
Merge "k8s_fedora_atomic: Add PodSecurityPolicy"

changes/82/673782/3
Zuul 1 week ago
parent
commit
df3d5a3150

+ 17
- 0
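--- a/magnum/drivers/common/templates/kubernetes/fragments/calico-service.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/calico-service.sh
@@ -14,6 +14,23 @@ if [ "$NETWORK_DRIVER" = "calico" ]; then
     mkdir -p $(dirname ${CALICO_DEPLOY})
     cat << EOF > ${CALICO_DEPLOY}
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: magnum:podsecuritypolicy:calico
+  namespace: kube-system
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+    kubernetes.io/cluster-service: "true"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: magnum:podsecuritypolicy:privileged
+subjects:
+- kind: ServiceAccount
+  name: calico-node
+  namespace: kube-system
+---
 # Calico Version v3.3.6
 # https://docs.projectcalico.org/v3.3/releases#v3.3.6
 kind: ClusterRole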
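Review bot: The binding grants the privileged PSP only to the `calico-node` service account; if this manifest also deploys `calico-kube-controllers` under its own service account (the rest of the heredoc is outside the hunk), that pod has no policy to use and would be rejected at admission once PSP enforcement is on, so it needs a binding too, ideally to a scoped policy rather than `magnum.privileged` since the controllers pod does not need host access. The `magnum:podsecuritypolicy:privileged` ClusterRole this roleRef points at is created by a different fragment; RBAC tolerates a dangling roleRef, but a comment above the binding such as `# requires the magnum:podsecuritypolicy:privileged ClusterRole created in kube-apiserver-to-kubelet-role.sh` would record the cross-file dependency. Whether the PodSecurityPolicy admission plugin is actually enabled is not visible on this page.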

+ 1
- 0
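--- a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
@@ -97,6 +97,7 @@ sed -i '
 ' /etc/kubernetes/config
 
 KUBE_API_ARGS="--runtime-config=api/all=true"
+KUBE_API_ARGS="$KUBE_API_ARGS --allow-privileged=$KUBE_ALLOW_PRIV"
 KUBE_API_ARGS="$KUBE_API_ARGS --kubelet-preferred-address-types=InternalIP,Hostname,ExternalIP"
 KUBE_API_ARGS="$KUBE_API_ARGS $KUBEAPI_OPTIONS"
 if [ "$TLS_DISABLED" == "True" ]; then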
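Review bot: `--allow-privileged=$KUBE_ALLOW_PRIV` is passed straight through from `/etc/sysconfig/heat-params` (sourced outside this hunk) with no default and no validation; if the variable is unset or holds anything other than a boolean literal the API server refuses to start on flag parsing, so `--allow-privileged=${KUBE_ALLOW_PRIV:-false}` (or a guard that rejects anything but `true`/`false`) would fail closed instead. This flag is cluster-wide and gates whether `privileged: true` from any PodSecurityPolicy is honoured at all, which deserves a line above it like `# cluster-wide gate for privileged containers; per-service-account grants are done with PodSecurityPolicy`. The kubelet's counterpart flag was deprecated and later removed, and the API-server flag's status varies by release, so confirm it is still accepted across the kube_tag range this driver supports.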

+ 17
- 0
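--- a/magnum/drivers/common/templates/kubernetes/fragments/enable-auto-healing.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/enable-auto-healing.sh
@@ -27,6 +27,23 @@ metadata:
     addonmanager.kubernetes.io/mode: Reconcile
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: magnum:podsecuritypolicy:node-problem-detector
+  namespace: kube-system
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+    kubernetes.io/cluster-service: "true"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: magnum:podsecuritypolicy:privileged
+subjects:
+- kind: ServiceAccount
+  name: node-problem-detector
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: npd-binding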
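Review bot: Binding `node-problem-detector` to the fully privileged PSP (`privileged: true`, `hostPID`, `hostIPC`, any volume type, all capabilities) is far broader than what the detector usually needs, which is a few host paths such as `/var/log` and `/dev/kmsg` plus possibly `hostNetwork`; the flannel manifest in this same commit shows the narrower pattern of a dedicated PSP with an explicit `allowedHostPaths` list. A `magnum.node-problem-detector` PSP limited to the hostPath prefixes the DaemonSet actually mounts (its spec is outside this hunk, so check the mounts before writing it) and a RoleBinding to that policy would keep `magnum.privileged` reserved for the CNI. If the detector's current spec genuinely requires `privileged: true`, say so in a comment above the binding, e.g. `# NPD runs privileged today; narrow this once its hostPath mounts are enumerated`, so the grant is not widened silently by later edits.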

+ 68
- 14
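--- a/magnum/drivers/common/templates/kubernetes/fragments/flannel-service.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/flannel-service.sh
@@ -1,9 +1,11 @@
-#!/bin/sh
+#!/bin/bash
 
+set -e
+set +x
 . /etc/sysconfig/heat-params
-
 set -x
 
+
 if [ "$NETWORK_DRIVER" = "flannel" ]; then
     _prefix=${CONTAINER_INFRA_PREFIX:-quay.io/coreos/}
     FLANNEL_DEPLOY=/srv/magnum/kubernetes/manifests/flannel-deploy.yaml
@@ -11,13 +13,65 @@ if [ "$NETWORK_DRIVER" = "flannel" ]; then
     [ -f ${FLANNEL_DEPLOY} ] || {
     echo "Writing File: $FLANNEL_DEPLOY"
     mkdir -p "$(dirname ${FLANNEL_DEPLOY})"
+    set +x
     cat << EOF > ${FLANNEL_DEPLOY}
 ---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: psp.flannel.unprivileged
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
+    seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
+    apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+    apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+spec:
+  privileged: false
+  volumes:
+    - configMap
+    - secret
+    - emptyDir
+    - hostPath
+  allowedHostPaths:
+    - pathPrefix: "/etc/cni/net.d"
+    - pathPrefix: "/etc/kube-flannel"
+    - pathPrefix: "/run/flannel"
+  readOnlyRootFilesystem: false
+  # Users and groups
+  runAsUser:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  fsGroup:
+    rule: RunAsAny
+  # Privilege Escalation
+  allowPrivilegeEscalation: false
+  defaultAllowPrivilegeEscalation: false
+  # Capabilities
+  allowedCapabilities: ['NET_ADMIN']
+  defaultAddCapabilities: []
+  requiredDropCapabilities: []
+  # Host namespaces
+  hostPID: false
+  hostIPC: false
+  hostNetwork: true
+  hostPorts:
+  - min: 0
+    max: 65535
+  # SELinux
+  seLinux:
+    # SELinux is unsed in CaaSP
+    rule: 'RunAsAny'
+---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
   name: flannel
 rules:
+  - apiGroups: ['extensions']
+    resources: ['podsecuritypolicies']
+    verbs: ['use']
+    resourceNames: ['psp.flannel.unprivileged']
   - apiGroups:
       - ""
     resources:
@@ -101,7 +155,7 @@ data:
       echo "Wrote CNI binaries to /host/opt/cni/bin/";
     fi;
 ---
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   name: kube-flannel-ds-amd64
@@ -110,6 +164,9 @@ metadata:
     tier: node
     app: flannel
 spec:
+  selector:
+    matchLabels:
+      app: flannel
   template:
     metadata:
       labels:
@@ -120,14 +177,8 @@ spec:
       nodeSelector:
         beta.kubernetes.io/arch: amd64
       tolerations:
-        # Make sure flannel gets scheduled on all nodes.
-        - effect: NoSchedule
-          operator: Exists
-        # Mark the pod as a critical add-on for rescheduling.
-        - key: CriticalAddonsOnly
-          operator: Exists
-        - effect: NoExecute
-          operator: Exists
+      - operator: Exists
+        effect: NoSchedule
       serviceAccountName: flannel
       initContainers:
       - name: install-cni-plugins
@@ -170,7 +221,9 @@ spec:
             cpu: "100m"
             memory: "50Mi"
         securityContext:
-          privileged: true
+          privileged: false
+          capabilities:
+             add: ["NET_ADMIN"]
         env:
         - name: POD_NAME
           valueFrom:
@@ -182,7 +235,7 @@ spec:
               fieldPath: metadata.namespace
         volumeMounts:
         - name: run
-          mountPath: /run
+          mountPath: /run/flannel
         - name: flannel-cfg
           mountPath: /etc/kube-flannel/
       volumes:
@@ -191,7 +244,7 @@ spec:
             path: /opt/cni/bin
         - name: run
           hostPath:
-            path: /run
+            path: /run/flannel
         - name: cni
           hostPath:
             path: /etc/cni/net.d
@@ -200,6 +253,7 @@ spec:
             name: kube-flannel-cfg
 EOF
     }
+    set -x
 
     if [ "$MASTER_INDEX" = "0" ]; then
 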
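Review bot: The new PSP's `allowedHostPaths` lists only `/etc/cni/net.d`, `/etc/kube-flannel` and `/run/flannel`, but the DaemonSet in the same file still declares a hostPath volume at `/opt/cni/bin` (the `path: /opt/cni/bin` context line in the volumes hunk, presumably backing the `install-cni-plugins` init container), so under PSP enforcement the flannel pod is rejected at admission instead of running unprivileged as intended; add `- pathPrefix: "/opt/cni/bin"` to `allowedHostPaths`. The `flannel` ClusterRole grants `use` on `podsecuritypolicies` in apiGroup `extensions`, while the PSP is created under `policy/v1beta1` and the privileged ClusterRole elsewhere in this commit uses `policy`; `extensions` only works while the server still serves PSP there, so make it `apiGroups: ['policy']`. The copied comment `# SELinux is unsed in CaaSP` comes from SUSE's manifest and says nothing true about Fedora Atomic, where SELinux is normally enforcing; replace it with `# RunAsAny: flannel keeps the runtime's default SELinux context` or drop it. Whether the PodSecurityPolicy admission plugin is enabled is not shown on this page, so these only bite once it is.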

+ 62
- 1
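--- a/magnum/drivers/common/templates/kubernetes/fragments/kube-apiserver-to-kubelet-role.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/kube-apiserver-to-kubelet-role.sh
@@ -3,8 +3,8 @@
 step="kube-apiserver-to-kubelet-role"
 printf "Starting to run ${step}\n"
 
+set +x
 . /etc/sysconfig/heat-params
-
 set -x
 
 echo "Waiting for Kubernetes API..."
@@ -80,6 +80,67 @@ EOF
 }
 kubectl apply --validate=false -f ${ADMIN_RBAC}
 
+POD_SECURITY_POLICIES=/srv/magnum/kubernetes/podsecuritypolicies.yaml
+# Pod Security Policies
+[ -f ${POD_SECURITY_POLICIES} ] || {
+    echo "Writing File: $POD_SECURITY_POLICIES"
+    mkdir -p $(dirname ${POD_SECURITY_POLICIES})
+    cat > ${POD_SECURITY_POLICIES} <<EOF
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: magnum.privileged
+  annotations:
+    kubernetes.io/description: 'privileged allows full unrestricted access to
+      pod features, as if the PodSecurityPolicy controller was not enabled.'
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+spec:
+  privileged: true
+  allowPrivilegeEscalation: true
+  allowedCapabilities:
+  - '*'
+  volumes:
+  - '*'
+  hostNetwork: true
+  hostPorts:
+  - min: 0
+    max: 65535
+  hostIPC: true
+  hostPID: true
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+  readOnlyRootFilesystem: false
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: magnum:podsecuritypolicy:privileged
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+rules:
+- apiGroups:
+  - policy
+  resourceNames:
+  - magnum.privileged
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+EOF
+}
+kubectl apply -f ${POD_SECURITY_POLICIES}
+
 # Add the openstack trustee as a secret under kube-system
 kubectl -n kube-system create secret generic os-trustee \
     --from-literal=os-authURL=${AUTH_URL} \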

+ 1
- 1
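--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
@@ -382,7 +382,7 @@ parameters:
   flannel_tag:
     type: string
     description: tag of the flannel container
-    default: v0.10.0-amd64
+    default: v0.11.0-amd64
 
   flannel_cni_tag:
     type: string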

+ 6
- 0
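--- /dev/null
+++ b/releasenotes/notes/podsecuritypolicy-2400063d73524e06.yaml
@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    k8s_fedora_atomic_v1 Add PodSecurityPolicy for privileged pods. Use
+    privileged PSP for calico and node-problem-detector. Add PSP for flannel
+    from upstream.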
