diff --git a/roles/kubernetes/master/defaults/main.yml b/roles/kubernetes/master/defaults/main.yml index 7cfe9cc9a..60871fb8f 100644 --- a/roles/kubernetes/master/defaults/main.yml +++ b/roles/kubernetes/master/defaults/main.yml @@ -44,6 +44,8 @@ kube_apiserver_admission_control: - DefaultStorageClass - ResourceQuota +psp_enabled: '{{ "PodSecurityPolicy" in kube_apiserver_admission_control }}' + ## Enable/Disable Kube API Server Authentication Methods kube_basic_auth: true kube_token_auth: true diff --git a/roles/kubernetes/master/tasks/main.yml b/roles/kubernetes/master/tasks/main.yml index 6922e6a51..ff319aa4b 100644 --- a/roles/kubernetes/master/tasks/main.yml +++ b/roles/kubernetes/master/tasks/main.yml @@ -60,6 +60,31 @@ when: kubesystem|failed and inventory_hostname == groups['kube-master'][0] tags: apps +- name: Lay Down kubelet PSP Resources (RBAC) + template: + src: "{{item.file}}" + dest: "{{kube_config_dir}}/{{item.file}}" + with_items: + - {name: kubelet-psp, file: kubelet-psp.yaml, type: psp} + - {name: kubelet-psp, file: kubelet-psp-clusterrole.yaml, type: clusterrole} + - {name: kubelet-psp, file: kubelet-psp-clusterrolebinding.yaml, type: clusterrolebinding} + register: manifests + when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0] and rbac_enabled and psp_enabled + tags: apps + +- name: Apply kubelet PSP Resources (RBAC) + kube: + name: "{{item.item.name}}" + namespace: "{{ system_namespace }}" + kubectl: "{{bin_dir}}/kubectl" + resource: "{{item.item.type}}" + filename: "{{kube_config_dir}}/{{item.item.file}}" + state: "{{item.changed | ternary('latest','present') }}" + with_items: "{{ manifests.results }}" + failed_when: manifests|failed and "Error from server (AlreadyExists)" not in manifests.msg + when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0] and rbac_enabled and psp_enabled + tags: apps + - name: Write kube-scheduler kubeconfig template: src: kube-scheduler-kubeconfig.yaml.j2 
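Review bot: `psp_enabled` is a derived value with no comment saying so, which invites someone to set it to true in group_vars without also listing `PodSecurityPolicy` in `kube_apiserver_admission_control` — the RBAC objects would then be laid down while the admission plugin enforces nothing, and the reverse mistake leaves kubelets without a usable policy. A one-line comment above it would close that gap: `# Derived from the admission-control list above; add/remove PodSecurityPolicy there rather than overriding this flag`. The admission-control list itself starts above the hunk.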
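Review bot: The `when:` on both new tasks gates the kubelet PSP objects on `dns_mode != 'none'`, which looks carried over from the neighbouring DNS tasks and has no bearing on whether kubelets need a policy; with dns_mode set to none and the PodSecurityPolicy plugin enabled, nothing would be created for `system:nodes` and the pods the kubelet itself submits on the masters would be refused by admission. I would drop that term, leaving `when: inventory_hostname == groups['kube-master'][0] and rbac_enabled and psp_enabled` on both tasks. Separately, `failed_when` on the apply task tests `manifests`, the register from the template task, rather than the result of the `kube` call itself, so as far as I can tell an error applying the PSP, ClusterRole or ClusterRoleBinding would never fail the play; register the apply task's own result (e.g. `register: psp_apply`) and test that variable in `failed_when`. `namespace: "{{ system_namespace }}"` is also passed for three cluster-scoped kinds — harmless if the kube module ignores it, but a short comment saying so would save the next reader a detour. The surrounding task list continues before and after the hunk.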
diff --git a/roles/kubernetes/master/templates/kubelet-psp-clusterrole.yaml b/roles/kubernetes/master/templates/kubelet-psp-clusterrole.yaml
new file mode 100644
index 000000000..ad3522b53
--- /dev/null
+++ b/roles/kubernetes/master/templates/kubelet-psp-clusterrole.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: kubelet-psp
+rules:
+- apiGroups:
+ - extensions
+ resources:
+ - podsecuritypolicies
+ resourceNames:
+ - kubelet-psp
+ verbs:
+ - use
diff --git a/roles/kubernetes/master/templates/kubelet-psp-clusterrolebinding.yaml b/roles/kubernetes/master/templates/kubelet-psp-clusterrolebinding.yaml
new file mode 100644
index 000000000..7aab567a5
--- /dev/null
+++ b/roles/kubernetes/master/templates/kubelet-psp-clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: kubelet-psp
+subjects:
+- kind: Group
+ apiGroup: rbac.authorization.k8s.io
+ name: system:nodes
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kubelet-psp
diff --git a/roles/kubernetes/master/templates/kubelet-psp.yaml b/roles/kubernetes/master/templates/kubelet-psp.yaml
new file mode 100644
index 000000000..006452b3e
--- /dev/null
+++ b/roles/kubernetes/master/templates/kubelet-psp.yaml
@@ -0,0 +1,23 @@
+apiVersion: extensions/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: kubelet-psp
+spec:
+ hostNetwork: true
+ privileged: true
+ hostPID: true
+ hostIPC: true
+ hostPorts:
+ - min: 1
+ max: 65534
+ fsGroup:
+ rule: RunAsAny
+ privileged: true
+ runAsUser:
+ rule: RunAsAny
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ volumes:
+ - '*'
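Review bot: The binding hands the `kubelet-psp` ClusterRole to the entire `system:nodes` group, i.e. every node credential in the cluster, and none of the three templates says why; since the policy it unlocks is the maximal one (host network/PID/IPC, privileged, `volumes: ['*']`), the intent should be stated rather than guessed. Presumably it exists so the pods the kubelet itself creates on the masters pass PodSecurityPolicy admission — worth confirming and recording in a header comment on this file, for example `# Lets any node identity (system:nodes) use the kubelet-psp policy so kubelet-originated pods pass PSP admission; workload service accounts are not affected by this binding`. A reader should also be told that widening `subjects` here (e.g. to a user group) would extend the fully permissive policy to those principals.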
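Review bot: `privileged: true` appears twice in the new PodSecurityPolicy spec, once after `hostNetwork` and again right after `fsGroup`'s `rule`; if both sit at spec level it is a duplicate mapping key, which yamllint rejects and most parsers resolve silently last-wins, and if the second is nested under `fsGroup` it is an unknown field that the API server drops or rejects depending on its field validation. Either way the second `privileged: true` line should be removed; indentation is collapsed in this view so I cannot tell which case it is. The rest of the spec is deliberately the most permissive set a PSP can express, and a comment at the top of the file saying so (and that it is meant only for the `system:nodes` binding) would stop it being copied as a template for workload policies.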