Added pod psp in Rancher Local Path Provisioner (#4385)

* Added pod psp in Rancher Local Path Provisioner

Added pod security policy (psp) in Rancher Local Path Provisioner.

Signed-off-by: André R. de Miranda <andre@miranda.work>

* Apply psp for Rancher Local Path Provisioner only when local_path_provisioner_namespace is not kube-system and also reorganized the templates

roles/kubernetes-apps/external_provisioner/local_path_provisioner/tasks/main.yml

@@ -1,5 +1,4 @@
 ---
-
 - name: Local Path Provisioner | Create addon dir
   file:
     path: "{{ kube_config_dir }}/addons/local_path_provisioner"
@@ -18,7 +17,24 @@
 - name: Local Path Provisioner | Render Template
   set_fact:
     local_path_provisioner_templates:
-      - { name: local-path-storage, file: local-path-storage.yaml, type: sc }
+      - { name: local-path-storage-ns, file: local-path-storage-ns.yml, type: ns }
+      - { name: local-path-storage-sa, file: local-path-storage-sa.yml, type: sa }
+      - { name: local-path-storage-cr, file: local-path-storage-cr.yml, type: cr }
+      - { name: local-path-storage-clusterrolebinding, file: local-path-storage-clusterrolebinding.yml, type: clusterrolebinding }
+      - { name: local-path-storage-cm, file: local-path-storage-cm.yml, type: cm }
+      - { name: local-path-storage-deployment, file: local-path-storage-deployment.yml, type: deployment }
+      - { name: local-path-storage-sc, file: local-path-storage-sc.yml, type: sc }
+    local_path_provisioner_templates_for_psp_not_system_ns:
+      - { name: local-path-storage-psp, file: local-path-storage-psp.yml, type: psp }
+      - { name: local-path-storage-psp-role, file: local-path-storage-psp-cr.yml, type: clusterrole }
+      - { name: local-path-storage-psp-rb, file: local-path-storage-psp-rb.yml, type: rolebinding }
+
+- name: Local Path Provisioner | Insert extra templates to Local Path Provisioner templates list for PodSecurityPolicy
+  set_fact:
+    local_path_provisioner_templates: "{{ local_path_provisioner_templates[:3] + local_path_provisioner_templates_for_psp_not_system_ns + local_path_provisioner_templates[3:] }}"
+  when:
+    - podsecuritypolicy_enabled
+    - local_path_provisioner_namespace != "kube-system"
 
 - name: Local Path Provisioner | Create manifests
   template:

roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-clusterrolebinding.yml.j2

@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: local-path-provisioner-bind
+  namespace: {{ local_path_provisioner_namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: local-path-provisioner-role
+subjects:
+- kind: ServiceAccount
+  name: local-path-provisioner-service-account
+  namespace: {{ local_path_provisioner_namespace }}

roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cm.yml.j2

@@ -0,0 +1,16 @@
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: local-path-config
+  namespace: {{ local_path_provisioner_namespace }}
+data:
+  config.json: |-
+        {
+                "nodePathMap":[
+                {
+                        "node":"DEFAULT_PATH_FOR_NON_LISTED_NODES",
+                        "paths":["{{ local_path_provisioner_claim_root }}"]
+                }
+                ]
+        }

roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cr.yml.j2

@@ -0,0 +1,19 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: local-path-provisioner-role
+  namespace: {{ local_path_provisioner_namespace }}
+rules:
+- apiGroups: [""]
+  resources: ["nodes", "persistentvolumeclaims"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+  resources: ["endpoints", "persistentvolumes", "pods"]
+  verbs: ["*"]
+- apiGroups: [""]
+  resources: ["events"]
+  verbs: ["create", "patch"]
+- apiGroups: ["storage.k8s.io"]
+  resources: ["storageclasses"]
+  verbs: ["get", "list", "watch"]

roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-deployment.yml.j2

@@ -0,0 +1,41 @@
+---
+apiVersion: apps/v1beta2
+kind: Deployment
+metadata:
+  name: local-path-provisioner
+  namespace: {{ local_path_provisioner_namespace }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: local-path-provisioner
+  template:
+    metadata:
+      labels:
+        app: local-path-provisioner
+    spec:
+      serviceAccountName: local-path-provisioner-service-account
+      containers:
+      - name: local-path-provisioner
+        image: {{ local_path_provisioner_image_repo }}:{{ local_path_provisioner_image_tag }}
+        imagePullPolicy: Always
+        command:
+        - local-path-provisioner
+        - start
+        - --config
+        - /etc/config/config.json
+{% if local_path_provisioner_debug|default(false) %}
+        - --debug
+{% endif %}
+        volumeMounts:
+        - name: config-volume
+          mountPath: /etc/config/
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+      volumes:
+        - name: config-volume
+          configMap:
+            name: local-path-config

roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-ns.yml.j2

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ local_path_provisioner_namespace }}

roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-cr.yml.j2

@@ -0,0 +1,15 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: psp:local-path-provisioner
+  namespace: {{ local_path_provisioner_namespace }}
+rules:
+  - apiGroups:
+    - policy
+    resourceNames:
+    - local-path-provisioner
+    resources:
+    - podsecuritypolicies
+    verbs:
+    - use

roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-rb.yml.j2

@@ -0,0 +1,14 @@
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: psp:local-path-provisioner
+  namespace: {{ local_path_provisioner_namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: local-path-provisioner-service-account
+    namespace: {{ local_path_provisioner_namespace }}
+roleRef:
+  kind: ClusterRole
+  name: psp:local-path-provisioner
+  apiGroup: rbac.authorization.k8s.io

roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp.yml.j2

@@ -0,0 +1,44 @@
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: local-path-provisioner
+  annotations:
+    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+{% if apparmor_enabled %}
+    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
+    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+{% endif %}
+  labels:
+    kubernetes.io/cluster-service: 'true'
+    addonmanager.kubernetes.io/mode: Reconcile
+spec:
+  privileged: true
+  allowPrivilegeEscalation: true
+  requiredDropCapabilities:
+    - ALL
+  volumes:
+    - 'configMap'
+    - 'emptyDir'
+    - 'secret'
+    - 'downwardAPI'
+    - 'hostPath'
+  allowedHostPaths:
+    - pathPrefix: "{{ local_path_provisioner_claim_root }}"
+      readOnly: false
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'RunAsAny'
+  readOnlyRootFilesystem: false

roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-sa.yml.j2

@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: local-path-provisioner-service-account
+  namespace: {{ local_path_provisioner_namespace }}

roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-sc.yml.j2

@@ -0,0 +1,10 @@
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: {{ local_path_provisioner_storage_class }}
+  annotations:
+    storageclass.kubernetes.io/is-default-class: {{ local_path_provisioner_is_default_storageclass }}
+provisioner: rancher.io/local-path
+volumeBindingMode: WaitForFirstConsumer
+reclaimPolicy: {{ local_path_provisioner_reclaim_policy }}

roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage.yaml.j2

@@ -1,111 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: {{ local_path_provisioner_namespace }}
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: local-path-provisioner-service-account
-  namespace: {{ local_path_provisioner_namespace }}
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRole
-metadata:
-  name: local-path-provisioner-role
-  namespace: {{ local_path_provisioner_namespace }}
-rules:
-- apiGroups: [""]
-  resources: ["nodes", "persistentvolumeclaims"]
-  verbs: ["get", "list", "watch"]
-- apiGroups: [""]
-  resources: ["endpoints", "persistentvolumes", "pods"]
-  verbs: ["*"]
-- apiGroups: [""]
-  resources: ["events"]
-  verbs: ["create", "patch"]
-- apiGroups: ["storage.k8s.io"]
-  resources: ["storageclasses"]
-  verbs: ["get", "list", "watch"]
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
-  name: local-path-provisioner-bind
-  namespace: {{ local_path_provisioner_namespace }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: local-path-provisioner-role
-subjects:
-- kind: ServiceAccount
-  name: local-path-provisioner-service-account
-  namespace: {{ local_path_provisioner_namespace }}
----
-apiVersion: apps/v1beta2
-kind: Deployment
-metadata:
-  name: local-path-provisioner
-  namespace: {{ local_path_provisioner_namespace }}
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: local-path-provisioner
-  template:
-    metadata:
-      labels:
-        app: local-path-provisioner
-    spec:
-      serviceAccountName: local-path-provisioner-service-account
-      containers:
-      - name: local-path-provisioner
-        image: {{ local_path_provisioner_image_repo }}:{{ local_path_provisioner_image_tag }}
-        imagePullPolicy: Always
-        command:
-        - local-path-provisioner
-        - start
-        - --config
-        - /etc/config/config.json
-{% if local_path_provisioner_debug|default(false) %}
-        - --debug
-{% endif %}
-        volumeMounts:
-        - name: config-volume
-          mountPath: /etc/config/
-        env:
-        - name: POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-      volumes:
-        - name: config-volume
-          configMap:
-            name: local-path-config
----
-apiVersion: storage.k8s.io/v1
-kind: StorageClass
-metadata:
-  name: {{ local_path_provisioner_storage_class }}
-  annotations:
-    storageclass.kubernetes.io/is-default-class: {{ local_path_provisioner_is_default_storageclass }}
-provisioner: rancher.io/local-path
-volumeBindingMode: WaitForFirstConsumer
-reclaimPolicy: {{ local_path_provisioner_reclaim_policy }}
----
-kind: ConfigMap
-apiVersion: v1
-metadata:
-  name: local-path-config
-  namespace: {{ local_path_provisioner_namespace }}
-data:
-  config.json: |-
-        {
-                "nodePathMap":[
-                {
-                        "node":"DEFAULT_PATH_FOR_NON_LISTED_NODES",
-                        "paths":["{{ local_path_provisioner_claim_root }}"]
-                }
-                ]
-        }
-