mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-11-23 14:50:24 +00:00
parent
31d449f636
commit
abaf14a12d
@ -167,7 +167,7 @@ spec:
|
|||||||
type: DirectoryOrCreate
|
type: DirectoryOrCreate
|
||||||
- name: registration-dir
|
- name: registration-dir
|
||||||
hostPath:
|
hostPath:
|
||||||
path: /var/lib/kubelet/plugins_registry/
|
path: {{ .Values.registrationDir }}
|
||||||
type: Directory
|
type: Directory
|
||||||
- name: mountpoint-dir
|
- name: mountpoint-dir
|
||||||
hostPath:
|
hostPath:
|
||||||
|
49
charts/ceph-csi-cephfs/templates/nodeplugin-psp.yaml
Normal file
49
charts/ceph-csi-cephfs/templates/nodeplugin-psp.yaml
Normal file
@ -0,0 +1,49 @@
|
|||||||
|
{{- if .Values.nodeplugin.podSecurityPolicy.enabled -}}
|
||||||
|
apiVersion: policy/v1beta1
|
||||||
|
kind: PodSecurityPolicy
|
||||||
|
metadata:
|
||||||
|
name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "ceph-csi-cephfs.fullname" . }}
|
||||||
|
chart: {{ include "ceph-csi-cephfs.chart" . }}
|
||||||
|
component: {{ .Values.nodeplugin.name }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
heritage: {{ .Release.Service }}
|
||||||
|
spec:
|
||||||
|
allowPrivilegeEscalation: true
|
||||||
|
allowedCapabilities:
|
||||||
|
- 'SYS_ADMIN'
|
||||||
|
fsGroup:
|
||||||
|
rule: RunAsAny
|
||||||
|
privileged: true
|
||||||
|
hostNetwork: true
|
||||||
|
hostPID: true
|
||||||
|
runAsUser:
|
||||||
|
rule: RunAsAny
|
||||||
|
seLinux:
|
||||||
|
rule: RunAsAny
|
||||||
|
supplementalGroups:
|
||||||
|
rule: RunAsAny
|
||||||
|
volumes:
|
||||||
|
- 'configMap'
|
||||||
|
- 'emptyDir'
|
||||||
|
- 'projected'
|
||||||
|
- 'secret'
|
||||||
|
- 'downwardAPI'
|
||||||
|
- 'hostPath'
|
||||||
|
allowedHostPaths:
|
||||||
|
- pathPrefix: '/dev'
|
||||||
|
readOnly: false
|
||||||
|
- pathPrefix: '/sys'
|
||||||
|
readOnly: false
|
||||||
|
- pathPrefix: '/lib/modules'
|
||||||
|
readOnly: true
|
||||||
|
- pathPrefix: '/var/lib/kubelet/pods'
|
||||||
|
readOnly: false
|
||||||
|
- pathPrefix: '{{ .Values.socketDir }}'
|
||||||
|
readOnly: false
|
||||||
|
- pathPrefix: '{{ .Values.registrationDir }}'
|
||||||
|
readOnly: false
|
||||||
|
- pathPrefix: '{{ .Values.pluginDir }}'
|
||||||
|
readOnly: false
|
||||||
|
{{- end }}
|
18
charts/ceph-csi-cephfs/templates/nodeplugin-role.yaml
Normal file
18
charts/ceph-csi-cephfs/templates/nodeplugin-role.yaml
Normal file
@ -0,0 +1,18 @@
|
|||||||
|
{{- if and .Values.rbac.create .Values.nodeplugin.podSecurityPolicy.enabled -}}
|
||||||
|
kind: Role
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "ceph-csi-cephfs.fullname" . }}
|
||||||
|
chart: {{ include "ceph-csi-cephfs.chart" . }}
|
||||||
|
component: {{ .Values.nodeplugin.name }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
heritage: {{ .Release.Service }}
|
||||||
|
rules:
|
||||||
|
- apiGroups: ['policy']
|
||||||
|
resources: ['podsecuritypolicies']
|
||||||
|
verbs: ['use']
|
||||||
|
resourceNames: ['{{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}']
|
||||||
|
{{- end -}}
|
21
charts/ceph-csi-cephfs/templates/nodeplugin-rolebinding.yaml
Normal file
21
charts/ceph-csi-cephfs/templates/nodeplugin-rolebinding.yaml
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
{{- if and .Values.rbac.create .Values.nodeplugin.podSecurityPolicy.enabled -}}
|
||||||
|
kind: RoleBinding
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "ceph-csi-cephfs.fullname" . }}
|
||||||
|
chart: {{ include "ceph-csi-cephfs.chart" . }}
|
||||||
|
component: {{ .Values.nodeplugin.name }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
heritage: {{ .Release.Service }}
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: {{ include "ceph-csi-cephfs.serviceAccountName.nodeplugin" . }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
roleRef:
|
||||||
|
kind: Role
|
||||||
|
name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
{{- end -}}
|
39
charts/ceph-csi-cephfs/templates/provisioner-psp.yaml
Normal file
39
charts/ceph-csi-cephfs/templates/provisioner-psp.yaml
Normal file
@ -0,0 +1,39 @@
|
|||||||
|
{{- if .Values.provisioner.podSecurityPolicy.enabled -}}
|
||||||
|
apiVersion: policy/v1beta1
|
||||||
|
kind: PodSecurityPolicy
|
||||||
|
metadata:
|
||||||
|
name: {{ include "ceph-csi-cephfs.provisioner.fullname" . }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "ceph-csi-cephfs.name" . }}
|
||||||
|
chart: {{ include "ceph-csi-cephfs.chart" . }}
|
||||||
|
component: {{ .Values.provisioner.name }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
heritage: {{ .Release.Service }}
|
||||||
|
spec:
|
||||||
|
allowPrivilegeEscalation: true
|
||||||
|
allowedCapabilities:
|
||||||
|
