From 455a260e6fcb5c8a620b1104ad5f130e9cb8016a Mon Sep 17 00:00:00 2001
From: George Angel
Date: Wed, 7 Oct 2020 10:36:48 +0100
Subject: [PATCH 1/2] Add PSP for the controller Deployment
---
 .../base/controller/cluster_setup.yaml | 23 +++++++++++++++++++
 .../base/controller/kustomization.yaml | 1 +
 deploy/kubernetes/base/controller/psp.yaml | 18 +++++++++++++++
 3 files changed, 42 insertions(+)
 create mode 100644 deploy/kubernetes/base/controller/psp.yaml
diff --git a/deploy/kubernetes/base/controller/cluster_setup.yaml b/deploy/kubernetes/base/controller/cluster_setup.yaml
index 7f045097a..191de34f2 100644
--- a/deploy/kubernetes/base/controller/cluster_setup.yaml
+++ b/deploy/kubernetes/base/controller/cluster_setup.yaml
@@ -152,6 +152,29 @@ roleRef:
 kind: ClusterRole
 name: csi-gce-pd-resizer-role
 apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: csi-gce-pd-controller-deploy
+rules:
+ - apiGroups: ["policy"]
+ resources: ["podsecuritypolicies"]
+ verbs: ["use"]
+ resourceNames:
+ - csi-gce-pd-controller-psp
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: csi-gce-pd-controller-deploy
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: csi-gce-pd-controller-deploy
+subjects:
+ - kind: ServiceAccount
+ name: csi-gce-pd-controller-sa
 ---
diff --git a/deploy/kubernetes/base/controller/kustomization.yaml b/deploy/kubernetes/base/controller/kustomization.yaml
index 59640442a..b94b187f2 100644
--- a/deploy/kubernetes/base/controller/kustomization.yaml
+++ b/deploy/kubernetes/base/controller/kustomization.yaml
@@ -6,3 +6,4 @@ resources:
 - cluster_setup.yaml
 - controller.yaml
 - csidriver_info.yaml
+- psp.yaml
diff --git a/deploy/kubernetes/base/controller/psp.yaml b/deploy/kubernetes/base/controller/psp.yaml
new file mode 100644
index 000000000..c01661b94
--- /dev/null
+++ b/deploy/kubernetes/base/controller/psp.yaml
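Review bot: The ClusterRoleBinding subject at the end of the cluster_setup.yaml hunk names `csi-gce-pd-controller-sa` with no `namespace`, and a ServiceAccount subject in a ClusterRoleBinding is not accepted by the API server without one; if this base relies on the overlay's kustomize namespace transformer to fill it in, as the file's existing bindings presumably do, say so in a comment above `subjects:`, otherwise add `namespace: <controller namespace>` under the subject. Since `use` on a PodSecurityPolicy only has to be granted where the controller pods are admitted, binding the new ClusterRole with a RoleBinding in that namespace would give the same effect with narrower scope than a ClusterRoleBinding. The trailing `---` context shows the hunk sits between other documents of this multi-document file.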
@@ -0,0 +1,18 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: csi-gce-pd-controller-psp
+spec:
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ runAsUser:
+ rule: RunAsAny
+ fsGroup:
+ rule: RunAsAny
+ volumes:
+ - "configMap"
+ - "emptyDir"
+ - "secret"
+ hostNetwork: true
From 1b9bfe3146de5811d723886b4244dafcc160f6bd Mon Sep 17 00:00:00 2001
From: George Angel
Date: Thu, 8 Oct 2020 09:44:50 +0100
Subject: [PATCH 2/2] Remove configMap from the PSP
Controller does not mount any configMaps
---
 deploy/kubernetes/base/controller/psp.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/deploy/kubernetes/base/controller/psp.yaml b/deploy/kubernetes/base/controller/psp.yaml
index c01661b94..2e3a18385 100644
--- a/deploy/kubernetes/base/controller/psp.yaml
+++ b/deploy/kubernetes/base/controller/psp.yaml
@@ -12,7 +12,6 @@ spec:
 fsGroup:
 rule: RunAsAny
 volumes:
- - "configMap"
 - "emptyDir"
 - "secret"
 hostNetwork: true
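Review bot: The new psp.yaml leaves `allowPrivilegeEscalation` unset, which PodSecurityPolicy defaults to true, so pods admitted under it are not forced to run with no-new-privileges even though nothing in the Deployment is shown to need that; add `allowPrivilegeEscalation: false` alongside `hostNetwork: true`, and, if the controller images need no capabilities, `requiredDropCapabilities: ["ALL"]`. `hostNetwork: true` is the one broad grant in the policy and neither patch states why the controller needs host networking; a one-line comment above it naming that requirement (confirm against the controller Deployment, which is not in this diff) would let a later reviewer judge whether it can be dropped. `runAsUser: RunAsAny` is likewise unconstrained, so if the controller runs as non-root a `MustRunAsNonRoot` rule would pin that; the second patch's removal of `configMap` from `volumes` is the right direction and the same narrowing applies here.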