This repository has been archived by the owner on Jun 29, 2022. It is now read-only.

calico-host-protection: add psp rule #1274

Merged 3 commits into master from knrt10/calico-host-protection-psp-update on Dec 24, 2020

Conversation

@knrt10 (Member) commented Dec 18, 2020

Calico host endpoint controller only needs to talk to the apiserver and
should not be granted privileged PSP.

Update deprecated apiVersion for clusterrole and clusterrolebinding.

closes: #287
Signed-off-by: knrt10 <kautilya@kinvolk.io>

@knrt10 knrt10 requested review from surajssd and invidian December 18, 2020 07:16
@knrt10 knrt10 changed the title calico-host-protection: add psp to resource calico-host-protection: add psp rule Dec 18, 2020
@knrt10 knrt10 force-pushed the knrt10/calico-host-protection-psp-update branch 2 times, most recently from 4d39991 to f6518da on December 18, 2020 07:21
@knrt10 knrt10 requested a review from ipochi December 18, 2020 12:57
@knrt10 (Member, Author) commented Dec 21, 2020

kc auth can-i --list --as="system:serviceaccount:kube-system:calico-hostendpoint-controller" has both

podsecuritypolicies.policy                      []                  [zz-minimal]      [use]
podsecuritypolicies.policy                      []                  [zz-privileged]   [use]

listed as we have set privileged policy for all Serviceaccounts in kube-system namespace.

Pod created using calico-hostendpoint-controller still does not use zz-minimal policy.

Trying to debug why this is happening
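As an added illustration, not part of this PR or of the repository's code, the following Python simulates the documented PodSecurityPolicy selection rule (a policy that admits the pod without mutating it is preferred; only when every candidate would mutate the pod does name order decide), which is one possible reason a pod whose service account may use both policies ends up annotated with zz-privileged instead of zz-minimal. The policy fields and pod specs below are constructed assumptions, not the real manifests.

```python
"""Simulate PodSecurityPolicy admission choosing between several PSPs
that a service account is allowed to `use`.

Documented rule: policies that admit the pod as-is are preferred; if
every candidate would default/mutate the pod, the first by name wins.
"""

PSP_ANNOTATION = "kubernetes.io/psp"

# Constructed policies resembling the zz-minimal / zz-privileged pair;
# only the fields this simulation inspects are modelled (assumption).
POLICIES = {
    "zz-minimal": {"privileged": False, "hostNetwork": False,
                   "requiredDropCapabilities": ["ALL"]},
    "zz-privileged": {"privileged": True, "hostNetwork": True,
                      "requiredDropCapabilities": []},
}


def evaluate(policy, pod):
    """Return (admitted, mutated) for one policy against a pod spec."""
    if pod.get("privileged") and not policy["privileged"]:
        return False, False
    if pod.get("hostNetwork") and not policy["hostNetwork"]:
        return False, False
    dropped = set(pod.get("dropCapabilities", []))
    # Required drops missing from the pod would be defaulted in,
    # which counts as a mutation of the pod.
    mutated = not set(policy["requiredDropCapabilities"]) <= dropped
    return True, mutated


def select_psp(policies, pod, allowed_names):
    """Name of the PSP admission would record, or None if rejected."""
    candidates = sorted(n for n in allowed_names if n in policies)
    non_mutating = [n for n in candidates
                    if evaluate(policies[n], pod) == (True, False)]
    if non_mutating:
        return non_mutating[0]
    for name in candidates:  # name order decides among mutating policies
        admitted, _ = evaluate(policies[name], pod)
        if admitted:
            return name
    return None


def psp_annotation(policies, pod, allowed_names):
    """Annotation map a test could compare against the expected PSP."""
    chosen = select_psp(policies, pod, allowed_names)
    return {PSP_ANNOTATION: chosen} if chosen else {}
```

Granting a dedicated, non-privileged PSP to only this service account (rather than letting it use zz-privileged as well) removes the non-mutating privileged candidate from the selection entirely.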

@knrt10 knrt10 force-pushed the knrt10/calico-host-protection-psp-update branch 2 times, most recently from 5a249a2 to ec26c47 on December 23, 2020 10:34
Calico host endpoint controller only needs to talk to the apiserver and
should not be granted privileged PSP.

Add new psp for calico-host-protection.

closes: #287
Signed-off-by: knrt10 <kautilya@kinvolk.io>

This adds a test to check the annotation on the respective pod, so that the
correct annotation value is applied for "kubernetes.io/psp".

Signed-off-by: knrt10 <kautilya@kinvolk.io>

Update deprecated apiVersion for clusterrole and clusterrolebinding.
Also lint rules.

Signed-off-by: knrt10 <kautilya@kinvolk.io>
@knrt10 knrt10 force-pushed the knrt10/calico-host-protection-psp-update branch from ec26c47 to e10865e on December 23, 2020 11:34
@knrt10 knrt10 requested a review from invidian December 23, 2020 11:34
@surajssd (Member) left a comment

LGTM

@knrt10 knrt10 merged commit a6113fe into master Dec 24, 2020
@knrt10 knrt10 deleted the knrt10/calico-host-protection-psp-update branch December 24, 2020 09:31
Development

Successfully merging this pull request may close these issues:

host endpoint controller is granted privileged PSP