- 'SYS_ADMIN'
|
||||||
|
fsGroup:
|
||||||
|
rule: RunAsAny
|
||||||
|
privileged: true
|
||||||
|
runAsUser:
|
||||||
|
rule: RunAsAny
|
||||||
|
seLinux:
|
||||||
|
rule: RunAsAny
|
||||||
|
supplementalGroups:
|
||||||
|
rule: RunAsAny
|
||||||
|
volumes:
|
||||||
|
- 'configMap'
|
||||||
|
- 'emptyDir'
|
||||||
|
- 'projected'
|
||||||
|
- 'secret'
|
||||||
|
- 'downwardAPI'
|
||||||
|
- 'hostPath'
|
||||||
|
allowedHostPaths:
|
||||||
|
- pathPrefix: '/dev'
|
||||||
|
readOnly: false
|
||||||
|
- pathPrefix: '/sys'
|
||||||
|
readOnly: false
|
||||||
|
- pathPrefix: '/lib/modules'
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
@ -20,4 +20,10 @@ rules:
|
|||||||
- apiGroups: ["coordination.k8s.io"]
|
- apiGroups: ["coordination.k8s.io"]
|
||||||
resources: ["leases"]
|
resources: ["leases"]
|
||||||
verbs: ["get", "watch", "list", "delete", "update", "create"]
|
verbs: ["get", "watch", "list", "delete", "update", "create"]
|
||||||
|
{{- if .Values.provisioner.podSecurityPolicy.enabled }}
|
||||||
|
- apiGroups: ['policy']
|
||||||
|
resources: ['podsecuritypolicies']
|
||||||
|
verbs: ['use']
|
||||||
|
resourceNames: ['{{ include "ceph-csi-cephfs.provisioner.fullname" . }}']
|
||||||
|
{{- end -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
@ -114,6 +114,11 @@ nodeplugin:
|
|||||||
|
|
||||||
affinity: {}
|
affinity: {}
|
||||||
|
|
||||||
|
# If true, create & use Pod Security Policy resources
|
||||||
|
# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
|
||||||
|
podSecurityPolicy:
|
||||||
|
enabled: false
|
||||||
|
|
||||||
provisioner:
|
provisioner:
|
||||||
name: provisioner
|
name: provisioner
|
||||||
replicaCount: 3
|
replicaCount: 3
|
||||||
@ -213,6 +218,11 @@ provisioner:
|
|||||||
|
|
||||||
affinity: {}
|
affinity: {}
|
||||||
|
|
||||||
|
# If true, create & use Pod Security Policy resources
|
||||||
|
# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
|
||||||
|
podSecurityPolicy:
|
||||||
|
enabled: false
|
||||||
|
|
||||||
#########################################################
|
#########################################################
|
||||||
# Variables for 'internal' use please use with caution! #
|
# Variables for 'internal' use please use with caution! #
|
||||||
#########################################################
|
#########################################################
|
||||||
|
49
charts/ceph-csi-rbd/templates/nodeplugin-psp.yaml
Normal file
49
charts/ceph-csi-rbd/templates/nodeplugin-psp.yaml
Normal file
@ -0,0 +1,49 @@
|
|||||||
|
{{- if .Values.nodeplugin.podSecurityPolicy.enabled -}}
|
||||||
|
apiVersion: policy/v1beta1
|
||||||
|
kind: PodSecurityPolicy
|
||||||
|
metadata:
|
||||||
|
name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "ceph-csi-rbd.name" . }}
|
||||||
|
chart: {{ include "ceph-csi-rbd.chart" . }}
|
||||||
|
component: {{ .Values.nodeplugin.name }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
heritage: {{ .Release.Service }}
|
||||||
|
spec:
|
||||||
|
allowPrivilegeEscalation: true
|
||||||
|
allowedCapabilities:
|
||||||
|
- 'SYS_ADMIN'
|
||||||
|
fsGroup:
|
||||||
|
rule: RunAsAny
|
||||||
|
privileged: true
|
||||||
|
hostNetwork: true
|
||||||
|
hostPID: true
|
||||||
|
runAsUser:
|
||||||
|
rule: RunAsAny
|
||||||
|
seLinux:
|
||||||
|
rule: RunAsAny
|
||||||
|
supplementalGroups:
|
||||||
|
rule: RunAsAny
|
||||||
|
volumes:
|
||||||
|
- 'configMap'
|
||||||
|
- 'emptyDir'
|
||||||
|
- 'projected'
|
||||||
|
- 'secret'
|
||||||
|
- 'downwardAPI'
|
||||||
|
- 'hostPath'
|
||||||
|
allowedHostPaths:
|
||||||
|
- pathPrefix: '/dev'
|
||||||
|
readOnly: false
|
||||||
|
- pathPrefix: '/sys'
|
||||||
|
readOnly: false
|
||||||
|
- pathPrefix: '/lib/modules'
|
||||||
|
readOnly: true
|
||||||
|
- pathPrefix: '/var/lib/kubelet/pods'
|
||||||
|
readOnly: false
|
||||||
|
- pathPrefix: '{{ .Values.socketDir }}'
|
||||||
|
readOnly: false
|
||||||
|
- pathPrefix: '{{ .Values.registrationDir }}'
|
||||||
|
readOnly: false
|
||||||
|
- pathPrefix: '{{ .Values.pluginDir }}'
|
||||||
|
readOnly: false
|
||||||
|
{{- end }}
|
18
charts/ceph-csi-rbd/templates/nodeplugin-role.yaml
Normal file
18
charts/ceph-csi-rbd/templates/nodeplugin-role.yaml
Normal file
@ -0,0 +1,18 @@
|
|||||||
|
{{- if and .Values.rbac.create .Values.nodeplugin.podSecurityPolicy.enabled -}}
|
||||||
|
kind: Role
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "ceph-csi-rbd.name" . }}
|
||||||
|
chart: {{ include "ceph-csi-rbd.chart" . }}
|
||||||
|
component: {{ .Values.nodeplugin.name }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
heritage: {{ .Release.Service }}
|
||||||
|
rules:
|
||||||
|
