY_POLICIES"
|
||||
mkdir -p $(dirname ${POD_SECURITY_POLICIES})
|
||||
cat > ${POD_SECURITY_POLICIES} <<EOF
|
||||
---
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: magnum.privileged
|
||||
annotations:
|
||||
kubernetes.io/description: 'privileged allows full unrestricted access to
|
||||
pod features, as if the PodSecurityPolicy controller was not enabled.'
|
||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
|
||||
labels:
|
||||
kubernetes.io/cluster-service: "true"
|
||||
addonmanager.kubernetes.io/mode: Reconcile
|
||||
spec:
|
||||
privileged: true
|
||||
allowPrivilegeEscalation: true
|
||||
allowedCapabilities:
|
||||
- '*'
|
||||
volumes:
|
||||
- '*'
|
||||
hostNetwork: true
|
||||
hostPorts:
|
||||
- min: 0
|
||||
max: 65535
|
||||
hostIPC: true
|
||||
hostPID: true
|
||||
runAsUser:
|
||||
rule: 'RunAsAny'
|
||||
seLinux:
|
||||
rule: 'RunAsAny'
|
||||
supplementalGroups:
|
||||
rule: 'RunAsAny'
|
||||
fsGroup:
|
||||
rule: 'RunAsAny'
|
||||
readOnlyRootFilesystem: false
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: magnum:podsecuritypolicy:privileged
|
||||
labels:
|
||||
kubernetes.io/cluster-service: "true"
|
||||
addonmanager.kubernetes.io/mode: Reconcile
|
||||
rules:
|
||||
- apiGroups:
|
||||
- policy
|
||||
resourceNames:
|
||||
- magnum.privileged
|
||||
resources:
|
||||
- podsecuritypolicies
|
||||
verbs:
|
||||
- use
|
||||
EOF
|
||||
}
|
||||
kubectl apply -f ${POD_SECURITY_POLICIES}
|
||||
|
||||
# Add the openstack trustee as a secret under kube-system
|
||||
kubectl -n kube-system create secret generic os-trustee \
|
||||
--from-literal=os-authURL=${AUTH_URL} \
|
||||
|
|
|
|||
|
|
@ -226,7 +226,7 @@ parameters:
|
|||
type: string
|
||||
description: >
|
||||
List of admission control plugins to activate
|
||||
default: "PodSecurityPolicy,NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,TaintNodesByCondition,Priority,DefaultTolerationSeconds,DefaultStorageClass,StorageObjectInUseProtection,PersistentVolumeClaimResize,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,RuntimeClass"
|
||||
default: "NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,TaintNodesByCondition,Priority,DefaultTolerationSeconds,DefaultStorageClass,StorageObjectInUseProtection,PersistentVolumeClaimResize,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,RuntimeClass"
|
||||
|
||||
kube_allow_priv:
|
||||
type: string
|
||||
|
|
|
|||
|
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
deprecations:
|
||||
- |
|
||||
PodSecurityPolicy has been removed in Kubernetes v1.25 [1]. To allow Magnum
|
||||
to support Kubernetes v1.25 and above, PodSecurityPolicy Admission
|
||||
Controller has has been removed.
|
||||
|
||||
This means that there is a behaviour change in Cluster Templates created
|
||||
after this change, where new Clusters with such Cluster Templates will not
|
||||
have PodSecurityPolicy. Please be aware of the subsequent impact on Helm
|
||||
Charts, etc.
|
||||
|
||||
[1] https://kubernetes.io/docs/concepts/security/pod-security-policy/
|
||||
Loading…
Reference in New Issue