k8s_fedora_atomic: Add PodSecurityPolicy
For moving to 1.15.x and beyond we need to have PSP for privileged pods. flannel, calico and node-problem-detector need it. PSP story: 2006515 task: 36513 Allow-priv story: 2006252 task: 35867 Change-Id: I306a249afb275fdbd71354ed75043ffc4d466304 Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch> (cherry picked from commit 7267c1ea43) (cherry picked from commit 6762a97439)
This commit is contained in:
parent
dbe2abd258
commit
925628b627
|
@ -87,6 +87,7 @@ sed -i '
|
||||||
' /etc/kubernetes/config
|
' /etc/kubernetes/config
|
||||||
|
|
||||||
KUBE_API_ARGS="--runtime-config=api/all=true"
|
KUBE_API_ARGS="--runtime-config=api/all=true"
|
||||||
|
KUBE_API_ARGS="$KUBE_API_ARGS --allow-privileged=$KUBE_ALLOW_PRIV"
|
||||||
KUBE_API_ARGS="$KUBE_API_ARGS --kubelet-preferred-address-types=InternalIP,Hostname,ExternalIP"
|
KUBE_API_ARGS="$KUBE_API_ARGS --kubelet-preferred-address-types=InternalIP,Hostname,ExternalIP"
|
||||||
KUBE_API_ARGS="$KUBE_API_ARGS $KUBEAPI_OPTIONS"
|
KUBE_API_ARGS="$KUBE_API_ARGS $KUBEAPI_OPTIONS"
|
||||||
if [ "$TLS_DISABLED" == "True" ]; then
|
if [ "$TLS_DISABLED" == "True" ]; then
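Review bot: The new `KUBE_API_ARGS="$KUBE_API_ARGS --allow-privileged=$KUBE_ALLOW_PRIV"` line passes the variable through unvalidated; if `KUBE_ALLOW_PRIV` is unset or empty in the sourced heat-params the apiserver receives `--allow-privileged=` with no value, which a boolean flag rejects, so the service fails to start rather than defaulting. Guard it before appending, e.g. `: "${KUBE_ALLOW_PRIV:=true}"` (or skip the flag when empty), and give the variable the same lower-casing treatment the script applies to `CLOUD_PROVIDER_ENABLED` so `True`/`true` both parse. Since the commit targets 1.15.x and later, it is also worth a comment noting that `--allow-privileged` on kube-apiserver is deprecated upstream and that the PodSecurityPolicy added alongside is the intended replacement, so the flag can be dropped once the deprecated version is no longer supported. The `if [ "$TLS_DISABLED" == "True" ]` block that follows continues outside the hunk.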
|
||||||
|
|
|
@ -3,8 +3,8 @@
|
||||||
step="kube-apiserver-to-kubelet-role"
|
step="kube-apiserver-to-kubelet-role"
|
||||||
printf "Starting to run ${step}\n"
|
printf "Starting to run ${step}\n"
|
||||||
|
|
||||||
|
set +x
|
||||||
. /etc/sysconfig/heat-params
|
. /etc/sysconfig/heat-params
|
||||||
|
|
||||||
set -x
|
set -x
|
||||||
|
|
||||||
echo "Waiting for Kubernetes API..."
|
echo "Waiting for Kubernetes API..."
|
||||||
|
@ -81,6 +81,76 @@ EOF
|
||||||
|
|
||||||
kubectl apply --validate=false -f ${ADMIN_RBAC}
|
kubectl apply --validate=false -f ${ADMIN_RBAC}
|
||||||
|
|
||||||
|
POD_SECURITY_POLICIES=/srv/magnum/kubernetes/podsecuritypolicies.yaml
|
||||||
|
# Pod Security Policies
|
||||||
|
[ -f ${POD_SECURITY_POLICIES} ] || {
|
||||||
|
echo "Writing File: $POD_SECURITY_POLICIES"
|
||||||
|
mkdir -p $(dirname ${POD_SECURITY_POLICIES})
|
||||||
|
cat > ${POD_SECURITY_POLICIES} <<EOF
|
||||||
|
---
|
||||||
|
apiVersion: policy/v1beta1
|
||||||
|
kind: PodSecurityPolicy
|
||||||
|
metadata:
|
||||||
|
name: magnum.privileged
|
||||||
|
annotations:
|
||||||
|
kubernetes.io/description: 'privileged allows full unrestricted access to
|
||||||
|
pod features, as if the PodSecurityPolicy controller was not enabled.'
|
||||||
|
seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
|
||||||
|
labels:
|
||||||
|
kubernetes.io/cluster-service: "true"
|
||||||
|
addonmanager.kubernetes.io/mode: Reconcile
|
||||||
|
spec:
|
||||||
|
privileged: true
|
||||||
|
allowPrivilegeEscalation: true
|
||||||
|
allowedCapabilities:
|
||||||
|
- '*'
|
||||||
|
volumes:
|
||||||
|
- '*'
|
||||||
|
hostNetwork: true
|
||||||
|
hostPorts:
|
||||||
|
- min: 0
|
||||||
|
max: 65535
|
||||||
|
hostIPC: true
|
||||||
|
hostPID: true
|
||||||
|
runAsUser:
|
||||||
|
rule: 'RunAsAny'
|
||||||
|
seLinux:
|
||||||
|
rule: 'RunAsAny'
|
||||||
|
supplementalGroups:
|
||||||
|
rule: 'RunAsAny'
|
||||||
|
fsGroup:
|
||||||
|
rule: 'RunAsAny'
|
||||||
|
readOnlyRootFilesystem: false
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: magnum:podsecuritypolicy:privileged
|
||||||
|
labels:
|
||||||
|
kubernetes.io/cluster-service: "true"
|
||||||
|
addonmanager.kubernetes.io/mode: Reconcile
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- policy
|
||||||
|
resourceNames:
|
||||||
|
- magnum.privileged
|
||||||
|
resources:
|
||||||
|
- podsecuritypolicies
|
||||||
|
verbs:
|
||||||
|
- use
|
||||||
|
EOF
|
||||||
|
}
|
||||||
|
kubectl apply -f ${POD_SECURITY_POLICIES}
|
||||||
|
|
||||||
|
# Add the openstack trustee as a secret under kube-system
|
||||||
|
kubectl -n kube-system create secret generic os-trustee \
|
||||||
|
--from-literal=os-authURL=${AUTH_URL} \
|
||||||
|
--from-literal=os-trustID=${TRUST_ID} \
|
||||||
|
--from-literal=os-trusteeID=${TRUSTEE_USER_ID} \
|
||||||
|
--from-literal=os-trusteePassword=${TRUSTEE_PASSWORD} \
|
||||||
|
--from-literal=os-region=${REGION_NAME} \
|
||||||
|
--from-file=os-certAuthority=/etc/kubernetes/ca-bundle.crt
|
||||||
|
|
||||||
if [ -z "${TRUST_ID}" ] || [ "$(echo "${CLOUD_PROVIDER_ENABLED}" | tr '[:upper:]' '[:lower:]')" != "true" ]; then
|
if [ -z "${TRUST_ID}" ] || [ "$(echo "${CLOUD_PROVIDER_ENABLED}" | tr '[:upper:]' '[:lower:]')" != "true" ]; then
|
||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
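Review bot: The trustee password is still exposed to xtrace: the new `set +x` before `. /etc/sysconfig/heat-params` hides the sourced values, but `set -x` is back on when `kubectl -n kube-system create secret generic os-trustee ... --from-literal=os-trusteePassword=${TRUSTEE_PASSWORD}` runs, so the password, trust ID and auth URL are echoed into the script's trace output. Bracket that command the same way, `set +x` before `kubectl -n kube-system create secret generic os-trustee \` and `set -x` after the `--from-file=os-certAuthority=/etc/kubernetes/ca-bundle.crt` argument, or build the secret from files in a `mktemp -d` directory instead of `--from-literal`. Note also that this block now runs before the `[ -z "${TRUST_ID}" ]` guard, so a cluster without a trust still gets an os-trustee secret with empty fields; if that is intended it deserves a comment. Separately, the `magnum:podsecuritypolicy:privileged` ClusterRole is created here but no RoleBinding/ClusterRoleBinding is visible in this hunk — presumably the addon manifests bind it per service account elsewhere in the commit; if it is ever bound to a broad subject such as `system:authenticated`, the PSP admission gate becomes a no-op, because `magnum.privileged` permits host namespaces, all capabilities and all volume types.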
|
||||||
|
|
|
@ -0,0 +1,6 @@
|
||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
k8s_fedora_atomic_v1 Add PodSecurityPolicy for privileged pods. Use
|
||||||
|
privileged PSP for calico and node-problem-detector. Add PSP for flannel
|
||||||
|
from upstream.
|