- apiGroups: ['policy']
|
||||||
|
resources: ['podsecuritypolicies']
|
||||||
|
verbs: ['use']
|
||||||
|
resourceNames: ['{{ include "ceph-csi-rbd.nodeplugin.fullname" . }}']
|
||||||
|
{{- end -}}
|
21
charts/ceph-csi-rbd/templates/nodeplugin-rolebinding.yaml
Normal file
21
charts/ceph-csi-rbd/templates/nodeplugin-rolebinding.yaml
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
{{- if and .Values.rbac.create .Values.nodeplugin.podSecurityPolicy.enabled -}}
|
||||||
|
kind: RoleBinding
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "ceph-csi-rbd.name" . }}
|
||||||
|
chart: {{ include "ceph-csi-rbd.chart" . }}
|
||||||
|
component: {{ .Values.nodeplugin.name }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
heritage: {{ .Release.Service }}
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: {{ include "ceph-csi-rbd.serviceAccountName.nodeplugin" . }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
roleRef:
|
||||||
|
kind: Role
|
||||||
|
name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }}
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
{{- end -}}
|
39
charts/ceph-csi-rbd/templates/provisioner-psp.yaml
Normal file
39
charts/ceph-csi-rbd/templates/provisioner-psp.yaml
Normal file
@ -0,0 +1,39 @@
|
|||||||
|
{{- if .Values.provisioner.podSecurityPolicy.enabled -}}
|
||||||
|
apiVersion: policy/v1beta1
|
||||||
|
kind: PodSecurityPolicy
|
||||||
|
metadata:
|
||||||
|
name: {{ include "ceph-csi-rbd.provisioner.fullname" . }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "ceph-csi-rbd.name" . }}
|
||||||
|
chart: {{ include "ceph-csi-rbd.chart" . }}
|
||||||
|
component: {{ .Values.provisioner.name }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
heritage: {{ .Release.Service }}
|
||||||
|
spec:
|
||||||
|
allowPrivilegeEscalation: true
|
||||||
|
allowedCapabilities:
|
||||||
|
- 'SYS_ADMIN'
|
||||||
|
fsGroup:
|
||||||
|
rule: RunAsAny
|
||||||
|
privileged: true
|
||||||
|
runAsUser:
|
||||||
|
rule: RunAsAny
|
||||||
|
seLinux:
|
||||||
|
rule: RunAsAny
|
||||||
|
supplementalGroups:
|
||||||
|
rule: RunAsAny
|
||||||
|
volumes:
|
||||||
|
- 'configMap'
|
||||||
|
- 'emptyDir'
|
||||||
|
- 'projected'
|
||||||
|
- 'secret'
|
||||||
|
- 'downwardAPI'
|
||||||
|
- 'hostPath'
|
||||||
|
allowedHostPaths:
|
||||||
|
- pathPrefix: '/dev'
|
||||||
|
readOnly: false
|
||||||
|
- pathPrefix: '/sys'
|
||||||
|
readOnly: false
|
||||||
|
- pathPrefix: '/lib/modules'
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
@ -17,4 +17,10 @@ rules:
|
|||||||
- apiGroups: ["coordination.k8s.io"]
|
- apiGroups: ["coordination.k8s.io"]
|
||||||
resources: ["leases"]
|
resources: ["leases"]
|
||||||
verbs: ["get", "watch", "list", "delete", "update", "create"]
|
verbs: ["get", "watch", "list", "delete", "update", "create"]
|
||||||
|
{{- if .Values.provisioner.podSecurityPolicy.enabled }}
|
||||||
|
- apiGroups: ['policy']
|
||||||
|
resources: ['podsecuritypolicies']
|
||||||
|
verbs: ['use']
|
||||||
|
resourceNames: ['{{ include "ceph-csi-rbd.provisioner.fullname" . }}']
|
||||||
|
{{- end -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
@ -114,6 +114,11 @@ nodeplugin:
|
|||||||
|
|
||||||
affinity: {}
|
affinity: {}
|
||||||
|
|
||||||
|
# If true, create & use Pod Security Policy resources
|
||||||
|
# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
|
||||||
|
podSecurityPolicy:
|
||||||
|
enabled: false
|
||||||
|
|
||||||
provisioner:
|
provisioner:
|
||||||
name: provisioner
|
name: provisioner
|
||||||
replicaCount: 3
|
replicaCount: 3
|
||||||
@ -220,6 +225,11 @@ provisioner:
|
|||||||
|
|
||||||
affinity: {}
|
affinity: {}
|
||||||
|
|
||||||
|
# If true, create & use Pod Security Policy resources
|
||||||
|
# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
|
||||||
|
podSecurityPolicy:
|
||||||
|
enabled: false
|
||||||
|
|
||||||
#########################################################
|
#########################################################
|
||||||
# Variables for 'internal' use please use with caution! #
|
# Variables for 'internal' use please use with caution! #
|
||||||
#########################################################
|
#########################################################
|
||||||
|
72
deploy/cephfs/kubernetes/csi-nodeplugin-psp.yaml
Normal file
72
deploy/cephfs/kubernetes/csi-nodeplugin-psp.yaml
Normal file
@ -0,0 +1,72 @@
|
|||||||
|
---
|
||||||
|
apiVersion: policy/v1beta1
|
||||||
|
kind: PodSecurityPolicy
|
||||||
|
metadata:
|
||||||
|
name: cephfs-csi-nodeplugin-psp
|
||||||
|
spec:
|
||||||
|
allowPrivilegeEscalation: true
|
||||||
|
allowedCapabilities:
|
||||||
|
- 'SYS_ADMIN'
|
||||||
|
