-
Notifications
You must be signed in to change notification settings - Fork 39.9k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #55509 from tallclair/psp-addons
Automatic merge from submit-queue (batch tested with PRs 54602, 54877, 55243, 55509, 55128). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. PodSecurityPolicies for addons **What this PR does / why we need it**: 1. Colocate addon PodSecurityPolicy config with the addons (in a `podsecuritypolicies` subdirectory). 2. Add policies for addons that are currently missing policies (not in the default GCE suite) 3. Remove HostPath SSL certs from several heapster deployments, so that heapster doesn't require a special PSP **Which issue(s) this PR fixes**: #43538 **Release note**: ```release-note - Add PodSecurityPolicies for cluster addons - Remove SSL cert HostPath volumes from heapster addons ```
- Loading branch information
Showing
20 changed files
with
160 additions
and
61 deletions.
There are no files selected for viewing
16 changes: 16 additions & 0 deletions
16
cluster/addons/calico-policy-controller/podsecuritypolicies/calico-node-psp-binding.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: RoleBinding | ||
metadata: | ||
name: gce:podsecuritypolicy:calico | ||
namespace: kube-system | ||
labels: | ||
addonmanager.kubernetes.io/mode: Reconcile | ||
kubernetes.io/cluster-service: "true" | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: gce:podsecuritypolicy:privileged | ||
subjects: | ||
- kind: ServiceAccount | ||
name: calico | ||
namespace: kube-system |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
16 changes: 16 additions & 0 deletions
16
...addons/etcd-empty-dir-cleanup/podsecuritypolicies/etcd-empty-dir-cleanup-psp-binding.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: RoleBinding | ||
metadata: | ||
name: gce:podsecuritypolicy:etcd-empty-dir-cleanup | ||
namespace: kube-system | ||
labels: | ||
addonmanager.kubernetes.io/mode: Reconcile | ||
kubernetes.io/cluster-service: "true" | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: Role | ||
name: gce:podsecuritypolicy:etcd-empty-dir-cleanup | ||
subjects: | ||
- kind: ServiceAccount | ||
name: etcd-empty-dir-cleanup | ||
namespace: kube-system |
17 changes: 17 additions & 0 deletions
17
...er/addons/etcd-empty-dir-cleanup/podsecuritypolicies/etcd-empty-dir-cleanup-psp-role.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: Role | ||
metadata: | ||
name: gce:podsecuritypolicy:etcd-empty-dir-cleanup | ||
namespace: kube-system | ||
labels: | ||
kubernetes.io/cluster-service: "true" | ||
addonmanager.kubernetes.io/mode: Reconcile | ||
rules: | ||
- apiGroups: | ||
- extensions | ||
resourceNames: | ||
- gce.etcd-empty-dir-cleanup | ||
resources: | ||
- podsecuritypolicies | ||
verbs: | ||
- use |
31 changes: 31 additions & 0 deletions
31
cluster/addons/etcd-empty-dir-cleanup/podsecuritypolicies/etcd-empty-dir-cleanup-psp.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
apiVersion: extensions/v1beta1 | ||
kind: PodSecurityPolicy | ||
metadata: | ||
name: gce.etcd-empty-dir-cleanup | ||
annotations: | ||
kubernetes.io/description: 'Policy used by the etcd-empty-dir-cleanup addon.' | ||
# TODO: etcd-empty-dir-cleanup should run with the default seccomp profile | ||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' | ||
# 'runtime/default' is already the default, but must be filled in on the | ||
# pod to pass admission. | ||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' | ||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' | ||
labels: | ||
kubernetes.io/cluster-service: 'true' | ||
addonmanager.kubernetes.io/mode: Reconcile | ||
spec: | ||
privileged: false | ||
volumes: | ||
- 'secret' | ||
hostNetwork: true | ||
hostIPC: false | ||
hostPID: false | ||
runAsUser: | ||
rule: 'RunAsAny' | ||
seLinux: | ||
rule: 'RunAsAny' | ||
supplementalGroups: | ||
rule: 'RunAsAny' | ||
fsGroup: | ||
rule: 'RunAsAny' | ||
readOnlyRootFilesystem: false |
16 changes: 16 additions & 0 deletions
16
cluster/addons/fluentd-elasticsearch/podsecuritypolicies/es-psp-binding.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: RoleBinding | ||
metadata: | ||
name: gce:podsecuritypolicy:elasticsearch-logging | ||
namespace: kube-system | ||
labels: | ||
addonmanager.kubernetes.io/mode: Reconcile | ||
kubernetes.io/cluster-service: "true" | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: gce:podsecuritypolicy:privileged | ||
subjects: | ||
- kind: ServiceAccount | ||
name: elasticsearch-logging | ||
namespace: kube-system |
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
16 changes: 16 additions & 0 deletions
16
cluster/addons/ip-masq-agent/podsecuritypolicies/ip-masq-agent-psp-binding.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: RoleBinding | ||
metadata: | ||
name: gce:podsecuritypolicy:ip-masq-agent | ||
namespace: kube-system | ||
labels: | ||
addonmanager.kubernetes.io/mode: Reconcile | ||
kubernetes.io/cluster-service: "true" | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: gce:podsecuritypolicy:privileged | ||
subjects: | ||
- kind: ServiceAccount | ||
name: ip-masq-agent | ||
namespace: kube-system |
File renamed without changes.
File renamed without changes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters