mirrors/ceph-csi
1
0
Fork 0
mirror of https://github.com/ceph/ceph-csi.git synced 2024-11-22 14:20:19 +00:00
Code Issues Packages Projects Releases Wiki Activity

Added PodSecurityPolicy support

Browse Source
This commit is contained in:
Oguz Kilcan 2020-01-21 09:22:43 +01:00 committed by mergify[bot]
parent 7ec8e68b67
commit aadce54b2f
23 changed files with 748 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
charts/ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml
View File

@ -167,7 +167,7 @@ spec:
type: DirectoryOrCreate type: DirectoryOrCreate
- name: registration-dir - name: registration-dir
hostPath: hostPath:
path: /var/lib/kubelet/plugins_registry/ path: {{ .Values.registrationDir }}
type: Directory type: Directory
- name: mountpoint-dir - name: mountpoint-dir
hostPath: hostPath:

49
charts/ceph-csi-cephfs/templates/nodeplugin-psp.yaml Normal file
View File

@ -0,0 +1,49 @@
{{- if .Values.nodeplugin.podSecurityPolicy.enabled -}}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
labels:
app: {{ include "ceph-csi-cephfs.fullname" . }}
chart: {{ include "ceph-csi-cephfs.chart" . }}
component: {{ .Values.nodeplugin.name }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
allowPrivilegeEscalation: true
allowedCapabilities:
- 'SYS_ADMIN'
fsGroup:
rule: RunAsAny
privileged: true
hostNetwork: true
hostPID: true
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
- 'hostPath'
allowedHostPaths:
- pathPrefix: '/dev'
readOnly: false
- pathPrefix: '/sys'
readOnly: false
- pathPrefix: '/lib/modules'
readOnly: true
- pathPrefix: '/var/lib/kubelet/pods'
readOnly: false
- pathPrefix: '{{ .Values.socketDir }}'
readOnly: false
- pathPrefix: '{{ .Values.registrationDir }}'
readOnly: false
- pathPrefix: '{{ .Values.pluginDir }}'
readOnly: false
{{- end }}

18
charts/ceph-csi-cephfs/templates/nodeplugin-role.yaml Normal file
View File

@ -0,0 +1,18 @@
{{- if and .Values.rbac.create .Values.nodeplugin.podSecurityPolicy.enabled -}}
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ include "ceph-csi-cephfs.fullname" . }}
chart: {{ include "ceph-csi-cephfs.chart" . }}
component: {{ .Values.nodeplugin.name }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames: ['{{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}']
{{- end -}}

21
charts/ceph-csi-cephfs/templates/nodeplugin-rolebinding.yaml Normal file
View File

@ -0,0 +1,21 @@
{{- if and .Values.rbac.create .Values.nodeplugin.podSecurityPolicy.enabled -}}
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ include "ceph-csi-cephfs.fullname" . }}
chart: {{ include "ceph-csi-cephfs.chart" . }}
component: {{ .Values.nodeplugin.name }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
subjects:
- kind: ServiceAccount
name: {{ include "ceph-csi-cephfs.serviceAccountName.nodeplugin" . }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: Role
name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
apiGroup: rbac.authorization.k8s.io
{{- end -}}

39
charts/ceph-csi-cephfs/templates/provisioner-psp.yaml Normal file
View File

@ -0,0 +1,39 @@
{{- if .Values.provisioner.podSecurityPolicy.enabled -}}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ include "ceph-csi-cephfs.provisioner.fullname" . }}
labels:
app: {{ include "ceph-csi-cephfs.name" . }}
chart: {{ include "ceph-csi-cephfs.chart" . }}
component: {{ .Values.provisioner.name }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
allowPrivilegeEscalation: true
allowedCapabilities:
- 'SYS_ADMIN'
fsGroup:
rule: RunAsAny
privileged: true
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
- 'hostPath'
allowedHostPaths:
- pathPrefix: '/dev'
readOnly: false
- pathPrefix: '/sys'
readOnly: false
- pathPrefix: '/lib/modules'
readOnly: true
{{- end }}

