GCP PodSecurityPolicy configuration

2017-10-31 17:14:47 -07:00 · 2017-10-31 17:14:47 -07:00 · 88db819170
parent 368afc6217
commit 88db819170
5 changed files with 25 additions and 2 deletions
--- a/cluster/common.sh
+++ b/cluster/common.sh
@ -633,6 +633,7 @@ KUBE_PROXY_DAEMONSET: $(yaml-quote ${KUBE_PROXY_DAEMONSET:-false})
 KUBE_PROXY_TOKEN: $(yaml-quote ${KUBE_PROXY_TOKEN:-})
 NODE_PROBLEM_DETECTOR_TOKEN: $(yaml-quote ${NODE_PROBLEM_DETECTOR_TOKEN:-})
 ADMISSION_CONTROL: $(yaml-quote ${ADMISSION_CONTROL:-})
+ENABLE_POD_SECURITY_POLICY: $(yaml-quote ${ENABLE_POD_SECURITY_POLICY:-})
 MASTER_IP_RANGE: $(yaml-quote ${MASTER_IP_RANGE})
 RUNTIME_CONFIG: $(yaml-quote ${RUNTIME_CONFIG})
 CA_CERT: $(yaml-quote ${CA_CERT_BASE64:-})
--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
@ -257,8 +257,14 @@ if [[ -n "${GCE_GLBC_IMAGE:-}" ]]; then
 fi

 # Admission Controllers to invoke prior to persisting objects in cluster
-# If we included ResourceQuota, we should keep it at the end of the list to prevent incrementing quota usage prematurely.
-ADMISSION_CONTROL=Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,Priority,ResourceQuota
+ADMISSION_CONTROL=Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,Priority
+
+if [[ "${ENABLE_POD_SECURITY_POLICY:-}" == "true" ]]; then
+  ADMISSION_CONTROL="${ADMISSION_CONTROL},PodSecurityPolicy"
+fi
+
+# ResourceQuota must come last, or a creation is recorded, but the pod was forbidden.
+ADMISSION_CONTROL="${ADMISSION_CONTROL},ResourceQuota"

 # Optional: if set to true kube-up will automatically check for existing resources and clean them up.
 KUBE_UP_AUTOMATIC_CLEANUP=${KUBE_UP_AUTOMATIC_CLEANUP:-false}
--- a/cluster/gce/configure-vm.sh
+++ b/cluster/gce/configure-vm.sh
@ -421,6 +421,7 @@ enable_l7_loadbalancing: '$(echo "$ENABLE_L7_LOADBALANCING" | sed -e "s/'/''/g")
 enable_node_logging: '$(echo "$ENABLE_NODE_LOGGING" | sed -e "s/'/''/g")'
 enable_metadata_proxy: '$(echo "$ENABLE_METADATA_CONCEALMENT" | sed -e "s/'/''/g")'
 enable_metrics_server: '$(echo "$ENABLE_METRICS_SERVER" | sed -e "s/'/''/g")'
+enable_pod_security_policy: '$(echo "$ENABLE_POD_SECURITY_POLICY" | sed -e "s/'/''/g")'
 enable_rescheduler: '$(echo "$ENABLE_RESCHEDULER" | sed -e "s/'/''/g")'
 logging_destination: '$(echo "$LOGGING_DESTINATION" | sed -e "s/'/''/g")'
 elasticsearch_replicas: '$(echo "$ELASTICSEARCH_LOGGING_REPLICAS" | sed -e "s/'/''/g")'
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@ -1745,6 +1745,10 @@ function start-kube-addons {
  # prep addition kube-up specific rbac objects
  setup-addon-manifests "addons" "rbac"

+  if [[ "${ENABLE_POD_SECURITY_POLICY:-}" == "true" ]]; then
+      setup-addon-manifests "addons" "podsecuritypolicies"
+  fi
+
  # Set up manifests of other addons.
  if [[ "${KUBE_PROXY_DAEMONSET:-}" == "true" ]]; then
    prepare-kube-proxy-manifest-variables "$src_dir/kube-proxy/kube-proxy-ds.yaml"
--- a/cluster/saltbase/salt/kube-addons/init.sls
+++ b/cluster/saltbase/salt/kube-addons/init.sls
@ -165,6 +165,17 @@ addon-dir-create:
    - file_mode: 644
 {% endif %}

+{% if pillar.get('enable_pod_security_policy', '').lower() == 'true' %}
+/etc/kubernetes/addons/podsecuritypolicies:
+  file.recurse:
+    - source: salt://kube-addons/podsecuritypolicies
+    - include_pat: E@^.+\.yaml$
+    - user: root
+    - group: root
+    - dir_mode: 755
+    - file_mode: 644
+{% endif %}
+
 {% if pillar.get('enable_cluster_ui', '').lower() == 'true' %}
 /etc/kubernetes/addons/dashboard:
  file.recurse: