From b32cb5e6ba6875fad00556d4a92f3428cc84eacc Mon Sep 17 00:00:00 2001
From: colvin
Date: Thu, 11 Jun 2020 09:51:13 -0400
Subject: [PATCH 1/3] Create a podsecuritypolicies addon
Create a new addon, `podsecuritypolicies` that applies the PodSecurityPolicy and related RBAC configuration from the https://minikube.sigs.k8s.io/docs/tutorials/using_psp/ tutorial. Apparently, recent work on the addons system has invalidated the procedure shown in that tutorial, as the configuration is no longer automatically applied. The last known working version is `1.6.2`. This allows clusters started with `--extra-configs=apiserver.enable-admission-plugins=PodSecurityPolicy` to succeed, so long as they also include `--addons=podsecuritypolicies`.
---
 .../podsecuritypolicies.yaml.tmpl | 132 ++++++++++++++++++
 pkg/addons/config.go | 5 +
 pkg/minikube/assets/addons.go | 8 ++
 3 files changed, 145 insertions(+)
 create mode 100644 deploy/addons/podsecuritypolicies/podsecuritypolicies.yaml.tmpl
diff --git a/deploy/addons/podsecuritypolicies/podsecuritypolicies.yaml.tmpl b/deploy/addons/podsecuritypolicies/podsecuritypolicies.yaml.tmpl
new file mode 100644
index 000000000000..fa4171fa91ef
--- /dev/null
+++ b/deploy/addons/podsecuritypolicies/podsecuritypolicies.yaml.tmpl
@@ -0,0 +1,132 @@
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: privileged
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
+ labels:
+ addonmanager.kubernetes.io/mode: EnsureExists
+spec:
+ privileged: true
+ allowPrivilegeEscalation: true
+ allowedCapabilities:
+ - "*"
+ volumes:
+ - "*"
+ hostNetwork: true
+ hostPorts:
+ - min: 0
+ max: 65535
+ hostIPC: true
+ hostPID: true
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'RunAsAny'
+ fsGroup:
+ rule: 'RunAsAny'
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: restricted
+ labels:
+ addonmanager.kubernetes.io/mode: EnsureExists
+spec:
+ privileged: false
+ allowPrivilegeEscalation: false
+ requiredDropCapabilities:
+ - ALL
+ volumes:
+ - 'configMap'
+ - 'emptyDir'
+ - 'projected'
+ - 'secret'
+ - 'downwardAPI'
+ - 'persistentVolumeClaim'
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'MustRunAsNonRoot'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ readOnlyRootFilesystem: false
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: psp:privileged
+ labels:
+ addonmanager.kubernetes.io/mode: EnsureExists
+rules:
+- apiGroups: ['policy']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames:
+ - privileged
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: psp:restricted
+ labels:
+ addonmanager.kubernetes.io/mode: EnsureExists
+rules:
+- apiGroups: ['policy']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames:
+ - restricted
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: default:restricted
+ labels:
+ addonmanager.kubernetes.io/mode: EnsureExists
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: psp:restricted
+subjects:
+- kind: Group
+ name: system:authenticated
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: default:privileged
+ namespace: kube-system
+ labels:
+ addonmanager.kubernetes.io/mode: EnsureExists
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: psp:privileged
+subjects:
+- kind: Group
+ name: system:masters
+ apiGroup: rbac.authorization.k8s.io
+- kind: Group
+ name: system:nodes
+ apiGroup: rbac.authorization.k8s.io
+- kind: Group
+ name: system:serviceaccounts:kube-system
+ apiGroup: rbac.authorization.k8s.io
diff --git a/pkg/addons/config.go b/pkg/addons/config.go
index 80fb4ad6f5f3..81d24e85f6a3 100644
--- a/pkg/addons/config.go
+++ b/pkg/addons/config.go
@@ -149,4 +149,9 @@ var Addons = []*Addon{
 set: SetBool,
 callbacks: []setFn{enableOrDisableAddon},
 },
+ {
+ name: "podsecuritypolicies",
+ set: SetBool,
+ callbacks: []setFn{enableOrDisableAddon},
+ },
 }
diff --git a/pkg/minikube/assets/addons.go b/pkg/minikube/assets/addons.go
index 67403a4c14d6..d5bd8adfdc46 100644
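Review bot: The `restricted` PodSecurityPolicy carries no seccomp or AppArmor annotations, so pods admitted under it are not required to run with any seccomp profile; the only seccomp setting in this file is on the `privileged` policy, and there it is the wildcard `"*"`. The upstream restricted example this addon is modelled on also pins `seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'` and `seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'` under `metadata.annotations` of the restricted policy; adding those two lines (and the matching `apparmor.security.beta.kubernetes.io/*` pair where AppArmor is available) keeps the addon's baseline at least as strict as the tutorial it replaces. `readOnlyRootFilesystem: false` on the restricted policy deserves a one-line comment stating that it is deliberately permissive. Since `policy/v1beta1` PodSecurityPolicy has since been deprecated and removed from Kubernetes (1.25), a header comment noting the API's lifecycle would help whoever maintains this template later.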
--- a/pkg/minikube/assets/addons.go
+++ b/pkg/minikube/assets/addons.go
@@ -81,6 +81,14 @@ var Addons = map[string]*Addon{
 "0640",
 false),
 }, true, "default-storageclass"),
+ "podsecuritypolicies": NewAddon([]*BinAsset{
+ MustBinAsset(
+ "deploy/addons/podsecuritypolicies/podsecuritypolicies.yaml.tmpl",
+ vmpath.GuestAddonsDir,
+ "podsecuritypolicies.yaml",
+ "0640",
+ false),
+ }, false, "podsecuritypolicies"),
 "storage-provisioner": NewAddon([]*BinAsset{
 MustBinAsset(
 "deploy/addons/storage-provisioner/storage-provisioner.yaml.tmpl",
From 3d2ae5423cd1c0723a00ce778bc512d60e76e61a Mon Sep 17 00:00:00 2001
From: colvin
Date: Thu, 18 Jun 2020 17:00:08 -0400
Subject: [PATCH 2/3] Rename podsecuritypolicies addon to pod-security-policy
---
 .../pod-security-policy.yaml.tmpl} | 0
 pkg/addons/config.go | 2 +-
 pkg/minikube/assets/addons.go | 8 ++++----
 3 files changed, 5 insertions(+), 5 deletions(-)
 rename deploy/addons/{podsecuritypolicies/podsecuritypolicies.yaml.tmpl => pod-security-policy/pod-security-policy.yaml.tmpl} (100%)
diff --git a/deploy/addons/podsecuritypolicies/podsecuritypolicies.yaml.tmpl b/deploy/addons/pod-security-policy/pod-security-policy.yaml.tmpl
similarity index 100%
rename from deploy/addons/podsecuritypolicies/podsecuritypolicies.yaml.tmpl
rename to deploy/addons/pod-security-policy/pod-security-policy.yaml.tmpl
diff --git a/pkg/addons/config.go b/pkg/addons/config.go
index 81d24e85f6a3..6ffe0f111311 100644
--- a/pkg/addons/config.go
+++ b/pkg/addons/config.go
@@ -150,7 +150,7 @@ var Addons = []*Addon{
 callbacks: []setFn{enableOrDisableAddon},
 },
 {
- name: "podsecuritypolicies",
+ name: "pod-security-policy",
 set: SetBool,
 callbacks: []setFn{enableOrDisableAddon},
 },
diff --git a/pkg/minikube/assets/addons.go b/pkg/minikube/assets/addons.go
index d5bd8adfdc46..6d57174252c5 100644
--- a/pkg/minikube/assets/addons.go
+++ b/pkg/minikube/assets/addons.go
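Review bot: The new entry's third argument is `false` (the `default-storageclass` entry directly above passes `true`), which appears to leave the addon disabled by default, yet nothing in this change checks that a cluster started with `apiserver.enable-admission-plugins=PodSecurityPolicy` also has it enabled, even though the commit message says bootstrap fails without that pairing. A start-time guard that warns when that admission plugin is requested without `podsecuritypolicies` would belong outside this hunk; at minimum, a comment on the entry, `// Disabled by default; must be enabled together with the PodSecurityPolicy admission plugin or bootstrap fails.`, records the dependency next to the registration. The enclosing `Addons` map literal starts before and ends after this hunk.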
@@ -81,14 +81,14 @@ var Addons = map[string]*Addon{
 "0640",
 false),
 }, true, "default-storageclass"),
- "podsecuritypolicies": NewAddon([]*BinAsset{
+ "pod-security-policy": NewAddon([]*BinAsset{
 MustBinAsset(
- "deploy/addons/podsecuritypolicies/podsecuritypolicies.yaml.tmpl",
+ "deploy/addons/pod-security-policy/pod-security-policy.yaml.tmpl",
 vmpath.GuestAddonsDir,
- "podsecuritypolicies.yaml",
+ "pod-security-policy.yaml",
 "0640",
 false),
- }, false, "podsecuritypolicies"),
+ }, false, "pod-security-policy"),
 "storage-provisioner": NewAddon([]*BinAsset{
 MustBinAsset(
 "deploy/addons/storage-provisioner/storage-provisioner.yaml.tmpl",
From 08ee21fd439b988ce46c30153aad38291732ce0a Mon Sep 17 00:00:00 2001
From: colvin
Date: Thu, 18 Jun 2020 17:33:34 -0400
Subject: [PATCH 3/3] update the Pod Security Policies tutorial
---
 site/content/en/docs/tutorials/using_psp.md | 44 +++++++++++++++++++--
 1 file changed, 40 insertions(+), 4 deletions(-)
diff --git a/site/content/en/docs/tutorials/using_psp.md b/site/content/en/docs/tutorials/using_psp.md
index b77fc4c46f9c..38123c73c0af 100644
--- a/site/content/en/docs/tutorials/using_psp.md
+++ b/site/content/en/docs/tutorials/using_psp.md
@@ -13,18 +13,33 @@ This tutorial explains how to start minikube with Pod Security Policies (PSP) en ## Prerequisites -- Minikube 1.5.2 with Kubernetes 1.16.x or higher +- Minikube 1.11.1 with Kubernetes 1.16.x or higher ## Tutorial -Before starting minikube, you need to give it the PSP YAMLs in order to allow minikube to bootstrap. +Start minikube with the `PodSecurityPolicy` admission controller and the +`pod-security-policy` addon enabled. -Create the directory: +`minikube start --extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy --addons=pod-security-policy` + +The `pod-security-policy` addon must be enabled along with the admission +controller to prevent issues during bootstrap. + +## Older versions of minikube + +Older versions of minikube do not ship with the `pod-security-policy` addon, so +the policies that addon enables must be separately applied to the cluster. + +## Minikube 1.5.2 through 1.6.2 + +Before starting minikube, you need to give it the PSP YAMLs in order to allow minikube to bootstrap. + +Create the directory: `mkdir -p ~/.minikube/files/etc/kubernetes/addons` Copy the YAML below into this file: `~/.minikube/files/etc/kubernetes/addons/psp.yaml` -Now start minikube: +Now start minikube: `minikube start --extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy` ```yaml 
@@ -161,3 +176,24 @@ subjects: name: system:serviceaccounts:kube-system apiGroup: rbac.authorization.k8s.io ``` + +### Minikube between 1.6.2 and 1.11.1 + +With minikube versions greater than 1.6.2 and less than 1.11.1, the YAML files +shown above will not be automatically applied to the cluster. You may have +errors during bootstrap of the cluster if the admission controller is enabled. + +To use Pod Security Policies with these versions of minikube, first start a +cluster without the `PodSecurityPolicy` admission controller enabled. + +Next, apply the YAML shown above to the cluster. + +Finally, stop the cluster and then restart it with the admission controller +enabled. + +``` +minikube start +kubectl apply -f /path/to/psp.yaml +minikube stop +minikube start --extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy +```