From 0ef3a7914c9f7758c0ccad2fadfe99d4e0b342e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20R=2E=20de=20Miranda?= <andre@miranda.work>
Date: Wed, 22 May 2019 04:16:08 -0300
Subject: [PATCH] Added pod psp in Rancher Local Path Provisioner (#4385)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Added pod psp in Rancher Local Path Provisioner

Added pod security policy (psp) in Rancher Local Path Provisioner.

Signed-off-by: André R. de Miranda <andre@miranda.work>

* Apply psp for Rancher Local Path Provisioner only when local_path_provisioner_namespace is not kube-system, and reorganize the templates
---
 .../local_path_provisioner/tasks/main.yml     |  20 +++-
 ...cal-path-storage-clusterrolebinding.yml.j2 |  14 +++
 .../templates/local-path-storage-cm.yml.j2    |  16 +++
 .../templates/local-path-storage-cr.yml.j2    |  19 +++
 .../local-path-storage-deployment.yml.j2      |  41 +++++++
 .../templates/local-path-storage-ns.yml.j2    |   5 +
 .../local-path-storage-psp-cr.yml.j2          |  15 +++
 .../local-path-storage-psp-rb.yml.j2          |  14 +++
 .../templates/local-path-storage-psp.yml.j2   |  44 +++++++
 .../templates/local-path-storage-sa.yml.j2    |   6 +
 .../templates/local-path-storage-sc.yml.j2    |  10 ++
 .../templates/local-path-storage.yaml.j2      | 111 ------------------
 12 files changed, 202 insertions(+), 113 deletions(-)
 create mode 100644 roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-clusterrolebinding.yml.j2
 create mode 100644 roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cm.yml.j2
 create mode 100644 roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cr.yml.j2
 create mode 100644 roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-deployment.yml.j2
 create mode 100644 roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-ns.yml.j2
 create mode 100644 roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-cr.yml.j2
 create mode 100644 roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-rb.yml.j2
 create mode 100644 roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp.yml.j2
 create mode 100644 roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-sa.yml.j2
 create mode 100644 roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-sc.yml.j2
 delete mode 100644 roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage.yaml.j2

diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/tasks/main.yml b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/tasks/main.yml
index 27d52ad7c..a723d24f8 100644
--- a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/tasks/main.yml
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/tasks/main.yml
@@ -1,5 +1,4 @@
 ---
-
 - name: Local Path Provisioner | Create addon dir
   file:
     path: "{{ kube_config_dir }}/addons/local_path_provisioner"
@@ -18,7 +17,24 @@
 - name: Local Path Provisioner | Render Template
   set_fact:
     local_path_provisioner_templates:
-      - { name: local-path-storage, file: local-path-storage.yaml, type: sc }
+      - { name: local-path-storage-ns, file: local-path-storage-ns.yml, type: ns }
+      - { name: local-path-storage-sa, file: local-path-storage-sa.yml, type: sa }
+      - { name: local-path-storage-cr, file: local-path-storage-cr.yml, type: cr }
+      - { name: local-path-storage-clusterrolebinding, file: local-path-storage-clusterrolebinding.yml, type: clusterrolebinding }
+      - { name: local-path-storage-cm, file: local-path-storage-cm.yml, type: cm }
+      - { name: local-path-storage-deployment, file: local-path-storage-deployment.yml, type: deployment }
+      - { name: local-path-storage-sc, file: local-path-storage-sc.yml, type: sc }
+    local_path_provisioner_templates_for_psp_not_system_ns:
+      - { name: local-path-storage-psp, file: local-path-storage-psp.yml, type: psp }
+      - { name: local-path-storage-psp-role, file: local-path-storage-psp-cr.yml, type: clusterrole }
+      - { name: local-path-storage-psp-rb, file: local-path-storage-psp-rb.yml, type: rolebinding }
+
+- name: Local Path Provisioner | Insert extra templates to Local Path Provisioner templates list for PodSecurityPolicy
+  set_fact:
+    local_path_provisioner_templates: "{{ local_path_provisioner_templates[:3] + local_path_provisioner_templates_for_psp_not_system_ns + local_path_provisioner_templates[3:] }}"
+  when:
+    - podsecuritypolicy_enabled
+    - local_path_provisioner_namespace != "kube-system"
 
 - name: Local Path Provisioner | Create manifests
   template:
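Review bot: The splice `local_path_provisioner_templates[:3] + ... + local_path_provisioner_templates[3:]` depends on a hard-coded position in the list defined just above, so reordering that list (or adding an entry before the ClusterRole) would silently move the PSP objects after the Deployment, and the provisioner pod would then be rejected by PSP admission until the RoleBinding exists. Since the ordering matters, document it where the magic number lives, e.g. above the second set_fact: `# Insert PSP, its ClusterRole and RoleBinding right after the provisioner ClusterRole (index 3) so they are applied before the Deployment`. An alternative that avoids the index entirely is to keep a single ordered list and filter it with a `when` on `item.type`, but that touches the "Create manifests" task, whose body continues outside this hunk.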
diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-clusterrolebinding.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-clusterrolebinding.yml.j2
new file mode 100644
index 000000000..a18727437
--- /dev/null
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-clusterrolebinding.yml.j2
@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: local-path-provisioner-bind
+  namespace: {{ local_path_provisioner_namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: local-path-provisioner-role
+subjects:
+- kind: ServiceAccount
+  name: local-path-provisioner-service-account
+  namespace: {{ local_path_provisioner_namespace }}
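Review bot: `metadata.namespace` is set on a ClusterRoleBinding, which is a cluster-scoped resource; the API server clears or ignores the field, so it has no effect and misleads readers into thinking the binding is namespaced. The same applies to the ClusterRole in local-path-storage-cr.yml.j2 and the psp ClusterRole in local-path-storage-psp-cr.yml.j2. Drop the `namespace:` line under `metadata` in all three; the `subjects[].namespace` entry on this binding is the one that matters and should stay.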
diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cm.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cm.yml.j2
new file mode 100644
index 000000000..254ddea99
--- /dev/null
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cm.yml.j2
@@ -0,0 +1,16 @@
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: local-path-config
+  namespace: {{ local_path_provisioner_namespace }}
+data:
+  config.json: |-
+        {
+                "nodePathMap":[
+                {
+                        "node":"DEFAULT_PATH_FOR_NON_LISTED_NODES",
+                        "paths":["{{ local_path_provisioner_claim_root }}"]
+                }
+                ]
+        }
diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cr.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cr.yml.j2
new file mode 100644
index 000000000..4f9255381
--- /dev/null
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cr.yml.j2
@@ -0,0 +1,19 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: local-path-provisioner-role
+  namespace: {{ local_path_provisioner_namespace }}
+rules:
+- apiGroups: [""]
+  resources: ["nodes", "persistentvolumeclaims"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+  resources: ["endpoints", "persistentvolumes", "pods"]
+  verbs: ["*"]
+- apiGroups: [""]
+  resources: ["events"]
+  verbs: ["create", "patch"]
+- apiGroups: ["storage.k8s.io"]
+  resources: ["storageclasses"]
+  verbs: ["get", "list", "watch"]
diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-deployment.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-deployment.yml.j2
new file mode 100644
index 000000000..384d13b58
--- /dev/null
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-deployment.yml.j2
@@ -0,0 +1,41 @@
+---
+apiVersion: apps/v1beta2
+kind: Deployment
+metadata:
+  name: local-path-provisioner
+  namespace: {{ local_path_provisioner_namespace }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: local-path-provisioner
+  template:
+    metadata:
+      labels:
+        app: local-path-provisioner
+    spec:
+      serviceAccountName: local-path-provisioner-service-account
+      containers:
+      - name: local-path-provisioner
+        image: {{ local_path_provisioner_image_repo }}:{{ local_path_provisioner_image_tag }}
+        imagePullPolicy: Always
+        command:
+        - local-path-provisioner
+        - start
+        - --config
+        - /etc/config/config.json
+{% if local_path_provisioner_debug|default(false) %}
+        - --debug
+{% endif %}
+        volumeMounts:
+        - name: config-volume
+          mountPath: /etc/config/
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+      volumes:
+        - name: config-volume
+          configMap:
+            name: local-path-config
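Review bot: `apiVersion: apps/v1beta2` has been deprecated in favour of `apps/v1` since Kubernetes 1.9 and is removed in later releases; the manifest is already in the `apps/v1` shape (selector and template present), so the one-line change `apiVersion: apps/v1` is enough. Separately, the container sets no `securityContext` and no resource requests/limits, while the accompanying PSP allows `privileged: true`; if the provisioner does not actually need privileges, an explicit `securityContext` with `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` here would document and enforce that, but confirm against the image first.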
diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-ns.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-ns.yml.j2
new file mode 100644
index 000000000..5f178256f
--- /dev/null
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-ns.yml.j2
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ local_path_provisioner_namespace }}
\ No newline at end of file
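Review bot: This template is missing a trailing newline (the `\ No newline at end of file` marker), as is local-path-storage-sa.yml.j2; yamllint's `new-line-at-end-of-file` rule flags both and it produces noisy diffs on the next edit. Add a final newline to each file so they match the other new templates in this commit, which all end with one.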
diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-cr.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-cr.yml.j2
new file mode 100644
index 000000000..a6ef02989
--- /dev/null
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-cr.yml.j2
@@ -0,0 +1,15 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: psp:local-path-provisioner
+  namespace: {{ local_path_provisioner_namespace }}
+rules:
+  - apiGroups:
+    - policy
+    resourceNames:
+    - local-path-provisioner
+    resources:
+    - podsecuritypolicies
+    verbs:
+    - use
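Review bot: Sequence indentation is inconsistent across the new templates: here and in local-path-storage-psp-rb.yml.j2 the list under `rules:`/`subjects:` is indented by two spaces, while local-path-storage-cr.yml.j2 and local-path-storage-clusterrolebinding.yml.j2 use flush `- ` items under their keys. Both parse identically, but yamllint's `indentation.indent-sequences` rule and readers expect one style per role; pick one (the flush style already used by the existing cr/clusterrolebinding templates is the smaller change) and apply it to the four new RBAC files.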
diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-rb.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-rb.yml.j2
new file mode 100644
index 000000000..a7e7bbcab
--- /dev/null
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-rb.yml.j2
@@ -0,0 +1,14 @@
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: psp:local-path-provisioner
+  namespace: {{ local_path_provisioner_namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: local-path-provisioner-service-account
+    namespace: {{ local_path_provisioner_namespace }}
+roleRef:
+  kind: ClusterRole
+  name: psp:local-path-provisioner
+  apiGroup: rbac.authorization.k8s.io
diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp.yml.j2
new file mode 100644
index 000000000..af56db6bc
--- /dev/null
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp.yml.j2
@@ -0,0 +1,44 @@
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: local-path-provisioner
+  annotations:
+    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+{% if apparmor_enabled %}
+    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
+    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+{% endif %}
+  labels:
+    kubernetes.io/cluster-service: 'true'
+    addonmanager.kubernetes.io/mode: Reconcile
+spec:
+  privileged: true
+  allowPrivilegeEscalation: true
+  requiredDropCapabilities:
+    - ALL
+  volumes:
+    - 'configMap'
+    - 'emptyDir'
+    - 'secret'
+    - 'downwardAPI'
+    - 'hostPath'
+  allowedHostPaths:
+    - pathPrefix: "{{ local_path_provisioner_claim_root }}"
+      readOnly: false
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'RunAsAny'
+  readOnlyRootFilesystem: false
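Review bot: `privileged: true` and `allowPrivilegeEscalation: true` are the widest possible grant, and nothing in this commit's Deployment requests privileges; the capability that actually seems to be needed is the writable hostPath under `allowedHostPaths`, which the policy already grants explicitly. Unless the provisioner's helper pods are known to require it, set `privileged: false` and `allowPrivilegeEscalation: false` so the policy only covers what the workload uses; if privileged is required, add a comment above it saying why. Minor style point on the annotation lines: `defaultProfileName:  'docker/default'` and the apparmor equivalent have two spaces after the colon, which yamllint's `colons` rule flags — `defaultProfileName: 'docker/default'`.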
diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-sa.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-sa.yml.j2
new file mode 100644
index 000000000..d126a5b34
--- /dev/null
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-sa.yml.j2
@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: local-path-provisioner-service-account
+  namespace: {{ local_path_provisioner_namespace }}
\ No newline at end of file
diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-sc.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-sc.yml.j2
new file mode 100644
index 000000000..2bedd0534
--- /dev/null
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-sc.yml.j2
@@ -0,0 +1,10 @@
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: {{ local_path_provisioner_storage_class }}
+  annotations:
+    storageclass.kubernetes.io/is-default-class: {{ local_path_provisioner_is_default_storageclass }}
+provisioner: rancher.io/local-path
+volumeBindingMode: WaitForFirstConsumer
+reclaimPolicy: {{ local_path_provisioner_reclaim_policy }}
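Review bot: The annotation value `storageclass.kubernetes.io/is-default-class: {{ local_path_provisioner_is_default_storageclass }}` is rendered unquoted; annotations must be strings, so if the variable is ever a YAML/Jinja boolean it renders as `True`, which the YAML parser then reads as a boolean and the API server rejects as a non-string annotation (and the default-class check itself expects the lowercase string `"true"`). Whether the role's default already defines it as a quoted string is not visible here, so make the template robust regardless: `storageclass.kubernetes.io/is-default-class: "{{ local_path_provisioner_is_default_storageclass | string | lower }}"`. The same quoting habit would help `reclaimPolicy` if it is ever left empty, though that value is a plain enum string today.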
diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage.yaml.j2 b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage.yaml.j2
deleted file mode 100644
index 7ea18ab14..000000000
--- a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage.yaml.j2
+++ /dev/null
@@ -1,111 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: {{ local_path_provisioner_namespace }}
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: local-path-provisioner-service-account
-  namespace: {{ local_path_provisioner_namespace }}
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRole
-metadata:
-  name: local-path-provisioner-role
-  namespace: {{ local_path_provisioner_namespace }}
-rules:
-- apiGroups: [""]
-  resources: ["nodes", "persistentvolumeclaims"]
-  verbs: ["get", "list", "watch"]
-- apiGroups: [""]
-  resources: ["endpoints", "persistentvolumes", "pods"]
-  verbs: ["*"]
-- apiGroups: [""]
-  resources: ["events"]
-  verbs: ["create", "patch"]
-- apiGroups: ["storage.k8s.io"]
-  resources: ["storageclasses"]
-  verbs: ["get", "list", "watch"]
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
-  name: local-path-provisioner-bind
-  namespace: {{ local_path_provisioner_namespace }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: local-path-provisioner-role
-subjects:
-- kind: ServiceAccount
-  name: local-path-provisioner-service-account
-  namespace: {{ local_path_provisioner_namespace }}
----
-apiVersion: apps/v1beta2
-kind: Deployment
-metadata:
-  name: local-path-provisioner
-  namespace: {{ local_path_provisioner_namespace }}
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: local-path-provisioner
-  template:
-    metadata:
-      labels:
-        app: local-path-provisioner
-    spec:
-      serviceAccountName: local-path-provisioner-service-account
-      containers:
-      - name: local-path-provisioner
-        image: {{ local_path_provisioner_image_repo }}:{{ local_path_provisioner_image_tag }}
-        imagePullPolicy: Always
-        command:
-        - local-path-provisioner
-        - start
-        - --config
-        - /etc/config/config.json
-{% if local_path_provisioner_debug|default(false) %}
-        - --debug
-{% endif %}
-        volumeMounts:
-        - name: config-volume
-          mountPath: /etc/config/
-        env:
-        - name: POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-      volumes:
-        - name: config-volume
-          configMap:
-            name: local-path-config
----
-apiVersion: storage.k8s.io/v1
-kind: StorageClass
-metadata:
-  name: {{ local_path_provisioner_storage_class }}
-  annotations:
-    storageclass.kubernetes.io/is-default-class: {{ local_path_provisioner_is_default_storageclass }}
-provisioner: rancher.io/local-path
-volumeBindingMode: WaitForFirstConsumer
-reclaimPolicy: {{ local_path_provisioner_reclaim_policy }}
----
-kind: ConfigMap
-apiVersion: v1
-metadata:
-  name: local-path-config
-  namespace: {{ local_path_provisioner_namespace }}
-data:
-  config.json: |-
-        {
-                "nodePathMap":[
-                {
-                        "node":"DEFAULT_PATH_FOR_NON_LISTED_NODES",
-                        "paths":["{{ local_path_provisioner_claim_root }}"]
-                }
-                ]
-        }
-
-- 
GitLab