Reduce machine, cluster charts to single instances
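#!/usr/bin/env bash
# Maintains the in-tree addon manifests (Flannel, Flux, PodSecurityPolicy)
# and the Go-templated wrappers under templates/ that ship them as ConfigMaps.
#
# Usage: cluster.sh build-source
#
# -x traces every command to stderr; nothing secret is passed on the
# command line here, keep it that way if this script grows.
set -eux -o pipefail

# Every expansion is quoted: the checkout path may contain spaces.
SCRIPTDIR="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")")"
LIBDIR="$(dirname "$(dirname "${SCRIPTDIR}")")/env/lib"

source "${LIBDIR}/logging.sh"
source "${LIBDIR}/common.sh"

# Flannel release whose kube-flannel.yml is vendored by build-source.
FLANNEL_VERSION="v0.15.0"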
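# This may be used to update the in-place addon YAML files from the
# upstream projects

#######################################
# Download one upstream file to stdout.
# Unlike a bare `curl -sL`, -f turns an HTTP error (404, 5xx) into a
# failure instead of silently writing the server's error page into a
# manifest that later lands in the cluster.
# Arguments: $1 - URL to fetch
# Outputs:   file contents on stdout
# Returns:   0 on success, 1 if the download failed
#######################################
function fetch_upstream {
    local url=$1
    if ! curl -fsSL "${url}"; then
        printf 'fetch_upstream: failed to download %s\n' "${url}" >&2
        return 1
    fi
}

#######################################
# Rebuild the in-tree addon manifests and the chart templates that wrap
# them in ConfigMaps.
# Globals:   SCRIPTDIR, FLANNEL_VERSION (read)
# Arguments: none
# Outputs:   writes ${SCRIPTDIR}/addons/*.yaml and
#            ${SCRIPTDIR}/templates/*-addon.yaml
# Returns:   non-zero (the script exits, under set -e) if any download
#            or kubectl/flux invocation fails
#
# Upstream content and kubectl output are captured into variables before
# the here-docs are written: a failing $(...) inside a here-doc does not
# trip `set -e` (only cat's status is checked), whereas a failing
# `var=$(...)` assignment does.
#######################################
function build_source {
    local addons="${SCRIPTDIR}/addons"
    # NOTE(review): templates/ is assumed to already exist; only addons/ is created here.
    local templates="${SCRIPTDIR}/templates"
    mkdir -p "${addons}"

    # Flannel (pinned to FLANNEL_VERSION)
    fetch_upstream "https://raw.githubusercontent.com/coreos/flannel/${FLANNEL_VERSION}/Documentation/kube-flannel.yml" >"${addons}/flannel.yaml"
    local flannel_cm
    flannel_cm=$(kubectl create configmap flannel-addon --from-file="${addons}/flannel.yaml" -o yaml --dry-run=client)
    cat <<EOF >"${templates}/flannel-addon.yaml"
{{- if eq .Values.cni "flannel" }}
---
${flannel_cm}
{{- end }}
EOF
    # Per-cluster ConfigMap name and pod CIDR are filled in by the chart.
    sed -i -e 's/  name: flannel-addon/  name: {{ .Values.clusterName }}-flannel-addon/' "${templates}/flannel-addon.yaml"
    sed -i -e 's/10.244.0.0\/16/{{ .Values.podCidr }}/' "${templates}/flannel-addon.yaml"

    # Flux
    flux install --export >"${addons}/flux-system.yaml"
    # The name "sync" must be sorted after "flux-system" to ensure
    # Flux CRDs are instantiated first
    cat <<'EOF' >"${addons}/sync.yaml"
---
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: GitRepository
metadata:
  name: {{ .Values.flux.repositoryName }}
  namespace: flux-system
spec:
  gitImplementation: go-git
  interval: 1m0s
  ref:
    branch: {{ .Values.flux.branch }}
  timeout: 20s
  url: {{ .Values.flux.url }}
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: {{ .Values.clusterName }}-flux-sync
  namespace: flux-system
spec:
  interval: 10m0s
  path: {{ .Values.flux.path }}
  prune: true
  sourceRef:
    kind: GitRepository
    name: {{ .Values.flux.repositoryName }}
EOF
    local flux_cm
    flux_cm=$(kubectl create configmap flux-addon --from-file="${addons}/flux-system.yaml,${addons}/sync.yaml" -o yaml --dry-run=client)
    cat <<EOF >"${templates}/flux-addon.yaml"
{{- if .Values.flux }}
---
${flux_cm}
{{- end }}
EOF
    sed -i -e 's/  name: flux-addon/  name: {{ .Values.clusterName }}-flux-addon/' "${templates}/flux-addon.yaml"

    # PodSecurityPolicy is being replaced in future versions of K8s.
    # The recommended practice is described by K8s at
    # - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#recommended-practice
    # - https://kubernetes.io/docs/concepts/security/pod-security-standards/
    # and provides three levels: privileged, baseline, and restricted.
    #
    # The question to answer here is how to reconcile the K8s levels
    # against the Akraino security requirements.
    #
    # For the time being, the below populates the cluster with the K8s
    # recommended levels and provides an additional policy (icn) bound
    # to the system:authenticated group to meet the Akraino
    # requirements.
    #
    # NOTE(review): the example policies are fetched from the mutable
    # `main` branch of kubernetes/website, so two runs of build-source
    # may vendor different policy text; pinning the URL to a tag or
    # commit would make the output reproducible and reviewable.
    # TODO(review): PodSecurityPolicy was removed in Kubernetes 1.25;
    # clusters at or past that release will reject this addon and it
    # will need to move to Pod Security Admission.
    #
    # The icn policy is bound to system:authenticated (psp:icn:any
    # below), i.e. every authenticated principal may run pods with
    # NET_ADMIN, SYS_ADMIN, SYS_NICE and SYS_PTRACE.  SYS_ADMIN in
    # particular is close to root on the node, so any widening of this
    # capability list or of the binding is a security-relevant change.
    local psp_examples="https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/policy"
    local privileged_psp baseline_psp restricted_psp icn_psp
    privileged_psp=$(fetch_upstream "${psp_examples}/privileged-psp.yaml")
    baseline_psp=$(fetch_upstream "${psp_examples}/baseline-psp.yaml")
    restricted_psp=$(fetch_upstream "${psp_examples}/restricted-psp.yaml")
    # The icn policy is the privileged example, renamed, with its
    # allowedCapabilities block cut out and replaced by the explicit list
    # in the here-doc below.  `[!-]` is a plain bracket set (literal '!'
    # or '-'), not a negated class: the deleted range runs from
    # `allowedCapabilities:` to the first following list item, presumably
    # the single `- '*'` entry -- verify if the upstream file changes.
    icn_psp=$(sed -e 's/  name: privileged/  name: icn/' \
                  -e '/^  allowedCapabilities:/,/^  [!-]/d' <<<"${privileged_psp}")
    cat <<EOF >"${addons}/podsecurity.yaml"
---
${privileged_psp}
---
${baseline_psp}
---
${restricted_psp}
---
${icn_psp}
  allowedCapabilities:
    - 'NET_ADMIN'
    - 'SYS_ADMIN'
    - 'SYS_NICE'
    - 'SYS_PTRACE'
  requiredDropCapabilities:
    - 'NET_RAW'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:privileged
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
rules:
- apiGroups:
  - policy
  resourceNames:
  - privileged
  resources:
  - podsecuritypolicies
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:baseline
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
rules:
- apiGroups:
  - policy
  resourceNames:
  - baseline
  resources:
  - podsecuritypolicies
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:icn
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
rules:
- apiGroups:
  - policy
  resourceNames:
  - icn
  resources:
  - podsecuritypolicies
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:restricted
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
rules:
- apiGroups:
  - policy
  resourceNames:
  - restricted
  resources:
  - podsecuritypolicies
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp:privileged:nodes
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:privileged
subjects:
- kind: Group
  name: system:nodes
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp:privileged:kube-system
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:privileged
subjects:
- kind: Group
  name: system:serviceaccounts:kube-system
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp:icn:any
roleRef:
  kind: ClusterRole
  name: psp:icn
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: system:authenticated
  apiGroup: rbac.authorization.k8s.io
EOF
    # Unlike the flannel and flux templates this one has no
    # `{{- if }}` guard, so the policy is always rendered.
    local podsecurity_cm
    podsecurity_cm=$(kubectl create configmap podsecurity-addon --from-file="${addons}/podsecurity.yaml" -o yaml --dry-run=client)
    cat <<EOF >"${templates}/podsecurity-addon.yaml"
---
${podsecurity_cm}
EOF
    sed -i -e 's/  name: podsecurity-addon/  name: {{ .Values.clusterName }}-podsecurity-addon/' "${templates}/podsecurity-addon.yaml"

}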
214
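# Command dispatch.  `${1:-}` rather than `$1`: with `set -u` a bare $1
# aborts with "unbound variable" when the script is run without an
# argument, instead of printing the usage text.
# Unknown or missing commands print usage on stdout and exit 0, as before.
case "${1:-}" in
    "build-source") build_source ;;
    *) cat <<EOF
Usage: $(basename "$0") COMMAND

Commands:
  build-source  - Rebuild the in-tree addon YAML files
EOF
       ;;
esac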