# Locate this script's own directory and the shared shell libraries that live
# two directory levels above it, under env/lib (logging.sh, common.sh).
# NOTE(review): the nested $(dirname ...) expansions and the source paths are
# unquoted, so a checkout path containing whitespace or glob characters would
# be word-split before readlink/dirname see it; quoting each expansion fixes it.
4 SCRIPTDIR="$(readlink -f $(dirname ${BASH_SOURCE[0]}))"
5 LIBDIR="$(dirname $(dirname ${SCRIPTDIR}))/env/lib"
# What logging.sh and common.sh define is not visible from this file.
7 source $LIBDIR/logging.sh
8 source $LIBDIR/common.sh
#######################################
# Regenerate the flannel CNI addon from the upstream manifest.
# Globals:   FLANNEL_VERSION (read) - git ref of coreos/flannel the manifest
#              is fetched from; SCRIPTDIR (read)
# Outputs:   ${SCRIPTDIR}/addons/flannel.yaml - the raw upstream manifest
#            ${SCRIPTDIR}/templates/flannel-addon.yaml - a Helm template that
#              wraps the manifest in a ConfigMap (kubectl --dry-run=client),
#              guarded by `eq .Values.cni "flannel"`; the two trailing sed
#              calls rename the ConfigMap to {{ .Values.clusterName }}-flannel-addon
#              and replace the first 10.244.0.0/16 on each line with
#              {{ .Values.podCidr }}.
#######################################
10 function build_source_flannel {
# NOTE(review): the manifest is pulled over the network with no integrity
# check (no pinned digest or checksum), and `curl -s` without `-f` writes an
# HTTP error body into flannel.yaml with exit status 0. FLANNEL_VERSION is
# also not asserted to be set; `: "${FLANNEL_VERSION:?}"` and `curl -fsL`
# would make a bad fetch fail loudly instead of producing a broken addon.
11 curl -sL https://raw.githubusercontent.com/coreos/flannel/${FLANNEL_VERSION}/Documentation/kube-flannel.yml -o ${SCRIPTDIR}/addons/flannel.yaml
# Unquoted delimiter: the $(kubectl ...) below is expanded by this shell, the
# Helm {{ }} expressions are passed through literally.
12 cat <<EOF >${SCRIPTDIR}/templates/flannel-addon.yaml
13 {{- if eq .Values.cni "flannel" }}
15 $(kubectl create configmap flannel-addon --from-file=${SCRIPTDIR}/addons/flannel.yaml -o yaml --dry-run=client)
18 sed -i -e 's/ name: flannel-addon/ name: {{ .Values.clusterName }}-flannel-addon/' ${SCRIPTDIR}/templates/flannel-addon.yaml
19 sed -i -e 's/10.244.0.0\/16/{{ .Values.podCidr }}/' ${SCRIPTDIR}/templates/flannel-addon.yaml
