Merge branch 'master' into none-timeout

cmd/minikube/cmd/root_test.go

@@ -115,7 +115,7 @@ func hideEnv(t *testing.T) func(t *testing.T) {
 func TestPreRunDirectories(t *testing.T) {
 	// Make sure we create the required directories.
 	tempDir := tests.MakeTempDir()
-	defer os.RemoveAll(tempDir)
+	defer tests.RemoveTempDir(tempDir)
 
 	runCommand(RootCmd.PersistentPreRun)
 

cmd/minikube/cmd/start.go

@@ -898,6 +898,20 @@ func validateFlags(cmd *cobra.Command, drvName string) {
 		}
 	}
 
+	// validate kubeadm extra args
+	if invalidOpts := bsutil.FindInvalidExtraConfigFlags(config.ExtraOptions); len(invalidOpts) > 0 {
+		out.ErrT(
+			out.Warning,
+			"These --extra-config parameters are invalid: {{.invalid_extra_opts}}",
+			out.V{"invalid_extra_opts": invalidOpts},
+		)
+		exit.WithCodeT(
+			exit.Config,
+			"Valid components are: {{.valid_extra_opts}}",
+			out.V{"valid_extra_opts": bsutil.KubeadmExtraConfigOpts},
+		)
+	}
+
 	// check that kubeadm extra args contain only allowed parameters
 	for param := range config.ExtraOptions.AsMap().Get(bsutil.Kubeadm) {
 		if !config.ContainsParam(bsutil.KubeadmExtraArgsAllowed[bsutil.KubeadmCmdParam], param) &&

deploy/addons/pod-security-policy/pod-security-policy.yaml.tmpl

@@ -0,0 +1,132 @@
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: privileged
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
+  labels:
+    addonmanager.kubernetes.io/mode: EnsureExists
+spec:
+  privileged: true
+  allowPrivilegeEscalation: true
+  allowedCapabilities:
+  - "*"
+  volumes:
+  - "*"
+  hostNetwork: true
+  hostPorts:
+  - min: 0
+    max: 65535
+  hostIPC: true
+  hostPID: true
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: restricted
+  labels:
+    addonmanager.kubernetes.io/mode: EnsureExists
+spec:
+  privileged: false
+  allowPrivilegeEscalation: false
+  requiredDropCapabilities:
+    - ALL
+  volumes:
+    - 'configMap'
+    - 'emptyDir'
+    - 'projected'
+    - 'secret'
+    - 'downwardAPI'
+    - 'persistentVolumeClaim'
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'MustRunAsNonRoot'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: psp:privileged
+  labels:
+    addonmanager.kubernetes.io/mode: EnsureExists
+rules:
+- apiGroups: ['policy']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames:
+  - privileged
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: psp:restricted
+  labels:
+    addonmanager.kubernetes.io/mode: EnsureExists
+rules:
+- apiGroups: ['policy']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames:
+  - restricted
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: default:restricted
+  labels:
+    addonmanager.kubernetes.io/mode: EnsureExists
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: psp:restricted
+subjects:
+- kind: Group
+  name: system:authenticated
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: default:privileged
+  namespace: kube-system
+  labels:
+    addonmanager.kubernetes.io/mode: EnsureExists
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: psp:privileged
+subjects:
+- kind: Group
+  name: system:masters
+  apiGroup: rbac.authorization.k8s.io
+- kind: Group
+  name: system:nodes
+  apiGroup: rbac.authorization.k8s.io
+- kind: Group
+  name: system:serviceaccounts:kube-system
+  apiGroup: rbac.authorization.k8s.io

pkg/addons/config.go

@@ -156,4 +156,9 @@ var Addons = []*Addon{
 		set:       SetBool,
 		callbacks: []setFn{enableOrDisableAddon},
 	},
+	{
+		name:      "pod-security-policy",
+		set:       SetBool,
+		callbacks: []setFn{enableOrDisableAddon},
+	},
 }

pkg/drivers/common_test.go

@@ -27,7 +27,7 @@ import (
 
 func Test_createDiskImage(t *testing.T) {
 	tmpdir := tests.MakeTempDir()
-	defer os.RemoveAll(tmpdir)
+	defer tests.RemoveTempDir(tmpdir)
 
 	sshPath := filepath.Join(tmpdir, "ssh")
 	if err := ioutil.WriteFile(sshPath, []byte("mysshkey"), 0644); err != nil {

pkg/drivers/hyperkit/network_test.go

@@ -51,7 +51,7 @@ var validLeases = []byte(`{
 
 func Test_getIpAddressFromFile(t *testing.T) {
 	tmpdir := tests.MakeTempDir()
-	defer os.RemoveAll(tmpdir)
+	defer tests.RemoveTempDir(tmpdir)
 
 	dhcpFile := filepath.Join(tmpdir, "dhcp")
 	if err := ioutil.WriteFile(dhcpFile, validLeases, 0644); err != nil {

pkg/minikube/assets/addons.go

@@ -81,6 +81,14 @@ var Addons = map[string]*Addon{
 			"0640",
 			false),
 	}, true, "default-storageclass"),
+	"pod-security-policy": NewAddon([]*BinAsset{
+		MustBinAsset(
+			"deploy/addons/pod-security-policy/pod-security-policy.yaml.tmpl",
+			vmpath.GuestAddonsDir,
+			"pod-security-policy.yaml",
+			"0640",
+			false),
+	}, false, "pod-security-policy"),
 	"storage-provisioner": NewAddon([]*BinAsset{
 		MustBinAsset(
 			"deploy/addons/storage-provisioner/storage-provisioner.yaml.tmpl",

pkg/minikube/bootstrapper/bsutil/extraconfig.go

@@ -95,6 +95,21 @@ func CreateFlagsFromExtraArgs(extraOptions config.ExtraOptionSlice) string {
 	return convertToFlags(kubeadmExtraOpts)
 }
 
+// FindInvalidExtraConfigFlags returns all invalid 'extra-config' options
+func FindInvalidExtraConfigFlags(opts config.ExtraOptionSlice) []string {
+	invalidOptsMap := make(map[string]struct{})
+	var invalidOpts []string
+	for _, extraOpt := range opts {
+		if _, ok := componentToKubeadmConfigKey[extraOpt.Component]; !ok {
+			if _, ok := invalidOptsMap[extraOpt.Component]; !ok {
+				invalidOpts = append(invalidOpts, extraOpt.Component)
+				invalidOptsMap[extraOpt.Component] = struct{}{}
+			}
+		}
+	}
+	return invalidOpts
+}
+
 // extraConfigForComponent generates a map of flagname-value pairs for a k8s
 // component.
 func extraConfigForComponent(component string, opts config.ExtraOptionSlice, version semver.Version) (map[string]string, error) {
@@ -133,20 +148,12 @@ func defaultOptionsForComponentAndVersion(component string, version semver.Versi
 
 // newComponentOptions creates a new componentOptions
 func newComponentOptions(opts config.ExtraOptionSlice, version semver.Version, featureGates string, cp config.Node) ([]componentOptions, error) {
+	if invalidOpts := FindInvalidExtraConfigFlags(opts); len(invalidOpts) > 0 {
+		return nil, fmt.Errorf("unknown components %v. valid components are: %v", invalidOpts, KubeadmExtraConfigOpts)
+	}
+
 	var kubeadmExtraArgs []componentOptions
-	for _, extraOpt := range opts {
-		if _, ok := componentToKubeadmConfigKey[extraOpt.Component]; !ok {
-			return nil, fmt.Errorf("unknown component %q. valid components are: %v", componentToKubeadmConfigKey, componentToKubeadmConfigKey)
-		}
-	}
-
-	keys := []string{}
-	for k := range componentToKubeadmConfigKey {
-		keys = append(keys, k)
-	}
-	sort.Strings(keys)
-
-	for _, component := range keys {
+	for _, component := range KubeadmExtraConfigOpts {
 		kubeadmComponentKey := componentToKubeadmConfigKey[component]
 		if kubeadmComponentKey == "" {
 			continue

