Merge pull request #55509 from tallclair/psp-addons

Automatic merge from submit-queue (batch tested with PRs 54602, 54877, 55243, 55509, 55128). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

PodSecurityPolicies for addons

**What this PR does / why we need it**:

1. Colocate addon PodSecurityPolicy config with the addons (in a `podsecuritypolicies` subdirectory). 
2. Add policies for addons that are currently missing policies (not in the default GCE suite)
3. Remove HostPath SSL certs from several heapster deployments, so that heapster doesn't require a special PSP

**Which issue(s) this PR fixes**:
#43538

**Release note**:
```release-note
- Add PodSecurityPolicies for cluster addons
- Remove SSL cert HostPath volumes from heapster addons
```

cluster/addons/fluentd-gcp/podsecuritypolicies/event-exporter-psp-binding.yaml

@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: gce:podsecuritypolicy:event-exporter
+  namespace: kube-system
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+    kubernetes.io/cluster-service: "true"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: gce:podsecuritypolicy:event-exporter
+subjects:
+- kind: ServiceAccount
+  name: event-exporter-sa
+  namespace: kube-system

cluster/addons/fluentd-gcp/podsecuritypolicies/event-exporter-psp-role.yaml

@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: gce:podsecuritypolicy:event-exporter
+  namespace: kube-system
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+rules:
+- apiGroups:
+  - extensions
+  resourceNames:
+  - gce.event-exporter
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use

cluster/addons/fluentd-gcp/podsecuritypolicies/event-exporter-psp.yaml

@@ -0,0 +1,38 @@
+apiVersion: extensions/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: gce.event-exporter
+  annotations:
+    kubernetes.io/description: 'Policy used by the event-exporter addon.'
+    # TODO: event-exporter should run with the default seccomp profile
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+    # 'runtime/default' is already the default, but must be filled in on the
+    # pod to pass admission.
+    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
+    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+  labels:
+    kubernetes.io/cluster-service: 'true'
+    addonmanager.kubernetes.io/mode: Reconcile
+spec:
+  privileged: false
+  allowPrivilegeEscalation: false
+  volumes:
+  - 'hostPath'
+  - 'secret'
+  # TODO: This only needs a hostPath to read /etc/ssl/certs,
+  #   but it should be able to just include these in the image.
+  allowedHostPaths:
+    - pathPrefix: /etc/ssl/certs
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  # TODO: This doesn't need to run as root.
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+  readOnlyRootFilesystem: false

cluster/addons/fluentd-gcp/podsecuritypolicies/fluentd-gcp-psp-binding.yaml

@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: gce:podsecuritypolicy:fluentd-gcp
+  namespace: kube-system
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+    kubernetes.io/cluster-service: "true"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: gce:podsecuritypolicy:fluentd-gcp
+subjects:
+- kind: ServiceAccount
+  name: fluentd-gcp
+  namespace: kube-system

cluster/addons/fluentd-gcp/podsecuritypolicies/fluentd-gcp-psp-role.yaml

@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: gce:podsecuritypolicy:fluentd-gcp
+  namespace: kube-system
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+rules:
+- apiGroups:
+  - extensions
+  resourceNames:
+  - gce.fluentd-gcp
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use

cluster/addons/fluentd-gcp/podsecuritypolicies/fluentd-gcp-psp.yaml

@@ -0,0 +1,38 @@
+apiVersion: extensions/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: gce.fluentd-gcp
+  annotations:
+    kubernetes.io/description: 'Policy used by the fluentd-gcp addon.'
+    # TODO: fluentd-gcp should run with the default seccomp profile
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+    # 'runtime/default' is already the default, but must be filled in on the
+    # pod to pass admission.
+    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
+    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+  labels:
+    kubernetes.io/cluster-service: 'true'
+    addonmanager.kubernetes.io/mode: Reconcile
+spec:
+  privileged: false
+  allowPrivilegeEscalation: false
+  volumes:
+  - 'configMap'
+  - 'hostPath'
+  - 'secret'
+  allowedHostPaths:
+    - pathPrefix: /var/log
+    - pathPrefix: /var/lib/docker/containers
+    - pathPrefix: /usr/lib64
+  hostNetwork: true
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+  readOnlyRootFilesystem: false