#######################################
# Regenerate the Flux (GitOps) addon template.
# Globals:   SCRIPTDIR (read)
# Outputs:   ${SCRIPTDIR}/addons/flux-system.yaml - `flux install --export`
#              output, followed by an RBAC binding named
#              psp:privileged:flux-system whose subject is the
#              system:serviceaccounts:flux-system group (the bound role is
#              not in view; the name suggests the privileged PSP)
#            ${SCRIPTDIR}/addons/sync.yaml - Helm-templated GitRepository and
#              Kustomization objects plus an optional sops GPG Secret
#            ${SCRIPTDIR}/templates/flux-addon.yaml - a ConfigMap holding both
#              files (keys are the file basenames), rendered only when
#              .Values.flux is set and renamed to {{ .Values.clusterName }}-flux-addon
#######################################
22 function build_source_flux {
# NOTE(review): the exported manifests come from whichever `flux` binary is
# on PATH, so the Flux version baked into the addon is not pinned by this
# script; record it (e.g. `flux version`) or pin the CLI in the build env.
23 flux install --export >${SCRIPTDIR}/addons/flux-system.yaml
# `>>` appends the PSP binding to the exported manifests rather than replacing them.
24 cat <<EOF >>${SCRIPTDIR}/addons/flux-system.yaml
26 apiVersion: rbac.authorization.k8s.io/v1
29 name: psp:privileged:flux-system
30 namespace: flux-system
32 apiGroup: rbac.authorization.k8s.io
37 name: system:serviceaccounts:flux-system
38 apiGroup: rbac.authorization.k8s.io
# The file is named "sync" so that it sorts after "flux-system": the Flux
# CRDs in flux-system.yaml must exist before the GitRepository/Kustomization
# objects in sync.yaml that instantiate them (this assumes whatever applies
# the ConfigMap keys does so in sorted order).
40 # The name "sync" must be sorted after "flux-system" to ensure
41 # CRDs are instantiated first
# Quoted delimiter: nothing in this here-doc is expanded by the shell, every
# {{ }} expression is left for Helm.
42 cat <<'EOF' >${SCRIPTDIR}/addons/sync.yaml
43 {{- if .Values.flux.decryptionSecret }}
49 name: {{ .Values.flux.repositoryName }}-{{ .Values.flux.branch }}-sops-gpg
50 namespace: flux-system
52 sops.asc: {{ .Values.flux.decryptionSecret | b64enc }}
55 apiVersion: source.toolkit.fluxcd.io/v1beta1
58 name: {{ .Values.flux.repositoryName }}
59 namespace: flux-system
61 gitImplementation: go-git
64 branch: {{ .Values.flux.branch }}
66 url: {{ .Values.flux.url }}
68 apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
71 name: {{ .Values.clusterName }}-flux-sync
72 namespace: flux-system
75 path: {{ .Values.flux.path }}
79 name: {{ .Values.flux.repositoryName }}
80 {{- if .Values.flux.decryptionSecret }}
84 name: {{ .Values.flux.repositoryName }}-{{ .Values.flux.branch }}-sops-gpg
# NOTE(review): sync.yaml above carries the sops decryption key
# (.Values.flux.decryptionSecret, b64enc'd into the *-sops-gpg object, which
# appears to be a Secret) and the ConfigMap built here embeds sync.yaml
# verbatim. The private key therefore also lives in a ConfigMap, readable by
# anyone with `get configmaps` in the addon's namespace, not only by Secret
# readers; the Helm values that feed it must be handled as secret material too.
87 cat <<EOF >${SCRIPTDIR}/templates/flux-addon.yaml
88 {{- if .Values.flux }}
90 $(kubectl create configmap flux-addon --from-file=${SCRIPTDIR}/addons/flux-system.yaml,${SCRIPTDIR}/addons/sync.yaml -o yaml --dry-run=client)
93 sed -i -e 's/ name: flux-addon/ name: {{ .Values.clusterName }}-flux-addon/' ${SCRIPTDIR}/templates/flux-addon.yaml
#######################################
# Regenerate the PodSecurityPolicy addon.
# Globals:   SCRIPTDIR (read)
# Outputs:   ${SCRIPTDIR}/addons/podsecurity.yaml - the upstream privileged,
#              baseline and restricted example PSPs, an "icn" policy derived
#              from the privileged example, ClusterRoles that `use` each PSP,
#              and bindings: psp:privileged:nodes and psp:privileged:kube-system
#              (the latter for system:serviceaccounts:kube-system) in
#              kube-system, and a ClusterRoleBinding for system:authenticated
#              (its role is not in view; the comment below says it is icn)
#            ${SCRIPTDIR}/templates/podsecurity-addon.yaml - ConfigMap wrapping
#              the file, renamed to {{ .Values.clusterName }}-podsecurity-addon
#######################################
96 function build_source_podsecurity {
97 # PodSecurityPolicy is being replaced in future versions of K8s.
98 # The recommended practice is described by K8s at
99 # - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#recommended-practice
100 # - https://kubernetes.io/docs/concepts/security/pod-security-standards/
101 # and provides three levels: privileged, baseline, and restricted.
103 # The question to answer here is how to reconcile the K8s levels
104 # against the Akraino security requirements.
106 # For the time being, the below populates the cluster with the K8s
107 # recommended levels and provides an additional policy (icn) bound
108 # to the system:authenticated group to meet the Akraino
# NOTE(review): the three example policies are fetched from the `main`
# branch of kubernetes/website at build time - an unpinned, mutable source -
# with `curl -s` and no `-f`, so a failed fetch silently lands an empty or
# HTML "policy" in the generated file. The icn policy is then carved out of
# the privileged example with two seds (rename, then delete a range starting
# at allowedCapabilities:), which will break without any error if upstream
# reformats that example. Vendoring the three files at a pinned commit with a
# checksum, or at least `curl -fsL`, would make this reproducible.
# The requiredDropCapabilities: entry further down appears to belong to the
# icn policy (its surrounding lines are not in view).
110 cat <<EOF >${SCRIPTDIR}/addons/podsecurity.yaml
112 $(curl -sL https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/policy/privileged-psp.yaml)
114 $(curl -sL https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/policy/baseline-psp.yaml)
116 $(curl -sL https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/policy/restricted-psp.yaml)
118 $(curl -sL https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/policy/privileged-psp.yaml |
119 sed -e 's/ name: privileged/ name: icn/' |
120 sed -e '/^ allowedCapabilities:/,/^ [!-]/d')
126 requiredDropCapabilities:
129 apiVersion: rbac.authorization.k8s.io/v1
134 addonmanager.kubernetes.io/mode: Reconcile
141 - podsecuritypolicies
145 apiVersion: rbac.authorization.k8s.io/v1
150 addonmanager.kubernetes.io/mode: Reconcile
157 - podsecuritypolicies
161 apiVersion: rbac.authorization.k8s.io/v1
166 addonmanager.kubernetes.io/mode: Reconcile
173 - podsecuritypolicies
177 apiVersion: rbac.authorization.k8s.io/v1
182 addonmanager.kubernetes.io/mode: Reconcile
189 - podsecuritypolicies
193 apiVersion: rbac.authorization.k8s.io/v1
196 name: psp:privileged:nodes
197 namespace: kube-system
199 addonmanager.kubernetes.io/mode: Reconcile
201 apiGroup: rbac.authorization.k8s.io
207 apiGroup: rbac.authorization.k8s.io
209 apiVersion: rbac.authorization.k8s.io/v1
212 name: psp:privileged:kube-system
213 namespace: kube-system
215 apiGroup: rbac.authorization.k8s.io
220 name: system:serviceaccounts:kube-system
221 apiGroup: rbac.authorization.k8s.io
223 apiVersion: rbac.authorization.k8s.io/v1
224 kind: ClusterRoleBinding
230 apiGroup: rbac.authorization.k8s.io
233 name: system:authenticated
234 apiGroup: rbac.authorization.k8s.io
236 cat <<EOF >${SCRIPTDIR}/templates/podsecurity-addon.yaml
238 $(kubectl create configmap podsecurity-addon --from-file=${SCRIPTDIR}/addons/podsecurity.yaml -o yaml --dry-run=client)
240 sed -i -e 's/ name: podsecurity-addon/ name: {{ .Values.clusterName }}-podsecurity-addon/' ${SCRIPTDIR}/templates/podsecurity-addon.yaml