fsGroup:
|
||||||
|
rule: RunAsAny
|
||||||
|
privileged: true
|
||||||
|
hostNetwork: true
|
||||||
|
hostPID: true
|
||||||
|
runAsUser:
|
||||||
|
rule: RunAsAny
|
||||||
|
seLinux:
|
||||||
|
rule: RunAsAny
|
||||||
|
supplementalGroups:
|
||||||
|
rule: RunAsAny
|
||||||
|
volumes:
|
||||||
|
- 'configMap'
|
||||||
|
- 'emptyDir'
|
||||||
|
- 'projected'
|
||||||
|
- 'secret'
|
||||||
|
- 'downwardAPI'
|
||||||
|
- 'hostPath'
|
||||||
|
allowedHostPaths:
|
||||||
|
- pathPrefix: '/dev'
|
||||||
|
readOnly: false
|
||||||
|
- pathPrefix: '/sys'
|
||||||
|
readOnly: false
|
||||||
|
- pathPrefix: '/lib/modules'
|
||||||
|
readOnly: true
|
||||||
|
- pathPrefix: '/var/lib/kubelet/pods'
|
||||||
|
readOnly: false
|
||||||
|
- pathPrefix: '/var/lib/kubelet/plugins/cephfs.csi.ceph.com'
|
||||||
|
readOnly: false
|
||||||
|
- pathPrefix: '/var/lib/kubelet/plugins_registry'
|
||||||
|
readOnly: false
|
||||||
|
- pathPrefix: '/var/lib/kubelet/plugins'
|
||||||
|
readOnly: false
|
||||||
|
|
||||||
|
---
|
||||||
|
kind: Role
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: cephfs-csi-nodeplugin-psp
|
||||||
|
# replace with non-default namespace name
|
||||||
|
namespace: default
|
||||||
|
rules:
|
||||||
|
- apiGroups: ['policy']
|
||||||
|
resources: ['podsecuritypolicies']
|
||||||
|
verbs: ['use']
|
||||||
|
resourceNames: ['cephfs-csi-nodeplugin-psp']
|
||||||
|
|
||||||
|
---
|
||||||
|
kind: RoleBinding
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: cephfs-csi-nodeplugin-psp
|
||||||
|
# replace with non-default namespace name
|
||||||
|
namespace: default
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: cephfs-csi-nodeplugin
|
||||||
|
# replace with non-default namespace name
|
||||||
|
namespace: default
|
||||||
|
roleRef:
|
||||||
|
kind: Role
|
||||||
|
name: cephfs-csi-nodeplugin-psp
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
62
deploy/cephfs/kubernetes/csi-provisioner-psp.yaml
Normal file
62
deploy/cephfs/kubernetes/csi-provisioner-psp.yaml
Normal file
@ -0,0 +1,62 @@
|
|||||||
|
---
|
||||||
|
apiVersion: policy/v1beta1
|
||||||
|
kind: PodSecurityPolicy
|
||||||
|
metadata:
|
||||||
|
name: cephfs-csi-provisioner-psp
|
||||||
|
spec:
|
||||||
|
allowPrivilegeEscalation: true
|
||||||
|
allowedCapabilities:
|
||||||
|
- 'SYS_ADMIN'
|
||||||
|
fsGroup:
|
||||||
|
rule: RunAsAny
|
||||||
|
privileged: true
|
||||||
|
runAsUser:
|
||||||
|
rule: RunAsAny
|
||||||
|
seLinux:
|
||||||
|
rule: RunAsAny
|
||||||
|
supplementalGroups:
|
||||||
|
rule: RunAsAny
|
||||||
|
volumes:
|
||||||
|
- 'configMap'
|
||||||
|
- 'emptyDir'
|
||||||
|
- 'projected'
|
||||||
|
- 'secret'
|
||||||
|
- 'downwardAPI'
|
||||||
|
- 'hostPath'
|
||||||
|
allowedHostPaths:
|
||||||
|
- pathPrefix: '/dev'
|
||||||
|
readOnly: false
|
||||||
|
- pathPrefix: '/sys'
|
||||||
|
readOnly: false
|
||||||
|
- pathPrefix: '/lib/modules'
|
||||||
|
readOnly: true
|
||||||
|
|
||||||
|
---
|
||||||
|
kind: Role
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: cephfs-csi-provisioner-psp
|
||||||
|
# replace with non-default namespace name
|
||||||
|
namespace: default
|
||||||
|
rules:
|
||||||
|
- apiGroups: ['policy']
|
||||||
|
resources: ['podsecuritypolicies']
|
||||||
|
verbs: ['use']
|
||||||
|
resourceNames: ['cephfs-csi-provisioner-psp']
|
||||||
|
|
||||||
|
---
|
||||||
|
kind: RoleBinding
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: cephfs-csi-provisioner-psp
|
||||||
|
# replace with non-default namespace name
|
||||||
|
namespace: default
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: cephfs-csi-provisioner
|
||||||
|
# replace with non-default namespace name
|
||||||
|
namespace: default
|
||||||
|
roleRef:
|
||||||
|
kind: Role
|
||||||
|
name: cephfs-csi-provisioner-psp
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
72
deploy/rbd/kubernetes/csi-nodeplugin-psp.yaml
Normal file
72
deploy/rbd/kubernetes/csi-nodeplugin-psp.yaml
Normal file
@ -0,0 +1,72 @@
|
|||||||
|
---
|
||||||
|
apiVersion: policy/v1beta1
|
||||||
|
kind: PodSecurityPolicy
|
||||||
|
metadata:
|
||||||
|
name: rbd-csi-nodeplugin-psp
|
||||||
|
spec:
|
||||||
|
allowPrivilegeEscalation: true
|
||||||
|
allowedCapabilities:
|
||||||
|
- 'SYS_ADMIN'
|
||||||
|
fsGroup:
|
||||||
|
rule: RunAsAny
|
||||||
|
privileged: true
|
||||||
|
hostNetwork: true
|
||||||
|
hostPID: true
|
||||||
|
runAsUser:
|
||||||
|
rule: RunAsAny
|
||||||
|
seLinux:
|
||||||
|
rule: RunAsAny
|
||||||
|
supplementalGroups:
|
||||||
|
rule: RunAsAny
|
||||||
|
volumes:
|
||||||
|
- 'configMap'
|
||||||
|
- 'emptyDir'
|
||||||
|
- 'projected'
|
||||||
|
- 'secret'
|
||||||
|
- 'downwardAPI'
|
