Added PodSecurityPolicy support
This commit is contained in:
parent
7ec8e68b67
commit
aadce54b2f
@ -167,7 +167,7 @@ spec:
|
||||
type: DirectoryOrCreate
|
||||
- name: registration-dir
|
||||
hostPath:
|
||||
path: /var/lib/kubelet/plugins_registry/
|
||||
path: {{ .Values.registrationDir }}
|
||||
type: Directory
|
||||
- name: mountpoint-dir
|
||||
hostPath:
|
||||
|
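--- a/charts/ceph-csi-cephfs/templates/nodeplugin-psp.yaml
+++ b/charts/ceph-csi-cephfs/templates/nodeplugin-psp.yaml
@@ -0,0 +1,49 @@
+{{- if .Values.nodeplugin.podSecurityPolicy.enabled -}}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
+  labels:
+    app: {{ include "ceph-csi-cephfs.fullname" . }}
+    chart: {{ include "ceph-csi-cephfs.chart" . }}
+    component: {{ .Values.nodeplugin.name }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  allowPrivilegeEscalation: true
+  allowedCapabilities:
+    - 'SYS_ADMIN'
+  fsGroup:
+    rule: RunAsAny
+  privileged: true
+  hostNetwork: true
+  hostPID: true
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  volumes:
+    - 'configMap'
+    - 'emptyDir'
+    - 'projected'
+    - 'secret'
+    - 'downwardAPI'
+    - 'hostPath'
+  allowedHostPaths:
+    - pathPrefix: '/dev'
+      readOnly: false
+    - pathPrefix: '/sys'
+      readOnly: false
+    - pathPrefix: '/lib/modules'
+      readOnly: true
+    - pathPrefix: '/var/lib/kubelet/pods'
+      readOnly: false
+    - pathPrefix: '{{ .Values.socketDir }}'
+      readOnly: false
+    - pathPrefix: '{{ .Values.registrationDir }}'
+      readOnly: false
+    - pathPrefix: '{{ .Values.pluginDir }}'
+      readOnly: false
+{{- end }}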
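Review bot: The `app` label is rendered with the fullname helper, `app: {{ include "ceph-csi-cephfs.fullname" . }}`, while provisioner-psp.yaml in this same chart and every new template in the ceph-csi-rbd chart use the `.name` helper; nodeplugin-role.yaml and nodeplugin-rolebinding.yaml repeat the fullname form. Unless the rest of the cephfs chart labels its resources that way (not visible here), `app: {{ include "ceph-csi-cephfs.name" . }}` keeps labelling uniform across the three files and the two charts. Separately, the policy admits `hostNetwork: true` and `hostPID: true`; a PodSecurityPolicy is an allow-list, so if the nodeplugin DaemonSet does not actually set hostPID that line should be dropped rather than carried over, and the DaemonSet spec is outside this section so please confirm. The same two points apply to the rbd chart's nodeplugin-psp.yaml.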
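--- a/charts/ceph-csi-cephfs/templates/nodeplugin-role.yaml
+++ b/charts/ceph-csi-cephfs/templates/nodeplugin-role.yaml
@@ -0,0 +1,18 @@
+{{- if and .Values.rbac.create .Values.nodeplugin.podSecurityPolicy.enabled -}}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ include "ceph-csi-cephfs.fullname" . }}
+    chart: {{ include "ceph-csi-cephfs.chart" . }}
+    component: {{ .Values.nodeplugin.name }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+rules:
+  - apiGroups: ['policy']
+    resources: ['podsecuritypolicies']
+    verbs: ['use']
+    resourceNames: ['{{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}']
+{{- end -}}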
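--- a/charts/ceph-csi-cephfs/templates/nodeplugin-rolebinding.yaml
+++ b/charts/ceph-csi-cephfs/templates/nodeplugin-rolebinding.yaml
@@ -0,0 +1,21 @@
+{{- if and .Values.rbac.create .Values.nodeplugin.podSecurityPolicy.enabled -}}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ include "ceph-csi-cephfs.fullname" . }}
+    chart: {{ include "ceph-csi-cephfs.chart" . }}
+    component: {{ .Values.nodeplugin.name }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "ceph-csi-cephfs.serviceAccountName.nodeplugin" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end -}}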
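--- a/charts/ceph-csi-cephfs/templates/provisioner-psp.yaml
+++ b/charts/ceph-csi-cephfs/templates/provisioner-psp.yaml
@@ -0,0 +1,39 @@
+{{- if .Values.provisioner.podSecurityPolicy.enabled -}}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ include "ceph-csi-cephfs.provisioner.fullname" . }}
+  labels:
+    app: {{ include "ceph-csi-cephfs.name" . }}
+    chart: {{ include "ceph-csi-cephfs.chart" . }}
+    component: {{ .Values.provisioner.name }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  allowPrivilegeEscalation: true
+  allowedCapabilities:
+    - 'SYS_ADMIN'
+  fsGroup:
+    rule: RunAsAny
+  privileged: true
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  volumes:
+    - 'configMap'
+    - 'emptyDir'
+    - 'projected'
+    - 'secret'
+    - 'downwardAPI'
+    - 'hostPath'
+  allowedHostPaths:
+    - pathPrefix: '/dev'
+      readOnly: false
+    - pathPrefix: '/sys'
+      readOnly: false
+    - pathPrefix: '/lib/modules'
+      readOnly: true
+{{- end }}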
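Review bot: The cephfs provisioner policy allows `privileged: true`, `SYS_ADMIN` and read-write host paths `/dev` and `/sys`, the same set as the rbd chart's provisioner-psp.yaml; whether the cephfs provisioner Deployment actually mounts those host paths or runs a privileged container is not visible in this section, so please confirm against it. A PodSecurityPolicy is an allow-list and every entry the workload does not use widens what the provisioner's service account may run, so unused entries should be removed rather than mirrored from rbd. A short comment above `allowedHostPaths:` naming which container needs each prefix, e.g. `# /dev, /sys, /lib/modules: needed by <container> — confirm`, would let the next reviewer check it without reading the Deployment. The same question applies to deploy/cephfs/kubernetes/csi-provisioner-psp.yaml; also, the `{{- end }}` here and in the other psp templates differs from the `{{- end -}}` used by the role and rolebinding templates, which is harmless but inconsistent.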
@ -20,4 +20,10 @@ rules:
|
||||
- apiGroups: ["coordination.k8s.io"]
|
||||
resources: ["leases"]
|
||||
verbs: ["get", "watch", "list", "delete", "update", "create"]
|
||||
{{- if .Values.provisioner.podSecurityPolicy.enabled }}
|
||||
- apiGroups: ['policy']
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
resourceNames: ['{{ include "ceph-csi-cephfs.provisioner.fullname" . }}']
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
@ -114,6 +114,11 @@ nodeplugin:
|
||||
|
||||
affinity: {}
|
||||
|
||||
# If true, create & use Pod Security Policy resources
|
||||
# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
|
||||
podSecurityPolicy:
|
||||
enabled: false
|
||||
|
||||
provisioner:
|
||||
name: provisioner
|
||||
replicaCount: 3
|
||||
@ -213,6 +218,11 @@ provisioner:
|
||||
|
||||
affinity: {}
|
||||
|
||||
# If true, create & use Pod Security Policy resources
|
||||
# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
|
||||
podSecurityPolicy:
|
||||
enabled: false
|
||||
|
||||
#########################################################
|
||||
# Variables for 'internal' use please use with caution! #
|
||||
#########################################################
|
||||
|
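Review bot: `podSecurityPolicy.enabled: true` is sufficient for nodeplugin-psp.yaml to emit the policy, but the Role and RoleBinding that grant `use` on it are gated on `and .Values.rbac.create ...`, so a release with `rbac.create=false` gets a policy that no subject is authorised to use and, if the PodSecurityPolicy admission controller is active, the nodeplugin pods are rejected. That coupling belongs next to the flag, e.g. `# Requires rbac.create=true: without the Role/RoleBinding no pod may use the policy`. The provisioner block below (`@ -213,6 +218,11 @@`) presumably has the same dependency through its rbac template, and the rbd chart's values.yaml repeats both blocks unchanged.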
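--- a/charts/ceph-csi-rbd/templates/nodeplugin-psp.yaml
+++ b/charts/ceph-csi-rbd/templates/nodeplugin-psp.yaml
@@ -0,0 +1,49 @@
+{{- if .Values.nodeplugin.podSecurityPolicy.enabled -}}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }}
+  labels:
+    app: {{ include "ceph-csi-rbd.name" . }}
+    chart: {{ include "ceph-csi-rbd.chart" . }}
+    component: {{ .Values.nodeplugin.name }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  allowPrivilegeEscalation: true
+  allowedCapabilities:
+    - 'SYS_ADMIN'
+  fsGroup:
+    rule: RunAsAny
+  privileged: true
+  hostNetwork: true
+  hostPID: true
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  volumes:
+    - 'configMap'
+    - 'emptyDir'
+    - 'projected'
+    - 'secret'
+    - 'downwardAPI'
+    - 'hostPath'
+  allowedHostPaths:
+    - pathPrefix: '/dev'
+      readOnly: false
+    - pathPrefix: '/sys'
+      readOnly: false
+    - pathPrefix: '/lib/modules'
+      readOnly: true
+    - pathPrefix: '/var/lib/kubelet/pods'
+      readOnly: false
+    - pathPrefix: '{{ .Values.socketDir }}'
+      readOnly: false
+    - pathPrefix: '{{ .Values.registrationDir }}'
+      readOnly: false
+    - pathPrefix: '{{ .Values.pluginDir }}'
+      readOnly: false
+{{- end }}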
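--- a/charts/ceph-csi-rbd/templates/nodeplugin-role.yaml
+++ b/charts/ceph-csi-rbd/templates/nodeplugin-role.yaml
@@ -0,0 +1,18 @@
+{{- if and .Values.rbac.create .Values.nodeplugin.podSecurityPolicy.enabled -}}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ include "ceph-csi-rbd.name" . }}
+    chart: {{ include "ceph-csi-rbd.chart" . }}
+    component: {{ .Values.nodeplugin.name }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+rules:
+  - apiGroups: ['policy']
+    resources: ['podsecuritypolicies']
+    verbs: ['use']
+    resourceNames: ['{{ include "ceph-csi-rbd.nodeplugin.fullname" . }}']
+{{- end -}}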
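--- a/charts/ceph-csi-rbd/templates/nodeplugin-rolebinding.yaml
+++ b/charts/ceph-csi-rbd/templates/nodeplugin-rolebinding.yaml
@@ -0,0 +1,21 @@
+{{- if and .Values.rbac.create .Values.nodeplugin.podSecurityPolicy.enabled -}}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ include "ceph-csi-rbd.name" . }}
+    chart: {{ include "ceph-csi-rbd.chart" . }}
+    component: {{ .Values.nodeplugin.name }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "ceph-csi-rbd.serviceAccountName.nodeplugin" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end -}}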
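--- a/charts/ceph-csi-rbd/templates/provisioner-psp.yaml
+++ b/charts/ceph-csi-rbd/templates/provisioner-psp.yaml
@@ -0,0 +1,39 @@
+{{- if .Values.provisioner.podSecurityPolicy.enabled -}}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ include "ceph-csi-rbd.provisioner.fullname" . }}
+  labels:
+    app: {{ include "ceph-csi-rbd.name" . }}
+    chart: {{ include "ceph-csi-rbd.chart" . }}
+    component: {{ .Values.provisioner.name }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  allowPrivilegeEscalation: true
+  allowedCapabilities:
+    - 'SYS_ADMIN'
+  fsGroup:
+    rule: RunAsAny
+  privileged: true
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  volumes:
+    - 'configMap'
+    - 'emptyDir'
+    - 'projected'
+    - 'secret'
+    - 'downwardAPI'
+    - 'hostPath'
+  allowedHostPaths:
+    - pathPrefix: '/dev'
+      readOnly: false
+    - pathPrefix: '/sys'
+      readOnly: false
+    - pathPrefix: '/lib/modules'
+      readOnly: true
+{{- end }}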
@ -17,4 +17,10 @@ rules:
|
||||
- apiGroups: ["coordination.k8s.io"]
|
||||
resources: ["leases"]
|
||||
verbs: ["get", "watch", "list", "delete", "update", "create"]
|
||||
{{- if .Values.provisioner.podSecurityPolicy.enabled }}
|
||||
- apiGroups: ['policy']
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
resourceNames: ['{{ include "ceph-csi-rbd.provisioner.fullname" . }}']
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
@ -114,6 +114,11 @@ nodeplugin:
|
||||
|
||||
affinity: {}
|
||||
|
||||
# If true, create & use Pod Security Policy resources
|
||||
# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
|
||||
podSecurityPolicy:
|
||||
enabled: false
|
||||
|
||||
provisioner:
|
||||
name: provisioner
|
||||
replicaCount: 3
|
||||
@ -220,6 +225,11 @@ provisioner:
|
||||
|
||||
affinity: {}
|
||||
|
||||
# If true, create & use Pod Security Policy resources
|
||||
# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
|
||||
podSecurityPolicy:
|
||||
enabled: false
|
||||
|
||||
#########################################################
|
||||
# Variables for 'internal' use please use with caution! #
|
||||
#########################################################
|
||||
|
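--- a/deploy/cephfs/kubernetes/csi-nodeplugin-psp.yaml
+++ b/deploy/cephfs/kubernetes/csi-nodeplugin-psp.yaml
@@ -0,0 +1,72 @@
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: cephfs-csi-nodeplugin-psp
+spec:
+  allowPrivilegeEscalation: true
+  allowedCapabilities:
+    - 'SYS_ADMIN'
+  fsGroup:
+    rule: RunAsAny
+  privileged: true
+  hostNetwork: true
+  hostPID: true
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  volumes:
+    - 'configMap'
+    - 'emptyDir'
+    - 'projected'
+    - 'secret'
+    - 'downwardAPI'
+    - 'hostPath'
+  allowedHostPaths:
+    - pathPrefix: '/dev'
+      readOnly: false
+    - pathPrefix: '/sys'
+      readOnly: false
+    - pathPrefix: '/lib/modules'
+      readOnly: true
+    - pathPrefix: '/var/lib/kubelet/pods'
+      readOnly: false
+    - pathPrefix: '/var/lib/kubelet/plugins/cephfs.csi.ceph.com'
+      readOnly: false
+    - pathPrefix: '/var/lib/kubelet/plugins_registry'
+      readOnly: false
+    - pathPrefix: '/var/lib/kubelet/plugins'
+      readOnly: false
+
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: cephfs-csi-nodeplugin-psp
+  # replace with non-default namespace name
+  namespace: default
+rules:
+  - apiGroups: ['policy']
+    resources: ['podsecuritypolicies']
+    verbs: ['use']
+    resourceNames: ['cephfs-csi-nodeplugin-psp']
+
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: cephfs-csi-nodeplugin-psp
+  # replace with non-default namespace name
+  namespace: default
+subjects:
+  - kind: ServiceAccount
+    name: cephfs-csi-nodeplugin
+    # replace with non-default namespace name
+    namespace: default
+roleRef:
+  kind: Role
+  name: cephfs-csi-nodeplugin-psp
+  apiGroup: rbac.authorization.k8s.io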
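Review bot: In `allowedHostPaths`, the read-write `pathPrefix: '/var/lib/kubelet/plugins'` already covers `/var/lib/kubelet/plugins/cephfs.csi.ceph.com`, because pathPrefix matching is by path component, so the narrower entry two lines above it grants nothing on its own and the effective allowance is every driver directory under `plugins/`. If the DaemonSet only mounts the driver's own directory, drop the broad prefix; if it really mounts the whole `plugins` directory (mount propagation is the usual reason), a comment such as `# whole plugins dir: required for <reason> — confirm against the DaemonSet` would keep a later reviewer from tightening it by mistake. `/var/lib/kubelet/plugins_registry` is not matched by that prefix and stays as it is. The rbd manifest deploy/rbd/kubernetes/csi-nodeplugin-psp.yaml carries the same pair of entries.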
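--- a/deploy/cephfs/kubernetes/csi-provisioner-psp.yaml
+++ b/deploy/cephfs/kubernetes/csi-provisioner-psp.yaml
@@ -0,0 +1,62 @@
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: cephfs-csi-provisioner-psp
+spec:
+  allowPrivilegeEscalation: true
+  allowedCapabilities:
+    - 'SYS_ADMIN'
+  fsGroup:
+    rule: RunAsAny
+  privileged: true
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  volumes:
+    - 'configMap'
+    - 'emptyDir'
+    - 'projected'
+    - 'secret'
+    - 'downwardAPI'
+    - 'hostPath'
+  allowedHostPaths:
+    - pathPrefix: '/dev'
+      readOnly: false
+    - pathPrefix: '/sys'
+      readOnly: false
+    - pathPrefix: '/lib/modules'
+      readOnly: true
+
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: cephfs-csi-provisioner-psp
+  # replace with non-default namespace name
+  namespace: default
+rules:
+  - apiGroups: ['policy']
+    resources: ['podsecuritypolicies']
+    verbs: ['use']
+    resourceNames: ['cephfs-csi-provisioner-psp']
+
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: cephfs-csi-provisioner-psp
+  # replace with non-default namespace name
+  namespace: default
+subjects:
+  - kind: ServiceAccount
+    name: cephfs-csi-provisioner
+    # replace with non-default namespace name
+    namespace: default
+roleRef:
+  kind: Role
+  name: cephfs-csi-provisioner-psp
+  apiGroup: rbac.authorization.k8s.io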
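--- a/deploy/rbd/kubernetes/csi-nodeplugin-psp.yaml
+++ b/deploy/rbd/kubernetes/csi-nodeplugin-psp.yaml
@@ -0,0 +1,72 @@
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: rbd-csi-nodeplugin-psp
+spec:
+  allowPrivilegeEscalation: true
+  allowedCapabilities:
+    - 'SYS_ADMIN'
+  fsGroup:
+    rule: RunAsAny
+  privileged: true
+  hostNetwork: true
+  hostPID: true
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  volumes:
+    - 'configMap'
+    - 'emptyDir'
+    - 'projected'
+    - 'secret'
+    - 'downwardAPI'
+    - 'hostPath'
+  allowedHostPaths:
+    - pathPrefix: '/dev'
+      readOnly: false
+    - pathPrefix: '/sys'
+      readOnly: false
+    - pathPrefix: '/lib/modules'
+      readOnly: true
+    - pathPrefix: '/var/lib/kubelet/pods'
+      readOnly: false
+    - pathPrefix: '/var/lib/kubelet/plugins/rbd.csi.ceph.com'
+      readOnly: false
+    - pathPrefix: '/var/lib/kubelet/plugins_registry'
+      readOnly: false
+    - pathPrefix: '/var/lib/kubelet/plugins'
+      readOnly: false
+
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: rbd-csi-nodeplugin-psp
+  # replace with non-default namespace name
+  namespace: default
+rules:
+  - apiGroups: ['policy']
+    resources: ['podsecuritypolicies']
+    verbs: ['use']
+    resourceNames: ['rbd-csi-nodeplugin-psp']
+
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: rbd-csi-nodeplugin-psp
+  # replace with non-default namespace name
+  namespace: default
+subjects:
+  - kind: ServiceAccount
+    name: rbd-csi-nodeplugin
+    # replace with non-default namespace name
+    namespace: default
+roleRef:
+  kind: Role
+  name: rbd-csi-nodeplugin-psp
+  apiGroup: rbac.authorization.k8s.io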
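--- a/deploy/rbd/kubernetes/csi-provisioner-psp.yaml
+++ b/deploy/rbd/kubernetes/csi-provisioner-psp.yaml
@@ -0,0 +1,62 @@
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: rbd-csi-provisioner-psp
+spec:
+  allowPrivilegeEscalation: true
+  allowedCapabilities:
+    - 'SYS_ADMIN'
+  fsGroup:
+    rule: RunAsAny
+  privileged: true
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  volumes:
+    - 'configMap'
+    - 'emptyDir'
+    - 'projected'
+    - 'secret'
+    - 'downwardAPI'
+    - 'hostPath'
+  allowedHostPaths:
+    - pathPrefix: '/dev'
+      readOnly: false
+    - pathPrefix: '/sys'
+      readOnly: false
+    - pathPrefix: '/lib/modules'
+      readOnly: true
+
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  # replace with non-default namespace name
+  namespace: default
+  name: rbd-csi-provisioner-psp
+rules:
+  - apiGroups: ['policy']
+    resources: ['podsecuritypolicies']
+    verbs: ['use']
+    resourceNames: ['rbd-csi-provisioner-psp']
+
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: rbd-csi-provisioner-psp
+  # replace with non-default namespace name
+  namespace: default
+subjects:
+  - kind: ServiceAccount
+    name: rbd-csi-provisioner
+    # replace with non-default namespace name
+    namespace: default
+roleRef:
+  kind: Role
+  name: rbd-csi-provisioner-psp
+  apiGroup: rbac.authorization.k8s.io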
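Review bot: The Role's `metadata` here lists the namespace comment and `namespace: default` before `name: rbd-csi-provisioner-psp`, whereas the Role in the other three new manifests and the RoleBinding just below put `name:` first. Reordering to `name: rbd-csi-provisioner-psp`, then `# replace with non-default namespace name`, then `namespace: default` keeps the four files diffable side by side; it is cosmetic only and changes nothing semantically.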
@ -138,6 +138,16 @@ Those manifests deploy service accounts, cluster roles and cluster role
|
||||
bindings. These are shared for both RBD and CephFS CSI plugins, as they require
|
||||
the same permissions.
|
||||
|
||||
**Deploy PodSecurityPolicy resources for sidecar containers and node plugins:**
|
||||
|
||||
**NOTE:** These manifests are required only if [PodSecurityPolicy](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podsecuritypolicy)
|
||||
admission controller is active on your cluster.
|
||||
|
||||
```bash
|
||||
kubectl create -f csi-provisioner-psp.yaml
|
||||
kubectl create -f csi-nodeplugin-psp.yaml
|
||||
```
|
||||
|
||||
**Deploy ConfigMap for CSI plugins:**
|
||||
|
||||
```bash
|
||||
|
@ -94,6 +94,16 @@ Those manifests deploy service accounts, cluster roles and cluster role
|
||||
bindings. These are shared for both RBD and CephFS CSI plugins, as they require
|
||||
the same permissions.
|
||||
|
||||
**Deploy PodSecurityPolicy resources for sidecar containers and node plugins:**
|
||||
|
||||
**NOTE:** These manifests are required only if [PodSecurityPolicy](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podsecuritypolicy)
|
||||
admission controller is active on your cluster.
|
||||
|
||||
```bash
|
||||
kubectl create -f csi-provisioner-psp.yaml
|
||||
kubectl create -f csi-nodeplugin-psp.yaml
|
||||
```
|
||||
|
||||
**Deploy ConfigMap for CSI plugins:**
|
||||
|
||||
```bash
|
||||
|
@ -13,8 +13,10 @@ import (
|
||||
var (
|
||||
cephfsProvisioner = "csi-cephfsplugin-provisioner.yaml"
|
||||
cephfsProvisionerRBAC = "csi-provisioner-rbac.yaml"
|
||||
cephfsProvisionerPSP = "csi-provisioner-psp.yaml"
|
||||
cephfsNodePlugin = "csi-cephfsplugin.yaml"
|
||||
cephfsNodePluginRBAC = "csi-nodeplugin-rbac.yaml"
|
||||
cephfsNodePluginPSP = "csi-nodeplugin-psp.yaml"
|
||||
cephfsDeploymentName = "csi-cephfsplugin-provisioner"
|
||||
cephfsDeamonSetName = "csi-cephfsplugin"
|
||||
cephfsDirPath = "../deploy/cephfs/kubernetes/"
|
||||
@ -28,9 +30,11 @@ func deployCephfsPlugin() {
|
||||
// deploy provisioner
|
||||
framework.RunKubectlOrDie("create", "-f", cephfsDirPath+cephfsProvisioner)
|
||||
framework.RunKubectlOrDie("create", "-f", cephfsDirPath+cephfsProvisionerRBAC)
|
||||
framework.RunKubectlOrDie("create", "-f", cephfsDirPath+cephfsProvisionerPSP)
|
||||
// deploy nodeplugin
|
||||
framework.RunKubectlOrDie("create", "-f", cephfsDirPath+cephfsNodePlugin)
|
||||
framework.RunKubectlOrDie("create", "-f", cephfsDirPath+cephfsNodePluginRBAC)
|
||||
framework.RunKubectlOrDie("create", "-f", cephfsDirPath+cephfsNodePluginPSP)
|
||||
}
|
||||
|
||||
func deleteCephfsPlugin() {
|
||||
@ -42,6 +46,10 @@ func deleteCephfsPlugin() {
|
||||
if err != nil {
|
||||
e2elog.Logf("failed to delete cephfs provisioner rbac %v", err)
|
||||
}
|
||||
_, err = framework.RunKubectl("delete", "-f", cephfsDirPath+cephfsProvisionerPSP)
|
||||
if err != nil {
|
||||
e2elog.Logf("failed to delete cephfs provisioner psp %v", err)
|
||||
}
|
||||
_, err = framework.RunKubectl("delete", "-f", cephfsDirPath+cephfsNodePlugin)
|
||||
if err != nil {
|
||||
e2elog.Logf("failed to delete cephfs nodeplugin %v", err)
|
||||
@ -50,6 +58,10 @@ func deleteCephfsPlugin() {
|
||||
if err != nil {
|
||||
e2elog.Logf("failed to delete cephfs nodeplugin rbac %v", err)
|
||||
}
|
||||
_, err = framework.RunKubectl("delete", "-f", cephfsDirPath+cephfsNodePluginPSP)
|
||||
if err != nil {
|
||||
e2elog.Logf("failed to delete cephfs nodeplugin psp %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
var _ = Describe("cephfs", func() {
|
||||
|
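Review bot: `deployCephfsPlugin` creates the provisioner Deployment and the nodeplugin DaemonSet before the PodSecurityPolicy manifests that authorise their pods, since `cephfsProvisionerPSP` and `cephfsNodePluginPSP` are applied last in each pair; with the PodSecurityPolicy admission plugin now enabled by scripts/minikube.sh the first pod creations are likely rejected and only succeed once the controllers retry, so the run passes but with FailedCreate events and a slower start. Applying the policy first, i.e. moving `framework.RunKubectlOrDie("create", "-f", cephfsDirPath+cephfsProvisionerPSP)` ahead of the Deployment and doing the same for the nodeplugin, avoids that; `deleteCephfsPlugin` can keep its order. `deployRBDPlugin` in e2e/rbd.go has the same ordering. Both functions start before their hunks.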
12
e2e/rbd.go
12
e2e/rbd.go
@ -13,8 +13,10 @@ import (
|
||||
var (
|
||||
rbdProvisioner = "csi-rbdplugin-provisioner.yaml"
|
||||
rbdProvisionerRBAC = "csi-provisioner-rbac.yaml"
|
||||
rbdProvisionerPSP = "csi-provisioner-psp.yaml"
|
||||
rbdNodePlugin = "csi-rbdplugin.yaml"
|
||||
rbdNodePluginRBAC = "csi-nodeplugin-rbac.yaml"
|
||||
rbdNodePluginPSP = "csi-nodeplugin-psp.yaml"
|
||||
configMap = "csi-config-map.yaml"
|
||||
rbdDirPath = "../deploy/rbd/kubernetes/"
|
||||
rbdExamplePath = "../examples/rbd/"
|
||||
@ -30,9 +32,11 @@ func deployRBDPlugin() {
|
||||
// deploy provisioner
|
||||
framework.RunKubectlOrDie("create", "-f", rbdDirPath+rbdProvisioner)
|
||||
framework.RunKubectlOrDie("create", "-f", rbdDirPath+rbdProvisionerRBAC)
|
||||
framework.RunKubectlOrDie("create", "-f", rbdDirPath+rbdProvisionerPSP)
|
||||
// deploy nodeplugin
|
||||
framework.RunKubectlOrDie("create", "-f", rbdDirPath+rbdNodePlugin)
|
||||
framework.RunKubectlOrDie("create", "-f", rbdDirPath+rbdNodePluginRBAC)
|
||||
framework.RunKubectlOrDie("create", "-f", rbdDirPath+rbdNodePluginPSP)
|
||||
}
|
||||
|
||||
func deleteRBDPlugin() {
|
||||
@ -44,6 +48,10 @@ func deleteRBDPlugin() {
|
||||
if err != nil {
|
||||
e2elog.Logf("failed to delete provisioner rbac %v", err)
|
||||
}
|
||||
_, err = framework.RunKubectl("delete", "-f", rbdDirPath+rbdProvisionerPSP)
|
||||
if err != nil {
|
||||
e2elog.Logf("failed to delete provisioner psp %v", err)
|
||||
}
|
||||
_, err = framework.RunKubectl("delete", "-f", rbdDirPath+rbdNodePlugin)
|
||||
if err != nil {
|
||||
e2elog.Logf("failed to delete nodeplugin %v", err)
|
||||
@ -52,6 +60,10 @@ func deleteRBDPlugin() {
|
||||
if err != nil {
|
||||
e2elog.Logf("failed to delete nodeplugin rbac %v", err)
|
||||
}
|
||||
_, err = framework.RunKubectl("delete", "-f", rbdDirPath+rbdNodePluginPSP)
|
||||
if err != nil {
|
||||
e2elog.Logf("failed to delete nodeplugin psp %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
var _ = Describe("RBD", func() {
|
||||
|
@ -53,6 +53,13 @@ function install_kubectl() {
|
||||
curl -Lo kubectl https://storage.googleapis.com/kubernetes-release/release/"${KUBE_VERSION}"/bin/linux/"${MINIKUBE_ARCH}"/kubectl && chmod +x kubectl && mv kubectl /usr/local/bin/
|
||||
}
|
||||
|
||||
function enable_psp() {
|
||||
echo "prepare minikube to support pod security policies"
|
||||
mkdir -p "$HOME"/.minikube/files/etc/kubernetes/addons
|
||||
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
|
||||
cp "$DIR"/psp.yaml "$HOME"/.minikube/files/etc/kubernetes/addons/psp.yaml
|
||||
}
|
||||
|
||||
# configure minikube
|
||||
MINIKUBE_ARCH=${MINIKUBE_ARCH:-"amd64"}
|
||||
MINIKUBE_VERSION=${MINIKUBE_VERSION:-"latest"}
|
||||
@ -71,6 +78,9 @@ fi
|
||||
#feature-gates for kube
|
||||
K8S_FEATURE_GATES=${K8S_FEATURE_GATES:-"BlockVolume=true,CSIBlockVolume=true,VolumeSnapshotDataSource=true,ExpandCSIVolumes=true"}
|
||||
|
||||
#extra-config for kube https://minikube.sigs.k8s.io/docs/reference/configuration/kubernetes/
|
||||
EXTRA_CONFIG=${EXTRA_CONFIG:-"--extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy"}
|
||||
|
||||
case "${1:-}" in
|
||||
up)
|
||||
install_minikube
|
||||
@ -80,8 +90,11 @@ up)
|
||||
install_kubectl
|
||||
fi
|
||||
|
||||
enable_psp
|
||||
|
||||
echo "starting minikube with kubeadm bootstrapper"
|
||||
minikube start --memory="${MEMORY}" -b kubeadm --kubernetes-version="${KUBE_VERSION}" --vm-driver="${VM_DRIVER}" --feature-gates="${K8S_FEATURE_GATES}"
|
||||
# shellcheck disable=SC2086
|
||||
minikube start --memory="${MEMORY}" -b kubeadm --kubernetes-version="${KUBE_VERSION}" --vm-driver="${VM_DRIVER}" --feature-gates="${K8S_FEATURE_GATES}" ${EXTRA_CONFIG}
|
||||
|
||||
# create a link so the default dataDirHostPath will work for this
|
||||
# environment
|
||||
|
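Review bot: `EXTRA_CONFIG=${EXTRA_CONFIG:-"--extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy"}` turns PSP admission on for every `up`, and because `:-` substitutes the default for an empty value as well as an unset one, `EXTRA_CONFIG=""` cannot opt out; a caller has to pass some other non-empty flag. If opting out is meant to be possible, `${EXTRA_CONFIG-"--extra-config=..."}` (no colon) lets an empty export disable it. Either way the `#extra-config` comment should say that the default enables the PodSecurityPolicy admission plugin and that `enable_psp` stages scripts/psp.yaml so kube-system workloads keep running under it.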
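--- a/scripts/psp.yaml
+++ b/scripts/psp.yaml
@@ -0,0 +1,135 @@
+# Required PodSecurityPolicies, Roles and RoleBindings
+# for minikube to bootstrap when PSPs are enabled
+# https://minikube.sigs.k8s.io/docs/tutorials/using_psp/
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: privileged
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
+  labels:
+    addonmanager.kubernetes.io/mode: EnsureExists
+spec:
+  privileged: true
+  allowPrivilegeEscalation: true
+  allowedCapabilities:
+    - "*"
+  volumes:
+    - "*"
+  hostNetwork: true
+  hostPorts:
+    - min: 0
+      max: 65535
+  hostIPC: true
+  hostPID: true
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: restricted
+  labels:
+    addonmanager.kubernetes.io/mode: EnsureExists
+spec:
+  privileged: false
+  allowPrivilegeEscalation: false
+  requiredDropCapabilities:
+    - ALL
+  volumes:
+    - 'configMap'
+    - 'emptyDir'
+    - 'projected'
+    - 'secret'
+    - 'downwardAPI'
+    - 'persistentVolumeClaim'
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'MustRunAsNonRoot'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: psp:privileged
+  labels:
+    addonmanager.kubernetes.io/mode: EnsureExists
+rules:
+  - apiGroups: ['policy']
+    resources: ['podsecuritypolicies']
+    verbs: ['use']
+    resourceNames:
+      - privileged
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: psp:restricted
+  labels:
+    addonmanager.kubernetes.io/mode: EnsureExists
+rules:
+  - apiGroups: ['policy']
+    resources: ['podsecuritypolicies']
+    verbs: ['use']
+    resourceNames:
+      - restricted
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: default:restricted
+  labels:
+    addonmanager.kubernetes.io/mode: EnsureExists
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: psp:restricted
+subjects:
+  - kind: Group
+    name: system:authenticated
+    apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: default:privileged
+  namespace: kube-system
+  labels:
+    addonmanager.kubernetes.io/mode: EnsureExists
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: psp:privileged
+subjects:
+  - kind: Group
+    name: system:masters
+    apiGroup: rbac.authorization.k8s.io
+  - kind: Group
+    name: system:nodes
+    apiGroup: rbac.authorization.k8s.io
+  - kind: Group
+    name: system:serviceaccounts:kube-system
+    apiGroup: rbac.authorization.k8s.io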