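#!/usr/bin/env bash
set -eux -o pipefail

# Directory of this script with symlinks resolved, and the shared shell
# library that lives two levels up under env/lib. Every expansion is
# quoted so a checkout path containing spaces does not split the words.
SCRIPTDIR="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")")"
LIBDIR="$(dirname "$(dirname "${SCRIPTDIR}")")/env/lib"

source "${LIBDIR}/logging.sh"
source "${LIBDIR}/common.sh"

# Flannel release whose kube-flannel.yml is vendored by build_source
FLANNEL_VERSION="v0.15.0"
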
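#######################################
# Download a URL to stdout.
# Arguments: $1 - URL to fetch
# Outputs:   response body on stdout
# Returns:   curl's status; --fail makes an HTTP error status (e.g. a
#            404 for a moved example file) a non-zero exit instead of
#            silently delivering the server's error page as YAML
#######################################
function fetch_url {
    curl --fail -sL "$1"
}

#######################################
# Regenerate the in-tree addon YAML files under addons/ from the
# upstream projects, and the Helm templates under templates/ that wrap
# each addon in a per-cluster ConfigMap.
# Globals:   SCRIPTDIR (read), FLANNEL_VERSION (read)
# Arguments: none
# Outputs:   writes ${SCRIPTDIR}/addons/*.yaml and
#            ${SCRIPTDIR}/templates/*-addon.yaml
# Returns:   non-zero if any download, flux, kubectl or sed step fails
#
# Every command substitution is captured into a variable before the
# here-document that embeds it: inside `cat <<EOF` only cat's exit
# status is checked, so a failing curl/kubectl there would go unnoticed
# under `set -e` and leave a truncated or garbage addon file behind.
#######################################
function build_source {
    local addons="${SCRIPTDIR}/addons"
    local templates="${SCRIPTDIR}/templates"
    local configmap psp_base privileged baseline restricted icn

    mkdir -p "${addons}" "${templates}"

    # Flannel
    fetch_url "https://raw.githubusercontent.com/coreos/flannel/${FLANNEL_VERSION}/Documentation/kube-flannel.yml" >"${addons}/flannel.yaml"
    configmap=$(kubectl create configmap flannel-addon --from-file="${addons}/flannel.yaml" -o yaml --dry-run=client)
    cat <<EOF >"${templates}/flannel-addon.yaml"
{{- range \$clusterName, \$cluster := .Values.clusters }}
{{- if eq \$cluster.cni "flannel" }}
---
${configmap}
{{- end }}
{{- end }}
EOF
    # Make the ConfigMap name unique per cluster and let the chart
    # supply the pod CIDR instead of flannel's default.
    sed -i -e 's/  name: flannel-addon/  name: {{ $clusterName }}-flannel-addon/' "${templates}/flannel-addon.yaml"
    sed -i -e 's/10.244.0.0\/16/{{ $cluster.podCidr }}/' "${templates}/flannel-addon.yaml"

    # Flux
    flux install --export >"${addons}/flux-system.yaml"
    # The name "sync" must be sorted after "flux-system" to ensure
    # Flux CRDs are instantiated first
    cat <<'EOF' >"${addons}/sync.yaml"
---
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: GitRepository
metadata:
  name: {{ $cluster.flux.repositoryName }}
  namespace: flux-system
spec:
  gitImplementation: go-git
  interval: 1m0s
  ref:
    branch: {{ $cluster.flux.branch }}
  timeout: 20s
  url: {{ $cluster.flux.url }}
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: {{ $clusterName }}-flux-sync
  namespace: flux-system
spec:
  interval: 10m0s
  path: {{ $cluster.flux.path }}
  prune: true
  sourceRef:
    kind: GitRepository
    name: {{ $cluster.flux.repositoryName }}
EOF
    configmap=$(kubectl create configmap flux-addon --from-file="${addons}/flux-system.yaml,${addons}/sync.yaml" -o yaml --dry-run=client)
    cat <<EOF >"${templates}/flux-addon.yaml"
{{- range \$clusterName, \$cluster := .Values.clusters }}
{{- if \$cluster.flux }}
---
${configmap}
{{- end }}
{{- end }}
EOF
    sed -i -e 's/  name: flux-addon/  name: {{ $clusterName }}-flux-addon/' "${templates}/flux-addon.yaml"

    # PodSecurityPolicy is being replaced in future versions of K8s.
    # The recommended practice is described by K8s at
    # - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#recommended-practice
    # - https://kubernetes.io/docs/concepts/security/pod-security-standards/
    # and provides three levels: privileged, baseline, and restricted.
    #
    # The question to answer here is how to reconcile the K8s levels
    # against the Akraino security requirements.
    #
    # For the time being, the below populates the cluster with the K8s
    # recommended levels and provides an additional policy (icn) bound
    # to the system:authenticated group to meet the Akraino
    # requirements.
    #
    # NOTE(review): the example manifests are taken from the "main"
    # branch of kubernetes/website, so what gets vendored follows
    # upstream at build time rather than a pinned revision (compare
    # FLANNEL_VERSION). Consider pinning a commit or tag so rebuilds are
    # reproducible and reviewable.
    psp_base="https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/policy"
    privileged=$(fetch_url "${psp_base}/privileged-psp.yaml")
    baseline=$(fetch_url "${psp_base}/baseline-psp.yaml")
    restricted=$(fetch_url "${psp_base}/restricted-psp.yaml")
    # The icn policy is the privileged example renamed, with the lines
    # from "allowedCapabilities:" through the next line starting with
    # "  -" (its list item in the upstream example) deleted, so the
    # explicit capability lists appended below take their place.
    # NOTE(review): since it is derived from the privileged example and
    # bound to system:authenticated, every authenticated subject can use
    # a policy that still permits privileged pods; the baseline and
    # restricted roles only matter for subjects outside that binding.
    icn=$(sed -e 's/  name: privileged/  name: icn/' \
              -e '/^  allowedCapabilities:/,/^  [!-]/d' <<<"${privileged}")
    cat <<EOF >"${addons}/podsecurity.yaml"
---
${privileged}
---
${baseline}
---
${restricted}
---
${icn}
  allowedCapabilities:
    - 'NET_ADMIN'
    - 'SYS_ADMIN'
    - 'SYS_NICE'
    - 'SYS_PTRACE'
  requiredDropCapabilities:
    - 'NET_RAW'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:privileged
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
rules:
- apiGroups:
  - policy
  resourceNames:
  - privileged
  resources:
  - podsecuritypolicies
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:baseline
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
rules:
- apiGroups:
  - policy
  resourceNames:
  - baseline
  resources:
  - podsecuritypolicies
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:icn
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
rules:
- apiGroups:
  - policy
  resourceNames:
  - icn
  resources:
  - podsecuritypolicies
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:restricted
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
rules:
- apiGroups:
  - policy
  resourceNames:
  - restricted
  resources:
  - podsecuritypolicies
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp:privileged:nodes
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:privileged
subjects:
- kind: Group
  name: system:nodes
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp:privileged:kube-system
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:privileged
subjects:
- kind: Group
  name: system:serviceaccounts:kube-system
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp:icn:any
roleRef:
  kind: ClusterRole
  name: psp:icn
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: system:authenticated
  apiGroup: rbac.authorization.k8s.io
EOF
    configmap=$(kubectl create configmap podsecurity-addon --from-file="${addons}/podsecurity.yaml" -o yaml --dry-run=client)
    cat <<EOF >"${templates}/podsecurity-addon.yaml"
{{- range \$clusterName, \$cluster := .Values.clusters }}
---
${configmap}
{{- end }}
EOF
    sed -i -e 's/  name: podsecurity-addon/  name: {{ $clusterName }}-podsecurity-addon/' "${templates}/podsecurity-addon.yaml"
}
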
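# Dispatch on the single COMMAND argument. "${1:-}" keeps `set -u` from
# aborting with an unbound-variable error when no command is given, so
# the usage text is what the user sees; an unknown or missing command
# is an error, reported on stderr with a non-zero exit.
case "${1:-}" in
    "build-source") build_source ;;
    *) cat <<EOF >&2
Usage: $(basename "$0") COMMAND

Commands:
  build-source  - Rebuild the in-tree addon YAML files
EOF
       exit 1
       ;;
esac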