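# Resolve the directory holding this script, then the shared library
# directory two levels up under env/lib. Every expansion is quoted so a
# path containing whitespace or glob characters resolves correctly
# (the unquoted form word-splits inside the nested $(...) calls).
SCRIPTDIR="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")")"
LIBDIR="$(dirname "$(dirname "${SCRIPTDIR}")")/env/lib"

source "${LIBDIR}/logging.sh"
source "${LIBDIR}/common.sh"

# Flannel release fetched by build_source. Pinned to a release tag (not a
# content hash), so the downloaded manifest is fixed to this version.
FLANNEL_VERSION="v0.15.0"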
12 # This may be used to update the in-place addon YAML files from the
# Regenerate the addon manifests under ${SCRIPTDIR}/addons and wrap each
# one as a Helm-templated ConfigMap under ${SCRIPTDIR}/templates
# (flannel, flux, podsecurity). Reads the globals SCRIPTDIR and
# FLANNEL_VERSION; needs curl, kubectl, flux and sed on PATH plus network
# access. Writes only under ${SCRIPTDIR}; nothing is applied to a cluster
# (kubectl runs with --dry-run=client).
#
# NOTE(review): the curl fetches use -sL without --fail, so an HTTP error
# body would be written into the addon file (and then into the ConfigMap)
# as if it were a manifest; `curl -sfL` plus a check that the output is
# non-empty YAML would make a failed fetch visible instead of silent.
# Only the flannel source is pinned to a release tag; the policy examples
# are pulled from the kubernetes/website `main` branch and the flux
# manifests come from whichever `flux` CLI is installed, so two runs of
# this command can produce different addon content with no record of
# what was fetched. ${SCRIPTDIR} is expanded unquoted throughout, which
# breaks if the path contains whitespace.
#
# NOTE(review): the icn PodSecurityPolicy is the upstream privileged
# policy with its allowedCapabilities block removed (see the sed pipeline
# below) and is bound to system:authenticated, i.e. every authenticated
# subject; the existing comment block records that reconciling this with
# the Akraino requirements is still open.
#
# NOTE(review): this listing omits lines (the source line numbers are not
# contiguous), including the heredoc terminators and the function's
# closing brace; the notes above are based on the visible lines only.
14 function build_source {
15 mkdir -p ${SCRIPTDIR}/addons
# Upstream kube-flannel manifest for FLANNEL_VERSION, stored verbatim
# before it is wrapped in a ConfigMap.
18 curl -sL https://raw.githubusercontent.com/coreos/flannel/${FLANNEL_VERSION}/Documentation/kube-flannel.yml -o ${SCRIPTDIR}/addons/flannel.yaml
# Heredoc content below is Helm template text; the embedded $(kubectl ...)
# expands at generation time, the {{ ... }} expressions at chart render time.
19 cat <<EOF >${SCRIPTDIR}/templates/flannel-addon.yaml
20 {{- if eq .Values.cni "flannel" }}
22 $(kubectl create configmap flannel-addon --from-file=${SCRIPTDIR}/addons/flannel.yaml -o yaml --dry-run=client)
25 sed -i -e 's/ name: flannel-addon/ name: {{ .Values.clusterName }}-flannel-addon/' ${SCRIPTDIR}/templates/flannel-addon.yaml
26 sed -i -e 's/10.244.0.0\/16/{{ .Values.podCidr }}/' ${SCRIPTDIR}/templates/flannel-addon.yaml
29 flux install --export >${SCRIPTDIR}/addons/flux-system.yaml
30 # The name "sync" must be sorted after "flux-system" to ensure
31 # Flux CRDs are instantiated first
32 cat <<'EOF' >${SCRIPTDIR}/addons/sync.yaml
33 {{- if .Values.flux.decryptionSecret }}
39 name: {{ .Values.flux.repositoryName }}-{{ .Values.flux.branch }}-sops-gpg
40 namespace: flux-system
42 sops.asc: {{ .Values.flux.decryptionSecret | b64enc }}
45 apiVersion: source.toolkit.fluxcd.io/v1beta1
48 name: {{ .Values.flux.repositoryName }}
49 namespace: flux-system
51 gitImplementation: go-git
54 branch: {{ .Values.flux.branch }}
56 url: {{ .Values.flux.url }}
58 apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
61 name: {{ .Values.clusterName }}-flux-sync
62 namespace: flux-system
65 path: {{ .Values.flux.path }}
69 name: {{ .Values.flux.repositoryName }}
70 {{- if .Values.flux.decryptionSecret }}
74 name: {{ .Values.flux.repositoryName }}-{{ .Values.flux.branch }}-sops-gpg
77 cat <<EOF >${SCRIPTDIR}/templates/flux-addon.yaml
78 {{- if .Values.flux }}
80 $(kubectl create configmap flux-addon --from-file=${SCRIPTDIR}/addons/flux-system.yaml,${SCRIPTDIR}/addons/sync.yaml -o yaml --dry-run=client)
83 sed -i -e 's/ name: flux-addon/ name: {{ .Values.clusterName }}-flux-addon/' ${SCRIPTDIR}/templates/flux-addon.yaml
85 # PodSecurityPolicy is being replaced in future versions of K8s.
86 # The recommended practice is described by K8s at
87 # - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#recommended-practice
88 # - https://kubernetes.io/docs/concepts/security/pod-security-standards/
89 # and provides three levels: privileged, baseline, and restricted.
91 # The question to answer here is how to reconcile the K8s levels
92 # against the Akraino security requirements.
94 # For the time being, the below populates the cluster with the K8s
95 # recommended levels and provides an additional policy (icn) bound
96 # to the system:authenticated group to meet the Akraino
98 cat <<EOF >${SCRIPTDIR}/addons/podsecurity.yaml
100 $(curl -sL https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/policy/privileged-psp.yaml)
102 $(curl -sL https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/policy/baseline-psp.yaml)
104 $(curl -sL https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/policy/restricted-psp.yaml)
106 $(curl -sL https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/policy/privileged-psp.yaml |
107 sed -e 's/ name: privileged/ name: icn/' |
108 sed -e '/^ allowedCapabilities:/,/^ [!-]/d')
114 requiredDropCapabilities:
117 apiVersion: rbac.authorization.k8s.io/v1
122 addonmanager.kubernetes.io/mode: Reconcile
129 - podsecuritypolicies
133 apiVersion: rbac.authorization.k8s.io/v1
138 addonmanager.kubernetes.io/mode: Reconcile
145 - podsecuritypolicies
149 apiVersion: rbac.authorization.k8s.io/v1
154 addonmanager.kubernetes.io/mode: Reconcile
161 - podsecuritypolicies
165 apiVersion: rbac.authorization.k8s.io/v1
170 addonmanager.kubernetes.io/mode: Reconcile
177 - podsecuritypolicies
181 apiVersion: rbac.authorization.k8s.io/v1
184 name: psp:privileged:nodes
185 namespace: kube-system
187 addonmanager.kubernetes.io/mode: Reconcile
189 apiGroup: rbac.authorization.k8s.io
195 apiGroup: rbac.authorization.k8s.io
197 apiVersion: rbac.authorization.k8s.io/v1
200 name: psp:privileged:kube-system
201 namespace: kube-system
203 apiGroup: rbac.authorization.k8s.io
208 name: system:serviceaccounts:kube-system
209 apiGroup: rbac.authorization.k8s.io
211 apiVersion: rbac.authorization.k8s.io/v1
212 kind: ClusterRoleBinding
218 apiGroup: rbac.authorization.k8s.io
221 name: system:authenticated
222 apiGroup: rbac.authorization.k8s.io
224 cat <<EOF >${SCRIPTDIR}/templates/podsecurity-addon.yaml
226 $(kubectl create configmap podsecurity-addon --from-file=${SCRIPTDIR}/addons/podsecurity.yaml -o yaml --dry-run=client)
228 sed -i -e 's/ name: podsecurity-addon/ name: {{ .Values.clusterName }}-podsecurity-addon/' ${SCRIPTDIR}/templates/podsecurity-addon.yaml
233 "build-source") build_source ;;
235 Usage: $(basename $0) COMMAND
238 build-source - Rebuild the in-tree addon YAML files