pkg/minikube/bootstrapper/bsutil/extraconfig_test.go

@@ -0,0 +1,59 @@
+/*
+Copyright 2016 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package bsutil will eventually be renamed to kubeadm package after getting rid of older one
+package bsutil
+
+import (
+	"reflect"
+	"testing"
+
+	"k8s.io/minikube/pkg/minikube/config"
+)
+
+func TestFindInvalidExtraConfigFlags(t *testing.T) {
+	defaultOpts := getExtraOpts()
+	badOption1 := config.ExtraOption{Component: "bad_option_1"}
+	badOption2 := config.ExtraOption{Component: "bad_option_2"}
+	tests := []struct {
+		name string
+		opts config.ExtraOptionSlice
+		want []string
+	}{
+		{
+			name: "with valid options only",
+			opts: defaultOpts,
+			want: nil,
+		},
+		{
+			name: "with invalid options",
+			opts: append(defaultOpts, badOption1, badOption2),
+			want: []string{"bad_option_1", "bad_option_2"},
+		},
+		{
+			name: "with invalid options and duplicates",
+			opts: append(defaultOpts, badOption2, badOption1, badOption1),
+			want: []string{"bad_option_2", "bad_option_1"},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := FindInvalidExtraConfigFlags(tt.opts); !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("FindInvalidExtraConfigFlags() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}

pkg/minikube/bootstrapper/bsutil/kubeadm.go

@@ -147,15 +147,26 @@ func GenerateKubeadmYAML(cc config.ClusterConfig, n config.Node, r cruntime.Mana
 // These are the components that can be configured
 // through the "extra-config"
 const (
-	Kubelet           = "kubelet"
-	Kubeadm           = "kubeadm"
 	Apiserver         = "apiserver"
-	Scheduler         = "scheduler"
 	ControllerManager = "controller-manager"
-	Kubeproxy         = "kube-proxy"
+	Scheduler         = "scheduler"
 	Etcd              = "etcd"
+	Kubeadm           = "kubeadm"
+	Kubeproxy         = "kube-proxy"
+	Kubelet           = "kubelet"
 )
 
+// KubeadmExtraConfigOpts is a list of allowed "extra-config" components
+var KubeadmExtraConfigOpts = []string{
+	Apiserver,
+	ControllerManager,
+	Scheduler,
+	Etcd,
+	Kubeadm,
+	Kubelet,
+	Kubeproxy,
+}
+
 // InvokeKubeadm returns the invocation command for Kubeadm
 func InvokeKubeadm(version string) string {
 	return fmt.Sprintf("sudo env PATH=%s:$PATH kubeadm", binRoot(version))

pkg/minikube/bootstrapper/certs_test.go

@@ -30,7 +30,7 @@ import (
 
 func TestSetupCerts(t *testing.T) {
 	tempDir := tests.MakeTempDir()
-	defer os.RemoveAll(tempDir)
+	defer tests.RemoveTempDir(tempDir)
 
 	k8s := config.KubernetesConfig{
 		APIServerName: constants.APIServerName,

pkg/minikube/kubeconfig/context_test.go

@@ -26,6 +26,7 @@ import (
 func TestDeleteContext(t *testing.T) {
 	// See kubeconfig_test
 	fn := tempFile(t, kubeConfigWithoutHTTPS)
+	defer os.Remove(fn)
 	if err := DeleteContext("la-croix", fn); err != nil {
 		t.Fatal(err)
 	}