||||||
|
- 'hostPath'
|
||||||
|
allowedHostPaths:
|
||||||
|
- pathPrefix: '/dev'
|
||||||
|
readOnly: false
|
||||||
|
- pathPrefix: '/sys'
|
||||||
|
readOnly: false
|
||||||
|
- pathPrefix: '/lib/modules'
|
||||||
|
readOnly: true
|
||||||
|
- pathPrefix: '/var/lib/kubelet/pods'
|
||||||
|
readOnly: false
|
||||||
|
- pathPrefix: '/var/lib/kubelet/plugins/rbd.csi.ceph.com'
|
||||||
|
readOnly: false
|
||||||
|
- pathPrefix: '/var/lib/kubelet/plugins_registry'
|
||||||
|
readOnly: false
|
||||||
|
- pathPrefix: '/var/lib/kubelet/plugins'
|
||||||
|
readOnly: false
|
||||||
|
|
||||||
|
---
|
||||||
|
kind: Role
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: rbd-csi-nodeplugin-psp
|
||||||
|
# replace with non-default namespace name
|
||||||
|
namespace: default
|
||||||
|
rules:
|
||||||
|
- apiGroups: ['policy']
|
||||||
|
resources: ['podsecuritypolicies']
|
||||||
|
verbs: ['use']
|
||||||
|
resourceNames: ['rbd-csi-nodeplugin-psp']
|
||||||
|
|
||||||
|
---
|
||||||
|
kind: RoleBinding
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: rbd-csi-nodeplugin-psp
|
||||||
|
# replace with non-default namespace name
|
||||||
|
namespace: default
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: rbd-csi-nodeplugin
|
||||||
|
# replace with non-default namespace name
|
||||||
|
namespace: default
|
||||||
|
roleRef:
|
||||||
|
kind: Role
|
||||||
|
name: rbd-csi-nodeplugin-psp
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
62
deploy/rbd/kubernetes/csi-provisioner-psp.yaml
Normal file
62
deploy/rbd/kubernetes/csi-provisioner-psp.yaml
Normal file
@ -0,0 +1,62 @@
|
|||||||
|
---
|
||||||
|
apiVersion: policy/v1beta1
|
||||||
|
kind: PodSecurityPolicy
|
||||||
|
metadata:
|
||||||
|
name: rbd-csi-provisioner-psp
|
||||||
|
spec:
|
||||||
|
allowPrivilegeEscalation: true
|
||||||
|
allowedCapabilities:
|
||||||
|
- 'SYS_ADMIN'
|
||||||
|
fsGroup:
|
||||||
|
rule: RunAsAny
|
||||||
|
privileged: true
|
||||||
|
runAsUser:
|
||||||
|
rule: RunAsAny
|
||||||
|
seLinux:
|
||||||
|
rule: RunAsAny
|
||||||
|
supplementalGroups:
|
||||||
|
rule: RunAsAny
|
||||||
|
volumes:
|
||||||
|
- 'configMap'
|
||||||
|
- 'emptyDir'
|
||||||
|
- 'projected'
|
||||||
|
- 'secret'
|
||||||
|
- 'downwardAPI'
|
||||||
|
- 'hostPath'
|
||||||
|
allowedHostPaths:
|
||||||
|
- pathPrefix: '/dev'
|
||||||
|
readOnly: false
|
||||||
|
- pathPrefix: '/sys'
|
||||||
|
readOnly: false
|
||||||
|
- pathPrefix: '/lib/modules'
|
||||||
|
readOnly: true
|
||||||
|
|
||||||
|
---
|
||||||
|
kind: Role
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
# replace with non-default namespace name
|
||||||
|
namespace: default
|
||||||
|
name: rbd-csi-provisioner-psp
|
||||||
|
rules:
|
||||||
|
- apiGroups: ['policy']
|
||||||
|
resources: ['podsecuritypolicies']
|
||||||
|
verbs: ['use']
|
||||||
|
resourceNames: ['rbd-csi-provisioner-psp']
|
||||||
|
|
||||||
|
---
|
||||||
|
kind: RoleBinding
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: rbd-csi-provisioner-psp
|
||||||
|
# replace with non-default namespace name
|
||||||
|
namespace: default
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: rbd-csi-provisioner
|
||||||
|
# replace with non-default namespace name
|
||||||
|
namespace: default
|
||||||
|
roleRef:
|
||||||
|
kind: Role
|
||||||
|
name: rbd-csi-provisioner-psp
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
@ -138,6 +138,16 @@ Those manifests deploy service accounts, cluster roles and cluster role
|
|||||||
bindings. These are shared for both RBD and CephFS CSI plugins, as they require
|
bindings. These are shared for both RBD and CephFS CSI plugins, as they require
|
||||||
the same permissions.
|
the same permissions.
|
||||||
|
|
||||||
|
**Deploy PodSecurityPolicy resources for sidecar containers and node plugins:**
|
||||||
|
|
||||||
|
**NOTE:** These manifests are required only if [PodSecurityPolicy](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podsecuritypolicy)
|
||||||
|
admission controller is active on your cluster.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
kubectl create -f csi-provisioner-psp.yaml
|
||||||
|
kubectl create -f csi-nodeplugin-psp.yaml
|
||||||
|
```
|
||||||
|
|
||||||
**Deploy ConfigMap for CSI plugins:**
|
**Deploy ConfigMap for CSI plugins:**
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
|
@ -94,6 +94,16 @@ Those manifests deploy service accounts, cluster roles and cluster role
|
|||||||
bindings. These are shared for both RBD and CephFS CSI plugins, as they require
|
bindings. These are shared for both RBD and CephFS CSI plugins, as they require
|
||||||
the same permissions.
|
the same permissions.
