From 88db8191702138294066f6c1b598d4c30bb346eb Mon Sep 17 00:00:00 2001
From: Tim Allclair
Date: Tue, 31 Oct 2017 17:14:47 -0700
Subject: [PATCH] GCP PodSecurityPolicy configuration
---
 cluster/common.sh | 1 +
 cluster/gce/config-default.sh | 10 ++++++++--
 cluster/gce/configure-vm.sh | 1 +
 cluster/gce/gci/configure-helper.sh | 4 ++++
 cluster/saltbase/salt/kube-addons/init.sls | 11 +++++++++++
 5 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/cluster/common.sh b/cluster/common.sh
index 2b11917d77..5b0292b4c8 100755
--- a/cluster/common.sh
+++ b/cluster/common.sh
@@ -633,6 +633,7 @@ KUBE_PROXY_DAEMONSET: $(yaml-quote ${KUBE_PROXY_DAEMONSET:-false})
 KUBE_PROXY_TOKEN: $(yaml-quote ${KUBE_PROXY_TOKEN:-})
 NODE_PROBLEM_DETECTOR_TOKEN: $(yaml-quote ${NODE_PROBLEM_DETECTOR_TOKEN:-})
 ADMISSION_CONTROL: $(yaml-quote ${ADMISSION_CONTROL:-})
+ENABLE_POD_SECURITY_POLICY: $(yaml-quote ${ENABLE_POD_SECURITY_POLICY:-})
 MASTER_IP_RANGE: $(yaml-quote ${MASTER_IP_RANGE})
 RUNTIME_CONFIG: $(yaml-quote ${RUNTIME_CONFIG})
 CA_CERT: $(yaml-quote ${CA_CERT_BASE64:-})
diff --git a/cluster/gce/config-default.sh b/cluster/gce/config-default.sh
index a88885ecb3..0b99a310fd 100755
--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
@@ -257,8 +257,14 @@ if [[ -n "${GCE_GLBC_IMAGE:-}" ]]; then
 fi
 
 # Admission Controllers to invoke prior to persisting objects in cluster
-# If we included ResourceQuota, we should keep it at the end of the list to prevent incrementing quota usage prematurely.
-ADMISSION_CONTROL=Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,Priority,ResourceQuota
+ADMISSION_CONTROL=Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,Priority
+
+if [[ "${ENABLE_POD_SECURITY_POLICY:-}" == "true" ]]; then
+  ADMISSION_CONTROL="${ADMISSION_CONTROL},PodSecurityPolicy"
+fi
+
+# ResourceQuota must come last, or a creation is recorded, but the pod was forbidden.
+ADMISSION_CONTROL="${ADMISSION_CONTROL},ResourceQuota"
 
 # Optional: if set to true kube-up will automatically check for existing resources and clean them up.
 KUBE_UP_AUTOMATIC_CLEANUP=${KUBE_UP_AUTOMATIC_CLEANUP:-false}
diff --git a/cluster/gce/configure-vm.sh b/cluster/gce/configure-vm.sh
index ee5510d780..21726670dd 100755
--- a/cluster/gce/configure-vm.sh
+++ b/cluster/gce/configure-vm.sh
@@ -421,6 +421,7 @@ enable_l7_loadbalancing: '$(echo "$ENABLE_L7_LOADBALANCING" | sed -e "s/'/''/g")
 enable_node_logging: '$(echo "$ENABLE_NODE_LOGGING" | sed -e "s/'/''/g")'
 enable_metadata_proxy: '$(echo "$ENABLE_METADATA_CONCEALMENT" | sed -e "s/'/''/g")'
 enable_metrics_server: '$(echo "$ENABLE_METRICS_SERVER" | sed -e "s/'/''/g")'
+enable_pod_security_policy: '$(echo "$ENABLE_POD_SECURITY_POLICY" | sed -e "s/'/''/g")'
 enable_rescheduler: '$(echo "$ENABLE_RESCHEDULER" | sed -e "s/'/''/g")'
 logging_destination: '$(echo "$LOGGING_DESTINATION" | sed -e "s/'/''/g")'
 elasticsearch_replicas: '$(echo "$ELASTICSEARCH_LOGGING_REPLICAS" | sed -e "s/'/''/g")'
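Review bot: The flag is consumed at the new `if [[ "${ENABLE_POD_SECURITY_POLICY:-}" == "true" ]]` without being declared anywhere in this file, unlike KUBE_UP_AUTOMATIC_CLEANUP just below it, so kube-env (the common.sh hunk) carries an empty string rather than an explicit value. Consider declaring it next to the other feature knobs, `ENABLE_POD_SECURITY_POLICY=${ENABLE_POD_SECURITY_POLICY:-false}`, so the option is documented in the defaults file and normalised for every consumer. The new ResourceQuota comment reads awkwardly; `# ResourceQuota must stay last, otherwise quota usage is charged for a pod that a later plugin (e.g. PodSecurityPolicy) then forbids.` states the reason directly. It is also worth a line here noting that once PodSecurityPolicy is in the list the apiserver rejects any pod that no policy authorises, so addon pods may be denied until the podsecuritypolicies addon has actually been applied.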
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index 12f7b6ec77..1c4331a47b 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -1745,6 +1745,10 @@ function start-kube-addons {
   # prep addition kube-up specific rbac objects
   setup-addon-manifests "addons" "rbac"
 
+  if [[ "${ENABLE_POD_SECURITY_POLICY:-}" == "true" ]]; then
+    setup-addon-manifests "addons" "podsecuritypolicies"
+  fi
+
   # Set up manifests of other addons.
   if [[ "${KUBE_PROXY_DAEMONSET:-}" == "true" ]]; then
     prepare-kube-proxy-manifest-variables "$src_dir/kube-proxy/kube-proxy-ds.yaml"
diff --git a/cluster/saltbase/salt/kube-addons/init.sls b/cluster/saltbase/salt/kube-addons/init.sls
index d3b86dc4c3..3171cb6ca6 100644
--- a/cluster/saltbase/salt/kube-addons/init.sls
+++ b/cluster/saltbase/salt/kube-addons/init.sls
@@ -165,6 +165,17 @@ addon-dir-create:
     - file_mode: 644
 {% endif %}
 
+{% if pillar.get('enable_pod_security_policy', '').lower() == 'true' %}
+/etc/kubernetes/addons/podsecuritypolicies:
+  file.recurse:
+    - source: salt://kube-addons/podsecuritypolicies
+    - include_pat: E@^.+\.yaml$
+    - user: root
+    - group: root
+    - dir_mode: 755
+    - file_mode: 644
+{% endif %}
+
 {% if pillar.get('enable_cluster_ui', '').lower() == 'true' %}
 /etc/kubernetes/addons/dashboard:
   file.recurse:
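Review bot: `setup-addon-manifests "addons" "podsecuritypolicies"` (and `salt://kube-addons/podsecuritypolicies` in the init.sls hunk) references a manifest directory that this patch does not add — the diffstat lists only the five configuration files. If the policy manifests land in a separate change, the ordering matters: the config-default.sh hunk already puts PodSecurityPolicy into ADMISSION_CONTROL, and with no policy objects present the apiserver admits no pod that goes through admission until the manifests appear. Whether setup-addon-manifests tolerates a missing source directory is not visible here; a short comment above the new block, `# Must be applied before any other addon pod can be admitted when PodSecurityPolicy is enabled`, would record why it sits directly after rbac. start-kube-addons continues outside the hunk.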
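Review bot: The new pillar check lower-cases the value (`.lower() == 'true'`, consistent with the enable_cluster_ui block below) while the bash checks in the config-default.sh and configure-helper.sh hunks compare against the literal `"true"`. A deployment that sets ENABLE_POD_SECURITY_POLICY=True would therefore get the policy manifests installed on the salt path without the admission plugin being enabled, which is benign but confusing to debug; normalising the value once where it is declared (config-default.sh) would keep all three paths in agreement. The enclosing Jinja/YAML state continues outside the hunk.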