k3s/cluster/saltbase
Kubernetes Submit Queue 96d81fe688
Merge pull request #52367 from tallclair/psp-config
Automatic merge from submit-queue (batch tested with PRs 52367, 53363, 54989, 54872, 54643). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Basic GCE PodSecurityPolicy Config

**What this PR does / why we need it**:

This PR lays the foundation for enabling PodSecurityPolicy in GCE and other default deployments. The 3 commits are:

1. Add policies, roles & bindings for the default addons on GCE.
2. Enable the PSP admission controller & load the addon policies when the `ENABLE_POD_SECURITY_POLICY=true` environment variable is set.
3. Support the PodSecurityPolicy in the E2E environment & add PSP tests.

NOTES:

- ~~Depends on https://github.com/kubernetes/kubernetes/pull/52301 for privileged capabilities~~
- ~~Depends on https://github.com/kubernetes/kubernetes/pull/52849 for sane mutations~~
- ~~Depends on https://github.com/kubernetes/kubernetes/pull/53479 for aggregator tests to pass~~
- ~~Depends on https://github.com/kubernetes/kubernetes/pull/54175 for dedicated fluentd service account~~
- This PR is a fork of https://github.com/kubernetes/kubernetes/pull/46064, credit to @Q-Lee

**Which issue this PR fixes**: #43538

**Release note**:
```release-note
Add support for PodSecurityPolicy on GCE: `ENABLE_POD_SECURITY_POLICY=true` enables the admission controller, and installs policies for default addons.
```
2017-11-02 12:59:13 -07:00
| Name | Last commit | Date |
| --- | --- | --- |
| pillar | update oscodenames supporting systemd | 2016-10-18 09:37:40 -04:00 |
| reactor | Remove kube-up for vsphere | 2016-12-22 20:15:37 +00:00 |
| salt | Merge pull request #52367 from tallclair/psp-config | 2017-11-02 12:59:13 -07:00 |
| BUILD | Replace git_repository with http_archive and use ixdy's fork of bazel tools for pkg_tar | 2017-05-03 10:13:06 -07:00 |
| README.md | Fix url for Saltstack administration document | 2017-09-17 14:46:26 +08:00 |
| install.sh | Remove "All rights reserved" from all the headers. | 2016-06-29 17:47:36 -07:00 |

README.md

SaltStack configuration

This is the root of the SaltStack configuration for Kubernetes. A high-level overview of the Kubernetes SaltStack configuration can be found in the docs tree.

This SaltStack configuration currently applies to default configurations for Debian-on-GCE, Fedora-on-Vagrant, Ubuntu-on-AWS and Ubuntu-on-Azure. (That doesn't mean it can't be made to apply to an arbitrary configuration, but those are the only in-tree OS/IaaS combinations supported today.) As you peruse the configuration, these are abbreviated as `gce`, `vagrant`, `aws` and `azure-legacy` in `grains.cloud`; the documentation in this tree uses the same shorthand for convenience.

See more:
