Create a podsecuritypolicies addon

Create a new addon, `podsecuritypolicies` that applies the PodSecurityPolicy and related RBAC configuration from the https://minikube.sigs.k8s.io/docs/tutorials/using_psp/ tutorial. Apparently, recent work on the addons system has invalidated the procedure shown in that tutorial, as the configuration is no longer automatically applied. The last known working version is `1.6.2`. This allows clusters started with `--extra-configs=apiserver.enable-admission-plugins=PodSecurityPolicy` to succeed, so long as they also include `--addons=podsecuritypolicies`.
kubernetes · Jun 11, 2020 · b32cb5e · b32cb5e
1 parent 6cdffd8
commit b32cb5e
Show file tree

Hide file tree

Showing 3 changed files with 145 additions and 0 deletions.
diff --git a/deploy/addons/podsecuritypolicies/podsecuritypolicies.yaml.tmpl b/deploy/addons/podsecuritypolicies/podsecuritypolicies.yaml.tmpl
@@ -0,0 +1,132 @@
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: privileged
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
+  labels:
+    addonmanager.kubernetes.io/mode: EnsureExists
+spec:
+  privileged: true
+  allowPrivilegeEscalation: true
+  allowedCapabilities:
+  - "*"
+  volumes:
+  - "*"
+  hostNetwork: true
+  hostPorts:
+  - min: 0
+    max: 65535
+  hostIPC: true
+  hostPID: true
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: restricted
+  labels:
+    addonmanager.kubernetes.io/mode: EnsureExists
+spec:
+  privileged: false
+  allowPrivilegeEscalation: false
+  requiredDropCapabilities:
+    - ALL
+  volumes:
+    - 'configMap'
+    - 'emptyDir'
+    - 'projected'
+    - 'secret'
+    - 'downwardAPI'
+    - 'persistentVolumeClaim'
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'MustRunAsNonRoot'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: psp:privileged
+  labels:
+    addonmanager.kubernetes.io/mode: EnsureExists
+rules:
+- apiGroups: ['policy']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames:
+  - privileged
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: psp:restricted
+  labels:
+    addonmanager.kubernetes.io/mode: EnsureExists
+rules:
+- apiGroups: ['policy']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames:
+  - restricted
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: default:restricted
+  labels:
+    addonmanager.kubernetes.io/mode: EnsureExists
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: psp:restricted
+subjects:
+- kind: Group
+  name: system:authenticated
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: default:privileged
+  namespace: kube-system
+  labels:
+    addonmanager.kubernetes.io/mode: EnsureExists
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: psp:privileged
+subjects:
+- kind: Group
+  name: system:masters
+  apiGroup: rbac.authorization.k8s.io
+- kind: Group
+  name: system:nodes
+  apiGroup: rbac.authorization.k8s.io
+- kind: Group
+  name: system:serviceaccounts:kube-system
+  apiGroup: rbac.authorization.k8s.io
diff --git a/pkg/addons/config.go b/pkg/addons/config.go
@@ -149,4 +149,9 @@ var Addons = []*Addon{
 		set:       SetBool,
 		callbacks: []setFn{enableOrDisableAddon},
 	},
+	{
+		name:      "podsecuritypolicies",
+		set:       SetBool,
+		callbacks: []setFn{enableOrDisableAddon},
+	},
 }
diff --git a/pkg/minikube/assets/addons.go b/pkg/minikube/assets/addons.go
@@ -81,6 +81,14 @@ var Addons = map[string]*Addon{
 			"0640",
 			false),
 	}, true, "default-storageclass"),
+	"podsecuritypolicies": NewAddon([]*BinAsset{
+		MustBinAsset(
+			"deploy/addons/podsecuritypolicies/podsecuritypolicies.yaml.tmpl",
+			vmpath.GuestAddonsDir,
+			"podsecuritypolicies.yaml",
+			"0640",
+			false),
+	}, false, "podsecuritypolicies"),
 	"storage-provisioner": NewAddon([]*BinAsset{
 		MustBinAsset(
 			"deploy/addons/storage-provisioner/storage-provisioner.yaml.tmpl",