6
charts/ceph-csi-cephfs/templates/provisioner-role.yaml
View File

@ -20,4 +20,10 @@ rules:
- apiGroups: ["coordination.k8s.io"] - apiGroups: ["coordination.k8s.io"]
resources: ["leases"] resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"] verbs: ["get", "watch", "list", "delete", "update", "create"]
{{- if .Values.provisioner.podSecurityPolicy.enabled }}
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames: ['{{ include "ceph-csi-cephfs.provisioner.fullname" . }}']
{{- end -}}
{{- end -}} {{- end -}}

10
charts/ceph-csi-cephfs/values.yaml
View File

@ -114,6 +114,11 @@ nodeplugin:
affinity: {} affinity: {}
# If true, create & use Pod Security Policy resources
# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
podSecurityPolicy:
enabled: false
provisioner: provisioner:
name: provisioner name: provisioner
replicaCount: 3 replicaCount: 3
@ -213,6 +218,11 @@ provisioner:
affinity: {} affinity: {}
# If true, create & use Pod Security Policy resources
# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
podSecurityPolicy:
enabled: false
######################################################### #########################################################
# Variables for 'internal' use please use with caution! # # Variables for 'internal' use please use with caution! #
######################################################### #########################################################

49
charts/ceph-csi-rbd/templates/nodeplugin-psp.yaml Normal file
View File

@ -0,0 +1,49 @@
{{- if .Values.nodeplugin.podSecurityPolicy.enabled -}}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }}
labels:
app: {{ include "ceph-csi-rbd.name" . }}
chart: {{ include "ceph-csi-rbd.chart" . }}
component: {{ .Values.nodeplugin.name }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
allowPrivilegeEscalation: true
allowedCapabilities:
- 'SYS_ADMIN'
fsGroup:
rule: RunAsAny
privileged: true
hostNetwork: true
hostPID: true
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
- 'hostPath'
allowedHostPaths:
- pathPrefix: '/dev'
readOnly: false
- pathPrefix: '/sys'
readOnly: false
- pathPrefix: '/lib/modules'
readOnly: true
- pathPrefix: '/var/lib/kubelet/pods'
readOnly: false
- pathPrefix: '{{ .Values.socketDir }}'
readOnly: false
- pathPrefix: '{{ .Values.registrationDir }}'
readOnly: false
- pathPrefix: '{{ .Values.pluginDir }}'
readOnly: false
{{- end }}

18
charts/ceph-csi-rbd/templates/nodeplugin-role.yaml Normal file
View File

@ -0,0 +1,18 @@
{{- if and .Values.rbac.create .Values.nodeplugin.podSecurityPolicy.enabled -}}
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ include "ceph-csi-rbd.name" . }}
chart: {{ include "ceph-csi-rbd.chart" . }}
component: {{ .Values.nodeplugin.name }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames: ['{{ include "ceph-csi-rbd.nodeplugin.fullname" . }}']
{{- end -}}

21
charts/ceph-csi-rbd/templates/nodeplugin-rolebinding.yaml Normal file
View File

@ -0,0 +1,21 @@
{{- if and .Values.rbac.create .Values.nodeplugin.podSecurityPolicy.enabled -}}
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ include "ceph-csi-rbd.name" . }}
chart: {{ include "ceph-csi-rbd.chart" . }}
component: {{ .Values.nodeplugin.name }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
subjects:
- kind: ServiceAccount
name: {{ include "ceph-csi-rbd.serviceAccountName.nodeplugin" . }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: Role
name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }}
apiGroup: rbac.authorization.k8s.io
{{- end -}}

39
charts/ceph-csi-rbd/templates/provisioner-psp.yaml Normal file
View File

@ -0,0 +1,39 @@
{{- if .Values.provisioner.podSecurityPolicy.enabled -}}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ include "ceph-csi-rbd.provisioner.fullname" . }}
labels:
app: {{ include "ceph-csi-rbd.name" . }}
chart: {{ include "ceph-csi-rbd.chart" . }}
component: {{ .Values.provisioner.name }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
allowPrivilegeEscalation: true
allowedCapabilities:
- 'SYS_ADMIN'
fsGroup:
rule: RunAsAny
privileged: true
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
- 'hostPath'
allowedHostPaths:
- pathPrefix: '/dev'
readOnly: false
- pathPrefix: '/sys'
readOnly: false
- pathPrefix: '/lib/modules'
readOnly: true
{{- end }}