pkg/minikube/kubeconfig/kubeconfig_test.go

@@ -263,6 +263,7 @@ func TestVerifyEndpoint(t *testing.T) {
 		t.Run(test.description, func(t *testing.T) {
 			t.Parallel()
 			configFilename := tempFile(t, test.existing)
+			defer os.Remove(configFilename)
 			err := VerifyEndpoint("minikube", test.hostname, test.port, configFilename)
 			if err != nil && !test.err {
 				t.Errorf("Got unexpected error: %v", err)
@@ -330,6 +331,7 @@ func TestUpdateIP(t *testing.T) {
 		t.Run(test.description, func(t *testing.T) {
 			t.Parallel()
 			configFilename := tempFile(t, test.existing)
+			defer os.Remove(configFilename)
 			statusActual, err := UpdateEndpoint("minikube", test.hostname, test.port, configFilename)
 			if err != nil && !test.err {
 				t.Errorf("Got unexpected error: %v", err)
@@ -419,6 +421,7 @@ func Test_Endpoint(t *testing.T) {
 	for _, test := range tests {
 		t.Run(test.description, func(t *testing.T) {
 			configFilename := tempFile(t, test.cfg)
+			defer os.Remove(configFilename)
 			hostname, port, err := Endpoint("minikube", configFilename)
 			if err != nil && !test.err {
 				t.Errorf("Got unexpected error: %v", err)

pkg/minikube/machine/client_test.go

@@ -19,18 +19,15 @@ package machine
 import (
 	"bufio"
 	"fmt"
-	"io/ioutil"
-	"log"
 	"net"
 	"os"
-	"path/filepath"
 	"testing"
 
 	"github.com/docker/machine/libmachine/drivers/plugin/localbinary"
 
 	"k8s.io/minikube/pkg/minikube/driver"
-	"k8s.io/minikube/pkg/minikube/localpath"
 	_ "k8s.io/minikube/pkg/minikube/registry/drvs/virtualbox"
+	testutil "k8s.io/minikube/pkg/minikube/tests"
 )
 
 const vboxConfig = `
@@ -113,24 +110,9 @@ func TestLocalClientNewHost(t *testing.T) {
 	}
 }
 
-func makeTempDir() string {
-	tempDir, err := ioutil.TempDir("", "minipath")
-	if err != nil {
-		log.Fatal(err)
-	}
-	tempDir = filepath.Join(tempDir, ".minikube")
-	os.Setenv(localpath.MinikubeHome, tempDir)
-	return localpath.MiniPath()
-}
-
 func TestRunNotDriver(t *testing.T) {
-	tempDir := makeTempDir()
-	defer func() { //clean up tempdir
-		err := os.RemoveAll(tempDir)
-		if err != nil {
-			t.Errorf("failed to clean up temp folder  %q", tempDir)
-		}
-	}()
+	tempDir := testutil.MakeTempDir()
+	defer testutil.RemoveTempDir(tempDir)
 	StartDriver()
 	if !localbinary.CurrentBinaryIsDockerMachine {
 		t.Fatal("CurrentBinaryIsDockerMachine not set. This will break driver initialization.")
@@ -140,8 +122,8 @@ func TestRunNotDriver(t *testing.T) {
 func TestRunDriver(t *testing.T) {
 	// This test is a bit complicated. It verifies that when the root command is
 	// called with the proper environment variables, we setup the libmachine driver.
-	tempDir := makeTempDir()
-	defer os.RemoveAll(tempDir)
+	tempDir := testutil.MakeTempDir()
+	defer testutil.RemoveTempDir(tempDir)
 
 	os.Setenv(localbinary.PluginEnvKey, localbinary.PluginEnvVal)
 	os.Setenv(localbinary.PluginEnvDriverName, driver.VirtualBox)

pkg/minikube/machine/filesync_test.go

@@ -17,26 +17,16 @@ limitations under the License.
 package machine
 
 import (
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
 	"k8s.io/minikube/pkg/minikube/localpath"
+	testutil "k8s.io/minikube/pkg/minikube/tests"
 	"k8s.io/minikube/pkg/minikube/vmpath"
 )
 
