mirror of https://github.com/rancher/rke.git synced 2025-09-01 06:56:29 +00:00

Enable PodSecurityPolicy support

moelsayed
2017-12-20 03:51:07 +02:00
parent 04a137b097
commit 2011a2cf01
10 changed files with 268 additions and 3 deletions


@@ -140,6 +140,10 @@ func (c *Cluster) setClusterDefaults() {
if len(c.Authorization.Mode) == 0 {
c.Authorization.Mode = DefaultAuthorizationMode
}
if c.Services.KubeAPI.PodSecurityPolicy && c.Authorization.Mode != services.RBACAuthorizationMode {
logrus.Warnf("PodSecurityPolicy can't be enabled with RBAC support disabled")
c.Services.KubeAPI.PodSecurityPolicy = false
}
c.setClusterServicesDefaults()
c.setClusterNetworkDefaults()
c.setClusterImageDefaults()
@@ -258,5 +262,13 @@ func (c *Cluster) ApplyAuthzResources() error {
return fmt.Errorf("Failed to apply the ClusterRoleBinding needed for node authorization: %v", err)
}
}
if c.Authorization.Mode == services.RBACAuthorizationMode && c.Services.KubeAPI.PodSecurityPolicy {
if err := authz.ApplyDefaultPodSecurityPolicy(c.LocalKubeConfigPath); err != nil {
return fmt.Errorf("Failed to apply default PodSecurityPolicy: %v", err)
}
if err := authz.ApplyDefaultPodSecurityPolicyRole(c.LocalKubeConfigPath); err != nil {
return fmt.Errorf("Failed to apply default PodSecurityPolicy ClusterRole and ClusterRoleBinding: %v", err)
}
}
return nil
}
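Review bot: In the first hunk (setClusterDefaults), a config that requests PodSecurityPolicy without RBAC authorization is downgraded in place: the flag is reset to false and only a warning is logged, so provisioning continues and the cluster comes up without the admission control the operator asked for. For a security setting it is safer to reject the config than to default it away; setClusterDefaults returns nothing, so the check would fit better in config validation (not visible here), returning something like `fmt.Errorf("PodSecurityPolicy requires authorization mode %v", services.RBACAuthorizationMode)`. If the downgrade is kept, the message should say the setting is being disabled, and since it has no format verbs `logrus.Warn` is enough. In the second hunk (ApplyAuthzResources) the policy and its ClusterRole/ClusterRoleBinding are applied as two separate steps, so a failure of the second leaves the policy in place with nothing bound to it; a comment there stating whether a re-run is expected to repair that would help. Both functions begin outside their hunks.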