eef577f13d
This commit updates the per-mode version of Pod Security Admission
labels to "latest" for application namespaces such as cert-manager.
Pod Security Admission labels on namespaces are needed for pod
security admission controller to know how restrictive each
namespace is.
Pinning to a specific Kubernetes version, for example v1.23, allows
the behavior to remain consistent as policy changes happen over
Kubernetes releases. Keeping the version "latest" as the default,
allows more flexibility when supporting multiple kubernetes
versions.
This commit also updates the application namespaces label default
levels to "privileged" from "baseline". This will cause no harm
if users do not wish to use the "beta" PSA feature enabled by default
in Kubernetes v1.23+.
Test Plan:
PASS: In an installed system verify that the pod security admission
labels of the cert-manager namespace has been updated with the
per-mode version "latest".
PASS: Created namespaces where policies are applied via labels.
Privileged pods fail to get created in namespaces that are not
configured with privileged policy level.
PASS: Privileged pods get created in namespaces with no security
policy labels.
Story: 2009833
Task: 45632
Signed-off-by: Carmen Rata <carmen.rata@windriver.com>
Change-Id: I76d44873ac447bbc0e2d90643fedf38bef8ebd1a
#!/usr/bin/python
# Copyright (c) 2022 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# This script adds pod security admission controller labels to a system
# after upgrades. These are applied by ansible and sysinv when a new
# namespace is created during application deployment. Upgrades needs
# to apply these labels to existing namespaces
import subprocess
import sys
from controllerconfig.common import log
from sysinv.helm import common
LOG = log.get_logger(__name__)
def main():
action = None
from_release = None
to_release = None
arg = 1
while arg < len(sys.argv):
if arg == 1:
from_release = sys.argv[arg]
elif arg == 2:
to_release = sys.argv[arg]
elif arg == 3:
action = sys.argv[arg]
else:
print("Invalid option %s." % sys.argv[arg])
return 1
arg += 1
log.configure()
if from_release == '21.12' and action == 'activate':
LOG.info("%s invoked from_release = %s to_release = %s action = %s"
% (sys.argv[0], from_release, to_release, action))
add_pod_security_admission_controller_labels()
def add_pod_security_admission_controller_labels():
try:
cmd = ["kubectl", "--kubeconfig=/etc/kubernetes/admin.conf",
"get", "namespaces", "-o=name"]
namespaces_output = subprocess.check_output(cmd)
except Exception as exc:
LOG.error('Command failed:\n %s' % (cmd))
raise Exception('Cannot get namespaces for pod security labels')
for line in namespaces_output.splitlines():
# we add pod security admission controller labels to namespaces that
# we create
namespace = line.replace("namespace/", "")
if namespace not in common.PRIVILEGED_NS:
continue
security_version = 'latest'
if namespace in common.PRIVILEGED_NS:
security_level = 'privileged'
try:
cmd = ["kubectl", "--kubeconfig=/etc/kubernetes/admin.conf",
"label", "--overwrite", "namespaces", namespace,
"pod-security.kubernetes.io/enforce=%s"
% (security_level),
"pod-security.kubernetes.io/warn=%s"
% (security_level),
"pod-security.kubernetes.io/audit=%s"
% (security_level),
"pod-security.kubernetes.io/enforce-version=%s"
% (security_version),
"pod-security.kubernetes.io/warn-version=%s"
% (security_version),
"pod-security.kubernetes.io/audit-version=%s"
% (security_version)]
subprocess.call(cmd)
except Exception as exc:
LOG.error('Command failed:\n %s\n%s' % (cmd, exc))
raise Exception('Cannot assign pod security label')
if __name__ == "__main__":
sys.exit(main())
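Review bot: `subprocess.call(cmd)` in add_pod_security_admission_controller_labels discards kubectl's exit status, so a failed `label` call (API server unreachable, namespace already gone) is neither logged nor raised and the activate step finishes with that namespace left unlabelled; the surrounding `except` only fires if the process cannot be spawned at all. Changing it to `subprocess.check_call(cmd)` turns a non-zero exit into CalledProcessError, which the existing handler then logs and converts, and that is the one-line fix I would take. The first handler binds `except Exception as exc:` but leaves exc out of the log line, unlike the second one; `LOG.error('Command failed:\n %s\n%s' % (cmd, exc))` would make the two consistent and keep the cause of the failure in the upgrade log. Under Python 3, check_output returns bytes, so `line.replace("namespace/", "")` would raise TypeError on each line (and a bytes namespace could never match PRIVILEGED_NS); the `#!/usr/bin/python` shebang does not settle the interpreter version, so if Python 3 is expected a `.decode()` on namespaces_output is needed. The inner `if namespace in common.PRIVILEGED_NS:` is always true after the `continue` above it and could be dropped so security_level is assigned unconditionally.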