Merge branch 'pod-security-policies' into merged-head

This commit is contained in:
Raj Perera 2017-06-28 11:33:53 -04:00
commit be92a3ade6
5 changed files with 75 additions and 0 deletions


@ -44,6 +44,8 @@ kube_apiserver_admission_control:
- DefaultStorageClass - DefaultStorageClass
- ResourceQuota - ResourceQuota
psp_enabled: '{{ "PodSecurityPolicy" in kube_apiserver_admission_control }}'
## Enable/Disable Kube API Server Authentication Methods ## Enable/Disable Kube API Server Authentication Methods
kube_basic_auth: true kube_basic_auth: true
kube_token_auth: true kube_token_auth: true
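Review bot: The new `psp_enabled` line is undocumented while the neighbouring settings carry `##` header comments, and it is the only switch that decides whether the kubelet-psp policy and its RBAC objects are laid down. Suggest a comment above it: `## Derived: true when PodSecurityPolicy is listed in kube_apiserver_admission_control above; the kubelet-psp policy and RBAC are only deployed when this is true.` It is worth adding in the same comment that once the admission plugin is enabled every pod must match a policy its creator is allowed to use, so operators who add the plugin also need policies for their own workloads. The Jinja expression renders to a string on older Ansible releases; if consumers rely on it as a boolean in `when:` clauses, confirm the templar coerces it, or apply `| bool` at the point of use.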


@ -60,6 +60,31 @@
when: kubesystem|failed and inventory_hostname == groups['kube-master'][0] when: kubesystem|failed and inventory_hostname == groups['kube-master'][0]
tags: apps tags: apps
- name: Lay Down kubelet PSP Resources (RBAC)
template:
src: "{{item.file}}"
dest: "{{kube_config_dir}}/{{item.file}}"
with_items:
- {name: kubelet-psp, file: kubelet-psp.yaml, type: psp}
- {name: kubelet-psp, file: kubelet-psp-clusterrole.yaml, type: clusterrole}
- {name: kubelet-psp, file: kubelet-psp-clusterrolebinding.yaml, type: clusterrolebinding}
register: manifests
when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0] and rbac_enabled and psp_enabled
tags: apps
- name: Apply kubelet PSP Resources (RBAC)
kube:
name: "{{item.item.name}}"
namespace: "{{ system_namespace }}"
kubectl: "{{bin_dir}}/kubectl"
resource: "{{item.item.type}}"
filename: "{{kube_config_dir}}/{{item.item.file}}"
state: "{{item.changed | ternary('latest','present') }}"
with_items: "{{ manifests.results }}"
failed_when: manifests|failed and "Error from server (AlreadyExists)" not in manifests.msg
when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0] and rbac_enabled and psp_enabled
tags: apps
- name: Write kube-scheduler kubeconfig - name: Write kube-scheduler kubeconfig
template: template:
src: kube-scheduler-kubeconfig.yaml.j2 src: kube-scheduler-kubeconfig.yaml.j2
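Review bot: The `failed_when` on the "Apply kubelet PSP Resources" task tests `manifests`, the result registered by the preceding template task, rather than the `kube` task's own result, so any apply error other than `AlreadyExists` is never reported and the play continues with the policy missing. Register the apply result and test that instead: `register: psp_apply` and `failed_when: psp_apply|failed and "Error from server (AlreadyExists)" not in psp_apply.msg`. The `dns_mode != 'none'` guard on both new tasks has no obvious relation to PodSecurityPolicy and looks carried over from the DNS tasks nearby; if the intent is to gate on `rbac_enabled and psp_enabled` alone, drop it, otherwise a comment explaining the coupling would help. The enclosing task list continues outside the hunk.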


@ -0,0 +1,13 @@
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: kubelet-psp
rules:
- apiGroups:
- extensions
resources:
- podsecuritypolicies
resourceNames:
- kubelet-psp
verbs:
- use


@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: kubelet-psp
subjects:
- kind: Group
apiGroup: rbac.authorization.k8s.io
name: system:nodes
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kubelet-psp
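Review bot: The binding grants `use` of the fully-permissive `kubelet-psp` policy to the whole `system:nodes` group, and nothing in the file records why. PodSecurityPolicy admission validates a pod against the policies usable by the user creating it or by the pod's service account, so this binding only covers pods the kubelet itself creates (static/mirror pods); add-ons launched through controllers are not covered by it and will need policies of their own once `psp_enabled` is true — worth confirming that the rest of the branch provides them. Suggest a comment above `subjects:`: `# Lets every kubelet (system:nodes) use kubelet-psp for the static/mirror pods it creates; workload pods need their own, narrower policies.`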


@ -0,0 +1,23 @@
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
name: kubelet-psp
spec:
hostNetwork: true
privileged: true
hostPID: true
hostIPC: true
hostPorts:
- min: 1
max: 65534
fsGroup:
rule: RunAsAny
privileged: true
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- '*'
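Review bot: `privileged: true` appears twice in `spec` (after `hostIPC` and again after `fsGroup`); the rendered page has lost indentation, but if both sit at spec level this is a duplicate mapping key that most YAML parsers resolve silently last-wins and yamllint rejects — drop the second occurrence. The policy permits everything (privileged, host network/PID/IPC, all host ports, `'*'` volumes, `RunAsAny` throughout), which is expected for a policy scoped to kubelet-created static pods but the file says nothing about that intent; a header comment such as `# Fully permissive policy for pods the kubelet itself creates (static/mirror pods); do not bind this to workload service accounts.` would keep it from being copied as a template for workloads. `hostPorts` stops at `max: 65534` although 65535 is a valid port; if that is deliberate, say so in a comment, otherwise use `max: 65535`.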