6
charts/ceph-csi-rbd/templates/provisioner-role.yaml
View File

@ -17,4 +17,10 @@ rules:
- apiGroups: ["coordination.k8s.io"] - apiGroups: ["coordination.k8s.io"]
resources: ["leases"] resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"] verbs: ["get", "watch", "list", "delete", "update", "create"]
{{- if .Values.provisioner.podSecurityPolicy.enabled }}
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames: ['{{ include "ceph-csi-rbd.provisioner.fullname" . }}']
{{- end -}}
{{- end -}} {{- end -}}

10
charts/ceph-csi-rbd/values.yaml
View File

@ -114,6 +114,11 @@ nodeplugin:
affinity: {} affinity: {}
# If true, create & use Pod Security Policy resources
# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
podSecurityPolicy:
enabled: false
provisioner: provisioner:
name: provisioner name: provisioner
replicaCount: 3 replicaCount: 3
@ -220,6 +225,11 @@ provisioner:
affinity: {} affinity: {}
# If true, create & use Pod Security Policy resources
# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
podSecurityPolicy:
enabled: false
######################################################### #########################################################
# Variables for 'internal' use please use with caution! # # Variables for 'internal' use please use with caution! #
######################################################### #########################################################

72
deploy/cephfs/kubernetes/csi-nodeplugin-psp.yaml Normal file
View File

@ -0,0 +1,72 @@
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: cephfs-csi-nodeplugin-psp
spec:
allowPrivilegeEscalation: true
allowedCapabilities:
- 'SYS_ADMIN'
fsGroup:
rule: RunAsAny
privileged: true
hostNetwork: true
hostPID: true
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
- 'hostPath'
allowedHostPaths:
- pathPrefix: '/dev'
readOnly: false
- pathPrefix: '/sys'
readOnly: false
- pathPrefix: '/lib/modules'
readOnly: true
- pathPrefix: '/var/lib/kubelet/pods'
readOnly: false
- pathPrefix: '/var/lib/kubelet/plugins/cephfs.csi.ceph.com'
readOnly: false
- pathPrefix: '/var/lib/kubelet/plugins_registry'
readOnly: false
- pathPrefix: '/var/lib/kubelet/plugins'
readOnly: false
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cephfs-csi-nodeplugin-psp
# replace with non-default namespace name
namespace: default
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames: ['cephfs-csi-nodeplugin-psp']
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cephfs-csi-nodeplugin-psp
# replace with non-default namespace name
namespace: default
subjects:
- kind: ServiceAccount
name: cephfs-csi-nodeplugin
# replace with non-default namespace name
namespace: default
roleRef:
kind: Role
name: cephfs-csi-nodeplugin-psp
apiGroup: rbac.authorization.k8s.io

62
deploy/cephfs/kubernetes/csi-provisioner-psp.yaml Normal file
View File

@ -0,0 +1,62 @@
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: cephfs-csi-provisioner-psp
spec:
allowPrivilegeEscalation: true
allowedCapabilities:
- 'SYS_ADMIN'
fsGroup:
rule: RunAsAny
privileged: true
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
- 'hostPath'
allowedHostPaths:
- pathPrefix: '/dev'
readOnly: false
- pathPrefix: '/sys'
readOnly: false
- pathPrefix: '/lib/modules'
readOnly: true
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cephfs-csi-provisioner-psp
# replace with non-default namespace name
namespace: default
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames: ['cephfs-csi-provisioner-psp']
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cephfs-csi-provisioner-psp
# replace with non-default namespace name
namespace: default
subjects:
- kind: ServiceAccount
name: cephfs-csi-provisioner
# replace with non-default namespace name
namespace: default
roleRef:
kind: Role
name: cephfs-csi-provisioner-psp
apiGroup: rbac.authorization.k8s.io

