rancher/rke
1
0
Fork 0
mirror of https://github.com/rancher/rke.git synced 2025-09-10 19:39:14 +00:00
Code Issues Releases Wiki Activity

improve the validation for PSP

Browse Source
This commit is contained in:
Jiaqi Luo
2022-10-31 12:47:43 -07:00
parent c4a521de08
commit 9244d9ffae
2 changed files with 27 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
cluster/plan.go
View File

@@ -67,6 +67,7 @@ const (
var ( var (
admissionControlOptionNames = []string{"enable-admission-plugins", "admission-control"} admissionControlOptionNames = []string{"enable-admission-plugins", "admission-control"}
parsedRangeAtLeast124 = semver.MustParseRange(">= 1.24.0-rancher0") parsedRangeAtLeast124 = semver.MustParseRange(">= 1.24.0-rancher0")
parsedRangeAtLeast125 = semver.MustParseRange(">= 1.25.0-rancher0")
) )
func GetServiceOptionData(data map[string]interface{}) map[string]*v3.KubernetesServicesOptions { func GetServiceOptionData(data map[string]interface{}) map[string]*v3.KubernetesServicesOptions {

30
cluster/validation.go
View File

@@ -54,6 +54,11 @@ func (c *Cluster) ValidateCluster(ctx context.Context) error {
return err return err
} }
// validate enabling Pod Security Policy
if err := validatePSP(c); err != nil {
return err
}
// validate services options // validate services options
return validateServicesOptions(c) return validateServicesOptions(c)
} }
@@ -234,7 +239,7 @@ func validateNetworkOptions(c *Cluster) error {
} }
if c.Network.Plugin == AciNetworkPlugin { if c.Network.Plugin == AciNetworkPlugin {
//Skip cloud options and throw an error. // Skip cloud options and throw an error.
cloudOptionsList := []string{AciEpRegistry, AciOpflexMode, AciUseHostNetnsVolume, AciUseOpflexServerVolume, cloudOptionsList := []string{AciEpRegistry, AciOpflexMode, AciUseHostNetnsVolume, AciUseOpflexServerVolume,
AciSubnetDomainName, AciKafkaClientCrt, AciKafkaClientKey, AciCApic, UseAciAnywhereCRD, AciSubnetDomainName, AciKafkaClientCrt, AciKafkaClientKey, AciCApic, UseAciAnywhereCRD,
AciOverlayVRFName, AciGbpPodSubnet, AciRunGbpContainer, AciRunOpflexServerContainer, AciOpflexServerPort} AciOverlayVRFName, AciGbpPodSubnet, AciRunGbpContainer, AciRunOpflexServerContainer, AciOpflexServerPort}
@@ -550,9 +555,9 @@ func validateNetworkImages(c *Cluster) error {
if len(c.SystemImages.AciControllerContainer) == 0 { if len(c.SystemImages.AciControllerContainer) == 0 {
return errors.New("aci controller image is not populated") return errors.New("aci controller image is not populated")
} }
//Skipping Cloud image validation. // Skipping Cloud image validation.
//c.SystemImages.AciOpflexServerContainer // c.SystemImages.AciOpflexServerContainer
//c.SystemImages.AciGbpServerContainer // c.SystemImages.AciGbpServerContainer
} }
return nil return nil
} }
@@ -650,6 +655,23 @@ func validateCRIDockerdOption(c *Cluster) error {
return nil return nil
} }
func validatePSP(c *Cluster) error {
parsedVersion, err := getClusterVersion(c.Version)
if err != nil {
logrus.Warnf("Failed to parse semver range for validating Pod Security Policy")
return err
}
if c.Services.KubeAPI.PodSecurityPolicy {
if c.Authorization.Mode != services.RBACAuthorizationMode {
return errors.New("PodSecurityPolicy can't be enabled with RBAC support disabled")
}
if parsedRangeAtLeast125(parsedVersion) {
return errors.New("PodSecurityPolicy has been removed and can not be enabled since k8s v1.25")
}
}
return nil
}
func getClusterVersion(version string) (semver.Version, error) { func getClusterVersion(version string) (semver.Version, error) {
var parsedVersion semver.Version var parsedVersion semver.Version
if len(version) <= 1 || !strings.HasPrefix(version, "v") { if len(version) <= 1 || !strings.HasPrefix(version, "v") {