diff --git a/Makefile b/Makefile
old mode 100755
new mode 100644
diff --git a/cmd/minikube/cmd/root_test.go b/cmd/minikube/cmd/root_test.go
index b0c29ca4b14b..8658fc9b10be 100644
--- a/cmd/minikube/cmd/root_test.go
+++ b/cmd/minikube/cmd/root_test.go
@@ -115,7 +115,7 @@ func hideEnv(t *testing.T) func(t *testing.T) {
 func TestPreRunDirectories(t *testing.T) {
 // Make sure we create the required directories.
 tempDir := tests.MakeTempDir()
- defer os.RemoveAll(tempDir)
+ defer tests.RemoveTempDir(tempDir)
 runCommand(RootCmd.PersistentPreRun)
diff --git a/cmd/minikube/cmd/start.go b/cmd/minikube/cmd/start.go
index d5ef2cc43064..c875f0ebf3e7 100644
--- a/cmd/minikube/cmd/start.go
+++ b/cmd/minikube/cmd/start.go
@@ -898,6 +898,20 @@ func validateFlags(cmd *cobra.Command, drvName string) {
 }
 }
+ // validate kubeadm extra args
+ if invalidOpts := bsutil.FindInvalidExtraConfigFlags(config.ExtraOptions); len(invalidOpts) > 0 {
+ out.ErrT(
+ out.Warning,
+ "These --extra-config parameters are invalid: {{.invalid_extra_opts}}",
+ out.V{"invalid_extra_opts": invalidOpts},
+ )
+ exit.WithCodeT(
+ exit.Config,
+ "Valid components are: {{.valid_extra_opts}}",
+ out.V{"valid_extra_opts": bsutil.KubeadmExtraConfigOpts},
+ )
+ }
+
 // check that kubeadm extra args contain only allowed parameters
 for param := range config.ExtraOptions.AsMap().Get(bsutil.Kubeadm) {
 if !config.ContainsParam(bsutil.KubeadmExtraArgsAllowed[bsutil.KubeadmCmdParam], param) &&
diff --git a/deploy/addons/pod-security-policy/pod-security-policy.yaml.tmpl b/deploy/addons/pod-security-policy/pod-security-policy.yaml.tmpl
new file mode 100644
index 000000000000..fa4171fa91ef
--- /dev/null
+++ b/deploy/addons/pod-security-policy/pod-security-policy.yaml.tmpl
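Review bot: The added block in validateFlags splits one diagnostic across `out.ErrT` and `exit.WithCodeT`, and the first line calls the values "parameters" while `FindInvalidExtraConfigFlags` returns component names and the second line then says "Valid components are". A single exit message would be clearer and consistent: `exit.WithCodeT(exit.Config, "Invalid --extra-config components: {{.invalid_extra_opts}}. Valid components are: {{.valid_extra_opts}}", out.V{"invalid_extra_opts": invalidOpts, "valid_extra_opts": bsutil.KubeadmExtraConfigOpts})`. Failing fast here before bootstrap is the right place for the check; validateFlags begins before the hunk and continues after it.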
@@ -0,0 +1,132 @@
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: privileged
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
+ labels:
+ addonmanager.kubernetes.io/mode: EnsureExists
+spec:
+ privileged: true
+ allowPrivilegeEscalation: true
+ allowedCapabilities:
+ - "*"
+ volumes:
+ - "*"
+ hostNetwork: true
+ hostPorts:
+ - min: 0
+ max: 65535
+ hostIPC: true
+ hostPID: true
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'RunAsAny'
+ fsGroup:
+ rule: 'RunAsAny'
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: restricted
+ labels:
+ addonmanager.kubernetes.io/mode: EnsureExists
+spec:
+ privileged: false
+ allowPrivilegeEscalation: false
+ requiredDropCapabilities:
+ - ALL
+ volumes:
+ - 'configMap'
+ - 'emptyDir'
+ - 'projected'
+ - 'secret'
+ - 'downwardAPI'
+ - 'persistentVolumeClaim'
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'MustRunAsNonRoot'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ readOnlyRootFilesystem: false
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: psp:privileged
+ labels:
+ addonmanager.kubernetes.io/mode: EnsureExists
+rules:
+- apiGroups: ['policy']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames:
+ - privileged
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: psp:restricted
+ labels:
+ addonmanager.kubernetes.io/mode: EnsureExists
+rules:
+- apiGroups: ['policy']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames:
+ - restricted
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: default:restricted
+ labels:
+ addonmanager.kubernetes.io/mode: EnsureExists
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: psp:restricted
+subjects:
+- kind: Group
+ name: system:authenticated
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: default:privileged
+ namespace: kube-system
+ labels:
+ addonmanager.kubernetes.io/mode: EnsureExists
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: psp:privileged
+subjects:
+- kind: Group
+ name: system:masters
+ apiGroup: rbac.authorization.k8s.io
+- kind: Group
+ name: system:nodes
+ apiGroup: rbac.authorization.k8s.io
+- kind: Group
+ name: system:serviceaccounts:kube-system
+ apiGroup: rbac.authorization.k8s.io
diff --git a/pkg/addons/config.go b/pkg/addons/config.go
index 96e2617efa66..7bdb1c22507c 100644
--- a/pkg/addons/config.go
+++ b/pkg/addons/config.go
@@ -156,4 +156,9 @@ var Addons = []*Addon{
 set: SetBool,
 callbacks: []setFn{enableOrDisableAddon},
 },
+ {
+ name: "pod-security-policy",
+ set: SetBool,
+ callbacks: []setFn{enableOrDisableAddon},
+ },
 }
diff --git a/pkg/drivers/common_test.go b/pkg/drivers/common_test.go
index 98982b9b36ea..cc250e03de6f 100644
--- a/pkg/drivers/common_test.go
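Review bot: The `restricted` policy constrains capabilities, host namespaces, volumes and user/group IDs but says nothing about seccomp or AppArmor: only the `privileged` policy carries `seccomp.security.alpha.kubernetes.io/allowedProfileNames`, and with PSP an absent annotation means any profile (including unconfined) is accepted, as far as I recall. The upstream restricted example adds `seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'` and `seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'` under the restricted policy's `metadata.annotations`; carrying those here would keep the addon at that baseline. A short header comment describing the binding layout would also help operators: `restricted` is usable cluster-wide by `system:authenticated`, while `psp:privileged` is granted only in kube-system to `system:masters`, `system:nodes` and `system:serviceaccounts:kube-system`, so privileged workloads in other namespaces need an explicit `use` grant. Since every object is `addonmanager.kubernetes.io/mode: EnsureExists`, later versions of this file will not overwrite a policy a user has edited in-cluster, which is worth stating in the same comment.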
+++ b/pkg/drivers/common_test.go
@@ -27,7 +27,7 @@ import (
 func Test_createDiskImage(t *testing.T) {
 tmpdir := tests.MakeTempDir()
- defer os.RemoveAll(tmpdir)
+ defer tests.RemoveTempDir(tmpdir)
 sshPath := filepath.Join(tmpdir, "ssh")
 if err := ioutil.WriteFile(sshPath, []byte("mysshkey"), 0644); err != nil {
diff --git a/pkg/drivers/hyperkit/network_test.go b/pkg/drivers/hyperkit/network_test.go
index 3bd538a66bc9..ae97c5e660df 100644
--- a/pkg/drivers/hyperkit/network_test.go
+++ b/pkg/drivers/hyperkit/network_test.go
@@ -51,7 +51,7 @@ var validLeases = []byte(`{
 func Test_getIpAddressFromFile(t *testing.T) {
 tmpdir := tests.MakeTempDir()
- defer os.RemoveAll(tmpdir)
+ defer tests.RemoveTempDir(tmpdir)
 dhcpFile := filepath.Join(tmpdir, "dhcp")
 if err := ioutil.WriteFile(dhcpFile, validLeases, 0644); err != nil {
diff --git a/pkg/minikube/assets/addons.go b/pkg/minikube/assets/addons.go
index 67403a4c14d6..6d57174252c5 100644
--- a/pkg/minikube/assets/addons.go
+++ b/pkg/minikube/assets/addons.go
@@ -81,6 +81,14 @@ var Addons = map[string]*Addon{
 "0640",
 false),
 }, true, "default-storageclass"),
+ "pod-security-policy": NewAddon([]*BinAsset{
+ MustBinAsset(
+ "deploy/addons/pod-security-policy/pod-security-policy.yaml.tmpl",
+ vmpath.GuestAddonsDir,
+ "pod-security-policy.yaml",
+ "0640",
+ false),
+ }, false, "pod-security-policy"),
 "storage-provisioner": NewAddon([]*BinAsset{
 MustBinAsset(
 "deploy/addons/storage-provisioner/storage-provisioner.yaml.tmpl",
diff --git a/pkg/minikube/bootstrapper/bsutil/extraconfig.go b/pkg/minikube/bootstrapper/bsutil/extraconfig.go
index 0f64b89f10db..946d087836d2 100644
--- a/pkg/minikube/bootstrapper/bsutil/extraconfig.go
+++ b/pkg/minikube/bootstrapper/bsutil/extraconfig.go
@@ -95,6 +95,21 @@ func CreateFlagsFromExtraArgs(extraOptions config.ExtraOptionSlice) string {
 return convertToFlags(kubeadmExtraOpts)
 }
+// FindInvalidExtraConfigFlags returns all invalid 'extra-config' options
+func FindInvalidExtraConfigFlags(opts config.ExtraOptionSlice) []string {
+ invalidOptsMap := make(map[string]struct{})
+ var invalidOpts []string
+ for _, extraOpt := range opts {
+ if _, ok := componentToKubeadmConfigKey[extraOpt.Component]; !ok {
+ if _, ok := invalidOptsMap[extraOpt.Component]; !ok {
+ invalidOpts = append(invalidOpts, extraOpt.Component)
+ invalidOptsMap[extraOpt.Component] = struct{}{}
+ }
+ }
+ }
+ return invalidOpts
+}
+
 // extraConfigForComponent generates a map of flagname-value pairs for a k8s
 // component.
 func extraConfigForComponent(component string, opts config.ExtraOptionSlice, version semver.Version) (map[string]string, error) {
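Review bot: The doc comment on `FindInvalidExtraConfigFlags` undersells the contract callers now rely on: the function returns the distinct component names (not flags) that have no entry in `componentToKubeadmConfigKey`, in first-seen order, and nil when every component is known, and the table test added in extraconfig_test.go depends on both the ordering and the nil result. Suggest `// FindInvalidExtraConfigFlags returns the distinct component names in opts that are not valid 'extra-config' components, in the order they first appear, or nil when all are valid.` The nested `if` pair could be flattened by checking `invalidOptsMap` first and continuing, but that is purely stylistic.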
@@ -133,20 +148,12 @@ func defaultOptionsForComponentAndVersion(component string, version semver.Versi
 // newComponentOptions creates a new componentOptions
 func newComponentOptions(opts config.ExtraOptionSlice, version semver.Version, featureGates string, cp config.Node) ([]componentOptions, error) {
- var kubeadmExtraArgs []componentOptions
- for _, extraOpt := range opts {
- if _, ok := componentToKubeadmConfigKey[extraOpt.Component]; !ok {
- return nil, fmt.Errorf("unknown component %q. valid components are: %v", componentToKubeadmConfigKey, componentToKubeadmConfigKey)
- }
- }
-
- keys := []string{}
- for k := range componentToKubeadmConfigKey {
- keys = append(keys, k)
+ if invalidOpts := FindInvalidExtraConfigFlags(opts); len(invalidOpts) > 0 {
+ return nil, fmt.Errorf("unknown components %v. valid components are: %v", invalidOpts, KubeadmExtraConfigOpts)
 }
- sort.Strings(keys)
- for _, component := range keys {
+ var kubeadmExtraArgs []componentOptions
+ for _, component := range KubeadmExtraConfigOpts {
 kubeadmComponentKey := componentToKubeadmConfigKey[component]
 if kubeadmComponentKey == "" {
 continue
diff --git a/pkg/minikube/bootstrapper/bsutil/extraconfig_test.go b/pkg/minikube/bootstrapper/bsutil/extraconfig_test.go
new file mode 100644
index 000000000000..cb43a77f1507
--- /dev/null
+++ b/pkg/minikube/bootstrapper/bsutil/extraconfig_test.go
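Review bot: Ranging over `KubeadmExtraConfigOpts` instead of the sorted keys of `componentToKubeadmConfigKey` introduces two lists that must stay in step, and only one direction is guarded: a component present in the map but missing from the slice is silently never emitted, while the `kubeadmComponentKey == ""` check covers only the reverse. The emission order also changes from alphabetical to the slice's declaration order in kubeadm.go (Scheduler before Etcd, Kubelet before Kubeproxy), which can reorder the generated kubeadm config; if a golden file or test compares that output it needs re-checking. A small test asserting that every key of `componentToKubeadmConfigKey` appears in `KubeadmExtraConfigOpts` would pin the invariant, or one could be derived from the other. newComponentOptions continues past the end of the hunk.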
@@ -0,0 +1,59 @@
+/*
+Copyright 2016 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package bsutil will eventually be renamed to kubeadm package after getting rid of older one
+package bsutil
+
+import (
+ "reflect"
+ "testing"
+
+ "k8s.io/minikube/pkg/minikube/config"
+)
+
+func TestFindInvalidExtraConfigFlags(t *testing.T) {
+ defaultOpts := getExtraOpts()
+ badOption1 := config.ExtraOption{Component: "bad_option_1"}
+ badOption2 := config.ExtraOption{Component: "bad_option_2"}
+ tests := []struct {
+ name string
+ opts config.ExtraOptionSlice
+ want []string
+ }{
+ {
+ name: "with valid options only",
+ opts: defaultOpts,
+ want: nil,
+ },
+ {
+ name: "with invalid options",
+ opts: append(defaultOpts, badOption1, badOption2),
+ want: []string{"bad_option_1", "bad_option_2"},
+ },
+ {
+ name: "with invalid options and duplicates",
+ opts: append(defaultOpts, badOption2, badOption1, badOption1),
+ want: []string{"bad_option_2", "bad_option_1"},
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ if got := FindInvalidExtraConfigFlags(tt.opts); !reflect.DeepEqual(got, tt.want) {
+ t.Errorf("FindInvalidExtraConfigFlags() = %v, want %v", got, tt.want)
+ }
+ })
+ }
+}
diff --git a/pkg/minikube/bootstrapper/bsutil/kubeadm.go b/pkg/minikube/bootstrapper/bsutil/kubeadm.go
index 7fa1f157dfc9..db5e24485ff4 100644
--- a/pkg/minikube/bootstrapper/bsutil/kubeadm.go
+++ b/pkg/minikube/bootstrapper/bsutil/kubeadm.go
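Review bot: The second and third table entries both `append` to the same `defaultOpts` slice while the table is being built; if `getExtraOpts()` returns a slice with spare capacity, both appends write into one shared backing array and the third entry overwrites the elements the second one added before any subtest runs. Whether the helper leaves capacity is not visible in this diff, so the test may pass today by allocation luck. Detaching the base with a full slice expression removes the aliasing: `base := defaultOpts[:len(defaultOpts):len(defaultOpts)]`, then `opts: append(base, badOption1, badOption2)` and `opts: append(base, badOption2, badOption1, badOption1)`.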
@@ -147,15 +147,26 @@ func GenerateKubeadmYAML(cc config.ClusterConfig, n config.Node, r cruntime.Mana
 // These are the components that can be configured
 // through the "extra-config"
 const (
- Kubelet = "kubelet"
- Kubeadm = "kubeadm"
 Apiserver = "apiserver"
- Scheduler = "scheduler"
 ControllerManager = "controller-manager"
- Kubeproxy = "kube-proxy"
+ Scheduler = "scheduler"
 Etcd = "etcd"
+ Kubeadm = "kubeadm"
+ Kubeproxy = "kube-proxy"
+ Kubelet = "kubelet"
 )
+// KubeadmExtraConfigOpts is a list of allowed "extra-config" components
+var KubeadmExtraConfigOpts = []string{
+ Apiserver,
+ ControllerManager,
+ Scheduler,
+ Etcd,
+ Kubeadm,
+ Kubelet,
+ Kubeproxy,
+}
+
 // InvokeKubeadm returns the invocation command for Kubeadm
 func InvokeKubeadm(version string) string {
 return fmt.Sprintf("sudo env PATH=%s:$PATH kubeadm", binRoot(version))
diff --git a/pkg/minikube/bootstrapper/certs_test.go b/pkg/minikube/bootstrapper/certs_test.go
index 4f93aad180e9..d4226283d93a 100644
--- a/pkg/minikube/bootstrapper/certs_test.go
+++ b/pkg/minikube/bootstrapper/certs_test.go
@@ -30,7 +30,7 @@ import (
 func TestSetupCerts(t *testing.T) {
 tempDir := tests.MakeTempDir()
- defer os.RemoveAll(tempDir)
+ defer tests.RemoveTempDir(tempDir)
 k8s := config.KubernetesConfig{
 APIServerName: constants.APIServerName,
diff --git a/pkg/minikube/kubeconfig/context_test.go b/pkg/minikube/kubeconfig/context_test.go
index 7725294441d7..a7bcc4af30c0 100644
--- a/pkg/minikube/kubeconfig/context_test.go
+++ b/pkg/minikube/kubeconfig/context_test.go
@@ -26,6 +26,7 @@ import (
 func TestDeleteContext(t *testing.T) {
 // See kubeconfig_test
 fn := tempFile(t, kubeConfigWithoutHTTPS)
+ defer os.Remove(fn)
 if err := DeleteContext("la-croix", fn); err != nil {
 t.Fatal(err)
 }
diff --git a/pkg/minikube/kubeconfig/kubeconfig_test.go b/pkg/minikube/kubeconfig/kubeconfig_test.go
index 8a0df1712011..54e585b5d5e8 100644
--- a/pkg/minikube/kubeconfig/kubeconfig_test.go
+++ b/pkg/minikube/kubeconfig/kubeconfig_test.go
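Review bot: `KubeadmExtraConfigOpts` is an exported, mutable package-level slice whose order now decides the order in which newComponentOptions emits component options, but its comment only says it lists allowed components; suggest `// KubeadmExtraConfigOpts lists the components accepted by --extra-config, in the order their options are emitted into the kubeadm config.` The const block is reordered in the same hunk yet ends up in neither alphabetical order nor the slice's order (the consts put Kubeproxy before Kubelet, the slice puts Kubelet before Kubeproxy), so one of the two should be declared canonical to avoid future drift. Because it is a `var`, any importer can modify the slice; if that is not intended, exposing it through a function that returns a copy would protect it.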
@@ -263,6 +263,7 @@ func TestVerifyEndpoint(t *testing.T) {
 t.Run(test.description, func(t *testing.T) {
 t.Parallel()
 configFilename := tempFile(t, test.existing)
+ defer os.Remove(configFilename)
 err := VerifyEndpoint("minikube", test.hostname, test.port, configFilename)
 if err != nil && !test.err {
 t.Errorf("Got unexpected error: %v", err)
@@ -330,6 +331,7 @@ func TestUpdateIP(t *testing.T) {
 t.Run(test.description, func(t *testing.T) {
 t.Parallel()
 configFilename := tempFile(t, test.existing)
+ defer os.Remove(configFilename)
 statusActual, err := UpdateEndpoint("minikube", test.hostname, test.port, configFilename)
 if err != nil && !test.err {
 t.Errorf("Got unexpected error: %v", err)
@@ -419,6 +421,7 @@ func Test_Endpoint(t *testing.T) {
 for _, test := range tests {
 t.Run(test.description, func(t *testing.T) {
 configFilename := tempFile(t, test.cfg)
+ defer os.Remove(configFilename)
 hostname, port, err := Endpoint("minikube", configFilename)
 if err != nil && !test.err {
 t.Errorf("Got unexpected error: %v", err)
diff --git a/pkg/minikube/machine/client_test.go b/pkg/minikube/machine/client_test.go
index b2cafc9428b2..cb9091fb5173 100644
--- a/pkg/minikube/machine/client_test.go
+++ b/pkg/minikube/machine/client_test.go
@@ -19,18 +19,15 @@ package machine
 import (
 "bufio"
 "fmt"
- "io/ioutil"
- "log"
 "net"
 "os"
- "path/filepath"
 "testing"
 "github.com/docker/machine/libmachine/drivers/plugin/localbinary"
 "k8s.io/minikube/pkg/minikube/driver"
- "k8s.io/minikube/pkg/minikube/localpath"
 _ "k8s.io/minikube/pkg/minikube/registry/drvs/virtualbox"
+ testutil "k8s.io/minikube/pkg/minikube/tests"
 )
 const vboxConfig = `
@@ -113,24 +110,9 @@ func TestLocalClientNewHost(t *testing.T) {
 }
 }
-func makeTempDir() string {
- tempDir, err := ioutil.TempDir("", "minipath")
- if err != nil {
- log.Fatal(err)
- }
- tempDir = filepath.Join(tempDir, ".minikube")
- os.Setenv(localpath.MinikubeHome, tempDir)
- return localpath.MiniPath()
-}
-
 func TestRunNotDriver(t *testing.T) {
- tempDir := makeTempDir()
- defer func() { //clean up tempdir
- err := os.RemoveAll(tempDir)
- if err != nil {
- t.Errorf("failed to clean up temp folder %q", tempDir)
- }
- }()
+ tempDir := testutil.MakeTempDir()
+ defer testutil.RemoveTempDir(tempDir)
 StartDriver()
 if !localbinary.CurrentBinaryIsDockerMachine {
 t.Fatal("CurrentBinaryIsDockerMachine not set. This will break driver initialization.")
@@ -140,8 +122,8 @@ func TestRunNotDriver(t *testing.T) {
 func TestRunDriver(t *testing.T) {
 // This test is a bit complicated. It verifies that when the root command is
 // called with the proper environment variables, we setup the libmachine driver.
- tempDir := makeTempDir()
- defer os.RemoveAll(tempDir)
+ tempDir := testutil.MakeTempDir()
+ defer testutil.RemoveTempDir(tempDir)
 os.Setenv(localbinary.PluginEnvKey, localbinary.PluginEnvVal)
 os.Setenv(localbinary.PluginEnvDriverName, driver.VirtualBox)
diff --git a/pkg/minikube/machine/filesync_test.go b/pkg/minikube/machine/filesync_test.go
index a69be410f025..a766ce0f1e28 100644
--- a/pkg/minikube/machine/filesync_test.go
+++ b/pkg/minikube/machine/filesync_test.go
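Review bot: The deferred cleanup that TestRunNotDriver replaces reported a failed `os.RemoveAll` through `t.Errorf`; `defer testutil.RemoveTempDir(tempDir)` discards that outcome because RemoveTempDir (pkg/minikube/tests/dir_utils.go in this diff) ignores the error, so a temp directory leaking from a test now goes unnoticed. The same reporting is lost in TestRunDriver in the next hunk and in TestAssetsFromDir in filesync_test.go. If RemoveTempDir returned the error, call sites could keep the old behaviour with `defer func() { if err := testutil.RemoveTempDir(tempDir); err != nil { t.Errorf("failed to clean up temp folder %q: %v", tempDir, err) } }()`; alternatively it could take `t *testing.T` and report itself.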
@@ -17,26 +17,16 @@ limitations under the License.
 package machine
 import (
- "io/ioutil"
 "os"
 "path/filepath"
 "testing"
 "github.com/google/go-cmp/cmp"
 "k8s.io/minikube/pkg/minikube/localpath"
+ testutil "k8s.io/minikube/pkg/minikube/tests"
 "k8s.io/minikube/pkg/minikube/vmpath"
 )
-func setupTestDir() (string, error) {
- path, err := ioutil.TempDir("", "minipath")
- if err != nil {
- return "", err
- }
-
- os.Setenv(localpath.MinikubeHome, path)
- return path, err
-}
-
 func TestAssetsFromDir(t *testing.T) {
 tests := []struct {
 description string
@@ -107,17 +97,8 @@ func TestAssetsFromDir(t *testing.T) {
 for _, test := range tests {
 t.Run(test.description, func(t *testing.T) {
- testDir, err := setupTestDir()
- defer func() { //clean up tempdir
- err := os.RemoveAll(testDir)
- if err != nil {
- t.Errorf("failed to clean up temp folder %q", testDir)
- }
- }()
- if err != nil {
- t.Errorf("got unexpected error creating test dir: %v", err)
- return
- }
+ testDir := testutil.MakeTempDir()
+ defer testutil.RemoveTempDir(testDir)
 testDirs = append(testDirs, testDir)
 testFileBaseDir := filepath.Join(testDir, test.baseDir)
diff --git a/pkg/minikube/notify/notify_test.go b/pkg/minikube/notify/notify_test.go
index 8f926daea63a..46e44d558976 100644
--- a/pkg/minikube/notify/notify_test.go
+++ b/pkg/minikube/notify/notify_test.go
@@ -43,7 +43,7 @@ func TestMaybePrintUpdateTextFromGithub(t *testing.T) {
 func TestShouldCheckURL(t *testing.T) {
 tempDir := tests.MakeTempDir()
- defer os.RemoveAll(tempDir)
+ defer tests.RemoveTempDir(tempDir)
 lastUpdateCheckFilePath := filepath.Join(tempDir, "last_update_check")
@@ -152,7 +152,7 @@ func TestGetLatestVersionFromURLMalformed(t *testing.T) {
 func TestMaybePrintUpdateText(t *testing.T) {
 tempDir := tests.MakeTempDir()
- defer os.RemoveAll(tempDir)
+ defer tests.RemoveTempDir(tempDir)
 outputBuffer := tests.NewFakeFile()
 out.SetErrFile(outputBuffer)
diff --git a/pkg/minikube/tests/dir_utils.go b/pkg/minikube/tests/dir_utils.go
index 361d4752acd9..795742b772fc 100644
--- a/pkg/minikube/tests/dir_utils.go
+++ b/pkg/minikube/tests/dir_utils.go
@@ -45,6 +45,13 @@ func MakeTempDir() string {
 return localpath.MiniPath()
 }
+func RemoveTempDir(tempdir string) {
+ if filepath.Base(tempdir) == ".minikube" {
+ tempdir = filepath.Dir(tempdir)
+ }
+ os.RemoveAll(tempdir)
+}
+
 // FakeFile satisfies fdWriter
 type FakeFile struct {
 b bytes.Buffer
diff --git a/site/content/en/docs/drivers/includes/podman_usage.inc b/site/content/en/docs/drivers/includes/podman_usage.inc
index 22c71a96f8a1..63940a3c548c 100644
--- a/site/content/en/docs/drivers/includes/podman_usage.inc
+++ b/site/content/en/docs/drivers/includes/podman_usage.inc
@@ -1,20 +1,22 @@
-## experimental
+## Experimental
-This is an experimental driver. please use it only for experimental reasons. for a better kubernetes in container experience, use docker [driver]({{< ref "/docs/drivers/docker/" >}})
+This is an experimental driver. Please use it only for experimental reasons until it has reached maturity. For a more reliable minikube experience, use a non-experimental driver, like [Docker]({{< ref "/docs/drivers/docker.md" >}}).
-## Install Podman
+## Usage
-- [Podman](https://podman.io/getting-started/installation.html)
+It's recommended to run minikube with the podman driver and [CRI-O container runtime](https://https://cri-o.io/):
-## Usage
+```shell
+minikube start --driver=podman --container-runtime=cri-o
+```
-Start a cluster using the podman driver:
+Alternatively, start minikube with the podman driver only:
 ```shell
-minikube start --driver=podman
+minikube start --driver=podman
 ```
-To make docker the default driver:
+
+To make podman the default driver:
 ```shell
 minikube config set driver podman
diff --git a/site/content/en/docs/drivers/kvm2.md b/site/content/en/docs/drivers/kvm2.md
index 52f19be12bad..6ec2e8428d0d 100644
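Review bot: `RemoveTempDir` deletes the parent of any path whose base name is `.minikube`, which matches what MakeTempDir produces (it presumably returns a `<tmp>/.minikube` path, given the removed makeTempDir in client_test.go) but is hazardous for any other caller: passed a real `$HOME/.minikube` it would `os.RemoveAll` the home directory. Since MakeTempDir is the only intended producer, a check that the path being removed lies under `os.TempDir()` (or having MakeTempDir remember the root it created and RemoveTempDir accept only that) would make the pair safe to export. The function also needs a doc comment stating the contract, e.g. `// RemoveTempDir deletes the temporary directory tree created by MakeTempDir; tempdir must be the value MakeTempDir returned.` The `os.RemoveAll` result is dropped as well; returning it lets the tests that previously reported cleanup failures keep doing so. MakeTempDir starts before the hunk.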
--- a/site/content/en/docs/drivers/kvm2.md
+++ b/site/content/en/docs/drivers/kvm2.md
@@ -37,6 +37,10 @@ The `minikube start` command supports 3 additional kvm specific flags:
 Also see [co/kvm2 open issues](https://github.com/kubernetes/minikube/labels/co%2Fkvm2)
+### Nested Virtulization
+
+If you are running KVM in a nested virtualization environment ensure your config the kernel modules correctly follow either [this](https://stafwag.github.io/blog/blog/2018/06/04/nested-virtualization-in-kvm/) or [this](VM follow to config the kernel modules. also https://computingforgeeks.com/how-to-install-kvm-virtualization-on-debian/) tutorial.
+
 ## Troubleshooting
 * Run `virt-host-validate` and check for the suggestions.
 * Run `minikube start --alsologtostderr -v=7` to debug crashes
diff --git a/site/content/en/docs/drivers/podman.md b/site/content/en/docs/drivers/podman.md
index 286429b0effc..d1e827130682 100644
--- a/site/content/en/docs/drivers/podman.md
+++ b/site/content/en/docs/drivers/podman.md
@@ -11,21 +11,36 @@ aliases: This driver is experimental and in active development. Help wanted! {{% /pageinfo %}} -The podman driver is another kubernetes in container driver for minikube. similar to [docker](https://minikube.sigs.k8s.io/docs/drivers/docker/) driver. The podman driver is experimental, and only supported on Linux and macOS (with a remote podman server). +The podman driver is an alternative container runtime to the [Docker]({{< ref "/docs/drivers/docker.md" >}}) driver. ## Requirements -- Install [Podman](https://podman.io/getting-started/installation) -- amd64 system +- Linux or macOS operating systems on amd64 architecture +- Install [podman](https://podman.io/getting-started/installation.html) -## Try it with CRI-O container runtime. - -```shell -minikube start --driver=podman --container-runtime=cri-o -``` {{% readfile file="/docs/drivers/includes/podman_usage.inc" %}} ## Known Issues - Podman driver is not supported on non-amd64 architectures such as arm yet. For non-amd64 archs please use [other drivers]({{< ref "/docs/drivers/_index.md" >}}) +- Podman requirements passwordless running of sudo. If you run into an error about sudo, do the following: + +```shell +$ sudo visudo +``` +Then append the following to the section *at the very bottom* of the file where `username` is your user account. + +```shell +username ALL=(ALL) NOPASSWD: /usr/bin/podman +``` + +Be sure this text is *after* `#includedir /etc/sudoers.d`. To confirm it worked, try: + +```shell +sudo -k -n podman version +``` + +## Troubleshooting + +- Run `minikube start --alsologtostderr -v=7` to debug errors and crashes diff --git a/site/content/en/docs/handbook/registry.md b/site/content/en/docs/handbook/registry.md index ff8c6b54a5e4..0b04a6f3644f 100644 --- a/site/content/en/docs/handbook/registry.md +++ b/site/content/en/docs/handbook/registry.md 
@@ -107,4 +107,4 @@ docker push localhost:5000/myimage After the image is pushed, refer to it by `localhost:5000/{name}` in kubectl specs. -## \ No newline at end of file +## diff --git a/site/content/en/docs/tutorials/using_psp.md b/site/content/en/docs/tutorials/using_psp.md index b77fc4c46f9c..38123c73c0af 100644 --- a/site/content/en/docs/tutorials/using_psp.md +++ b/site/content/en/docs/tutorials/using_psp.md @@ -13,18 +13,33 @@ This tutorial explains how to start minikube with Pod Security Policies (PSP) en ## Prerequisites -- Minikube 1.5.2 with Kubernetes 1.16.x or higher +- Minikube 1.11.1 with Kubernetes 1.16.x or higher ## Tutorial -Before starting minikube, you need to give it the PSP YAMLs in order to allow minikube to bootstrap. +Start minikube with the `PodSecurityPolicy` admission controller and the +`pod-security-policy` addon enabled. -Create the directory: +`minikube start --extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy --addons=pod-security-policy` + +The `pod-security-policy` addon must be enabled along with the admission +controller to prevent issues during bootstrap. + +## Older versions of minikube + +Older versions of minikube do not ship with the `pod-security-policy` addon, so +the policies that addon enables must be separately applied to the cluster. + +## Minikube 1.5.2 through 1.6.2 + +Before starting minikube, you need to give it the PSP YAMLs in order to allow minikube to bootstrap. + +Create the directory: `mkdir -p ~/.minikube/files/etc/kubernetes/addons` Copy the YAML below into this file: `~/.minikube/files/etc/kubernetes/addons/psp.yaml` -Now start minikube: +Now start minikube: `minikube start --extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy` ```yaml 
@@ -161,3 +176,24 @@ subjects:
 name: system:serviceaccounts:kube-system
 apiGroup: rbac.authorization.k8s.io
 ```
+
+### Minikube between 1.6.2 and 1.11.1
+
+With minikube versions greater than 1.6.2 and less than 1.11.1, the YAML files
+shown above will not be automatically applied to the cluster. You may have
+errors during bootstrap of the cluster if the admission controller is enabled.
+
+To use Pod Security Policies with these versions of minikube, first start a
+cluster without the `PodSecurityPolicy` admission controller enabled.
+
+Next, apply the YAML shown above to the cluster.
+
+Finally, stop the cluster and then restart it with the admission controller
+enabled.
+
+```
+minikube start
+kubectl apply -f /path/to/psp.yaml
+minikube stop
+minikube start --extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy
+```
diff --git a/test.sh b/test.sh
index 79a350164853..82b3cb2bf29a 100755
--- a/test.sh
+++ b/test.sh
@@ -67,6 +67,7 @@ then
 ${pkgs} \
 && echo ok || ((exitcode += 32))
 tail -n +2 "${cov_tmp}" >>"${COVERAGE_PATH}"
+ rm ${cov_tmp}
 fi
 exit "${exitcode}"
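Review bot: `rm ${cov_tmp}` is the only unquoted expansion of the variable in this hunk; the neighbouring `tail` line quotes it as `"${cov_tmp}"`, and an unquoted path containing spaces or glob characters would be word-split or expanded before `rm` sees it. Suggest `rm -f "${cov_tmp}"`, where `-f` also keeps the step from failing if the file is already gone (relevant if the script runs under `set -e`, which is not visible here). The enclosing `if ... then` block begins before the hunk.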