From 00efc63f74dbd78bef6fda82a615cb2495ee775e Mon Sep 17 00:00:00 2001 From: Pasquale Toscano Date: Wed, 15 Apr 2020 12:18:02 +0200 Subject: [PATCH] Customize PodSecurityPolicies from inventory (#5920) * Customize PodSecurityPolicies from inventory * Fixed yaml indentation --- .../group_vars/k8s-cluster/k8s-cluster.yml | 6 ++ .../cluster_roles/defaults/main.yml | 59 +++++++++++++++++++ .../cluster_roles/templates/psp.yml.j2 | 57 +----------------- 3 files changed, 67 insertions(+), 55 deletions(-) diff --git a/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml b/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml index a95bf0f42..ab8d4ba6f 100644 --- a/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml +++ b/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml @@ -222,6 +222,12 @@ dynamic_kubelet_configuration_dir: "{{ kubelet_config_dir | default(default_kube # pod security policy (RBAC must be enabled either by having 'RBAC' in authorization_modes or kubeadm enabled) podsecuritypolicy_enabled: false +# Custom PodSecurityPolicySpec for restricted policy +# podsecuritypolicy_restricted_spec: {} + +# Custom PodSecurityPolicySpec for privileged policy +# podsecuritypolicy_privileged_spec: {} + # Make a copy of kubeconfig on the host that runs Ansible in {{ inventory_dir }}/artifacts # kubeconfig_localhost: false # Download kubectl onto the host that runs Ansible in {{ bin_dir }} diff --git a/roles/kubernetes-apps/cluster_roles/defaults/main.yml b/roles/kubernetes-apps/cluster_roles/defaults/main.yml index ed97d539c..d183c1b11 100644 --- a/roles/kubernetes-apps/cluster_roles/defaults/main.yml +++ b/roles/kubernetes-apps/cluster_roles/defaults/main.yml @@ -1 +1,60 @@ --- + +podsecuritypolicy_restricted_spec: + privileged: false + allowPrivilegeEscalation: false + requiredDropCapabilities: + - ALL + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAsNonRoot' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false + forbiddenSysctls: + - '*' + +podsecuritypolicy_privileged_spec: + privileged: true + allowPrivilegeEscalation: true + allowedCapabilities: + - '*' + volumes: + - '*' + hostNetwork: true + hostPorts: + - min: 0 + max: 65535 + hostIPC: true + hostPID: true + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + # This will fail if allowed-unsafe-sysctls is not set accordingly in kubelet flags + allowedUnsafeSysctls: + - '*' diff --git a/roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2 b/roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2 index 1e1e070e1..9245424cd 100644 --- a/roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2 +++ b/roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2 @@ -13,37 +13,7 @@ metadata: labels: addonmanager.kubernetes.io/mode: Reconcile spec: - privileged: false - allowPrivilegeEscalation: false - requiredDropCapabilities: - - ALL - volumes: - - 'configMap' - - 'emptyDir' - - 'projected' - - 'secret' - - 'downwardAPI' - - 'persistentVolumeClaim' - hostNetwork: false - hostIPC: false - hostPID: false - runAsUser: - rule: 'MustRunAsNonRoot' - seLinux: - rule: 'RunAsAny' - supplementalGroups: - rule: 'MustRunAs' - ranges: - - min: 1 - max: 65535 - fsGroup: - rule: 'MustRunAs' - ranges: - - min: 1 - max: 65535 - readOnlyRootFilesystem: false - forbiddenSysctls: - - '*' + {{ podsecuritypolicy_restricted_spec | to_yaml(indent=2, width=1337) | indent(width=2) }} --- apiVersion: policy/v1beta1 kind: PodSecurityPolicy @@ -54,27 +24,4 @@ metadata: labels: addonmanager.kubernetes.io/mode: Reconcile spec: - privileged: true - allowPrivilegeEscalation: true - allowedCapabilities: - - '*' - volumes: - - '*' - hostNetwork: true - hostPorts: - - min: 0 - max: 65535 - hostIPC: true - hostPID: true - runAsUser: - rule: 'RunAsAny' - seLinux: - rule: 'RunAsAny' - supplementalGroups: - rule: 'RunAsAny' - fsGroup: - rule: 'RunAsAny' - readOnlyRootFilesystem: false - # This will fail if allowed-unsafe-sysctls is not set accordingly in kubelet flags - allowedUnsafeSysctls: - - '*' + {{ podsecuritypolicy_privileged_spec | to_yaml(indent=2, width=1337) | indent(width=2) }}