From 925628b627a8c86f259519ea7dc3b0742eb3226f Mon Sep 17 00:00:00 2001
From: Spyros Trigazis <spyridon.trigazis@cern.ch>
Date: Mon, 9 Sep 2019 13:47:23 +0000
Subject: [PATCH] k8s_fedora_atomic: Add PodSecurityPolicy

For moving to 1.15.x and beyond we need to have PSP for privileged pods.
flannel, calico and node-problem-detector need it.

PSP
story: 2006515
task: 36513

Allow-priv
story: 2006252
task: 35867

Change-Id: I306a249afb275fdbd71354ed75043ffc4d466304
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
(cherry picked from commit 7267c1ea43b72849ece0bedb0a18bfc438829354)
(cherry picked from commit 6762a97439ac8feeac05db5b49ac26498c1f0e95)
---
 .../fragments/configure-kubernetes-master.sh  |  1 +
 .../kube-apiserver-to-kubelet-role.sh         | 72 ++++++++++++++++++-
 .../podsecuritypolicy-2400063d73524e06.yaml   |  6 ++
 3 files changed, 78 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/podsecuritypolicy-2400063d73524e06.yaml

diff --git a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
index bdf7b232fa..b7b8da6e10 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
@@ -87,6 +87,7 @@ sed -i '
 ' /etc/kubernetes/config
 
 KUBE_API_ARGS="--runtime-config=api/all=true"
+KUBE_API_ARGS="$KUBE_API_ARGS --allow-privileged=$KUBE_ALLOW_PRIV"
 KUBE_API_ARGS="$KUBE_API_ARGS --kubelet-preferred-address-types=InternalIP,Hostname,ExternalIP"
 KUBE_API_ARGS="$KUBE_API_ARGS $KUBEAPI_OPTIONS"
 if [ "$TLS_DISABLED" == "True" ]; then
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/kube-apiserver-to-kubelet-role.sh b/magnum/drivers/common/templates/kubernetes/fragments/kube-apiserver-to-kubelet-role.sh
index 449acaf8ef..784bea45fe 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/kube-apiserver-to-kubelet-role.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/kube-apiserver-to-kubelet-role.sh
@@ -3,8 +3,8 @@
 step="kube-apiserver-to-kubelet-role"
 printf "Starting to run ${step}\n"
 
+set +x
 . /etc/sysconfig/heat-params
-
 set -x
 
 echo "Waiting for Kubernetes API..."
@@ -81,6 +81,76 @@ EOF
 
 kubectl apply --validate=false -f ${ADMIN_RBAC}
 
+POD_SECURITY_POLICIES=/srv/magnum/kubernetes/podsecuritypolicies.yaml
+# Pod Security Policies
+[ -f ${POD_SECURITY_POLICIES} ] || {
+    echo "Writing File: $POD_SECURITY_POLICIES"
+    mkdir -p $(dirname ${POD_SECURITY_POLICIES})
+    cat > ${POD_SECURITY_POLICIES} <<EOF
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: magnum.privileged
+  annotations:
+    kubernetes.io/description: 'privileged allows full unrestricted access to
+      pod features, as if the PodSecurityPolicy controller was not enabled.'
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+spec:
+  privileged: true
+  allowPrivilegeEscalation: true
+  allowedCapabilities:
+  - '*'
+  volumes:
+  - '*'
+  hostNetwork: true
+  hostPorts:
+  - min: 0
+    max: 65535
+  hostIPC: true
+  hostPID: true
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+  readOnlyRootFilesystem: false
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: magnum:podsecuritypolicy:privileged
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+rules:
+- apiGroups:
+  - policy
+  resourceNames:
+  - magnum.privileged
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+EOF
+}
+kubectl apply -f ${POD_SECURITY_POLICIES}
+
+# Add the openstack trustee as a secret under kube-system
+kubectl -n kube-system create secret generic os-trustee \
+    --from-literal=os-authURL=${AUTH_URL} \
+    --from-literal=os-trustID=${TRUST_ID} \
+    --from-literal=os-trusteeID=${TRUSTEE_USER_ID} \
+    --from-literal=os-trusteePassword=${TRUSTEE_PASSWORD} \
+    --from-literal=os-region=${REGION_NAME} \
+    --from-file=os-certAuthority=/etc/kubernetes/ca-bundle.crt
+
 if [ -z "${TRUST_ID}" ] || [ "$(echo "${CLOUD_PROVIDER_ENABLED}" | tr '[:upper:]' '[:lower:]')" != "true" ]; then
     exit 0
 fi
diff --git a/releasenotes/notes/podsecuritypolicy-2400063d73524e06.yaml b/releasenotes/notes/podsecuritypolicy-2400063d73524e06.yaml
new file mode 100644
index 0000000000..d8778cd827
--- /dev/null
+++ b/releasenotes/notes/podsecuritypolicy-2400063d73524e06.yaml
@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    k8s_fedora_atomic_v1 Add PodSecurityPolicy for privileged pods. Use
+    privileged PSP for calico and node-problem-detector. Add PSP for flannel
+    from upstream.