72
deploy/rbd/kubernetes/csi-nodeplugin-psp.yaml Normal file
View File

@ -0,0 +1,72 @@
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: rbd-csi-nodeplugin-psp
spec:
allowPrivilegeEscalation: true
allowedCapabilities:
- 'SYS_ADMIN'
fsGroup:
rule: RunAsAny
privileged: true
hostNetwork: true
hostPID: true
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
- 'hostPath'
allowedHostPaths:
- pathPrefix: '/dev'
readOnly: false
- pathPrefix: '/sys'
readOnly: false
- pathPrefix: '/lib/modules'
readOnly: true
- pathPrefix: '/var/lib/kubelet/pods'
readOnly: false
- pathPrefix: '/var/lib/kubelet/plugins/rbd.csi.ceph.com'
readOnly: false
- pathPrefix: '/var/lib/kubelet/plugins_registry'
readOnly: false
- pathPrefix: '/var/lib/kubelet/plugins'
readOnly: false
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rbd-csi-nodeplugin-psp
# replace with non-default namespace name
namespace: default
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames: ['rbd-csi-nodeplugin-psp']
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rbd-csi-nodeplugin-psp
# replace with non-default namespace name
namespace: default
subjects:
- kind: ServiceAccount
name: rbd-csi-nodeplugin
# replace with non-default namespace name
namespace: default
roleRef:
kind: Role
name: rbd-csi-nodeplugin-psp
apiGroup: rbac.authorization.k8s.io

62
deploy/rbd/kubernetes/csi-provisioner-psp.yaml Normal file
View File

@ -0,0 +1,62 @@
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: rbd-csi-provisioner-psp
spec:
allowPrivilegeEscalation: true
allowedCapabilities:
- 'SYS_ADMIN'
fsGroup:
rule: RunAsAny
privileged: true
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
- 'hostPath'
allowedHostPaths:
- pathPrefix: '/dev'
readOnly: false
- pathPrefix: '/sys'
readOnly: false
- pathPrefix: '/lib/modules'
readOnly: true
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
# replace with non-default namespace name
namespace: default
name: rbd-csi-provisioner-psp
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames: ['rbd-csi-provisioner-psp']
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rbd-csi-provisioner-psp
# replace with non-default namespace name
namespace: default
subjects:
- kind: ServiceAccount
name: rbd-csi-provisioner
# replace with non-default namespace name
namespace: default
roleRef:
kind: Role
name: rbd-csi-provisioner-psp
apiGroup: rbac.authorization.k8s.io

10
docs/deploy-cephfs.md
View File

@ -138,6 +138,16 @@ Those manifests deploy service accounts, cluster roles and cluster role
bindings. These are shared for both RBD and CephFS CSI plugins, as they require bindings. These are shared for both RBD and CephFS CSI plugins, as they require
the same permissions. the same permissions.
**Deploy PodSecurityPolicy resources for sidecar containers and node plugins:**
**NOTE:** These manifests are required only if [PodSecurityPolicy](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podsecuritypolicy)
admission controller is active on your cluster.
```bash
kubectl create -f csi-provisioner-psp.yaml
kubectl create -f csi-nodeplugin-psp.yaml
```
**Deploy ConfigMap for CSI plugins:** **Deploy ConfigMap for CSI plugins:**
```bash ```bash

10
docs/deploy-rbd.md
View File

@ -94,6 +94,16 @@ Those manifests deploy service accounts, cluster roles and cluster role
bindings. These are shared for both RBD and CephFS CSI plugins, as they require bindings. These are shared for both RBD and CephFS CSI plugins, as they require
the same permissions. the same permissions.
**Deploy PodSecurityPolicy resources for sidecar containers and node plugins:**
**NOTE:** These manifests are required only if [PodSecurityPolicy](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podsecuritypolicy)
admission controller is active on your cluster.
```bash
kubectl create -f csi-provisioner-psp.yaml
kubectl create -f csi-nodeplugin-psp.yaml
```
**Deploy ConfigMap for CSI plugins:** **Deploy ConfigMap for CSI plugins:**
```bash ```bash

