mirror of
https://github.com/rancher/rke.git
synced 2025-09-05 17:00:20 +00:00
Fix ingress deployment issue with PSP enabled
This commit is contained in:
moelsayed
Craig Jellick
@@ -21,16 +21,16 @@ func ApplyDefaultPodSecurityPolicy(ctx context.Context, kubeConfigPath string, k
|
||||
return nil
|
||||
}
|
||||
|
||||
func ApplyDefaultPodSecurityPolicyRole(ctx context.Context, kubeConfigPath string, k8sWrapTransport k8s.WrapTransport) error {
|
||||
log.Infof(ctx, "[authz] Applying default PodSecurityPolicy Role and RoleBinding")
|
||||
func ApplyDefaultPodSecurityPolicyRole(ctx context.Context, kubeConfigPath, namespace string, k8sWrapTransport k8s.WrapTransport) error {
|
||||
log.Infof(ctx, "[authz] Applying default PodSecurityPolicy Role and RoleBinding in %s", namespace)
|
||||
k8sClient, err := k8s.NewClient(kubeConfigPath, k8sWrapTransport)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if err := k8s.UpdateRoleFromYaml(k8sClient, templates.DefaultPodSecurityRole); err != nil {
|
||||
if err := k8s.UpdateRoleFromYaml(k8sClient, templates.DefaultPodSecurityRole, namespace); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := k8s.UpdateRoleBindingFromYaml(k8sClient, templates.DefaultPodSecurityRoleBinding); err != nil {
|
||||
if err := k8s.UpdateRoleBindingFromYaml(k8sClient, templates.DefaultPodSecurityRoleBinding, namespace); err != nil {
|
||||
return err
|
||||
}
|
||||
log.Infof(ctx, "[authz] Default PodSecurityPolicy Role and RoleBinding applied successfully")
|
||||
|
||||
@@ -13,8 +13,10 @@ import (
|
||||
"strings"
|
||||
|
||||
"github.com/rancher/rke/addons"
|
||||
"github.com/rancher/rke/authz"
|
||||
"github.com/rancher/rke/k8s"
|
||||
"github.com/rancher/rke/log"
|
||||
"github.com/rancher/rke/services"
|
||||
"github.com/rancher/rke/util"
|
||||
"github.com/sirupsen/logrus"
|
||||
"gopkg.in/yaml.v2"
|
||||
@@ -490,6 +492,12 @@ func (c *Cluster) deployIngress(ctx context.Context, data map[string]interface{}
|
||||
if err := c.doAddonDeploy(ctx, ingressYaml, IngressAddonResourceName, false); err != nil {
|
||||
return err
|
||||
}
|
||||
// ingress runs in it's own namespace, so it needs it's own role/rolebinding for PSP
|
||||
if c.Authorization.Mode == services.RBACAuthorizationMode && c.Services.KubeAPI.PodSecurityPolicy {
|
||||
if err := authz.ApplyDefaultPodSecurityPolicyRole(ctx, c.LocalKubeConfigPath, NginxIngressAddonAppName, c.K8sWrapTransport); err != nil {
|
||||
return fmt.Errorf("Failed to apply default PodSecurityPolicy ClusterRole and ClusterRoleBinding: %v", err)
|
||||
}
|
||||
}
|
||||
log.Infof(ctx, "[ingress] ingress controller %s deployed successfully", c.Ingress.Provider)
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -84,6 +84,8 @@ const (
|
||||
WorkerThreads = util.WorkerThreads
|
||||
|
||||
serviceAccountTokenFileParam = "service-account-key-file"
|
||||
|
||||
SystemNamespace = "kube-system"
|
||||
)
|
||||
|
||||
func (c *Cluster) DeployControlPlane(ctx context.Context, svcOptions *v3.KubernetesServicesOptions) error {
|
||||
@@ -325,7 +327,7 @@ func ApplyAuthzResources(ctx context.Context, rkeConfig v3.RancherKubernetesEngi
|
||||
if err := authz.ApplyDefaultPodSecurityPolicy(ctx, kubeCluster.LocalKubeConfigPath, kubeCluster.K8sWrapTransport); err != nil {
|
||||
return fmt.Errorf("Failed to apply default PodSecurityPolicy: %v", err)
|
||||
}
|
||||
if err := authz.ApplyDefaultPodSecurityPolicyRole(ctx, kubeCluster.LocalKubeConfigPath, kubeCluster.K8sWrapTransport); err != nil {
|
||||
if err := authz.ApplyDefaultPodSecurityPolicyRole(ctx, kubeCluster.LocalKubeConfigPath, SystemNamespace, kubeCluster.K8sWrapTransport); err != nil {
|
||||
return fmt.Errorf("Failed to apply default PodSecurityPolicy ClusterRole and ClusterRoleBinding: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -6,11 +6,12 @@ import (
|
||||
"k8s.io/client-go/kubernetes"
|
||||
)
|
||||
|
||||
func UpdateRoleBindingFromYaml(k8sClient *kubernetes.Clientset, roleBindingYaml string) error {
|
||||
func UpdateRoleBindingFromYaml(k8sClient *kubernetes.Clientset, roleBindingYaml, namespace string) error {
|
||||
roleBinding := rbacv1.RoleBinding{}
|
||||
if err := decodeYamlResource(&roleBinding, roleBindingYaml); err != nil {
|
||||
return err
|
||||
}
|
||||
roleBinding.Namespace = namespace
|
||||
return retryTo(updateRoleBinding, k8sClient, roleBinding, DefaultRetries, DefaultSleepSeconds)
|
||||
}
|
||||
|
||||
@@ -27,11 +28,12 @@ func updateRoleBinding(k8sClient *kubernetes.Clientset, rb interface{}) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func UpdateRoleFromYaml(k8sClient *kubernetes.Clientset, roleYaml string) error {
|
||||
func UpdateRoleFromYaml(k8sClient *kubernetes.Clientset, roleYaml, namespace string) error {
|
||||
role := rbacv1.Role{}
|
||||
if err := decodeYamlResource(&role, roleYaml); err != nil {
|
||||
return err
|
||||
}
|
||||
role.Namespace = namespace
|
||||
return retryTo(updateRole, k8sClient, role, DefaultRetries, DefaultSleepSeconds)
|
||||
}
|
||||
|
||||
|
||||
@@ -69,7 +69,6 @@ apiVersion: extensions/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: default-psp
|
||||
namespace: kube-system
|
||||
annotations:
|
||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
|
||||
spec:
|
||||
@@ -99,7 +98,6 @@ kind: Role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: default-psp-role
|
||||
namespace: kube-system
|
||||
rules:
|
||||
- apiGroups: ['extensions']
|
||||
resources: ['podsecuritypolicies']
|
||||
@@ -112,7 +110,6 @@ apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: default-psp-rolebinding
|
||||
namespace: kube-system
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
|
||||
Reference in New Issue
Block a user