
add support for PodSecurity on clusters at least v1.23

This commit is contained in:
Jiaqi Luo
2022-11-01 22:05:35 -07:00
parent f5e18110b6
commit 5fcf75db40
11 changed files with 290 additions and 88 deletions


@@ -55,7 +55,11 @@ func (c *Cluster) ValidateCluster(ctx context.Context) error {
}
// validate enabling Pod Security Policy
if err := validatePSP(c); err != nil {
if err := validatePodSecurityPolicy(c); err != nil {
return err
}
// validate enabling Pod Security
if err := validatePodSecurity(c); err != nil {
return err
}
@@ -655,12 +659,13 @@ func validateCRIDockerdOption(c *Cluster) error {
return nil
}
func validatePSP(c *Cluster) error {
func validatePodSecurityPolicy(c *Cluster) error {
parsedVersion, err := getClusterVersion(c.Version)
if err != nil {
logrus.Warnf("Failed to parse semver range for validating Pod Security Policy")
return err
}
logrus.Debugf("Checking PodSecurityPolicy for cluster version [%s]", c.Version)
if c.Services.KubeAPI.PodSecurityPolicy {
if c.Authorization.Mode != services.RBACAuthorizationMode {
return errors.New("PodSecurityPolicy can't be enabled with RBAC support disabled")
@@ -672,6 +677,29 @@ func validatePSP(c *Cluster) error {
return nil
}
func validatePodSecurity(c *Cluster) error {
parsedVersion, err := getClusterVersion(c.Version)
if err != nil {
logrus.Warnf("Failed to parse semver range for validating Pod Security")
return err
}
logrus.Debugf("Checking PodSecurity for cluster version [%s]", c.Version)
level := c.Services.KubeAPI.PodSecurityConfiguration
if len(level) != 0 {
if c.Authorization.Mode != services.RBACAuthorizationMode {
return errors.New("PodSecurity can't be enabled with RBAC support disabled")
}
if !parsedRangeAtLeast123(parsedVersion) {
return errors.New("cluster version must be at least v1.23 to use PodSecurity in RKE")
}
if level != PodSecurityPrivileged && level != PodSecurityRestricted {
return fmt.Errorf("invalid pod_security_configuration [%s]. Supported values: [%s, %s]",
level, PodSecurityPrivileged, PodSecurityRestricted)
}
}
return nil
}
func getClusterVersion(version string) (semver.Version, error) {
var parsedVersion semver.Version
if len(version) <= 1 || !strings.HasPrefix(version, "v") {