X-Git-Url: https://gerrit.akraino.org/r/gitweb?a=blobdiff_plain;f=deploy%2Fclusters%2Fclusters.sh;h=73f63d89b7690881fe47387be923828052661ed0;hb=2fa0034df330ff9032b0a04fe745ffa74f2ec7ef;hp=b10d2ca362d86bc7f07e1aefb575a3372e1bd6aa;hpb=ac5065a33c66cecb97b06593fa36c8c4c2b7188c;p=icn.git
diff --git a/deploy/clusters/clusters.sh b/deploy/clusters/clusters.sh
index b10d2ca..73f63d8 100755
--- a/deploy/clusters/clusters.sh
+++ b/deploy/clusters/clusters.sh
@@ -68,6 +68,154 @@ $(kubectl create configmap flux-addon --from-file=${SCRIPTDIR}/addons/flux-syste
 {{- end }}
 EOF
 sed -i -e 's/ name: flux-addon/ name: {{ $clusterName }}-flux-addon/' ${SCRIPTDIR}/templates/flux-addon.yaml
+
+ # PodSecurityPolicy is being replaced in future versions of K8s.
+ # The recommended practice is described by K8s at
+ # - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#recommended-practice
+ # - https://kubernetes.io/docs/concepts/security/pod-security-standards/
+ # and provides three levels: privileged, baseline, and restricted.
+ #
+ # The question to answer here is how to reconcile the K8s levels
+ # against the Akraino security requirements.
+ #
+ # For the time being, the below populates the cluster with the K8s
+ # recommended levels and provides an additional policy (icn) bound
+ # to the system:authenticated group to meet the Akraino
+ # requirements.
+ cat <${SCRIPTDIR}/addons/podsecurity.yaml
+---
+$(curl -sL https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/policy/privileged-psp.yaml)
+---
+$(curl -sL https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/policy/baseline-psp.yaml)
+---
+$(curl -sL https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/policy/restricted-psp.yaml)
+---
+$(curl -sL https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/policy/privileged-psp.yaml |
+ sed -e 's/ name: privileged/ name: icn/' |
+ sed -e '/^ allowedCapabilities:/,/^ [!-]/d')
+ allowedCapabilities:
+ - 'NET_ADMIN'
+ - 'SYS_ADMIN'
+ - 'SYS_NICE'
+ - 'SYS_PTRACE'
+ requiredDropCapabilities:
+ - 'NET_RAW'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: psp:privileged
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+rules:
+- apiGroups:
+ - policy
+ resourceNames:
+ - privileged
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: psp:baseline
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+rules:
+- apiGroups:
+ - policy
+ resourceNames:
+ - baseline
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: psp:icn
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+rules:
+- apiGroups:
+ - policy
+ resourceNames:
+ - icn
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: psp:restricted
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+rules:
+- apiGroups:
+ - policy
+ resourceNames:
+ - restricted
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: psp:privileged:nodes
+ namespace: kube-system
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: psp:privileged
+subjects:
+- kind: Group
+ name: system:nodes
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: psp:privileged:kube-system
+ namespace: kube-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: psp:privileged
+subjects:
+- kind: Group
+ name: system:serviceaccounts:kube-system
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: psp:icn:any
+roleRef:
+ kind: ClusterRole
+ name: psp:icn
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: Group
+ name: system:authenticated
+ apiGroup: rbac.authorization.k8s.io
+EOF
+ cat <${SCRIPTDIR}/templates/podsecurity-addon.yaml
+{{- range \$clusterName, \$cluster := .Values.clusters }}
+---
+$(kubectl create configmap podsecurity-addon --from-file=${SCRIPTDIR}/addons/podsecurity.yaml -o yaml --dry-run=client)
+{{- end }}
+EOF
+ 
sed -i -e 's/ name: podsecurity-addon/ name: {{ $clusterName }}-podsecurity-addon/' ${SCRIPTDIR}/templates/podsecurity-addon.yaml + } case $1 in
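Review bot: The three `curl -sL` fetches pull the policy documents from the unpinned `main` branch of kubernetes/website with no failure check, so a transient HTTP error or an upstream edit silently changes what lands in `addons/podsecurity.yaml` — without `-f`, curl substitutes an error page or nothing into the heredoc, and the `sed` range delete that builds the `icn` policy also assumes the upstream file's exact indentation. Pin the ref (`<UPSTREAM_REF>` below is a placeholder for a known commit) or vendor the three files, fetch with `curl -fsSL` before the heredoc, and abort on failure, because a failing `$(...)` inside the heredoc does not fail the `cat`. Separately, since `icn` is derived from the privileged example and bound cluster-wide to `system:authenticated`, every other setting of that policy (presumably `privileged`, host namespaces and volume types — not visible in this hunk) is still granted to all authenticated users, so trimming `allowedCapabilities` restricts less than the comment suggests; deriving `icn` from the baseline example and adding the four capabilities would match the stated intent better. The page renders the heredoc redirection as `cat <${SCRIPTDIR}/…`, which the fence assumes is `cat <<EOF >…` lost to extraction; the enclosing function starts outside the hunk.
```shell
# … unchanged: PodSecurityPolicy comment block …
psp_base=https://raw.githubusercontent.com/kubernetes/website/<UPSTREAM_REF>/content/en/examples/policy
# Fetch before building the heredoc: -f turns an HTTP error into a non-zero
# exit, and a failure here can actually stop the script.
privileged_psp=$(curl -fsSL "${psp_base}/privileged-psp.yaml") || { echo "failed to fetch privileged-psp.yaml" >&2; exit 1; }
baseline_psp=$(curl -fsSL "${psp_base}/baseline-psp.yaml") || { echo "failed to fetch baseline-psp.yaml" >&2; exit 1; }
restricted_psp=$(curl -fsSL "${psp_base}/restricted-psp.yaml") || { echo "failed to fetch restricted-psp.yaml" >&2; exit 1; }
cat <<EOF >${SCRIPTDIR}/addons/podsecurity.yaml
---
${privileged_psp}
---
${baseline_psp}
---
${restricted_psp}
---
$(echo "${privileged_psp}" |
 sed -e 's/ name: privileged/ name: icn/' |
 sed -e '/^ allowedCapabilities:/,/^ [!-]/d')
# … unchanged: icn capability list, ClusterRoles, bindings, second heredoc …
```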