k8s_fedora_atomic: Add PodSecurityPolicy

For moving to 1.15.x and beyond we need to have PSP for privileged pods.
flannel, calico and node-problem-detector need it.

PSP
story: 2006515
task: 36513

Allow-priv
story: 2006252
task: 35867

Change-Id: I306a249afb275fdbd71354ed75043ffc4d466304
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
(cherry picked from commit 7267c1ea43)
(cherry picked from commit 6762a97439)

magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh

@@ -87,6 +87,7 @@ sed -i '
 ' /etc/kubernetes/config
 
 KUBE_API_ARGS="--runtime-config=api/all=true"
+KUBE_API_ARGS="$KUBE_API_ARGS --allow-privileged=$KUBE_ALLOW_PRIV"
 KUBE_API_ARGS="$KUBE_API_ARGS --kubelet-preferred-address-types=InternalIP,Hostname,ExternalIP"
 KUBE_API_ARGS="$KUBE_API_ARGS $KUBEAPI_OPTIONS"
 if [ "$TLS_DISABLED" == "True" ]; then

magnum/drivers/common/templates/kubernetes/fragments/kube-apiserver-to-kubelet-role.sh

@@ -3,8 +3,8 @@
 step="kube-apiserver-to-kubelet-role"
 printf "Starting to run ${step}\n"
 
+set +x
 . /etc/sysconfig/heat-params
-
 set -x
 
 echo "Waiting for Kubernetes API..."
@@ -81,6 +81,76 @@ EOF
 
 kubectl apply --validate=false -f ${ADMIN_RBAC}
 
+POD_SECURITY_POLICIES=/srv/magnum/kubernetes/podsecuritypolicies.yaml
+# Pod Security Policies
+[ -f ${POD_SECURITY_POLICIES} ] || {
+    echo "Writing File: $POD_SECURITY_POLICIES"
+    mkdir -p $(dirname ${POD_SECURITY_POLICIES})
+    cat > ${POD_SECURITY_POLICIES} <<EOF
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: magnum.privileged
+  annotations:
+    kubernetes.io/description: 'privileged allows full unrestricted access to
+      pod features, as if the PodSecurityPolicy controller was not enabled.'
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+spec:
+  privileged: true
+  allowPrivilegeEscalation: true
+  allowedCapabilities:
+  - '*'
+  volumes:
+  - '*'
+  hostNetwork: true
+  hostPorts:
+  - min: 0
+    max: 65535
+  hostIPC: true
+  hostPID: true
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+  readOnlyRootFilesystem: false
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: magnum:podsecuritypolicy:privileged
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+rules:
+- apiGroups:
+  - policy
+  resourceNames:
+  - magnum.privileged
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+EOF
+}
+kubectl apply -f ${POD_SECURITY_POLICIES}
+
+# Add the openstack trustee as a secret under kube-system
+kubectl -n kube-system create secret generic os-trustee \
+    --from-literal=os-authURL=${AUTH_URL} \
+    --from-literal=os-trustID=${TRUST_ID} \
+    --from-literal=os-trusteeID=${TRUSTEE_USER_ID} \
+    --from-literal=os-trusteePassword=${TRUSTEE_PASSWORD} \
+    --from-literal=os-region=${REGION_NAME} \
+    --from-file=os-certAuthority=/etc/kubernetes/ca-bundle.crt
+
 if [ -z "${TRUST_ID}" ] || [ "$(echo "${CLOUD_PROVIDER_ENABLED}" | tr '[:upper:]' '[:lower:]')" != "true" ]; then
     exit 0
 fi

releasenotes/notes/podsecuritypolicy-2400063d73524e06.yaml

@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    k8s_fedora_atomic_v1 Add PodSecurityPolicy for privileged pods. Use
+    privileged PSP for calico and node-problem-detector. Add PSP for flannel
+    from upstream.