-func setupTestDir() (string, error) {
-	path, err := ioutil.TempDir("", "minipath")
-	if err != nil {
-		return "", err
-	}
-
-	os.Setenv(localpath.MinikubeHome, path)
-	return path, err
-}
-
 func TestAssetsFromDir(t *testing.T) {
 	tests := []struct {
 		description string
@@ -107,17 +97,8 @@ func TestAssetsFromDir(t *testing.T) {
 
 	for _, test := range tests {
 		t.Run(test.description, func(t *testing.T) {
-			testDir, err := setupTestDir()
-			defer func() { //clean up tempdir
-				err := os.RemoveAll(testDir)
-				if err != nil {
-					t.Errorf("failed to clean up temp folder  %q", testDir)
-				}
-			}()
-			if err != nil {
-				t.Errorf("got unexpected error creating test dir: %v", err)
-				return
-			}
+			testDir := testutil.MakeTempDir()
+			defer testutil.RemoveTempDir(testDir)
 
 			testDirs = append(testDirs, testDir)
 			testFileBaseDir := filepath.Join(testDir, test.baseDir)

pkg/minikube/notify/notify_test.go

@@ -43,7 +43,7 @@ func TestMaybePrintUpdateTextFromGithub(t *testing.T) {
 
 func TestShouldCheckURL(t *testing.T) {
 	tempDir := tests.MakeTempDir()
-	defer os.RemoveAll(tempDir)
+	defer tests.RemoveTempDir(tempDir)
 
 	lastUpdateCheckFilePath := filepath.Join(tempDir, "last_update_check")
 
@@ -152,7 +152,7 @@ func TestGetLatestVersionFromURLMalformed(t *testing.T) {
 
 func TestMaybePrintUpdateText(t *testing.T) {
 	tempDir := tests.MakeTempDir()
-	defer os.RemoveAll(tempDir)
+	defer tests.RemoveTempDir(tempDir)
 	outputBuffer := tests.NewFakeFile()
 	out.SetErrFile(outputBuffer)
 

pkg/minikube/tests/dir_utils.go

@@ -45,6 +45,13 @@ func MakeTempDir() string {
 	return localpath.MiniPath()
 }
 
+func RemoveTempDir(tempdir string) {
+	if filepath.Base(tempdir) == ".minikube" {
+		tempdir = filepath.Dir(tempdir)
+	}
+	os.RemoveAll(tempdir)
+}
+
 // FakeFile satisfies fdWriter
 type FakeFile struct {
 	b bytes.Buffer

site/content/en/docs/drivers/includes/podman_usage.inc

@@ -1,20 +1,22 @@
-## experimental
+## Experimental
 
-This is an experimental driver. please use it only for experimental reasons.
-for a better kubernetes in container experience, use docker [driver]({{< ref "/docs/drivers/docker/" >}})
-
-## Install Podman
-
-- [Podman](https://podman.io/getting-started/installation.html)
+This is an experimental driver. Please use it only for experimental reasons until it has reached maturity. For a more reliable minikube experience, use a non-experimental driver, like [Docker]({{< ref "/docs/drivers/docker.md" >}}).
 