#######################################
# Regenerate the Calico CNI addon from the upstream manifest.
# Globals:   CALICO_VERSION (read) - only its major.minor part (${CALICO_VERSION%.*})
#              selects the docs.projectcalico.org archive; SCRIPTDIR (read)
# Outputs:   ${SCRIPTDIR}/addons/calico/calico.yaml - upstream manifest, trailing
#              whitespace stripped
#            ${SCRIPTDIR}/addons/calico/ip-autodetection-method-patch.yaml and
#              kustomization.yaml - a kustomize overlay setting IP_AUTODETECTION_METHOD
#            ${SCRIPTDIR}/addons/calico.yaml - `kustomize build` of that overlay
#            ${SCRIPTDIR}/templates/calico-addon.yaml - ConfigMap wrapping it,
#              guarded by `eq .Values.cni "calico"` and renamed to
#              {{ .Values.clusterName }}-calico-addon
#######################################
243 function build_source_calico {
244 mkdir -p ${SCRIPTDIR}/addons/calico
# NOTE(review): as with the other addons this is a network fetch with no
# integrity check and `-s` without `-f`; an HTTP error body would be
# fed straight into kustomize. `curl -fsL` plus a recorded checksum would
# catch that. CALICO_VERSION is not asserted to be set.
245 curl -sL https://docs.projectcalico.org/archive/${CALICO_VERSION%.*}/manifests/calico.yaml -o ${SCRIPTDIR}/addons/calico/calico.yaml
246 # Remove trailing whitespace so that kubectl create configmap
247 # doesn't insert explicit newlines
248 sed -i -r 's/\s+$//g' ${SCRIPTDIR}/addons/calico/calico.yaml
# Patch (target object not in view) that sets IP_AUTODETECTION_METHOD to
# can-reach=www.google.com, i.e. each node picks the interface that can reach
# that external host. NOTE(review): on egress-restricted or air-gapped nodes
# this detection fails; making the probe target a Helm value would avoid
# hard-wiring a third-party host into the cluster's network bootstrap.
249 cat <<EOF >${SCRIPTDIR}/addons/calico/ip-autodetection-method-patch.yaml
254 namespace: kube-system
261 - name: IP_AUTODETECTION_METHOD
262 value: can-reach=www.google.com
# Kustomization that applies the patch above to calico.yaml.
264 cat <<EOF >${SCRIPTDIR}/addons/calico/kustomization.yaml
268 - path: ip-autodetection-method-patch.yaml
# Render the overlay into the single manifest the ConfigMap will carry.
270 kustomize build ${SCRIPTDIR}/addons/calico >${SCRIPTDIR}/addons/calico.yaml
271 cat <<EOF >${SCRIPTDIR}/templates/calico-addon.yaml
272 {{- if eq .Values.cni "calico" }}
274 $(kubectl create configmap calico-addon --from-file=${SCRIPTDIR}/addons/calico.yaml -o yaml --dry-run=client)
277 sed -i -e 's/ name: calico-addon/ name: {{ .Values.clusterName }}-calico-addon/' ${SCRIPTDIR}/templates/calico-addon.yaml
280 # This may be used to update the in-place addon YAML files from the
#######################################
# Rebuild every in-tree addon (entry point for the build-source command).
# Globals:   SCRIPTDIR (read)
# Outputs:   creates ${SCRIPTDIR}/addons and regenerates the addon files; only
#            the build_source_podsecurity call is in view here, the other
#            build_source_* calls are presumably alongside it.
# NOTE(review): every build_source_* helper downloads unpinned upstream content
# over the network, so running this changes the committed addons to whatever
# upstream currently serves; review the resulting diff before committing it.
#######################################
282 function build_source {
283 mkdir -p ${SCRIPTDIR}/addons
287 build_source_podsecurity
291 "build-source") build_source ;;
292 "foo") build_source_calico ;;
294 Usage: $(basename $0) COMMAND
297 build-source - Rebuild the in-tree addon YAML files