12
e2e/cephfs.go
View File

@ -13,8 +13,10 @@ import (
var ( var (
cephfsProvisioner = "csi-cephfsplugin-provisioner.yaml" cephfsProvisioner = "csi-cephfsplugin-provisioner.yaml"
cephfsProvisionerRBAC = "csi-provisioner-rbac.yaml" cephfsProvisionerRBAC = "csi-provisioner-rbac.yaml"
cephfsProvisionerPSP = "csi-provisioner-psp.yaml"
cephfsNodePlugin = "csi-cephfsplugin.yaml" cephfsNodePlugin = "csi-cephfsplugin.yaml"
cephfsNodePluginRBAC = "csi-nodeplugin-rbac.yaml" cephfsNodePluginRBAC = "csi-nodeplugin-rbac.yaml"
cephfsNodePluginPSP = "csi-nodeplugin-psp.yaml"
cephfsDeploymentName = "csi-cephfsplugin-provisioner" cephfsDeploymentName = "csi-cephfsplugin-provisioner"
cephfsDeamonSetName = "csi-cephfsplugin" cephfsDeamonSetName = "csi-cephfsplugin"
cephfsDirPath = "../deploy/cephfs/kubernetes/" cephfsDirPath = "../deploy/cephfs/kubernetes/"
@ -28,9 +30,11 @@ func deployCephfsPlugin() {
// deploy provisioner // deploy provisioner
framework.RunKubectlOrDie("create", "-f", cephfsDirPath+cephfsProvisioner) framework.RunKubectlOrDie("create", "-f", cephfsDirPath+cephfsProvisioner)
framework.RunKubectlOrDie("create", "-f", cephfsDirPath+cephfsProvisionerRBAC) framework.RunKubectlOrDie("create", "-f", cephfsDirPath+cephfsProvisionerRBAC)
framework.RunKubectlOrDie("create", "-f", cephfsDirPath+cephfsProvisionerPSP)
// deploy nodeplugin // deploy nodeplugin
framework.RunKubectlOrDie("create", "-f", cephfsDirPath+cephfsNodePlugin) framework.RunKubectlOrDie("create", "-f", cephfsDirPath+cephfsNodePlugin)
framework.RunKubectlOrDie("create", "-f", cephfsDirPath+cephfsNodePluginRBAC) framework.RunKubectlOrDie("create", "-f", cephfsDirPath+cephfsNodePluginRBAC)
framework.RunKubectlOrDie("create", "-f", cephfsDirPath+cephfsNodePluginPSP)
} }
func deleteCephfsPlugin() { func deleteCephfsPlugin() {
@ -42,6 +46,10 @@ func deleteCephfsPlugin() {
if err != nil { if err != nil {
e2elog.Logf("failed to delete cephfs provisioner rbac %v", err) e2elog.Logf("failed to delete cephfs provisioner rbac %v", err)
} }
_, err = framework.RunKubectl("delete", "-f", cephfsDirPath+cephfsProvisionerPSP)
if err != nil {
e2elog.Logf("failed to delete cephfs provisioner psp %v", err)
}
_, err = framework.RunKubectl("delete", "-f", cephfsDirPath+cephfsNodePlugin) _, err = framework.RunKubectl("delete", "-f", cephfsDirPath+cephfsNodePlugin)
if err != nil { if err != nil {
e2elog.Logf("failed to delete cephfs nodeplugin %v", err) e2elog.Logf("failed to delete cephfs nodeplugin %v", err)
@ -50,6 +58,10 @@ func deleteCephfsPlugin() {
if err != nil { if err != nil {
e2elog.Logf("failed to delete cephfs nodeplugin rbac %v", err) e2elog.Logf("failed to delete cephfs nodeplugin rbac %v", err)
} }
_, err = framework.RunKubectl("delete", "-f", cephfsDirPath+cephfsNodePluginPSP)
if err != nil {
e2elog.Logf("failed to delete cephfs nodeplugin psp %v", err)
}
} }
var _ = Describe("cephfs", func() { var _ = Describe("cephfs", func() {

