Fix ingress deployment issue with PSP enabled

2025-09-04 16:30:02 +00:00 · 2019-08-02 00:35:56 +02:00
parent b5d7f5dcd4
commit a3e7bef8cd
5 changed files with 19 additions and 10 deletions
--- a/authz/psp.go
+++ b/authz/psp.go
@@ -21,16 +21,16 @@ func ApplyDefaultPodSecurityPolicy(ctx context.Context, kubeConfigPath string, k
 	return nil
 }
-func ApplyDefaultPodSecurityPolicyRole(ctx context.Context, kubeConfigPath string, k8sWrapTransport k8s.WrapTransport) error {
+func ApplyDefaultPodSecurityPolicyRole(ctx context.Context, kubeConfigPath, namespace string, k8sWrapTransport k8s.WrapTransport) error {
-	log.Infof(ctx, "[authz] Applying default PodSecurityPolicy Role and RoleBinding")
+	log.Infof(ctx, "[authz] Applying default PodSecurityPolicy Role and RoleBinding in %s", namespace)
 	k8sClient, err := k8s.NewClient(kubeConfigPath, k8sWrapTransport)
 	if err != nil {
 		return err
 	}
-	if err := k8s.UpdateRoleFromYaml(k8sClient, templates.DefaultPodSecurityRole); err != nil {
+	if err := k8s.UpdateRoleFromYaml(k8sClient, templates.DefaultPodSecurityRole, namespace); err != nil {
 		return err
 	}
-	if err := k8s.UpdateRoleBindingFromYaml(k8sClient, templates.DefaultPodSecurityRoleBinding); err != nil {
+	if err := k8s.UpdateRoleBindingFromYaml(k8sClient, templates.DefaultPodSecurityRoleBinding, namespace); err != nil {
 		return err
 	}
 	log.Infof(ctx, "[authz] Default PodSecurityPolicy Role and RoleBinding applied successfully")
--- a/cluster/addons.go
+++ b/cluster/addons.go
@@ -13,8 +13,10 @@ import (
 	"strings"
 	"github.com/rancher/rke/addons"
 	"github.com/rancher/rke/authz"
 	"github.com/rancher/rke/k8s"
 	"github.com/rancher/rke/log"
 	"github.com/rancher/rke/services"
 	"github.com/rancher/rke/util"
 	"github.com/sirupsen/logrus"
 	"gopkg.in/yaml.v2"
@@ -490,6 +492,12 @@ func (c *Cluster) deployIngress(ctx context.Context, data map[string]interface{}
 	if err := c.doAddonDeploy(ctx, ingressYaml, IngressAddonResourceName, false); err != nil {
 		return err
 	}
 	// ingress runs in it's own namespace, so it needs it's own role/rolebinding for PSP
 	if c.Authorization.Mode == services.RBACAuthorizationMode && c.Services.KubeAPI.PodSecurityPolicy {
 		if err := authz.ApplyDefaultPodSecurityPolicyRole(ctx, c.LocalKubeConfigPath, NginxIngressAddonAppName, c.K8sWrapTransport); err != nil {
 			return fmt.Errorf("Failed to apply default PodSecurityPolicy ClusterRole and ClusterRoleBinding: %v", err)
 		}
 	}
 	log.Infof(ctx, "[ingress] ingress controller %s deployed successfully", c.Ingress.Provider)
 	return nil
 }
--- a/cluster/cluster.go
+++ b/cluster/cluster.go
@@ -84,6 +84,8 @@ const (
 	WorkerThreads = util.WorkerThreads
 	serviceAccountTokenFileParam = "service-account-key-file"
 	SystemNamespace = "kube-system"
 )
 func (c *Cluster) DeployControlPlane(ctx context.Context, svcOptions *v3.KubernetesServicesOptions) error {
@@ -325,7 +327,7 @@ func ApplyAuthzResources(ctx context.Context, rkeConfig v3.RancherKubernetesEngi
 		if err := authz.ApplyDefaultPodSecurityPolicy(ctx, kubeCluster.LocalKubeConfigPath, kubeCluster.K8sWrapTransport); err != nil {
 			return fmt.Errorf("Failed to apply default PodSecurityPolicy: %v", err)
 		}
-		if err := authz.ApplyDefaultPodSecurityPolicyRole(ctx, kubeCluster.LocalKubeConfigPath, kubeCluster.K8sWrapTransport); err != nil {
+		if err := authz.ApplyDefaultPodSecurityPolicyRole(ctx, kubeCluster.LocalKubeConfigPath, SystemNamespace, kubeCluster.K8sWrapTransport); err != nil {
 			return fmt.Errorf("Failed to apply default PodSecurityPolicy ClusterRole and ClusterRoleBinding: %v", err)
 		}
 	}
--- a/k8s/role.go
+++ b/k8s/role.go
@@ -6,11 +6,12 @@ import (
 	"k8s.io/client-go/kubernetes"
 )
-func UpdateRoleBindingFromYaml(k8sClient *kubernetes.Clientset, roleBindingYaml string) error {
+func UpdateRoleBindingFromYaml(k8sClient *kubernetes.Clientset, roleBindingYaml, namespace string) error {
 	roleBinding := rbacv1.RoleBinding{}
 	if err := decodeYamlResource(&roleBinding, roleBindingYaml); err != nil {
 		return err
 	}
 	roleBinding.Namespace = namespace
 	return retryTo(updateRoleBinding, k8sClient, roleBinding, DefaultRetries, DefaultSleepSeconds)
 }
@@ -27,11 +28,12 @@ func updateRoleBinding(k8sClient *kubernetes.Clientset, rb interface{}) error {
 	return nil
 }
-func UpdateRoleFromYaml(k8sClient *kubernetes.Clientset, roleYaml string) error {
+func UpdateRoleFromYaml(k8sClient *kubernetes.Clientset, roleYaml, namespace string) error {
 	role := rbacv1.Role{}
 	if err := decodeYamlResource(&role, roleYaml); err != nil {
 		return err
 	}
 	role.Namespace = namespace
 	return retryTo(updateRole, k8sClient, role, DefaultRetries, DefaultSleepSeconds)
 }
--- a/templates/authz.go
+++ b/templates/authz.go
@@ -69,7 +69,6 @@ apiVersion: extensions/v1beta1
 kind: PodSecurityPolicy
 metadata:
  name: default-psp
  namespace: kube-system
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
 spec:
@@ -99,7 +98,6 @@ kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: default-psp-role
  namespace: kube-system
 rules:
 - apiGroups: ['extensions']
  resources: ['podsecuritypolicies']
@@ -112,7 +110,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: default-psp-rolebinding
  namespace: kube-system
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role