C12s/c12s-kubespray
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Added pod psp in Rancher Local Path Provisioner (#4385)

Browse source 
* Added pod psp in Rancher Local Path Provisioner

Added pod security policy (psp) in Rancher Local Path Provisioner.

Signed-off-by: André R. de Miranda <andre@miranda.work>

* Apply psp for Rancher Local Path Provisioner only when local_path_provisioner_namespace is not kube-system and also reorganized the templates
This commit is contained in:
André R. de Miranda 2019-05-22 04:16:08 -03:00 committed by Kubernetes Prow Robot
parent a3fff1e438
commit 0ef3a7914c
12 changed files with 202 additions and 113 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
roles/kubernetes-apps/external_provisioner/local_path_provisioner/tasks/main.yml
View file

@ -1,5 +1,4 @@
--- ---
- name: Local Path Provisioner | Create addon dir - name: Local Path Provisioner | Create addon dir
file: file:
path: "{{ kube_config_dir }}/addons/local_path_provisioner" path: "{{ kube_config_dir }}/addons/local_path_provisioner"
@ -18,7 +17,24 @@
- name: Local Path Provisioner | Render Template - name: Local Path Provisioner | Render Template
set_fact: set_fact:
local_path_provisioner_templates: local_path_provisioner_templates:
- { name: local-path-storage, file: local-path-storage.yaml, type: sc } - { name: local-path-storage-ns, file: local-path-storage-ns.yml, type: ns }
- { name: local-path-storage-sa, file: local-path-storage-sa.yml, type: sa }
- { name: local-path-storage-cr, file: local-path-storage-cr.yml, type: cr }
- { name: local-path-storage-clusterrolebinding, file: local-path-storage-clusterrolebinding.yml, type: clusterrolebinding }
- { name: local-path-storage-cm, file: local-path-storage-cm.yml, type: cm }
- { name: local-path-storage-deployment, file: local-path-storage-deployment.yml, type: deployment }
- { name: local-path-storage-sc, file: local-path-storage-sc.yml, type: sc }
local_path_provisioner_templates_for_psp_not_system_ns:
- { name: local-path-storage-psp, file: local-path-storage-psp.yml, type: psp }
- { name: local-path-storage-psp-role, file: local-path-storage-psp-cr.yml, type: clusterrole }
- { name: local-path-storage-psp-rb, file: local-path-storage-psp-rb.yml, type: rolebinding }
- name: Local Path Provisioner | Insert extra templates to Local Path Provisioner templates list for PodSecurityPolicy
set_fact:
local_path_provisioner_templates: "{{ local_path_provisioner_templates[:3] + local_path_provisioner_templates_for_psp_not_system_ns + local_path_provisioner_templates[3:] }}"
when:
- podsecuritypolicy_enabled
- local_path_provisioner_namespace != "kube-system"
- name: Local Path Provisioner | Create manifests - name: Local Path Provisioner | Create manifests
template: template:

14
roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-clusterrolebinding.yml.j2 Normal file
View file

@ -0,0 +1,14 @@
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: local-path-provisioner-bind
namespace: {{ local_path_provisioner_namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: local-path-provisioner-role
subjects:
- kind: ServiceAccount
name: local-path-provisioner-service-account
namespace: {{ local_path_provisioner_namespace }}

16
roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cm.yml.j2 Normal file
View file

@ -0,0 +1,16 @@
---
kind: ConfigMap
apiVersion: v1
metadata:
name: local-path-config
namespace: {{ local_path_provisioner_namespace }}
data:
config.json: |-
{
"nodePathMap":[
{
"node":"DEFAULT_PATH_FOR_NON_LISTED_NODES",
"paths":["{{ local_path_provisioner_claim_root }}"]
}
]
}

19
roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cr.yml.j2 Normal file
View file

@ -0,0 +1,19 @@
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: local-path-provisioner-role
namespace: {{ local_path_provisioner_namespace }}
rules:
- apiGroups: [""]
resources: ["nodes", "persistentvolumeclaims"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["endpoints", "persistentvolumes", "pods"]
verbs: ["*"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "list", "watch"]

41
roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-deployment.yml.j2 Normal file
View file

@ -0,0 +1,41 @@
---
apiVersion: apps/v1beta2
kind: Deployment
metadata:
name: local-path-provisioner
namespace: {{ local_path_provisioner_namespace }}
spec:
replicas: 1
selector:
matchLabels:
app: local-path-provisioner
template:
metadata:
labels:
app: local-path-provisioner
spec:
serviceAccountName: local-path-provisioner-service-account
containers:
- name: local-path-provisioner
image: {{ local_path_provisioner_image_repo }}:{{ local_path_provisioner_image_tag }}
imagePullPolicy: Always
command:
- local-path-provisioner
- start
- --config
- /etc/config/config.json
{% if local_path_provisioner_debug|default(false) %}
- --debug
{% endif %}
volumeMounts:
- name: config-volume
mountPath: /etc/config/
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
volumes:
- name: config-volume
configMap:
name: local-path-config