12
e2e/rbd.go
View File

@ -13,8 +13,10 @@ import (
var ( var (
rbdProvisioner = "csi-rbdplugin-provisioner.yaml" rbdProvisioner = "csi-rbdplugin-provisioner.yaml"
rbdProvisionerRBAC = "csi-provisioner-rbac.yaml" rbdProvisionerRBAC = "csi-provisioner-rbac.yaml"
rbdProvisionerPSP = "csi-provisioner-psp.yaml"
rbdNodePlugin = "csi-rbdplugin.yaml" rbdNodePlugin = "csi-rbdplugin.yaml"
rbdNodePluginRBAC = "csi-nodeplugin-rbac.yaml" rbdNodePluginRBAC = "csi-nodeplugin-rbac.yaml"
rbdNodePluginPSP = "csi-nodeplugin-psp.yaml"
configMap = "csi-config-map.yaml" configMap = "csi-config-map.yaml"
rbdDirPath = "../deploy/rbd/kubernetes/" rbdDirPath = "../deploy/rbd/kubernetes/"
rbdExamplePath = "../examples/rbd/" rbdExamplePath = "../examples/rbd/"
@ -30,9 +32,11 @@ func deployRBDPlugin() {
// deploy provisioner // deploy provisioner
framework.RunKubectlOrDie("create", "-f", rbdDirPath+rbdProvisioner) framework.RunKubectlOrDie("create", "-f", rbdDirPath+rbdProvisioner)
framework.RunKubectlOrDie("create", "-f", rbdDirPath+rbdProvisionerRBAC) framework.RunKubectlOrDie("create", "-f", rbdDirPath+rbdProvisionerRBAC)
framework.RunKubectlOrDie("create", "-f", rbdDirPath+rbdProvisionerPSP)
// deploy nodeplugin // deploy nodeplugin
framework.RunKubectlOrDie("create", "-f", rbdDirPath+rbdNodePlugin) framework.RunKubectlOrDie("create", "-f", rbdDirPath+rbdNodePlugin)
framework.RunKubectlOrDie("create", "-f", rbdDirPath+rbdNodePluginRBAC) framework.RunKubectlOrDie("create", "-f", rbdDirPath+rbdNodePluginRBAC)
framework.RunKubectlOrDie("create", "-f", rbdDirPath+rbdNodePluginPSP)
} }
func deleteRBDPlugin() { func deleteRBDPlugin() {
@ -44,6 +48,10 @@ func deleteRBDPlugin() {
if err != nil { if err != nil {
e2elog.Logf("failed to delete provisioner rbac %v", err) e2elog.Logf("failed to delete provisioner rbac %v", err)
} }
_, err = framework.RunKubectl("delete", "-f", rbdDirPath+rbdProvisionerPSP)
if err != nil {
e2elog.Logf("failed to delete provisioner psp %v", err)
}
_, err = framework.RunKubectl("delete", "-f", rbdDirPath+rbdNodePlugin) _, err = framework.RunKubectl("delete", "-f", rbdDirPath+rbdNodePlugin)
if err != nil { if err != nil {
e2elog.Logf("failed to delete nodeplugin %v", err) e2elog.Logf("failed to delete nodeplugin %v", err)
@ -52,6 +60,10 @@ func deleteRBDPlugin() {
if err != nil { if err != nil {
e2elog.Logf("failed to delete nodeplugin rbac %v", err) e2elog.Logf("failed to delete nodeplugin rbac %v", err)
} }
_, err = framework.RunKubectl("delete", "-f", rbdDirPath+rbdNodePluginPSP)
if err != nil {
e2elog.Logf("failed to delete nodeplugin psp %v", err)
}
} }
var _ = Describe("RBD", func() { var _ = Describe("RBD", func() {