 ## Usage
 
-Start a cluster using the podman driver:
+It's recommended to run minikube with the podman driver and [CRI-O container runtime](https://https://cri-o.io/): 
+
+```shell
+minikube start --driver=podman --container-runtime=cri-o
+```
+
+Alternatively, start minikube with the podman driver only: 
 
 ```shell
 minikube start --driver=podman 
 ```
-To make docker the default driver:
+
+To make podman the default driver: 
 
 ```shell
 minikube config set driver podman

site/content/en/docs/drivers/kvm2.md

@@ -37,6 +37,10 @@ The `minikube start` command supports 3 additional kvm specific flags:
 
 Also see [co/kvm2 open issues](https://github.com/kubernetes/minikube/labels/co%2Fkvm2)
 
+### Nested Virtulization
+
+If you are running KVM in a nested virtualization environment ensure your config the kernel modules correctly follow either [this](https://stafwag.github.io/blog/blog/2018/06/04/nested-virtualization-in-kvm/)  or [this](VM follow to config the kernel modules. also https://computingforgeeks.com/how-to-install-kvm-virtualization-on-debian/) tutorial.
+
 ## Troubleshooting
 * Run `virt-host-validate` and check for the suggestions.
 * Run `minikube start --alsologtostderr -v=7` to debug crashes

site/content/en/docs/drivers/podman.md

@@ -11,21 +11,36 @@ aliases:
 This driver is experimental and in active development. Help wanted!
 {{% /pageinfo %}}
 
-The podman driver is another kubernetes in container driver for minikube. similar to [docker](https://minikube.sigs.k8s.io/docs/drivers/docker/) driver. The podman driver is  experimental, and only supported on Linux and macOS (with a remote podman server).
+The podman driver is an alternative container runtime to the [Docker]({{< ref "/docs/drivers/docker.md" >}}) driver.
 
 ## Requirements
 
-- Install [Podman](https://podman.io/getting-started/installation) 
-- amd64 system 
+- Linux or macOS operating systems on amd64 architecture 
+- Install [podman](https://podman.io/getting-started/installation.html)
 
-## Try it with CRI-O container runtime.
-
-```shell
-minikube start --driver=podman --container-runtime=cri-o
-```
 
 {{% readfile file="/docs/drivers/includes/podman_usage.inc" %}}
 
 ## Known Issues
 
 - Podman driver is not supported on non-amd64 architectures such as arm yet. For non-amd64 archs please use [other drivers]({{< ref "/docs/drivers/_index.md" >}}) 
+- Podman requirements passwordless running of sudo. If you run into an error about sudo, do the following: 
+
+```shell
+$ sudo visudo
+```
+Then append the following to the section *at the very bottom* of the file where `username` is your user account.
+
+```shell
+username ALL=(ALL) NOPASSWD: /usr/bin/podman
+```
+
+Be sure this text is *after* `#includedir /etc/sudoers.d`. To confirm it worked, try: 
+
+```shell
+sudo -k -n podman version
+```
+
+## Troubleshooting
+
+- Run `minikube start --alsologtostderr -v=7` to debug errors and crashes

site/content/en/docs/tutorials/using_psp.md

@@ -13,10 +13,25 @@ This tutorial explains how to start minikube with Pod Security Policies (PSP) en
 
 ## Prerequisites
 
-- Minikube 1.5.2 with Kubernetes 1.16.x or higher
+- Minikube 1.11.1 with Kubernetes 1.16.x or higher
 
 ## Tutorial
 
+Start minikube with the `PodSecurityPolicy` admission controller and the
+`pod-security-policy` addon enabled.
+
+`minikube start --extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy --addons=pod-security-policy`
+
+The `pod-security-policy` addon must be enabled along with the admission
+controller to prevent issues during bootstrap.
+
+## Older versions of minikube
+
+Older versions of minikube do not ship with the `pod-security-policy` addon, so
+the policies that addon enables must be separately applied to the cluster.
+
+## Minikube 1.5.2 through 1.6.2
+
 Before starting minikube, you need to give it the PSP YAMLs in order to allow minikube to bootstrap.
 
 Create the directory:
@@ -161,3 +176,24 @@ subjects:
   name: system:serviceaccounts:kube-system
   apiGroup: rbac.authorization.k8s.io
 ```
+
+### Minikube between 1.6.2 and 1.11.1
+
+With minikube versions greater than 1.6.2 and less than 1.11.1, the YAML files
+shown above will not be automatically applied to the cluster. You may have
+errors during bootstrap of the cluster if the admission controller is enabled.
+
+To use Pod Security Policies with these versions of minikube, first start a
+cluster without the `PodSecurityPolicy` admission controller enabled.
+
+Next, apply the YAML shown above to the cluster.
+
+Finally, stop the cluster and then restart it with the admission controller
+enabled.
+
+```
+minikube start
+kubectl apply -f /path/to/psp.yaml
+minikube stop
+minikube start --extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy
+```

test.sh

@@ -67,6 +67,7 @@ then
         ${pkgs} \
         && echo ok || ((exitcode += 32))
     tail -n +2 "${cov_tmp}" >>"${COVERAGE_PATH}"
+    rm ${cov_tmp}
 fi
 
 exit "${exitcode}"