5
roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-ns.yml.j2 Normal file
View file

@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: {{ local_path_provisioner_namespace }}

15
roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-cr.yml.j2 Normal file
View file

@ -0,0 +1,15 @@
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: psp:local-path-provisioner
namespace: {{ local_path_provisioner_namespace }}
rules:
- apiGroups:
- policy
resourceNames:
- local-path-provisioner
resources:
- podsecuritypolicies
verbs:
- use

14
roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-rb.yml.j2 Normal file
View file

@ -0,0 +1,14 @@
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: psp:local-path-provisioner
namespace: {{ local_path_provisioner_namespace }}
subjects:
- kind: ServiceAccount
name: local-path-provisioner-service-account
namespace: {{ local_path_provisioner_namespace }}
roleRef:
kind: ClusterRole
name: psp:local-path-provisioner
apiGroup: rbac.authorization.k8s.io

44
roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp.yml.j2 Normal file
View file

@ -0,0 +1,44 @@
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: local-path-provisioner
annotations:
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
{% if apparmor_enabled %}
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
{% endif %}
labels:
kubernetes.io/cluster-service: 'true'
addonmanager.kubernetes.io/mode: Reconcile
spec:
privileged: true
allowPrivilegeEscalation: true
requiredDropCapabilities:
- ALL
volumes:
- 'configMap'
- 'emptyDir'
- 'secret'
- 'downwardAPI'
- 'hostPath'
allowedHostPaths:
- pathPrefix: "{{ local_path_provisioner_claim_root }}"
readOnly: false
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'RunAsAny'
readOnlyRootFilesystem: false

6
roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-sa.yml.j2 Normal file
View file

@ -0,0 +1,6 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: local-path-provisioner-service-account
namespace: {{ local_path_provisioner_namespace }}

10
roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-sc.yml.j2 Normal file
View file

@ -0,0 +1,10 @@
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: {{ local_path_provisioner_storage_class }}
annotations:
storageclass.kubernetes.io/is-default-class: {{ local_path_provisioner_is_default_storageclass }}
provisioner: rancher.io/local-path
volumeBindingMode: WaitForFirstConsumer
reclaimPolicy: {{ local_path_provisioner_reclaim_policy }}

111
roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage.yaml.j2
View file

@ -1,111 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: {{ local_path_provisioner_namespace }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: local-path-provisioner-service-account
namespace: {{ local_path_provisioner_namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: local-path-provisioner-role
namespace: {{ local_path_provisioner_namespace }}
rules:
- apiGroups: [""]
resources: ["nodes", "persistentvolumeclaims"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["endpoints", "persistentvolumes", "pods"]
verbs: ["*"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: local-path-provisioner-bind
namespace: {{ local_path_provisioner_namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: local-path-provisioner-role
subjects:
- kind: ServiceAccount
name: local-path-provisioner-service-account
namespace: {{ local_path_provisioner_namespace }}
---
apiVersion: apps/v1beta2
kind: Deployment
metadata:
name: local-path-provisioner
namespace: {{ local_path_provisioner_namespace }}
spec:
replicas: 1
selector:
matchLabels:
app: local-path-provisioner
template:
metadata:
labels:
app: local-path-provisioner
spec:
serviceAccountName: local-path-provisioner-service-account
containers:
- name: local-path-provisioner
image: {{ local_path_provisioner_image_repo }}:{{ local_path_provisioner_image_tag }}
imagePullPolicy: Always
command:
- local-path-provisioner
- start
- --config
- /etc/config/config.json
{% if local_path_provisioner_debug|default(false) %}
- --debug
{% endif %}
volumeMounts:
- name: config-volume
mountPath: /etc/config/
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
volumes:
- name: config-volume
configMap:
name: local-path-config
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: {{ local_path_provisioner_storage_class }}
annotations:
storageclass.kubernetes.io/is-default-class: {{ local_path_provisioner_is_default_storageclass }}
provisioner: rancher.io/local-path
volumeBindingMode: WaitForFirstConsumer
reclaimPolicy: {{ local_path_provisioner_reclaim_policy }}
---
kind: ConfigMap
apiVersion: v1
metadata:
name: local-path-config
namespace: {{ local_path_provisioner_namespace }}
data:
config.json: |-
{
"nodePathMap":[
{
"node":"DEFAULT_PATH_FOR_NON_LISTED_NODES",
"paths":["{{ local_path_provisioner_claim_root }}"]
}
]
}