15
scripts/minikube.sh
View File

@ -53,6 +53,13 @@ function install_kubectl() {
curl -Lo kubectl https://storage.googleapis.com/kubernetes-release/release/"${KUBE_VERSION}"/bin/linux/"${MINIKUBE_ARCH}"/kubectl && chmod +x kubectl && mv kubectl /usr/local/bin/ curl -Lo kubectl https://storage.googleapis.com/kubernetes-release/release/"${KUBE_VERSION}"/bin/linux/"${MINIKUBE_ARCH}"/kubectl && chmod +x kubectl && mv kubectl /usr/local/bin/
} }
function enable_psp() {
echo "prepare minikube to support pod security policies"
mkdir -p "$HOME"/.minikube/files/etc/kubernetes/addons
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
cp "$DIR"/psp.yaml "$HOME"/.minikube/files/etc/kubernetes/addons/psp.yaml
}
# configure minikube # configure minikube
MINIKUBE_ARCH=${MINIKUBE_ARCH:-"amd64"} MINIKUBE_ARCH=${MINIKUBE_ARCH:-"amd64"}
MINIKUBE_VERSION=${MINIKUBE_VERSION:-"latest"} MINIKUBE_VERSION=${MINIKUBE_VERSION:-"latest"}
@ -71,6 +78,9 @@ fi
#feature-gates for kube #feature-gates for kube
K8S_FEATURE_GATES=${K8S_FEATURE_GATES:-"BlockVolume=true,CSIBlockVolume=true,VolumeSnapshotDataSource=true,ExpandCSIVolumes=true"} K8S_FEATURE_GATES=${K8S_FEATURE_GATES:-"BlockVolume=true,CSIBlockVolume=true,VolumeSnapshotDataSource=true,ExpandCSIVolumes=true"}
#extra-config for kube https://minikube.sigs.k8s.io/docs/reference/configuration/kubernetes/
EXTRA_CONFIG=${EXTRA_CONFIG:-"--extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy"}
case "${1:-}" in case "${1:-}" in
up) up)
install_minikube install_minikube
@ -80,8 +90,11 @@ up)
install_kubectl install_kubectl
fi fi
enable_psp
echo "starting minikube with kubeadm bootstrapper" echo "starting minikube with kubeadm bootstrapper"
minikube start --memory="${MEMORY}" -b kubeadm --kubernetes-version="${KUBE_VERSION}" --vm-driver="${VM_DRIVER}" --feature-gates="${K8S_FEATURE_GATES}" # shellcheck disable=SC2086
minikube start --memory="${MEMORY}" -b kubeadm --kubernetes-version="${KUBE_VERSION}" --vm-driver="${VM_DRIVER}" --feature-gates="${K8S_FEATURE_GATES}" ${EXTRA_CONFIG}
# create a link so the default dataDirHostPath will work for this # create a link so the default dataDirHostPath will work for this
# environment # environment

135
scripts/psp.yaml Normal file
View File

@ -0,0 +1,135 @@
# Required PodSecurityPolicies, Roles and RoleBindings
# for minikube to bootstrap when PSPs are enabled
# https://minikube.sigs.k8s.io/docs/tutorials/using_psp/
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: privileged
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
labels:
addonmanager.kubernetes.io/mode: EnsureExists
spec:
privileged: true
allowPrivilegeEscalation: true
allowedCapabilities:
- "*"
volumes:
- "*"
hostNetwork: true
hostPorts:
- min: 0
max: 65535
hostIPC: true
hostPID: true
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: restricted
labels:
addonmanager.kubernetes.io/mode: EnsureExists
spec:
privileged: false
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
- 'persistentVolumeClaim'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
readOnlyRootFilesystem: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: psp:privileged
labels:
addonmanager.kubernetes.io/mode: EnsureExists
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- privileged
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: psp:restricted
labels:
addonmanager.kubernetes.io/mode: EnsureExists
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- restricted
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: default:restricted
labels:
addonmanager.kubernetes.io/mode: EnsureExists
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: psp:restricted
subjects:
- kind: Group
name: system:authenticated
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: default:privileged
namespace: kube-system
labels:
addonmanager.kubernetes.io/mode: EnsureExists
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: psp:privileged
subjects:
- kind: Group
name: system:masters
apiGroup: rbac.authorization.k8s.io
- kind: Group
name: system:nodes
apiGroup: rbac.authorization.k8s.io
- kind: Group
name: system:serviceaccounts:kube-system
apiGroup: rbac.authorization.k8s.io