From b24bf0c5e2ff24ff900a169d9065268e5d5c4ee8 Mon Sep 17 00:00:00 2001
From: Davide Belloni
Date: Tue, 26 Jun 2018 14:06:32 +0200
Subject: [PATCH 1/5] =?UTF-8?q?Enable=20=E2=80=9CKubernetes=20Monitoring?= =?UTF-8?q?=E2=80=9D=20and=20=E2=80=9CPodSecurityPolicies=E2=80=9D=20on=20?= =?UTF-8?q?the=20same=20cluster?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Without that the daemonset "metadata-agent" return: ```pods "metadata-agent-" is forbidden: unable to validate against any pod security policy: [spec.containers[0].securityContext.containers[0].hostPort: Invalid value: 8799: Host port 8799 is not allowed to be used. Allowed ports: []]```
---
 .../stackdriver/metadata-agent-rbac.yaml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/cluster/addons/metadata-agent/stackdriver/metadata-agent-rbac.yaml b/cluster/addons/metadata-agent/stackdriver/metadata-agent-rbac.yaml
index dfcada4d585..1631c0d57e3 100644
--- a/cluster/addons/metadata-agent/stackdriver/metadata-agent-rbac.yaml
+++ b/cluster/addons/metadata-agent/stackdriver/metadata-agent-rbac.yaml
@@ -32,3 +32,20 @@ subjects:
 - kind: ServiceAccount
 name: metadata-agent
 namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: gce:podsecuritypolicy:metadata-agent
+ namespace: kube-system
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+ kubernetes.io/cluster-service: "true"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: gce:podsecuritypolicy:privileged
+subjects:
+ - kind: ServiceAccount
+ name: metadata-agent
+ namespace: kube-system

From 7fe017f8487893af8c4e02f86ab2e228b3458117 Mon Sep 17 00:00:00 2001
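Review bot: `roleRef.name: gce:podsecuritypolicy:privileged` grants the metadata-agent service account use of the privileged PSP, although the only violation quoted in the commit message is `hostPort: 8799`, so the binding hands out far more than the daemonset is shown to need (by its name the privileged policy presumably also permits privileged containers, host namespaces and arbitrary volume types). A least-privilege fix is a dedicated PodSecurityPolicy whose `hostPorts` range covers only 8799, plus whatever else the daemonset spec actually sets, with `roleRef.name` pointing at that policy's `use` ClusterRole instead. The daemonset spec that would confirm the required set is outside this patch. If the privileged policy is kept deliberately, record why above `roleRef:`, e.g. `# Bound to the privileged PSP because the daemonset binds hostPort 8799; replace with a hostPorts-only policy when one exists.`, so the next reviewer does not have to rediscover it.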
From: Davide Belloni
Date: Fri, 29 Jun 2018 12:15:54 +0200
Subject: [PATCH 2/5] Moved under podsecuritypolicies directory

---
 .../{ => podsecuritypolicies}/metadata-agent-rbac.yaml | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename cluster/addons/metadata-agent/stackdriver/{ => podsecuritypolicies}/metadata-agent-rbac.yaml (100%)

diff --git a/cluster/addons/metadata-agent/stackdriver/metadata-agent-rbac.yaml b/cluster/addons/metadata-agent/stackdriver/podsecuritypolicies/metadata-agent-rbac.yaml
similarity index 100%
rename from cluster/addons/metadata-agent/stackdriver/metadata-agent-rbac.yaml
rename to cluster/addons/metadata-agent/stackdriver/podsecuritypolicies/metadata-agent-rbac.yaml

From 54573a3505728605badb21f48eef7850aa1752e7 Mon Sep 17 00:00:00 2001
From: Davide Belloni
Date: Fri, 29 Jun 2018 12:16:46 +0200
Subject: [PATCH 3/5] bugfix separated files

---
 .../metadata-agent-rbac.yaml | 35 -------------------
 1 file changed, 35 deletions(-)

diff --git a/cluster/addons/metadata-agent/stackdriver/podsecuritypolicies/metadata-agent-rbac.yaml b/cluster/addons/metadata-agent/stackdriver/podsecuritypolicies/metadata-agent-rbac.yaml
index 1631c0d57e3..102b80771ff 100644
--- a/cluster/addons/metadata-agent/stackdriver/podsecuritypolicies/metadata-agent-rbac.yaml
+++ b/cluster/addons/metadata-agent/stackdriver/podsecuritypolicies/metadata-agent-rbac.yaml
@@ -1,39 +1,4 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: stackdriver:metadata-agent
- labels:
- kubernetes.io/cluster-service: "true"
- addonmanager.kubernetes.io/mode: Reconcile
-rules:
-- apiGroups:
- - ""
- - "apps"
- - "extensions"
- resources:
- - "*"
- verbs:
- - watch
- - get
- - list
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: stackdriver:metadata-agent
- labels:
- kubernetes.io/cluster-service: "true"
- addonmanager.kubernetes.io/mode: Reconcile
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: stackdriver:metadata-agent
-subjects:
-- kind: ServiceAccount
- name: metadata-agent
- namespace: kube-system
----
-apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
 name: gce:podsecuritypolicy:metadata-agent

From 957b6ff1875449d4085eae853deab60c276dc99b Mon Sep 17 00:00:00 2001
From: Davide Belloni
Date: Fri, 29 Jun 2018 12:21:48 +0200
Subject: [PATCH 4/5] FIX removed file

---
 .../stackdriver/metadata-agent-rbac.yaml | 34 ++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 cluster/addons/metadata-agent/stackdriver/metadata-agent-rbac.yaml

diff --git a/cluster/addons/metadata-agent/stackdriver/metadata-agent-rbac.yaml b/cluster/addons/metadata-agent/stackdriver/metadata-agent-rbac.yaml
new file mode 100644
index 00000000000..dfcada4d585
--- /dev/null
+++ b/cluster/addons/metadata-agent/stackdriver/metadata-agent-rbac.yaml
@@ -0,0 +1,34 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: stackdriver:metadata-agent
+ labels:
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+rules:
+- apiGroups:
+ - ""
+ - "apps"
+ - "extensions"
+ resources:
+ - "*"
+ verbs:
+ - watch
+ - get
+ - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: stackdriver:metadata-agent
+ labels:
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: stackdriver:metadata-agent
+subjects:
+- kind: ServiceAccount
+ name: metadata-agent
+ namespace: kube-system

From d8d894ae1162d1e37d13dbac6466d5c94a2ed6b8 Mon Sep 17 00:00:00 2001
From: Davide Belloni
Date: Fri, 29 Jun 2018 12:23:29 +0200
Subject: [PATCH 5/5] Renamed with psp-binding suffix

---
 .../{metadata-agent-rbac.yaml => metadata-agent-psp-binding.yaml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename cluster/addons/metadata-agent/stackdriver/podsecuritypolicies/{metadata-agent-rbac.yaml => metadata-agent-psp-binding.yaml} (100%)

diff --git a/cluster/addons/metadata-agent/stackdriver/podsecuritypolicies/metadata-agent-rbac.yaml b/cluster/addons/metadata-agent/stackdriver/podsecuritypolicies/metadata-agent-psp-binding.yaml
similarity index 100%
rename from cluster/addons/metadata-agent/stackdriver/podsecuritypolicies/metadata-agent-rbac.yaml
rename to cluster/addons/metadata-agent/stackdriver/podsecuritypolicies/metadata-agent-psp-binding.yaml
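Review bot: `resources: - "*"` across the core (`""`), `apps` and `extensions` API groups lets the metadata-agent service account get, list and watch every resource in those groups cluster-wide, and in the core group that includes Secrets, so a compromise of this daemonset's pod exposes every Secret in the cluster. The `index 00000000000..dfcada4d585` line shows this ClusterRole is the pre-series content being restored rather than new text, but the series is the point at which the agent's RBAC is being revisited, so the wildcard is worth fixing here. Replace `- "*"` under `resources:` with the explicit list of kinds the agent actually watches (presumably pods, nodes, namespaces, services and the workload controllers — confirm against the agent's configuration, which is outside this patch) and leave `secrets` out. If that cannot be done in this series, mark the debt above `resources:` with `# TODO(security): "*" in the core group grants read of Secrets; narrow to the kinds the agent watches.`.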