From 859df84b45249979acbf9cce2c080185a64eaf28 Mon Sep 17 00:00:00 2001
From: Kay Yan <yankay@users.noreply.github.com>
Date: Fri, 14 Oct 2022 15:16:47 +0800
Subject: [PATCH] remove-psp-in-flannel (#9365)

---
 .../flannel/templates/cni-flannel-rbac.yml.j2 | 53 -------------------
 .../flannel/templates/cni-flannel.yml.j2      | 10 +++-
 2 files changed, 9 insertions(+), 54 deletions(-)

diff --git a/roles/network_plugin/flannel/templates/cni-flannel-rbac.yml.j2 b/roles/network_plugin/flannel/templates/cni-flannel-rbac.yml.j2
index bb55fd4da..7c73b095d 100644
--- a/roles/network_plugin/flannel/templates/cni-flannel-rbac.yml.j2
+++ b/roles/network_plugin/flannel/templates/cni-flannel-rbac.yml.j2
@@ -5,64 +5,11 @@ metadata:
   name: flannel
   namespace: kube-system
 ---
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: psp.flannel.unprivileged
-  annotations:
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
-    seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
-{% if podsecuritypolicy_enabled and apparmor_enabled %}
-    apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
-    apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
-{% endif %}
-spec:
-  privileged: false
-  volumes:
-    - configMap
-    - secret
-    - emptyDir
-    - hostPath
-  allowedHostPaths:
-    - pathPrefix: "/etc/cni/net.d"
-    - pathPrefix: "/etc/kube-flannel"
-    - pathPrefix: "/run/flannel"
-  readOnlyRootFilesystem: false
-  # Users and groups
-  runAsUser:
-    rule: RunAsAny
-  supplementalGroups:
-    rule: RunAsAny
-  fsGroup:
-    rule: RunAsAny
-  # Privilege Escalation
-  allowPrivilegeEscalation: false
-  defaultAllowPrivilegeEscalation: false
-  # Capabilities
-  allowedCapabilities: ['NET_ADMIN']
-  defaultAddCapabilities: []
-  requiredDropCapabilities: []
-  # Host namespaces
-  hostPID: false
-  hostIPC: false
-  hostNetwork: true
-  hostPorts:
-  - min: 0
-    max: 65535
-  # SELinux
-  seLinux:
-    # SELinux is unused in CaaSP
-    rule: 'RunAsAny'
----
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: flannel
 rules:
-  - apiGroups: ['extensions']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: ['psp.flannel.unprivileged']
   - apiGroups:
       - ""
     resources:
diff --git a/roles/network_plugin/flannel/templates/cni-flannel.yml.j2 b/roles/network_plugin/flannel/templates/cni-flannel.yml.j2
index 3fe3cab84..59cecb257 100644
--- a/roles/network_plugin/flannel/templates/cni-flannel.yml.j2
+++ b/roles/network_plugin/flannel/templates/cni-flannel.yml.j2
@@ -79,7 +79,7 @@ spec:
         securityContext:
           privileged: false
           capabilities:
-            add: ["NET_ADMIN"]
+            add: ["NET_ADMIN", "NET_RAW"]
         env:
         - name: POD_NAME
           valueFrom:
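Review bot: The `add:` list under `capabilities` now grants NET_RAW alongside NET_ADMIN, but nothing in the hunk or the subject line records why the extra capability is needed, and with the PodSecurityPolicy (and its `allowedCapabilities: ['NET_ADMIN']` bound) deleted in the other file there is no longer an admission-side check on what the container may add. A short comment above the `capabilities:` key, e.g. `# NET_RAW is required in addition to NET_ADMIN — see upstream flannel manifest; privileged stays false`, would keep the privilege widening reviewable; the reason itself should be confirmed against the upstream change that introduced it. The container spec this securityContext belongs to starts before the hunk.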
@@ -89,11 +89,15 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
+        - name: EVENT_QUEUE_DEPTH
+          value: "5000"
         volumeMounts:
         - name: run
           mountPath: /run/flannel
         - name: flannel-cfg
           mountPath: /etc/kube-flannel/
+        - name: xtables-lock
+          mountPath: /run/xtables.lock
       affinity:
         nodeAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:
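Review bot: The new `xtables-lock` volumeMount gives the flannel container read-write access to a host file (`/run/xtables.lock`, no `readOnly`), and neither this hunk nor the matching `hostPath` volume with `type: FileOrCreate` in the last hunk says why; the removed PodSecurityPolicy's `allowedHostPaths` did not include this prefix, so it is a new host-path grant a reader should be able to justify. A comment on the mount such as `# host iptables lock; must be writable so flannel serializes with other iptables users on the node` would do — this is presumably the standard xtables lock, so confirm against the upstream flannel manifest. The `EVENT_QUEUE_DEPTH` env with value `"5000"` also lands without any note on what it tunes; a one-line comment or a pointer to the upstream default would help. The env, volumeMounts and volumes lists all continue outside their hunks.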
@@ -146,6 +150,10 @@ spec:
         - name: flannel-cfg
           configMap:
             name: kube-flannel-cfg
+        - name: xtables-lock
+          hostPath:
+            path: /run/xtables.lock
+            type: FileOrCreate
         - name: cni-plugin
           hostPath:
             path: /opt/cni/bin
-- 
GitLab