diff --git a/Makefile b/Makefile
index c7a71d807..fd49648de 100644
--- a/Makefile
+++ b/Makefile
@@ -318,7 +318,6 @@ build/chart/: build/chart/index.yaml build/chart/index.yaml.$(YEAR_MONTH_DAY)
install-chart-prerequisite: build/toolchain/bin/kubectl$(EXE_EXTENSION) update-chart-deps
-$(KUBECTL) create namespace $(OPEN_MATCH_KUBERNETES_NAMESPACE)
- $(KUBECTL) apply -f install/gke-metadata-server-workaround.yaml
# Used for Open Match development. Install om-configmap-override.yaml by default.
HELM_UPGRADE_FLAGS = --cleanup-on-fail -i --no-hooks --debug --timeout=600s --namespace=$(OPEN_MATCH_KUBERNETES_NAMESPACE) --set global.gcpProjectId=$(GCP_PROJECT_ID) --set open-match-override.enabled=true --set redis.password=$(REDIS_DEV_PASSWORD) --set redis.auth.enabled=false --set redis.auth.sentinel=false
@@ -389,8 +388,8 @@ install-ci-chart: install-chart-prerequisite build/toolchain/bin/helm$(EXE_EXTEN
delete-chart: build/toolchain/bin/helm$(EXE_EXTENSION) build/toolchain/bin/kubectl$(EXE_EXTENSION)
-$(HELM) uninstall $(OPEN_MATCH_HELM_NAME)
-$(HELM) uninstall $(OPEN_MATCH_HELM_NAME)-demo
- -$(KUBECTL) delete psp,clusterrole,clusterrolebinding --selector=release=open-match
- -$(KUBECTL) delete psp,clusterrole,clusterrolebinding --selector=release=open-match-demo
+ -$(KUBECTL) delete clusterrole,clusterrolebinding --selector=release=open-match
+ -$(KUBECTL) delete clusterrole,clusterrolebinding --selector=release=open-match-demo
-$(KUBECTL) delete namespace $(OPEN_MATCH_KUBERNETES_NAMESPACE)
-$(KUBECTL) delete namespace $(OPEN_MATCH_KUBERNETES_NAMESPACE)-demo
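Review bot: The removed `$(KUBECTL) apply -f install/gke-metadata-server-workaround.yaml` line is the only reference to that manifest visible in this diff, and nothing here deletes the file or records why the workaround is no longer needed on the clusters that `create-gke-cluster` builds. If the manifest is obsolete it should go in the same change so it is not applied by hand out of habit; if it is still needed in some setups, a one-line comment above `install-chart-prerequisite:` such as `# gke-metadata-server-workaround.yaml is no longer applied here: <reason>` would save the next reader a search through history. The rule's recipe continues past the hunk.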
@@ -641,7 +640,7 @@ delete-kind-cluster: build/toolchain/bin/kind$(EXE_EXTENSION) build/toolchain/bi
create-cluster-role-binding:
$(KUBECTL) create clusterrolebinding myname-cluster-admin-binding --clusterrole=cluster-admin --user=$(GCLOUD_ACCOUNT_EMAIL)
-create-gke-cluster: GKE_VERSION = 1.22.12-gke.2300 # gcloud beta container get-server-config --zone us-west1-a
+create-gke-cluster: GKE_VERSION = 1.25.5-gke.2000 # gcloud beta container get-server-config --zone us-west1-a
create-gke-cluster: GKE_CLUSTER_SHAPE_FLAGS = --machine-type n1-standard-8 --enable-autoscaling --min-nodes 1 --num-nodes 6 --max-nodes 10 --disk-size 50
create-gke-cluster: GKE_FUTURE_COMPAT_FLAGS = --no-enable-basic-auth --no-issue-client-certificate --enable-ip-alias --metadata disable-legacy-endpoints=true --enable-autoupgrade
create-gke-cluster: build/toolchain/bin/kubectl$(EXE_EXTENSION) gcloud
@@ -650,7 +649,6 @@ create-gke-cluster: build/toolchain/bin/kubectl$(EXE_EXTENSION) gcloud
--image-type cos_containerd \
--tags open-match \
--workload-pool $(GCP_PROJECT_ID).svc.id.goog
- $(MAKE) create-cluster-role-binding
delete-gke-cluster: gcloud
diff --git a/install/helm/open-match/templates/podsecuritypolicy.yaml b/install/helm/open-match/templates/podsecuritypolicy.yaml
deleted file mode 100644
index d8817f411..000000000
--- a/install/helm/open-match/templates/podsecuritypolicy.yaml
+++ /dev/null
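Review bot: Dropping `$(MAKE) create-cluster-role-binding` from the `create-gke-cluster` recipe leaves the `create-cluster-role-binding` target, shown as context in the preceding hunk, still defined and still binding `cluster-admin` to `$(GCLOUD_ACCOUNT_EMAIL)` under the fixed name `myname-cluster-admin-binding`, with nothing saying when it is now meant to run. Either delete the target if the binding is no longer needed, or document the manual step above it, e.g. `# Not run by create-gke-cluster; invoke by hand only if your account lacks cluster-admin on the new cluster.` The body of `create-gke-cluster` starts outside this hunk, so I cannot tell whether anything else in it still depends on that binding.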
@@ -1,140 +0,0 @@
-# Copyright 2019 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-{{- if index .Values "open-match-core" "enabled" }}
-{{- if empty .Values.ci }}
-# This is the least restricted PSP used to create privileged pods to disable THP in host kernel.
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: {{ include "openmatch.fullname" . }}-redis-podsecuritypolicy
- namespace: {{ .Release.Namespace }}
- annotations:
- {{- include "openmatch.chartmeta" . | nindent 4 }}
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
- labels:
- app: {{ template "openmatch.name" . }}
- release: {{ .Release.Name }}
-spec:
- privileged: true
- allowPrivilegeEscalation: true
- allowedCapabilities:
- - '*'
- volumes:
- - '*'
- hostNetwork: true
- hostPorts:
- # Redis
- - min: 6379
- max: 6379
- - min: 9121
- max: 9121
- hostIPC: true
- hostPID: true
- runAsUser:
- rule: 'RunAsAny'
- seLinux:
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'RunAsAny'
- fsGroup:
- rule: 'RunAsAny'
----
-# This does not allow creating privileged pods and restrict binded pods to use the specified port ranges.
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: {{ include "openmatch.fullname" . }}-core-podsecuritypolicy
- namespace: {{ .Release.Namespace }}
- annotations: {{- include "openmatch.chartmeta" . | nindent 4 }}
- labels:
- app: {{ template "openmatch.name" . }}
- release: {{ .Release.Name }}
-spec:
- allowPrivilegeEscalation: false
- defaultAllowPrivilegeEscalation: false
- forbiddenSysctls:
- - "*"
- fsGroup:
- rule: "MustRunAs"
- ranges:
- - min: 1
- max: 65535
- hostIPC: false
- hostNetwork: false
- hostPID: false
- hostPorts:
- # Open Match Services
- - min: 50500
- max: 50510
- - min: 51500
- max: 51510
- # Cassandra
- - min: 7000
- max: 7001
- - min: 7199
- max: 7199
- - min: 9042
- max: 9042
- - min: 9160
- max: 9160
- # Grafana
- - min: 3000
- max: 3000
- # Jaeger
- - min: 5775
- max: 5778
- - min: 6831
- max: 6832
- - min: 14267
- max: 14268
- - min: 9411
- max: 9411
- - min: 16686
- max: 16686
- # Prometheus
- - min: 9090
- max: 9093
- - min: 9100
- max: 9100
- - min: 8080
- max: 8080
- privileged: false # Prevents creation of privileged Pods
- readOnlyRootFilesystem: false
- # Capabilities Reference: https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
- # TODO: Open Match itself doesn't need any capabilties but its dependencies do. We should split out the service accounts later.
- allowedCapabilities:
- - CHOWN
- #requiredDropCapabilities:
- #- ALL
- runAsUser:
- rule: "RunAsAny"
- # Blocked on isolating the open match services from dependencies (Redis, Prometheus, etc.)
- # Require the container to run without root privileges.
- #rule: 'MustRunAsNonRoot'
- seLinux:
- # This policy assumes the nodes are using AppArmor rather than SELinux.
- rule: 'RunAsAny'
- supplementalGroups:
- rule: RunAsAny
- volumes:
- - 'configMap'
- - 'emptyDir'
- - 'projected'
- - 'secret'
- - 'downwardAPI'
- # Assume that persistentVolumes set up by the cluster admin are safe to use.
- - 'persistentVolumeClaim'
-{{- end }}
-{{- end }}
diff --git a/install/helm/open-match/templates/service-account.yaml b/install/helm/open-match/templates/service-account.yaml
index 72a4f3a88..0f86a0dc2 100644
--- a/install/helm/open-match/templates/service-account.yaml
+++ b/install/helm/open-match/templates/service-account.yaml
@@ -23,6 +23,8 @@ metadata:
labels:
app: {{ template "openmatch.name" . }}
release: {{ .Release.Name }}
+ pod-security.kubernetes.io/enforce: baseline
+ pod-security.kubernetes.io/warn: baseline
{{- end }}
---
# Create a universal service account for open-match-core services.
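Review bot: The added `pod-security.kubernetes.io/enforce: baseline` and `pod-security.kubernetes.io/warn: baseline` labels only have an effect when they are set on a Namespace object; Pod Security Admission ignores them on any other kind. The resource they are attached to begins before this hunk, so its kind is not visible here, but in a file named service-account.yaml it is worth confirming it really is a Namespace, because with the PodSecurityPolicy templates, the PSP-use Roles in this file and in om-test-role.yaml, and the Terraform `pod_security_policy_config` block all removed in this commit, these two labels are the only pod security control left. The deleted redis PSP existed to admit a `privileged: true`, `hostNetwork`, `hostPID` pod that disables THP in the host kernel; if the chart still creates such a pod, `baseline` enforcement will reject it, so that workload needs to be dropped or explicitly handled. A short comment above the labels naming the namespace they govern and why `baseline` rather than `restricted` was chosen would make the intent checkable.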
@@ -39,79 +41,4 @@ metadata:
release: {{ .Release.Name }}
automountServiceAccountToken: true
---
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ include "openmatch.fullname" . }}-service-role
- namespace: {{ .Release.Namespace }}
- annotations: {{- include "openmatch.chartmeta" . | nindent 4 }}
- labels:
- app: {{ template "openmatch.name" . }}
- release: {{ .Release.Name }}
-rules:
-- apiGroups:
- - extensions
- resources:
- - podsecuritypolicies
- resourceNames:
- - {{ include "openmatch.fullname" . }}-core-podsecuritypolicy
- verbs:
- - use
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ include "openmatch.fullname" . }}-service-role-binding
- namespace: {{ .Release.Namespace }}
- annotations: {{- include "openmatch.chartmeta" . | nindent 4 }}
- labels:
- app: {{ template "openmatch.name" . }}
- release: {{ .Release.Name }}
-subjects:
-- kind: Group
- name: system:authenticated # All authenticated users
- apiGroup: rbac.authorization.k8s.io
-roleRef:
- kind: Role
- name: {{ include "openmatch.fullname" . }}-service-role
- apiGroup: rbac.authorization.k8s.io
----
-{{- if index .Values "open-match-core" "redis" "enabled" }}
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ include "openmatch.fullname" . }}-redis-role
- namespace: {{ .Release.Namespace }}
- annotations: {{- include "openmatch.chartmeta" . | nindent 4 }}
- labels:
- app: {{ template "openmatch.name" . }}
- release: {{ .Release.Name }}
-rules:
-- apiGroups:
- - extensions
- resources:
- - podsecuritypolicies
- resourceNames:
- - {{ include "openmatch.fullname" . }}-redis-podsecuritypolicy
- verbs:
- - use
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ include "openmatch.fullname" . }}-redis-role-binding
- namespace: {{ .Release.Namespace }}
- annotations: {{- include "openmatch.chartmeta" . | nindent 4 }}
- labels:
- app: {{ template "openmatch.name" . }}
- release: {{ .Release.Name }}
-subjects:
-- kind: ServiceAccount
- name: {{ include "call-nested" (list . "redis" "redis.serviceAccountName") }}
- namespace: {{ .Release.Namespace }}
-roleRef:
- kind: Role
- name: {{ include "openmatch.fullname" . }}-redis-role
- apiGroup: rbac.authorization.k8s.io
-{{- end }}
{{- end }}
diff --git a/install/helm/open-match/templates/tests/om-test-role.yaml b/install/helm/open-match/templates/tests/om-test-role.yaml
index f75dcaf6d..681157f2b 100644
--- a/install/helm/open-match/templates/tests/om-test-role.yaml
+++ b/install/helm/open-match/templates/tests/om-test-role.yaml
@@ -24,14 +24,6 @@ metadata:
app: {{ template "openmatch.name" . }}
release: {{ .Release.Name }}
rules:
-- apiGroups:
- - extensions
- resources:
- - podsecuritypolicies
- resourceNames:
- - {{ include "openmatch.fullname" . }}-core-podsecuritypolicy
- verbs:
- - use
# Grant this role get & list permission for k8s endpoints and pods resources
# Required for e2e in-cluster testing.
- apiGroups:
diff --git a/install/terraform/open-match-build/open-match-build.tf b/install/terraform/open-match-build/open-match-build.tf
index dac4ba98c..ccbc05e56 100644
--- a/install/terraform/open-match-build/open-match-build.tf
+++ b/install/terraform/open-match-build/open-match-build.tf
@@ -96,11 +96,6 @@ resource "google_container_cluster" "ci_cluster" {
identity_namespace = "${var.gcp_project_id}.svc.id.goog"
}
- # Enable PodSecurityPolicy
- pod_security_policy_config {
- enabled = "true"
- }
-
node_config {
oauth_scopes = [
"https://www.googleapis.com/auth/devstorage.read_only",