calico-host-protection: add psp rule

Calico host endpoint controller only needs to talk to the apiserver and should not be granted privileged PSP. Update deprecated apiVersion for clusterrole and clusterrolebinding. closes: #287 Signed-off-by: knrt10 <kautilya@kinvolk.io>
kinvolk · Dec 18, 2020 · f6518da · f6518da
1 parent 96a0488
commit f6518da
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 4 deletions.
diff --git a/assets/charts/control-plane/calico-host-protection/templates/host-endpoint-controller.yaml b/assets/charts/control-plane/calico-host-protection/templates/host-endpoint-controller.yaml
@@ -43,7 +43,7 @@ spec:
 
 ---
 # rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: calico-hostendpoint-controller-role
@@ -61,8 +61,12 @@ rules:
    - delete
    # To use kubectl apply on resources that already exist
    - patch
+- apiGroups: ["policy"]
+  resources: ["podsecuritypolicies"]
+  verbs: ["use"]
+  resourceNames: ["zz-minimal"]
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: calico-hostendpoint-controller-role-binding

diff --git a/pkg/assets/generated_assets.go b/pkg/assets/generated_assets.go