From 52ace69c837acc7e3aff8a2d584968297afd70fe Mon Sep 17 00:00:00 2001
From: Carmen Rata
Date: Fri, 17 Jun 2022 09:48:14 -0400
Subject: [PATCH] Amend kube-apiserver 1.23 configuration to use PSP

Enabling PodSecurityPolicy using the service parameter "admission_plugins" in k8s 1.22+ versions of the kube-apiserver configuration results in the kube-apiserver pod not being able to restart.

Starting with the k8s 1.22 version, the kube-apiserver configuration includes a seccompProfile field as part of securityContext in the container spec. The SecurityContext configuration prevents the kube-apiserver pod from restarting. The SeccompDefault feature gate is not currently enabled, and the seccompProfile setting is impacting the PSP configuration.

In order to be able to use PSP functionality in the transitioning K8s 1.23 release, the seccompProfile configuration needs to be removed from the kube-apiserver configuration.

Test Plan:
PASS: Verify that enabling PodSecurityPolicy (PSP) using the "admission_plugins" service parameter is successful.
PASS: Verify that pod "kube-apiserver-controller-0" runs successfully.
PASS: Verify that kube-apiserver is up and running with PSP enabled.

Story: 2009833
Task: 45645

Signed-off-by: Carmen Rata
Change-Id: I269c23352bf790d423add2a1e3c05f63c6e1a6cc
---
 .../modules/platform/templates/kube-apiserver-change-params.erb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/puppet-manifests/src/modules/platform/templates/kube-apiserver-change-params.erb b/puppet-manifests/src/modules/platform/templates/kube-apiserver-change-params.erb
index 0433ee782..f88444ccc 100644
--- a/puppet-manifests/src/modules/platform/templates/kube-apiserver-change-params.erb
+++ b/puppet-manifests/src/modules/platform/templates/kube-apiserver-change-params.erb
@@ -48,5 +48,6 @@ kubectl --kubeconfig=/etc/kubernetes/admin.conf get cm -n kube-system kubeadm-co kubeadm init phase control-plane apiserver --config <%= @configmap_temp_file %> DEFAULT_NETWORK_INTERFACE=$(grep 'advertise-address=' /etc/kubernetes/manifests/kube-apiserver.yaml | cut -d "=" -f2) sed -i "/oidc-issuer-url/! s/$DEFAULT_NETWORK_INTERFACE/$APISERVER_ADVERTISE_ADDRESS/g" /etc/kubernetes/manifests/kube-apiserver.yaml +sed -i '/securityContext:/,/type: RuntimeDefault/d' /etc/kubernetes/manifests/kube-apiserver.yaml rm <%= @configmap_temp_file %> rm <%= @configview_temp_file %>
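Review bot: the added `sed -i '/securityContext:/,/type: RuntimeDefault/d'` deletes every line from the first `securityContext:` match through the first following `type: RuntimeDefault`, which is both broader and more fragile than the commit message's stated goal of removing only the seccompProfile setting. Two points to tighten. First, a sed range whose end pattern never matches runs to end of file, so if a later kubeadm emits a different profile type (or no seccompProfile at all) this silently truncates /etc/kubernetes/manifests/kube-apiserver.yaml from the securityContext line onward and leaves an invalid static pod manifest; guard the edit with a check such as `grep -q 'type: RuntimeDefault' /etc/kubernetes/manifests/kube-apiserver.yaml || exit 1` (or skip the sed when the marker is absent) so the failure is loud rather than a broken apiserver. Second, the start pattern matches any `securityContext:` in the manifest, not only the container's, and the range drops every field in that block rather than just the seccomp profile; anchoring on `/seccompProfile:/,/type: RuntimeDefault/d` limits the deletion to the seccompProfile subtree and leaves any other securityContext fields intact. Finally, since this removes the RuntimeDefault seccomp profile from the apiserver container as a PSP workaround, a one-line comment in the template recording why, and that it should be reverted once PSP is no longer required, would keep the hardening from being lost silently in later releases.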