From b32cb5e6ba6875fad00556d4a92f3428cc84eacc Mon Sep 17 00:00:00 2001
From: colvin
Date: Thu, 11 Jun 2020 09:51:13 -0400
Subject: [PATCH] Create a podsecuritypolicies addon

Create a new addon, `podsecuritypolicies` that applies the PodSecurityPolicy and related RBAC configuration from the https://minikube.sigs.k8s.io/docs/tutorials/using_psp/ tutorial. Apparently, recent work on the addons system has invalidated the procedure shown in that tutorial, as the configuration is no longer automatically applied. The last known working version is `1.6.2`. This allows clusters started with `--extra-configs=apiserver.enable-admission-plugins=PodSecurityPolicy` to succeed, so long as they also include `--addons=podsecuritypolicies`.
---
 .../podsecuritypolicies.yaml.tmpl | 132 ++++++++++++++++++
 pkg/addons/config.go | 5 +
 pkg/minikube/assets/addons.go | 8 ++
 3 files changed, 145 insertions(+)
 create mode 100644 deploy/addons/podsecuritypolicies/podsecuritypolicies.yaml.tmpl
diff --git a/deploy/addons/podsecuritypolicies/podsecuritypolicies.yaml.tmpl b/deploy/addons/podsecuritypolicies/podsecuritypolicies.yaml.tmpl
new file mode 100644
index 0000000000..fa4171fa91
--- /dev/null
+++ b/deploy/addons/podsecuritypolicies/podsecuritypolicies.yaml.tmpl
@@ -0,0 +1,132 @@
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: privileged
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
+ labels:
+ addonmanager.kubernetes.io/mode: EnsureExists
+spec:
+ privileged: true
+ allowPrivilegeEscalation: true
+ allowedCapabilities:
+ - "*"
+ volumes:
+ - "*"
+ hostNetwork: true
+ hostPorts:
+ - min: 0
+ max: 65535
+ hostIPC: true
+ hostPID: true
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'RunAsAny'
+ fsGroup:
+ rule: 'RunAsAny'
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: restricted
+ labels:
+ addonmanager.kubernetes.io/mode: EnsureExists
+spec:
+ privileged: false
+ allowPrivilegeEscalation: false
+ requiredDropCapabilities:
+ - ALL
+ volumes:
+ - 'configMap'
+ - 'emptyDir'
+ - 'projected'
+ - 'secret'
+ - 'downwardAPI'
+ - 'persistentVolumeClaim'
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'MustRunAsNonRoot'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ readOnlyRootFilesystem: false
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: psp:privileged
+ labels:
+ addonmanager.kubernetes.io/mode: EnsureExists
+rules:
+- apiGroups: ['policy']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames:
+ - privileged
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: psp:restricted
+ labels:
+ addonmanager.kubernetes.io/mode: EnsureExists
+rules:
+- apiGroups: ['policy']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames:
+ - restricted
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: default:restricted
+ labels:
+ addonmanager.kubernetes.io/mode: EnsureExists
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: psp:restricted
+subjects:
+- kind: Group
+ name: system:authenticated
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: default:privileged
+ namespace: kube-system
+ labels:
+ addonmanager.kubernetes.io/mode: EnsureExists
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: psp:privileged
+subjects:
+- kind: Group
+ name: system:masters
+ apiGroup: rbac.authorization.k8s.io
+- kind: Group
+ name: system:nodes
+ apiGroup: rbac.authorization.k8s.io
+- kind: Group
+ name: system:serviceaccounts:kube-system
+ apiGroup: rbac.authorization.k8s.io
diff --git a/pkg/addons/config.go b/pkg/addons/config.go
index 80fb4ad6f5..81d24e85f6 100644
--- a/pkg/addons/config.go
+++ b/pkg/addons/config.go
@@ -149,4 +149,9 @@ var Addons = []*Addon{
 set: SetBool,
 callbacks: []setFn{enableOrDisableAddon},
 },
+ {
+ name: "podsecuritypolicies",
+ set: SetBool,
+ callbacks: []setFn{enableOrDisableAddon},
+ },
 }
diff --git a/pkg/minikube/assets/addons.go b/pkg/minikube/assets/addons.go
index 67403a4c14..d5bd8adfdc 100644
--- a/pkg/minikube/assets/addons.go
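Review bot: The `restricted` PodSecurityPolicy in this new template carries no seccomp annotations, so the policy itself does not require pods admitted under it to run with a seccomp profile, while the `privileged` policy explicitly opens every profile via `seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"`. The upstream restricted example pins this under `metadata.annotations` with `seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'` and `seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'`, a two-line addition on the `restricted` object. Separately, every object is labelled `addonmanager.kubernetes.io/mode: EnsureExists`, which, if the addon manager behaves as documented, means it only creates missing objects and will not reconcile later edits to this template onto an existing cluster; a header comment such as `# Mirrors https://minikube.sigs.k8s.io/docs/tutorials/using_psp/; objects are EnsureExists, so edits here do not update clusters that already have them.` would save the next maintainer a surprise.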
+++ b/pkg/minikube/assets/addons.go
@@ -81,6 +81,14 @@ var Addons = map[string]*Addon{
 "0640",
 false),
 }, true, "default-storageclass"),
+ "podsecuritypolicies": NewAddon([]*BinAsset{
+ MustBinAsset(
+ "deploy/addons/podsecuritypolicies/podsecuritypolicies.yaml.tmpl",
+ vmpath.GuestAddonsDir,
+ "podsecuritypolicies.yaml",
+ "0640",
+ false),
+ }, false, "podsecuritypolicies"),
 "storage-provisioner": NewAddon([]*BinAsset{
 MustBinAsset(
 "deploy/addons/storage-provisioner/storage-provisioner.yaml.tmpl",
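Review bot: The new `podsecuritypolicies` entry is registered disabled by default (the `false` argument to `NewAddon`), but nothing at the map entry records that it must be enabled together with the `PodSecurityPolicy` admission plugin; as the commit message states, a cluster started with `--extra-configs=apiserver.enable-admission-plugins=PodSecurityPolicy` only succeeds when `--addons=podsecuritypolicies` is also given. A comment on the entry, e.g. `// Required when the apiserver runs with the PodSecurityPolicy admission plugin; see deploy/addons/podsecuritypolicies/podsecuritypolicies.yaml.tmpl.`, makes that pairing discoverable from the code rather than only from the commit history. The enclosing `Addons` map literal starts and ends outside the hunk.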