
k8s_fedora_atomic: Add PodSecurityPolicy

For moving to 1.15.x and beyond we need to have PSP for privileged pods.
flannel, calico and node-problem-detector need it.

PSP
story: 2006515
task: 36513

Allow-priv
story: 2006252
task: 35867

Change-Id: I306a249afb275fdbd71354ed75043ffc4d466304
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
(cherry picked from commit 7267c1ea43b72849ece0bedb0a18bfc438829354)
(cherry picked from commit 6762a97439ac8feeac05db5b49ac26498c1f0e95)
tags/7.2.0
Spyros Trigazis Bharat Kunwar 5 months ago
parent
commit
925628b627
3 changed files with 78 additions and 1 deletions
  1. +1
    -0
      magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
  2. +71
    -1
      magnum/drivers/common/templates/kubernetes/fragments/kube-apiserver-to-kubelet-role.sh
  3. +6
    -0
      releasenotes/notes/podsecuritypolicy-2400063d73524e06.yaml

+ 1
- 0
magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh View File

@@ -87,6 +87,7 @@ sed -i '
' /etc/kubernetes/config

KUBE_API_ARGS="--runtime-config=api/all=true"
KUBE_API_ARGS="$KUBE_API_ARGS --allow-privileged=$KUBE_ALLOW_PRIV"
KUBE_API_ARGS="$KUBE_API_ARGS --kubelet-preferred-address-types=InternalIP,Hostname,ExternalIP"
KUBE_API_ARGS="$KUBE_API_ARGS $KUBEAPI_OPTIONS"
if [ "$TLS_DISABLED" == "True" ]; then
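Review bot: `--allow-privileged=$KUBE_ALLOW_PRIV` hands the Heat parameter to kube-apiserver unvalidated; if the parameter is unset or empty the server is started with `--allow-privileged=`, which a boolean flag rejects at parse time, so a defaulted expansion such as `--allow-privileged=${KUBE_ALLOW_PRIV:-true}` (or `false` if the restrictive default is wanted) is safer than the bare variable. Turning on privileged containers here is only constrained if the `PodSecurityPolicy` admission plugin is in the API server's `--enable-admission-plugins`; nothing in this hunk enables it, so unless that is done elsewhere in this file the privileged PSP created in kube-apiserver-to-kubelet-role.sh has no effect and any principal allowed to create pods can already run them privileged. A one-line comment on the new line, `# privileged pods are gated by the PodSecurityPolicy admission plugin, not by this flag`, would make that dependency visible to the next maintainer. The `if [ "$TLS_DISABLED" == "True" ]` block begins on the last line and continues outside the hunk.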


+ 71
- 1
magnum/drivers/common/templates/kubernetes/fragments/kube-apiserver-to-kubelet-role.sh View File

@@ -3,8 +3,8 @@
step="kube-apiserver-to-kubelet-role"
printf "Starting to run ${step}\n"

set +x
. /etc/sysconfig/heat-params

set -x

echo "Waiting for Kubernetes API..."
@@ -81,6 +81,76 @@ EOF

kubectl apply --validate=false -f ${ADMIN_RBAC}

POD_SECURITY_POLICIES=/srv/magnum/kubernetes/podsecuritypolicies.yaml
# Pod Security Policies
[ -f ${POD_SECURITY_POLICIES} ] || {
echo "Writing File: $POD_SECURITY_POLICIES"
mkdir -p $(dirname ${POD_SECURITY_POLICIES})
cat > ${POD_SECURITY_POLICIES} <<EOF
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: magnum.privileged
annotations:
kubernetes.io/description: 'privileged allows full unrestricted access to
pod features, as if the PodSecurityPolicy controller was not enabled.'
seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
labels:
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
spec:
privileged: true
allowPrivilegeEscalation: true
allowedCapabilities:
- '*'
volumes:
- '*'
hostNetwork: true
hostPorts:
- min: 0
max: 65535
hostIPC: true
hostPID: true
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
readOnlyRootFilesystem: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: magnum:podsecuritypolicy:privileged
labels:
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
rules:
- apiGroups:
- policy
resourceNames:
- magnum.privileged
resources:
- podsecuritypolicies
verbs:
- use
EOF
}
kubectl apply -f ${POD_SECURITY_POLICIES}

# Add the openstack trustee as a secret under kube-system
kubectl -n kube-system create secret generic os-trustee \
--from-literal=os-authURL=${AUTH_URL} \
--from-literal=os-trustID=${TRUST_ID} \
--from-literal=os-trusteeID=${TRUSTEE_USER_ID} \
--from-literal=os-trusteePassword=${TRUSTEE_PASSWORD} \
--from-literal=os-region=${REGION_NAME} \
--from-file=os-certAuthority=/etc/kubernetes/ca-bundle.crt

if [ -z "${TRUST_ID}" ] || [ "$(echo "${CLOUD_PROVIDER_ENABLED}" | tr '[:upper:]' '[:lower:]')" != "true" ]; then
exit 0
fi
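Review bot: The `kubectl -n kube-system create secret generic os-trustee` call, which by the hunk's line counts appears to be inside the added range, runs while `set -x` is still in effect (it is re-enabled right after `/etc/sysconfig/heat-params` is sourced and, as far as the visible hunks show, never turned off again), so the expanded `--from-literal=os-trusteePassword=${TRUSTEE_PASSWORD}` and `--from-literal=os-trustID=${TRUST_ID}` are written to the trace output of whatever runs this fragment, and the password is also visible in the process list for the lifetime of the kubectl call. The earlier `set +x` / `set -x` pair shows the script already guards the sourcing of these values; the secret creation should get the same treatment, e.g. `set +x` immediately before the `kubectl ... create secret` line and `set -x` after it, or build a Secret manifest with `stringData` in a quoted-delimiter here-doc and pipe it to `kubectl apply -f -` so the credentials never appear on a command line (which also makes the step idempotent, whereas `create secret` fails with AlreadyExists on a re-run). Separately, `magnum.privileged` is a fully unrestricted policy (hostPID, hostNetwork, hostIPC, all capabilities, all volume types, RunAsAny) and the ClusterRole grants `use` on it with no binding in this hunk; a comment on the ClusterRole such as `# Bind only to the kube-system addon service accounts (flannel, calico, node-problem-detector); binding this to system:authenticated or system:serviceaccounts makes every pod in the cluster privileged` would record the intended scope, and a restricted default PSP for ordinary workloads is worth adding before the PodSecurityPolicy admission plugin is enabled, since with admission on and only this PSP present no non-addon pod can be scheduled.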


+ 6
- 0
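--- /dev/null
+++ b/releasenotes/notes/podsecuritypolicy-2400063d73524e06.yaml
@@ -0,0 +1,6 @@
+---
+features:
+- |
+k8s_fedora_atomic_v1 Add PodSecurityPolicy for privileged pods. Use
+privileged PSP for calico and node-problem-detector. Add PSP for flannel
+from upstream.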