|
||||||
|
|
||||||
|
**Deploy PodSecurityPolicy resources for sidecar containers and node plugins:**
|
||||||
|
|
||||||
|
**NOTE:** These manifests are required only if [PodSecurityPolicy](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podsecuritypolicy)
|
||||||
|
admission controller is active on your cluster.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
kubectl create -f csi-provisioner-psp.yaml
|
||||||
|
kubectl create -f csi-nodeplugin-psp.yaml
|
||||||
|
```
|
||||||
|
|
||||||
**Deploy ConfigMap for CSI plugins:**
|
**Deploy ConfigMap for CSI plugins:**
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
|
@ -13,8 +13,10 @@ import (
|
|||||||
var (
|
var (
|
||||||
cephfsProvisioner = "csi-cephfsplugin-provisioner.yaml"
|
cephfsProvisioner = "csi-cephfsplugin-provisioner.yaml"
|
||||||
cephfsProvisionerRBAC = "csi-provisioner-rbac.yaml"
|
cephfsProvisionerRBAC = "csi-provisioner-rbac.yaml"
|
||||||
|
cephfsProvisionerPSP = "csi-provisioner-psp.yaml"
|
||||||
cephfsNodePlugin = "csi-cephfsplugin.yaml"
|
cephfsNodePlugin = "csi-cephfsplugin.yaml"
|
||||||
cephfsNodePluginRBAC = "csi-nodeplugin-rbac.yaml"
|
cephfsNodePluginRBAC = "csi-nodeplugin-rbac.yaml"
|
||||||
|
cephfsNodePluginPSP = "csi-nodeplugin-psp.yaml"
|
||||||
cephfsDeploymentName = "csi-cephfsplugin-provisioner"
|
cephfsDeploymentName = "csi-cephfsplugin-provisioner"
|
||||||
cephfsDeamonSetName = "csi-cephfsplugin"
|
cephfsDeamonSetName = "csi-cephfsplugin"
|
||||||
cephfsDirPath = "../deploy/cephfs/kubernetes/"
|
cephfsDirPath = "../deploy/cephfs/kubernetes/"
|
||||||
@ -28,9 +30,11 @@ func deployCephfsPlugin() {
|
|||||||
// deploy provisioner
|
// deploy provisioner
|
||||||
framework.RunKubectlOrDie("create", "-f", cephfsDirPath+cephfsProvisioner)
|
framework.RunKubectlOrDie("create", "-f", cephfsDirPath+cephfsProvisioner)
|
||||||
framework.RunKubectlOrDie("create", "-f", cephfsDirPath+cephfsProvisionerRBAC)
|
framework.RunKubectlOrDie("create", "-f", cephfsDirPath+cephfsProvisionerRBAC)
|
||||||
|
framework.RunKubectlOrDie("create", "-f", cephfsDirPath+cephfsProvisionerPSP)
|
||||||
// deploy nodeplugin
|
// deploy nodeplugin
|
||||||
framework.RunKubectlOrDie("create", "-f", cephfsDirPath+cephfsNodePlugin)
|
framework.RunKubectlOrDie("create", "-f", cephfsDirPath+cephfsNodePlugin)
|
||||||
framework.RunKubectlOrDie("create", "-f", cephfsDirPath+cephfsNodePluginRBAC)
|
framework.RunKubectlOrDie("create", "-f", cephfsDirPath+cephfsNodePluginRBAC)
|
||||||
|
framework.RunKubectlOrDie("create", "-f", cephfsDirPath+cephfsNodePluginPSP)
|
||||||
}
|
}
|
||||||
|
|
||||||
func deleteCephfsPlugin() {
|
func deleteCephfsPlugin() {
|
||||||
@ -42,6 +46,10 @@ func deleteCephfsPlugin() {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
e2elog.Logf("failed to delete cephfs provisioner rbac %v", err)
|
e2elog.Logf("failed to delete cephfs provisioner rbac %v", err)
|
||||||
}
|
}
|
||||||
|
_, err = framework.RunKubectl("delete", "-f", cephfsDirPath+cephfsProvisionerPSP)
|
||||||
|
if err != nil {
|
||||||
|
e2elog.Logf("failed to delete cephfs provisioner psp %v", err)
|
||||||
|
}
|
||||||
_, err = framework.RunKubectl("delete", "-f", cephfsDirPath+cephfsNodePlugin)
|
_, err = framework.RunKubectl("delete", "-f", cephfsDirPath+cephfsNodePlugin)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
e2elog.Logf("failed to delete cephfs nodeplugin %v", err)
|
e2elog.Logf("failed to delete cephfs nodeplugin %v", err)
|
||||||
@ -50,6 +58,10 @@ func deleteCephfsPlugin() {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
e2elog.Logf("failed to delete cephfs nodeplugin rbac %v", err)
|
e2elog.Logf("failed to delete cephfs nodeplugin rbac %v", err)
|
||||||
}
|
}
|
||||||
|
_, err = framework.RunKubectl("delete", "-f", cephfsDirPath+cephfsNodePluginPSP)
|
||||||
|
if err != nil {
|
||||||
|
e2elog.Logf("failed to delete cephfs nodeplugin psp %v", err)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
var _ = Describe("cephfs", func() {
|
var _ = Describe("cephfs", func() {
|
||||||
|
12
e2e/rbd.go
12
e2e/rbd.go
@ -13,8 +13,10 @@ import (
|
|||||||
var (
|
var (
|
||||||
rbdProvisioner = "csi-rbdplugin-provisioner.yaml"
|
rbdProvisioner = "csi-rbdplugin-provisioner.yaml"
|
||||||
rbdProvisionerRBAC = "csi-provisioner-rbac.yaml"
|
rbdProvisionerRBAC = "csi-provisioner-rbac.yaml"
|
||||||
|
rbdProvisionerPSP = "csi-provisioner-psp.yaml"
|
||||||
rbdNodePlugin = "csi-rbdplugin.yaml"
|
rbdNodePlugin = "csi-rbdplugin.yaml"
|
||||||
rbdNodePluginRBAC = "csi-nodeplugin-rbac.yaml"
|
rbdNodePluginRBAC = "csi-nodeplugin-rbac.yaml"
|
||||||
|
rbdNodePluginPSP = "csi-nodeplugin-psp.yaml"
|
||||||
configMap = "csi-config-map.yaml"
|
configMap = "csi-config-map.yaml"
|
||||||
rbdDirPath = "../deploy/rbd/kubernetes/"
|
rbdDirPath = "../deploy/rbd/kubernetes/"
|
||||||
rbdExamplePath = "../examples/rbd/"
|
rbdExamplePath = "../examples/rbd/"
|
||||||
@ -30,9 +32,11 @@ func deployRBDPlugin() {
|
|||||||
// deploy provisioner
|
// deploy provisioner
|
||||||
framework.RunKubectlOrDie("create", "-f", rbdDirPath+rbdProvisioner)
|
framework.RunKubectlOrDie("create", "-f", rbdDirPath+rbdProvisioner)
|
||||||
framework.RunKubectlOrDie("create", "-f", rbdDirPath+rbdProvisionerRBAC)
|
framework.RunKubectlOrDie("create", "-f", rbdDirPath+rbdProvisionerRBAC)
|
||||||
|
framework.RunKubectlOrDie("create", "-f", rbdDirPath+rbdProvisionerPSP)
|
||||||
// deploy nodeplugin
|
// deploy nodeplugin
|
||||||
framework.RunKubectlOrDie("create", "-f", rbdDirPath+rbdNodePlugin)
|
framework.RunKubectlOrDie("create", "-f", rbdDirPath+rbdNodePlugin)
|
||||||
framework.RunKubectlOrDie("create", "-f", rbdDirPath+rbdNodePluginRBAC)
|
framework.RunKubectlOrDie("create", "-f", rbdDirPath+rbdNodePluginRBAC)
|
||||||
|
framework.RunKubectlOrDie("create", "-f", rbdDirPath+rbdNodePluginPSP)
|
||||||
}
|
}
|
||||||
|
|
||||||
func deleteRBDPlugin() {
|
func deleteRBDPlugin() {
|
||||||
@ -44,6 +48,10 @@ func deleteRBDPlugin() {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
e2elog.Logf("failed to delete provisioner rbac %v", err)
|
e2elog.Logf("failed to delete provisioner rbac %v", err)
|
||||||
}
|
}
|
||||||
|
_, err = framework.RunKubectl("delete", "-f", rbdDirPath+rbdProvisionerPSP)
|
||||||
|
if err != nil {
|
||||||
|
e2elog.Logf("failed to delete provisioner psp %v", err)
|
||||||
|
}
|
||||||
_, err = framework.RunKubectl("delete", "-f", rbdDirPath+rbdNodePlugin)
|
_, err = framework.RunKubectl("delete", "-f", rbdDirPath+rbdNodePlugin)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
e2elog.Logf("failed to delete nodeplugin %v", err)
|
e2elog.Logf("failed to delete nodeplugin %v", err)
|
||||||
@ -52,6 +60,10 @@ func deleteRBDPlugin() {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
e2elog.Logf("failed to delete nodeplugin rbac %v", err)
|
e2elog.Logf("failed to delete nodeplugin rbac %v", err)
|
||||||
}
|
}
|
||||||
|
_, err = framework.RunKubectl("delete", "-f", rbdDirPath+rbdNodePluginPSP)
|
||||||
|
if err != nil {
|
||||||
|
e2elog.Logf("failed to delete nodeplugin psp %v", err)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
var _ = Describe("RBD", func() {
|
var _ = Describe("RBD", func() {
|
||||||
|
@ -53,6 +53,13 @@ function install_kubectl() {
|
|||||||
curl -Lo kubectl https://storage.googleapis.com/kubernetes-release/release/"${KUBE_VERSION}"/bin/linux/"${MINIKUBE_ARCH}"/kubectl && chmod +x kubectl && mv kubectl /usr/local/bin/
|
curl -Lo kubectl https://storage.googleapis.com/kubernetes-release/release/"${KUBE_VERSION}"/bin/linux/"${MINIKUBE_ARCH}"/kubectl && chmod +x kubectl && mv kubectl /usr/local/bin/
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function enable_psp() {
|
||||||
|
echo "prepare minikube to support pod security policies"
|
||||||
|
mkdir -p "$HOME"/.minikube/files/etc/kubernetes/addons
|
||||||
|
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
|
||||||
|
cp "$DIR"/psp.yaml "$HOME"/.minikube/files/etc/kubernetes/addons/psp.yaml
|
||||||
|
}
|
||||||
|
|
||||||
# configure minikube
|
# configure minikube
|
||||||
MINIKUBE_ARCH=${MINIKUBE_ARCH:-"amd64"}
|
MINIKUBE_ARCH=${MINIKUBE_ARCH:-"amd64"}
|
||||||
MINIKUBE_VERSION=${MINIKUBE_VERSION:-"latest"}
|
MINIKUBE_VERSION=${MINIKUBE_VERSION:-"latest"}
|
||||||
@ -71,6 +78,9 @@ fi
|
|||||||
#feature-gates for kube
|
#feature-gates for kube
|
||||||
K8S_FEATURE_GATES=${K8S_FEATURE_GATES:-"BlockVolume=true,CSIBlockVolume=true,VolumeSnapshotDataSource=true,ExpandCSIVolumes=true"}
|
K8S_FEATURE_GATES=${K8S_FEATURE_GATES:-"BlockVolume=true,CSIBlockVolume=true,VolumeSnapshotDataSource=true,ExpandCSIVolumes=true"}
|
||||||
|
|
||||||
|
#extra-config for kube https://minikube.sigs.k8s.io/docs/reference/configuration/kubernetes/
|
||||||
|
EXTRA_CONFIG=${EXTRA_CONFIG:-"--extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy"}
|
||||||
|
|
||||||
case "${1:-}" in
|
case "${1:-}" in
|
||||||
up)
|
up)
|
||||||
install_minikube
|
install_minikube
|
||||||
@ -80,8 +90,11 @@ up)
|
|||||||
install_kubectl
|
install_kubectl
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
enable_psp
|
||||||
|
|
||||||
echo "starting minikube with kubeadm bootstrapper"
|
echo "starting minikube with kubeadm bootstrapper"
|
||||||
minikube start --memory="${MEMORY}" -b kubeadm --kubernetes-version="${KUBE_VERSION}" --vm-driver="${VM_DRIVER}" --feature-gates="${K8S_FEATURE_GATES}"
|
# shellcheck disable=SC2086
|
||||||
|
minikube start --memory="${MEMORY}" -b kubeadm --kubernetes-version="${KUBE_VERSION}" --vm-driver="${VM_DRIVER}" --feature-gates="${K8S_FEATURE_GATES}" ${EXTRA_CONFIG}
|
||||||
|
|
||||||
# create a link so the default dataDirHostPath will work for this
|
# create a link so the default dataDirHostPath will work for this
|
||||||
# environment
|
# environment
|
||||||
|
135
scripts/psp.yaml
Normal file
135
scripts/psp.yaml
Normal file
@ -0,0 +1,135 @@
|
|||||||
|
# Required PodSecurityPolicies, Roles and RoleBindings
|
||||||
|
# for minikube to bootstrap when PSPs are enabled
|
||||||
|
# https://minikube.sigs.k8s.io/docs/tutorials/using_psp/
|
||||||
|
---
|
||||||
|
apiVersion: policy/v1beta1
|
||||||
|
kind: PodSecurityPolicy
|
||||||
|
metadata:
|
||||||
|
name: privileged
|
||||||
|
annotations:
|
||||||
|
seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
|
||||||
|
labels:
|
||||||
|
addonmanager.kubernetes.io/mode: EnsureExists
|
||||||
|
spec:
|
||||||
|
privileged: true
|
||||||
|
allowPrivilegeEscalation: true
|
||||||
|
allowedCapabilities:
|
||||||
|
- "*"
|
||||||
|
volumes:
|
||||||
|
- "*"
|
||||||
|
hostNetwork: true
|
||||||
|
hostPorts:
|
||||||
|
- min: 0
|
||||||
|
max: 65535
|
||||||
|
hostIPC: true
|
||||||
|
hostPID: true
|
||||||
|
runAsUser:
|
||||||
|
rule: 'RunAsAny'
|
||||||
|
seLinux:
|
||||||
|
rule: 'RunAsAny'
|
||||||
|
supplementalGroups:
|
||||||
|
rule: 'RunAsAny'
|
||||||
|
fsGroup:
|
||||||
|
rule: 'RunAsAny'
|
||||||
|
---
|
||||||
|
apiVersion: policy/v1beta1
|
||||||
|
kind: PodSecurityPolicy
|
||||||
|
metadata:
|
||||||
|
name: restricted
|
||||||
|
labels:
|
||||||
|
addonmanager.kubernetes.io/mode: EnsureExists
|
||||||
|
spec:
|
||||||
|
privileged: false
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
requiredDropCapabilities:
|
||||||
|
- ALL
|
||||||
|
volumes:
|
||||||
|
- 'configMap'
|
||||||
|
- 'emptyDir'
|
||||||
|
- 'projected'
|
||||||
|
- 'secret'
|
||||||
|
- 'downwardAPI'
|
||||||
|
- 'persistentVolumeClaim'
|
||||||
|
hostNetwork: false
|
||||||
|
hostIPC: false
|
||||||
|
hostPID: false
|
||||||
|
runAsUser:
|
||||||
|
rule: 'MustRunAsNonRoot'
|
||||||
|
seLinux:
|
||||||
|
rule: 'RunAsAny'
|
||||||
|
supplementalGroups:
|
||||||
|
rule: 'MustRunAs'
|
||||||
|
ranges:
|
||||||
|
# Forbid adding the root group.
|
||||||
|
- min: 1
|
||||||
|
max: 65535
|
||||||
|
fsGroup:
|
||||||
|
rule: 'MustRunAs'
|
||||||
|
ranges:
|
||||||
|
# Forbid adding the root group.
|
||||||
|
- min: 1
|
||||||
|
max: 65535
|
||||||
|
readOnlyRootFilesystem: false
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: psp:privileged
|
||||||
|
labels:
|
||||||
|
addonmanager.kubernetes.io/mode: EnsureExists
|
||||||
|
rules:
|
||||||
|
- apiGroups: ['policy']
|
||||||
|
resources: ['podsecuritypolicies']
|
||||||
|
verbs: ['use']
|
||||||
|
resourceNames:
|
||||||
|
- privileged
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: psp:restricted
|
||||||
|
labels:
|
||||||
|
addonmanager.kubernetes.io/mode: EnsureExists
|
||||||
|
rules:
|
||||||
|
- apiGroups: ['policy']
|
||||||
|
resources: ['podsecuritypolicies']
|
||||||
|
verbs: ['use']
|
||||||
|
resourceNames:
|
||||||
|
- restricted
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: default:restricted
|
||||||
|
labels:
|
||||||
|
addonmanager.kubernetes.io/mode: EnsureExists
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: psp:restricted
|
||||||
|
subjects:
|
||||||
|
- kind: Group
|
||||||
|
name: system:authenticated
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: default:privileged
|
||||||
|
namespace: kube-system
|
||||||
|
labels:
|
||||||
|
addonmanager.kubernetes.io/mode: EnsureExists
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: psp:privileged
|
||||||
|
subjects:
|
||||||
|
- kind: Group
|
||||||
|
name: system:masters
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
- kind: Group
|
||||||
|
name: system:nodes
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
- kind: Group
|
||||||
|
name: system:serviceaccounts:kube-system
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
Loading…
Reference in New Issue
Block a user