From 0ef3a7914c9f7758c0ccad2fadfe99d4e0b342e3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20R=2E=20de=20Miranda?= Date: Wed, 22 May 2019 04:16:08 -0300 Subject: [PATCH] Added pod psp in Rancher Local Path Provisioner (#4385) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Added pod psp in Rancher Local Path Provisioner Added pod security policy (psp) in Rancher Local Path Provisioner. 
Signed-off-by: André R. de Miranda * Apply psp for Rancher Local Path Provisioner only when local_path_provisioner_namespace is not kube-system and also reorganized the templates --- .../local_path_provisioner/tasks/main.yml | 20 +++- ...cal-path-storage-clusterrolebinding.yml.j2 | 14 +++ .../templates/local-path-storage-cm.yml.j2 | 16 +++ .../templates/local-path-storage-cr.yml.j2 | 19 +++ .../local-path-storage-deployment.yml.j2 | 41 +++++++ .../templates/local-path-storage-ns.yml.j2 | 5 + .../local-path-storage-psp-cr.yml.j2 | 15 +++ .../local-path-storage-psp-rb.yml.j2 | 14 +++ .../templates/local-path-storage-psp.yml.j2 | 44 +++++++ .../templates/local-path-storage-sa.yml.j2 | 6 + .../templates/local-path-storage-sc.yml.j2 | 10 ++ .../templates/local-path-storage.yaml.j2 | 111 ------------------ 12 files changed, 202 insertions(+), 113 deletions(-) create mode 100644 roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-clusterrolebinding.yml.j2 create mode 100644 roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cm.yml.j2 create mode 100644 roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cr.yml.j2 create mode 100644 roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-deployment.yml.j2 create mode 100644 roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-ns.yml.j2 create mode 100644 roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-cr.yml.j2 create mode 100644 roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-rb.yml.j2 create mode 100644 roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp.yml.j2 create mode 100644 
roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-sa.yml.j2 create mode 100644 roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-sc.yml.j2 delete mode 100644 roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage.yaml.j2
diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/tasks/main.yml b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/tasks/main.yml
index 27d52ad7c..a723d24f8 100644
--- a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/tasks/main.yml
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/tasks/main.yml
@@ -1,5 +1,4 @@
---
-
- name: Local Path Provisioner | Create addon dir
file:
path: "{{ kube_config_dir }}/addons/local_path_provisioner"
@@ -18,7 +17,24 @@
- name: Local Path Provisioner | Render Template
set_fact:
local_path_provisioner_templates:
- - { name: local-path-storage, file: local-path-storage.yaml, type: sc }
+ - { name: local-path-storage-ns, file: local-path-storage-ns.yml, type: ns }
+ - { name: local-path-storage-sa, file: local-path-storage-sa.yml, type: sa }
+ - { name: local-path-storage-cr, file: local-path-storage-cr.yml, type: cr }
+ - { name: local-path-storage-clusterrolebinding, file: local-path-storage-clusterrolebinding.yml, type: clusterrolebinding }
+ - { name: local-path-storage-cm, file: local-path-storage-cm.yml, type: cm }
+ - { name: local-path-storage-deployment, file: local-path-storage-deployment.yml, type: deployment }
+ - { name: local-path-storage-sc, file: local-path-storage-sc.yml, type: sc }
+ local_path_provisioner_templates_for_psp_not_system_ns:
+ - { name: local-path-storage-psp, file: local-path-storage-psp.yml, type: psp }
+ - { name: local-path-storage-psp-role, file: local-path-storage-psp-cr.yml, type: clusterrole }
+ - { name: local-path-storage-psp-rb, file: local-path-storage-psp-rb.yml, type: rolebinding }
+
+- name: Local Path Provisioner | Insert extra templates to Local Path Provisioner templates list for PodSecurityPolicy
+ set_fact:
+ local_path_provisioner_templates: "{{ local_path_provisioner_templates[:3] + local_path_provisioner_templates_for_psp_not_system_ns + local_path_provisioner_templates[3:] }}"
+ when:
+ - podsecuritypolicy_enabled
+ - local_path_provisioner_namespace != "kube-system"
- name: Local Path Provisioner | Create manifests
template:
diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-clusterrolebinding.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-clusterrolebinding.yml.j2
new file mode 100644
index 000000000..a18727437
--- /dev/null
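Review bot: The `[:3]` slice in the "Insert extra templates" task hard-codes where the PSP objects land, so any reorder or addition in the list above it silently changes whether they are applied before the Deployment; a comment stating the intent would help, e.g. `# index 3 = right after the ClusterRole, so the PSP and its bindings exist before the Deployment's pods are admitted`. Keying the insertion on a named entry rather than a numeric index would be more robust, but the index is correct for the list as written. When `local_path_provisioner_namespace` is `kube-system` no PSP is rendered at all, which presumably relies on a pre-existing PSP grant for that namespace's service accounts; stating that assumption in the task name or a comment would make it visible.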
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-clusterrolebinding.yml.j2
@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: local-path-provisioner-bind
+ namespace: {{ local_path_provisioner_namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: local-path-provisioner-role
+subjects:
+- kind: ServiceAccount
+ name: local-path-provisioner-service-account
+ namespace: {{ local_path_provisioner_namespace }}
diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cm.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cm.yml.j2
new file mode 100644
index 000000000..254ddea99
--- /dev/null
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cm.yml.j2
@@ -0,0 +1,16 @@
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: local-path-config
+ namespace: {{ local_path_provisioner_namespace }}
+data:
+ config.json: |-
+ {
+ "nodePathMap":[
+ {
+ "node":"DEFAULT_PATH_FOR_NON_LISTED_NODES",
+ "paths":["{{ local_path_provisioner_claim_root }}"]
+ }
+ ]
+ }
diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cr.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cr.yml.j2
new file mode 100644
index 000000000..4f9255381
--- /dev/null
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cr.yml.j2
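Review bot: `namespace: {{ local_path_provisioner_namespace }}` under `metadata:` of the ClusterRoleBinding has no effect on a cluster-scoped kind — the API server ignores (clears) it — so the line only suggests a scoping that does not exist; drop it. The same field appears on the ClusterRole in local-path-storage-cr.yml.j2 and on the PSP ClusterRole in local-path-storage-psp-cr.yml.j2. These new RBAC templates also use `rbac.authorization.k8s.io/v1beta1` where `rbac.authorization.k8s.io/v1` is the stable version with the same schema; new files are the natural place to move to it.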
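Review bot: `"paths":["{{ local_path_provisioner_claim_root }}"]` splices the variable into hand-written JSON, so a value containing a double quote or backslash yields an unparseable config.json that only surfaces when the provisioner starts. Rendering it with Ansible's JSON filter keeps the document valid for any value: `"paths":[{{ local_path_provisioner_claim_root | to_json }}]`. The content is carried over from the deleted single-file template, so this is hygiene rather than a regression.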
@@ -0,0 +1,19 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: local-path-provisioner-role
+ namespace: {{ local_path_provisioner_namespace }}
+rules:
+- apiGroups: [""]
+ resources: ["nodes", "persistentvolumeclaims"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+ resources: ["endpoints", "persistentvolumes", "pods"]
+ verbs: ["*"]
+- apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create", "patch"]
+- apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-deployment.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-deployment.yml.j2
new file mode 100644
index 000000000..384d13b58
--- /dev/null
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-deployment.yml.j2
@@ -0,0 +1,41 @@
+---
+apiVersion: apps/v1beta2
+kind: Deployment
+metadata:
+ name: local-path-provisioner
+ namespace: {{ local_path_provisioner_namespace }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: local-path-provisioner
+ template:
+ metadata:
+ labels:
+ app: local-path-provisioner
+ spec:
+ serviceAccountName: local-path-provisioner-service-account
+ containers:
+ - name: local-path-provisioner
+ image: {{ local_path_provisioner_image_repo }}:{{ local_path_provisioner_image_tag }}
+ imagePullPolicy: Always
+ command:
+ - local-path-provisioner
+ - start
+ - --config
+ - /etc/config/config.json
+{% if local_path_provisioner_debug|default(false) %}
+ - --debug
+{% endif %}
+ volumeMounts:
+ - name: config-volume
+ mountPath: /etc/config/
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ volumes:
+ - name: config-volume
+ configMap:
+ name: local-path-config
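Review bot: The second rule grants `verbs: ["*"]` on `endpoints`, `persistentvolumes` and `pods` cluster-wide, which lets the provisioner's service account create, patch and delete any pod in any namespace — a broader grant than the wildcard suggests at a glance. The provisioner presumably needs to create and remove its own helper pods and to manage PVs, but the verbs it actually uses are not visible here; enumerating them per resource (for example `verbs: ["get", "list", "watch", "create", "delete"]` if that is the real set) would make the grant reviewable and would limit what a compromised provisioner pod can do. The rule is carried over from the deleted single-file template, so this is a least-privilege point rather than a regression.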
diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-ns.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-ns.yml.j2
new file mode 100644
index 000000000..5f178256f
--- /dev/null
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-ns.yml.j2
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: {{ local_path_provisioner_namespace }}
\ No newline at end of file
diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-cr.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-cr.yml.j2
new file mode 100644
index 000000000..a6ef02989
--- /dev/null
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-cr.yml.j2
@@ -0,0 +1,15 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: psp:local-path-provisioner
+ namespace: {{ local_path_provisioner_namespace }}
+rules:
+ - apiGroups:
+ - policy
+ resourceNames:
+ - local-path-provisioner
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-rb.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-rb.yml.j2
new file mode 100644
index 000000000..a7e7bbcab
--- /dev/null
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-rb.yml.j2
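Review bot: The Namespace template ends without a trailing newline (`\ No newline at end of file`), and the ServiceAccount template in local-path-storage-sa.yml.j2 does the same, while every other new template ends with one. The rendered manifests are still valid YAML, but the missing newline turns the next one-line edit to either file into a two-line diff; add the final newline to both.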
@@ -0,0 +1,14 @@
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: psp:local-path-provisioner
+ namespace: {{ local_path_provisioner_namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: local-path-provisioner-service-account
+ namespace: {{ local_path_provisioner_namespace }}
+roleRef:
+ kind: ClusterRole
+ name: psp:local-path-provisioner
+ apiGroup: rbac.authorization.k8s.io
diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp.yml.j2
new file mode 100644
index 000000000..af56db6bc
--- /dev/null
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp.yml.j2
@@ -0,0 +1,44 @@
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: local-path-provisioner
+ annotations:
+ seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+{% if apparmor_enabled %}
+ apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
+ apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+{% endif %}
+ labels:
+ kubernetes.io/cluster-service: 'true'
+ addonmanager.kubernetes.io/mode: Reconcile
+spec:
+ privileged: true
+ allowPrivilegeEscalation: true
+ requiredDropCapabilities:
+ - ALL
+ volumes:
+ - 'configMap'
+ - 'emptyDir'
+ - 'secret'
+ - 'downwardAPI'
+ - 'hostPath'
+ allowedHostPaths:
+ - pathPrefix: "{{ local_path_provisioner_claim_root }}"
+ readOnly: false
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: 'RunAsAny'
+ readOnlyRootFilesystem: false
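Review bot: `privileged: true` and `allowPrivilegeEscalation: true` make the `requiredDropCapabilities: [ALL]` below them ineffective — a privileged container keeps every capability and gets host device access regardless of the drop list — so the policy reads as restrictive while in fact permitting node-root to any pod this service account creates. The Deployment in local-path-storage-deployment.yml.j2 sets no `securityContext`, so nothing on this page needs privileged mode; unless the provisioner's helper pods are known to require it, set `privileged: false` and `allowPrivilegeEscalation: false` and keep the `hostPath` volume with `allowedHostPaths` as the one deliberate relaxation. If privileged really is required, a comment above `privileged:` naming the reason would keep the next reviewer from tightening it blindly.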
diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-sa.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-sa.yml.j2
new file mode 100644
index 000000000..d126a5b34
--- /dev/null
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-sa.yml.j2
@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: local-path-provisioner-service-account
+ namespace: {{ local_path_provisioner_namespace }}
\ No newline at end of file
diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-sc.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-sc.yml.j2
new file mode 100644
index 000000000..2bedd0534
--- /dev/null
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-sc.yml.j2
@@ -0,0 +1,10 @@
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: {{ local_path_provisioner_storage_class }}
+ annotations:
+ storageclass.kubernetes.io/is-default-class: {{ local_path_provisioner_is_default_storageclass }}
+provisioner: rancher.io/local-path
+volumeBindingMode: WaitForFirstConsumer
+reclaimPolicy: {{ local_path_provisioner_reclaim_policy }}
diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage.yaml.j2 b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage.yaml.j2
deleted file mode 100644
index 7ea18ab14..000000000
--- a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage.yaml.j2
+++ /dev/null
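Review bot: `storageclass.kubernetes.io/is-default-class: {{ local_path_provisioner_is_default_storageclass }}` renders the variable unquoted, and annotation values must be strings: if the variable is a YAML boolean, Jinja emits `True`, the YAML loader turns it back into a boolean and the API server rejects the object, and even as a string `True` does not match the lowercase `"true"` Kubernetes compares against. Quote and lowercase it: `storageclass.kubernetes.io/is-default-class: "{{ local_path_provisioner_is_default_storageclass | lower }}"`. The variable's default is not visible here, so this is worth checking against the role's defaults.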
@@ -1,111 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: {{ local_path_provisioner_namespace }}
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: local-path-provisioner-service-account
- namespace: {{ local_path_provisioner_namespace }}
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRole
-metadata:
- name: local-path-provisioner-role
- namespace: {{ local_path_provisioner_namespace }}
-rules:
-- apiGroups: [""]
- resources: ["nodes", "persistentvolumeclaims"]
- verbs: ["get", "list", "watch"]
-- apiGroups: [""]
- resources: ["endpoints", "persistentvolumes", "pods"]
- verbs: ["*"]
-- apiGroups: [""]
- resources: ["events"]
- verbs: ["create", "patch"]
-- apiGroups: ["storage.k8s.io"]
- resources: ["storageclasses"]
- verbs: ["get", "list", "watch"]
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
- name: local-path-provisioner-bind
- namespace: {{ local_path_provisioner_namespace }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: local-path-provisioner-role
-subjects:
-- kind: ServiceAccount
- name: local-path-provisioner-service-account
- namespace: {{ local_path_provisioner_namespace }}
----
-apiVersion: apps/v1beta2
-kind: Deployment
-metadata:
- name: local-path-provisioner
- namespace: {{ local_path_provisioner_namespace }}
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: local-path-provisioner
- template:
- metadata:
- labels:
- app: local-path-provisioner
- spec:
- serviceAccountName: local-path-provisioner-service-account
- containers:
- - name: local-path-provisioner
- image: {{ local_path_provisioner_image_repo }}:{{ local_path_provisioner_image_tag }}
- imagePullPolicy: Always
- command:
- - local-path-provisioner
- - start
- - --config
- - /etc/config/config.json
-{% if local_path_provisioner_debug|default(false) %}
- - --debug
-{% endif %}
- volumeMounts:
- - name: config-volume
- mountPath: /etc/config/
- env:
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- volumes:
- - name: config-volume
- configMap:
- name: local-path-config
----
-apiVersion: storage.k8s.io/v1
-kind: StorageClass
-metadata:
- name: {{ local_path_provisioner_storage_class }}
- annotations:
- storageclass.kubernetes.io/is-default-class: {{ local_path_provisioner_is_default_storageclass }}
-provisioner: rancher.io/local-path
-volumeBindingMode: WaitForFirstConsumer
-reclaimPolicy: {{ local_path_provisioner_reclaim_policy }}
----
-kind: ConfigMap
-apiVersion: v1
-metadata:
- name: local-path-config
- namespace: {{ local_path_provisioner_namespace }}
-data:
- config.json: |-
- {
- "nodePathMap":[
- {
- "node":"DEFAULT_PATH_FOR_NON_LISTED_NODES",
- "paths":["{{ local_path_provisioner_claim_root }}"]
- }
- ]
- }
-