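# Resolve the script's own directory (symlinks followed) and the shared
# library directory two levels up under env/lib. Every expansion is quoted
# so a path containing spaces or glob characters cannot be word-split.
SCRIPTDIR="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")")"
LIBDIR="$(dirname "$(dirname "${SCRIPTDIR}")")/env/lib"
# Shared helpers; both files are expected to exist relative to this repo.
source "${LIBDIR}/logging.sh"
source "${LIBDIR}/common.sh"
# Upstream flannel release whose kube-flannel.yml is fetched by build_source.
FLANNEL_VERSION="v0.15.0"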
12 # This may be used to update the in-place addon YAML files from the
#######################################
# Regenerates the checked-in addon manifests (flannel, flux, podsecurity)
# and the Helm-style templates that wrap each one in a per-cluster ConfigMap.
# Globals:   SCRIPTDIR (read), FLANNEL_VERSION (read)
# Outputs:   writes ${SCRIPTDIR}/addons/*.yaml and
#            ${SCRIPTDIR}/templates/*-addon.yaml
# Requires:  network access to raw.githubusercontent.com, plus kubectl and
#            flux on PATH
# NOTE(review): the flannel manifest is pinned by FLANNEL_VERSION, but the
#   PodSecurityPolicy examples below are fetched from the website's "main"
#   branch, so the generated output can change between runs with no change
#   to this script — consider pinning a commit. curl is run with -s but
#   without -f, so on an HTTP error the server's error body (not YAML) is
#   written into the manifest instead of failing the build.
#######################################
14 function build_source {
# Only addons/ is created here; templates/ is written to below without a
# mkdir, so it must already exist in the tree.
15 mkdir -p ${SCRIPTDIR}/addons
# Pinned upstream flannel manifest.
18 curl -sL https://raw.githubusercontent.com/coreos/flannel/${FLANNEL_VERSION}/Documentation/kube-flannel.yml -o ${SCRIPTDIR}/addons/flannel.yaml
19 cat <<EOF >${SCRIPTDIR}/templates/flannel-addon.yaml
20 {{- range \$clusterName, \$cluster := .Values.clusters }}
21 {{- if eq \$cluster.cni "flannel" }}
23 $(kubectl create configmap flannel-addon --from-file=${SCRIPTDIR}/addons/flannel.yaml -o yaml --dry-run=client)
# Rename the ConfigMap per cluster (single quotes keep {{ $clusterName }}
# literal for sed; it is a template expression, not a shell variable).
27 sed -i -e 's/ name: flannel-addon/ name: {{ $clusterName }}-flannel-addon/' ${SCRIPTDIR}/templates/flannel-addon.yaml
# Swap flannel's default pod CIDR for the per-cluster value. No /g flag, so
# only the first occurrence on each line is rewritten.
28 sed -i -e 's/10.244.0.0\/16/{{ $cluster.podCidr }}/' ${SCRIPTDIR}/templates/flannel-addon.yaml
# --export writes the Flux controller manifest to stdout rather than
# applying it to a cluster.
31 flux install --export >${SCRIPTDIR}/addons/flux-system.yaml
32 # The name "sync" must be sorted after "flux-system" to ensure
33 # Flux CRDs are instantiated first
34 cat <<'EOF' >${SCRIPTDIR}/addons/sync.yaml
36 apiVersion: source.toolkit.fluxcd.io/v1beta1
39 name: {{ $cluster.flux.repositoryName }}
40 namespace: flux-system
42 gitImplementation: go-git
45 branch: {{ $cluster.flux.branch }}
47 url: {{ $cluster.flux.url }}
49 apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
52 name: {{ $clusterName }}-flux-sync
53 namespace: flux-system
56 path: {{ $cluster.flux.path }}
60 name: {{ $cluster.flux.repositoryName }}
62 cat <<EOF >${SCRIPTDIR}/templates/flux-addon.yaml
63 {{- range \$clusterName, \$cluster := .Values.clusters }}
64 {{- if \$cluster.flux }}
66 $(kubectl create configmap flux-addon --from-file=${SCRIPTDIR}/addons/flux-system.yaml,${SCRIPTDIR}/addons/sync.yaml -o yaml --dry-run=client)
# Per-cluster ConfigMap rename, same pattern as the flannel template.
70 sed -i -e 's/ name: flux-addon/ name: {{ $clusterName }}-flux-addon/' ${SCRIPTDIR}/templates/flux-addon.yaml
72 # PodSecurityPolicy is being replaced in future versions of K8s.
73 # The recommended practice is described by K8s at
74 # - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#recommended-practice
75 # - https://kubernetes.io/docs/concepts/security/pod-security-standards/
76 # and provides three levels: privileged, baseline, and restricted.
78 # The question to answer here is how to reconcile the K8s levels
79 # against the Akraino security requirements.
81 # For the time being, the below populates the cluster with the K8s
82 # recommended levels and provides an additional policy (icn) bound
83 # to the system:authenticated group to meet the Akraino
# The bundle is the three upstream example PSPs plus an "icn" copy of the
# privileged policy with its allowedCapabilities block deleted by the sed
# chain. All four fetches use the unpinned "main" branch of the website repo,
# so review the generated podsecurity.yaml diff on every rebuild.
85 cat <<EOF >${SCRIPTDIR}/addons/podsecurity.yaml
87 $(curl -sL https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/policy/privileged-psp.yaml)
89 $(curl -sL https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/policy/baseline-psp.yaml)
91 $(curl -sL https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/policy/restricted-psp.yaml)
93 $(curl -sL https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/policy/privileged-psp.yaml |
94 sed -e 's/ name: privileged/ name: icn/' |
95 sed -e '/^ allowedCapabilities:/,/^ [!-]/d')
101 requiredDropCapabilities:
104 apiVersion: rbac.authorization.k8s.io/v1
109 addonmanager.kubernetes.io/mode: Reconcile
116 - podsecuritypolicies
120 apiVersion: rbac.authorization.k8s.io/v1
125 addonmanager.kubernetes.io/mode: Reconcile
132 - podsecuritypolicies
136 apiVersion: rbac.authorization.k8s.io/v1
141 addonmanager.kubernetes.io/mode: Reconcile
148 - podsecuritypolicies
152 apiVersion: rbac.authorization.k8s.io/v1
157 addonmanager.kubernetes.io/mode: Reconcile
164 - podsecuritypolicies
168 apiVersion: rbac.authorization.k8s.io/v1
171 name: psp:privileged:nodes
172 namespace: kube-system
174 addonmanager.kubernetes.io/mode: Reconcile
176 apiGroup: rbac.authorization.k8s.io
182 apiGroup: rbac.authorization.k8s.io
184 apiVersion: rbac.authorization.k8s.io/v1
187 name: psp:privileged:kube-system
188 namespace: kube-system
190 apiGroup: rbac.authorization.k8s.io
195 name: system:serviceaccounts:kube-system
196 apiGroup: rbac.authorization.k8s.io
198 apiVersion: rbac.authorization.k8s.io/v1
199 kind: ClusterRoleBinding
205 apiGroup: rbac.authorization.k8s.io
208 name: system:authenticated
209 apiGroup: rbac.authorization.k8s.io
211 cat <<EOF >${SCRIPTDIR}/templates/podsecurity-addon.yaml
212 {{- range \$clusterName, \$cluster := .Values.clusters }}
214 $(kubectl create configmap podsecurity-addon --from-file=${SCRIPTDIR}/addons/podsecurity.yaml -o yaml --dry-run=client)
# Per-cluster ConfigMap rename, same pattern as the flannel template.
217 sed -i -e 's/ name: podsecurity-addon/ name: {{ $clusterName }}-podsecurity-addon/' ${SCRIPTDIR}/templates/podsecurity-addon.yaml
222 "build-source") build_source ;;
224 Usage: $(basename $0) COMMAND
227 build-source - Rebuild the in-tree addon YAML files