From 22c14c197adb69044bbf8ab1e1f56d7973f155b4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C4=81nis=20Bebr=C4=ABtis?=
Date: Fri, 2 Sep 2022 14:49:34 +0300
Subject: [PATCH 1/3] Removing podsecuritypolicy due to 1.25 policy/v1beta1 deprecation
---
 deploy/addons/metallb/metallb.yaml.tmpl | 29 -------------------------
 1 file changed, 29 deletions(-)
diff --git a/deploy/addons/metallb/metallb.yaml.tmpl b/deploy/addons/metallb/metallb.yaml.tmpl
index 7d033b69e7..0989071512 100644
--- a/deploy/addons/metallb/metallb.yaml.tmpl
+++ b/deploy/addons/metallb/metallb.yaml.tmpl
@@ -5,35 +5,6 @@ metadata:
 app: metallb
 name: metallb-system
 ---
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- labels:
- app: metallb
- name: speaker
- namespace: metallb-system
-spec:
- allowPrivilegeEscalation: false
- allowedCapabilities:
- - NET_ADMIN
- - NET_RAW
- - SYS_ADMIN
- fsGroup:
- rule: RunAsAny
- hostNetwork: true
- hostPorts:
- - max: 7472
- min: 7472
- privileged: true
- runAsUser:
- rule: RunAsAny
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- volumes:
- - '*'
----
 apiVersion: v1
 kind: ServiceAccount
 metadata:
From 3f46fea576d169ec147a15886f27a3032918abfe Mon Sep 17 00:00:00 2001
From: Janis Bebritis
Date: Fri, 2 Sep 2022 15:59:51 +0300
Subject: [PATCH 2/3] Conditional podsecuritypolicy include for pre 1.25 versions
---
 deploy/addons/metallb/metallb.yaml.tmpl | 31 +++++++++++++++++++++++++
 pkg/minikube/assets/addons.go | 13 +++++++++++
 2 files changed, 44 insertions(+)
diff --git a/deploy/addons/metallb/metallb.yaml.tmpl b/deploy/addons/metallb/metallb.yaml.tmpl
index 0989071512..b301921196 100644
--- a/deploy/addons/metallb/metallb.yaml.tmpl
+++ b/deploy/addons/metallb/metallb.yaml.tmpl
@@ -5,6 +5,37 @@ metadata:
 app: metallb
 name: metallb-system
 ---
+{{- if and (eq .KubernetesVersion.Major 1 ) (lt .KubernetesVersion.Minor 25) }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ labels:
+ app: metallb
+ name: speaker
+ namespace: metallb-system
+spec:
+ allowPrivilegeEscalation: false
+ allowedCapabilities:
+ - NET_ADMIN
+ - NET_RAW
+ - SYS_ADMIN
+ fsGroup:
+ rule: RunAsAny
+ hostNetwork: true
+ hostPorts:
+ - max: 7472
+ min: 7472
+ privileged: true
+ runAsUser:
+ rule: RunAsAny
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ volumes:
+ - '*'
+---
+{{- end }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
diff --git a/pkg/minikube/assets/addons.go b/pkg/minikube/assets/addons.go
index 0905078a6b..44cdc03412 100755
--- a/pkg/minikube/assets/addons.go
+++ b/pkg/minikube/assets/addons.go
@@ -859,6 +859,7 @@ func GenerateTemplateData(addon *Addon, cc *config.ClusterConfig, netInfo Networ
 }
 opts := struct {
+ KubernetesVersion map[string]uint64
 PreOneTwentyKubernetes bool
 Arch string
 ExoticArch string
@@ -874,6 +875,7 @@ func GenerateTemplateData(addon *Addon, cc *config.ClusterConfig, netInfo Networ
 CustomRegistries map[string]string
 NetworkInfo map[string]string
 }{
+ KubernetesVersion: make(map[string]uint64),
 PreOneTwentyKubernetes: false,
 Arch: a,
 ExoticArch: ea,
@@ -909,6 +911,17 @@ func GenerateTemplateData(addon *Addon, cc *config.ClusterConfig, netInfo Networ
 opts.PreOneTwentyKubernetes = true
 }
+ // Store kubernetes version in opts
+ kv, err := util.ParseKubernetesVersion(cfg.KubernetesVersion)
+ if err != nil {
+ return errors.Wrap(err, "parsing Kubernetes version")
+ }
+ opts.KubernetesVersion = map[string]uint64{
+ "Major": kv.Major,
+ "Minor": kv.Minor,
+ "Patch": kv.Patch,
+ }
+
 // Network info for generating template
 opts.NetworkInfo["ControlPlaneNodeIP"] = netInfo.ControlPlaneNodeIP
 opts.NetworkInfo["ControlPlaneNodePort"] = fmt.Sprint(netInfo.ControlPlaneNodePort)
From 9dadf326e0245fa1c242a8b1c84a684b594ae851 Mon Sep 17 00:00:00 2001
From: Steven Powell
Date: Wed, 14 Sep 2022 10:32:51 -0700
Subject: [PATCH 3/3] update naming to LegacyPodSecurityPolicy
---
 deploy/addons/metallb/metallb.yaml.tmpl | 6 +-
 pkg/minikube/assets/addons.go | 82 +++++++++++--------------
 2 files changed, 39 insertions(+), 49 deletions(-)
diff --git a/deploy/addons/metallb/metallb.yaml.tmpl b/deploy/addons/metallb/metallb.yaml.tmpl
index b301921196..f73f09f2a5 100644
--- a/deploy/addons/metallb/metallb.yaml.tmpl
+++ b/deploy/addons/metallb/metallb.yaml.tmpl
@@ -4,8 +4,7 @@ metadata:
 labels:
 app: metallb
 name: metallb-system
----
-{{- if and (eq .KubernetesVersion.Major 1 ) (lt .KubernetesVersion.Minor 25) }}
+---{{ if .LegacyPodSecurityPolicy }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
@@ -34,8 +33,7 @@ spec:
 rule: RunAsAny
 volumes:
 - '*'
----
-{{- end }}
+---{{ end }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
diff --git a/pkg/minikube/assets/addons.go b/pkg/minikube/assets/addons.go
index 44cdc03412..fabdcbf411 100755
--- a/pkg/minikube/assets/addons.go
+++ b/pkg/minikube/assets/addons.go
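Review bot: Once the PodSecurityPolicy stops being rendered on 1.25+, nothing in this template records that the metallb-system namespace must admit privileged workloads, although the guarded PSP in this hunk's context shows the speaker relies on `privileged: true`, `hostNetwork: true` and the `NET_ADMIN`/`NET_RAW`/`SYS_ADMIN` capabilities. If Pod Security Admission is configured to enforce a `baseline` or `restricted` default (not the out-of-the-box setting, but a common hardening step), the speaker pod would be rejected at admission with no PSP to fall back on; the conventional replacement is to add `pod-security.kubernetes.io/enforce: privileged` to the labels of the object whose `name: metallb-system` metadata is the first hunk's leading context (presumably the Namespace), which is a no-op where PSA is not enforcing. Independently, `---{{ if .LegacyPodSecurityPolicy }}` depends on a flag computed in addons.go, so a comment on the preceding line such as `# PodSecurityPolicy (policy/v1beta1) was removed in Kubernetes 1.25; it is only rendered for older versions` would save the next reader the cross-file lookup.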
@@ -858,38 +858,45 @@ func GenerateTemplateData(addon *Addon, cc *config.ClusterConfig, netInfo Networ
 ea = "-" + runtime.GOARCH
 }
+ v, err := util.ParseKubernetesVersion(cfg.KubernetesVersion)
+ if err != nil {
+ return errors.Wrap(err, "parsing Kubernetes version")
+ }
+
 opts := struct {
- KubernetesVersion map[string]uint64
- PreOneTwentyKubernetes bool
- Arch string
- ExoticArch string
- ImageRepository string
- LoadBalancerStartIP string
- LoadBalancerEndIP string
- CustomIngressCert string
- IngressAPIVersion string
- ContainerRuntime string
- RegistryAliases string
- Images map[string]string
- Registries map[string]string
- CustomRegistries map[string]string
- NetworkInfo map[string]string
+ KubernetesVersion map[string]uint64
+ PreOneTwentyKubernetes bool
+ Arch string
+ ExoticArch string
+ ImageRepository string
+ LoadBalancerStartIP string
+ LoadBalancerEndIP string
+ CustomIngressCert string
+ IngressAPIVersion string
+ ContainerRuntime string
+ RegistryAliases string
+ Images map[string]string
+ Registries map[string]string
+ CustomRegistries map[string]string
+ NetworkInfo map[string]string
+ LegacyPodSecurityPolicy bool
 }{
- KubernetesVersion: make(map[string]uint64),
- PreOneTwentyKubernetes: false,
- Arch: a,
- ExoticArch: ea,
- ImageRepository: cfg.ImageRepository,
- LoadBalancerStartIP: cfg.LoadBalancerStartIP,
- LoadBalancerEndIP: cfg.LoadBalancerEndIP,
- CustomIngressCert: cfg.CustomIngressCert,
- RegistryAliases: cfg.RegistryAliases,
- IngressAPIVersion: "v1", // api version for ingress (eg, "v1beta1"; defaults to "v1" for k8s 1.19+)
- ContainerRuntime: cfg.ContainerRuntime,
- Images: images,
- Registries: addon.Registries,
- CustomRegistries: customRegistries,
- NetworkInfo: make(map[string]string),
+ KubernetesVersion: make(map[string]uint64),
+ PreOneTwentyKubernetes: false,
+ Arch: a,
+ ExoticArch: ea,
+ ImageRepository: cfg.ImageRepository,
+ LoadBalancerStartIP: cfg.LoadBalancerStartIP,
+ LoadBalancerEndIP: cfg.LoadBalancerEndIP,
+ CustomIngressCert: cfg.CustomIngressCert,
+ RegistryAliases: cfg.RegistryAliases,
+ IngressAPIVersion: "v1", // api version for ingress (eg, "v1beta1"; defaults to "v1" for k8s 1.19+)
+ ContainerRuntime: cfg.ContainerRuntime,
+ Images: images,
+ Registries: addon.Registries,
+ CustomRegistries: customRegistries,
+ NetworkInfo: make(map[string]string),
+ LegacyPodSecurityPolicy: v.LT(semver.Version{Major: 1, Minor: 25}),
 }
 if opts.ImageRepository != "" && !strings.HasSuffix(opts.ImageRepository, "/") {
 opts.ImageRepository += "/"
@@ -900,10 +907,6 @@ func GenerateTemplateData(addon *Addon, cc *config.ClusterConfig, netInfo Networ
 // maintain backwards compatibility with k8s < v1.19
 // by using v1beta1 instead of v1 api version for ingress
- v, err := util.ParseKubernetesVersion(cfg.KubernetesVersion)
- if err != nil {
- return errors.Wrap(err, "parsing Kubernetes version")
- }
 if semver.MustParseRange("<1.19.0")(v) {
 opts.IngressAPIVersion = "v1beta1"
 }
@@ -911,17 +914,6 @@ func GenerateTemplateData(addon *Addon, cc *config.ClusterConfig, netInfo Networ
 opts.PreOneTwentyKubernetes = true
 }
- // Store kubernetes version in opts
- kv, err := util.ParseKubernetesVersion(cfg.KubernetesVersion)
- if err != nil {
- return errors.Wrap(err, "parsing Kubernetes version")
- }
- opts.KubernetesVersion = map[string]uint64{
- "Major": kv.Major,
- "Minor": kv.Minor,
- "Patch": kv.Patch,
- }
-
 // Network info for generating template
 opts.NetworkInfo["ControlPlaneNodeIP"] = netInfo.ControlPlaneNodeIP
 opts.NetworkInfo["ControlPlaneNodePort"] = fmt.Sprint(netInfo.ControlPlaneNodePort)
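Review bot: `LegacyPodSecurityPolicy: v.LT(semver.Version{Major: 1, Minor: 25})` treats 1.25 pre-releases such as `v1.25.0-rc.0` as legacy, because semver orders a pre-release below the bare `1.25.0` it is compared with, so the template would emit a `policy/v1beta1` PodSecurityPolicy against an API server that no longer serves that kind and the addon apply would fail (assuming `util.ParseKubernetesVersion` keeps the pre-release tag, as its use with `semver` suggests). Comparing the version components directly sidesteps pre-release ordering: `LegacyPodSecurityPolicy: v.Major < 1 || (v.Major == 1 && v.Minor < 25),`. The `KubernetesVersion map[string]uint64` field is still declared and initialised in this hunk, yet the code that filled it is deleted in the last hunk and the metallb template no longer reads it, so unless another template depends on it the field is a dead, always-empty map and should be dropped. A doc comment on the new field, e.g. `// LegacyPodSecurityPolicy is true for Kubernetes versions below 1.25, which still serve policy/v1beta1 PodSecurityPolicy.`, would make the cut-off self-explanatory. GenerateTemplateData starts before this hunk and ends after the last one.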