diff --git a/terraform/aptos-node-testnet/aws/addons.tf b/terraform/aptos-node-testnet/aws/addons.tf
index 4c82d2d47373e..29e61afe391dc 100644
--- a/terraform/aptos-node-testnet/aws/addons.tf
+++ b/terraform/aptos-node-testnet/aws/addons.tf
@@ -94,14 +94,20 @@ data "aws_iam_policy_document" "cluster-autoscaler" {
 }
 }
+ # Recommended config https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md
 statement {
 sid = "DescribeAutoscaling"
 actions = [
- "autoscaling:DescribeAutoScalingInstances",
 "autoscaling:DescribeAutoScalingGroups",
- "ec2:DescribeLaunchTemplateVersions",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations",
+ "autoscaling:DescribeScalingActivities",
 "autoscaling:DescribeTags",
- "autoscaling:DescribeLaunchConfigurations"
+ "ec2:DescribeInstanceTypes",
+ "ec2:DescribeLaunchTemplateVersions",
+ "ec2:DescribeImages",
+ "ec2:GetInstanceTypesFromInstanceRequirements",
+ "eks:DescribeNodegroup"
 ]
 resources = ["*"]
 }
@@ -150,7 +156,6 @@ resource "helm_release" "chaos-mesh" {
 }
 chaos-mesh = {
 chaosDaemon = {
- podSecurityPolicy = true
 # tolerate pod assignment on nodes in the validator nodegroup
 tolerations = [{
 key = "aptos.org/nodepool"
diff --git a/terraform/aptos-node-testnet/gcp/addons.tf b/terraform/aptos-node-testnet/gcp/addons.tf
index 1568a00f2141a..d6bd280b6dc13 100644
--- a/terraform/aptos-node-testnet/gcp/addons.tf
+++ b/terraform/aptos-node-testnet/gcp/addons.tf
@@ -24,7 +24,6 @@ resource "helm_release" "chaos-mesh" {
 jsonencode({
 chaos-mesh = {
 chaosDaemon = {
- podSecurityPolicy = true
 }
 }
 })
diff --git a/terraform/helm/aptos-node/README.md b/terraform/helm/aptos-node/README.md
index d515c00c02a49..d2583baaa61c9 100644
--- a/terraform/helm/aptos-node/README.md
+++ b/terraform/helm/aptos-node/README.md
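Review bot: The comment added above the `DescribeAutoscaling` statement links the autoscaler README on `master`, which will drift from this policy as upstream edits it, while the same commit pins the autoscaler image to `v1.23.0` in terraform/helm/autoscaling/values.yaml; pin the reference to that release so the IAM policy and the running version can be compared, e.g. `# Recommended config for cluster-autoscaler v1.23.0; keep in step with cluster-autoscaler/cloudprovider/aws/README.md at that tag`. The statement's actions are all read-only Describe/Get calls, and for the `autoscaling:` and `ec2:` ones `resources = ["*"]` is the only option since they do not accept resource-level ARNs; `eks:DescribeNodegroup` appears to support nodegroup ARNs, so it could live in a statement scoped to this cluster's nodegroups if tighter scoping is wanted. The `aws_iam_policy_document` block starts before the hunk, and any write-side statements it contains are outside it.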
@@ -127,10 +127,6 @@ ServiceAccounts:
 * `-validator` - The validator service account
 * `-fullnode` - The fullnode service account
-[optional] PodSecurityPolicy:
-* `` - The default PodSecurityPolicy for validators and fullnodes
-* `-haproxy` - The PodSecurityPolicy for HAProxy
-
 ## Common Operations
 ### Check Pod Status
diff --git a/terraform/helm/aptos-node/templates/haproxy.yaml b/terraform/helm/aptos-node/templates/haproxy.yaml
index a8768bb1e712c..ff93bee17a356 100644
--- a/terraform/helm/aptos-node/templates/haproxy.yaml
+++ b/terraform/helm/aptos-node/templates/haproxy.yaml
@@ -168,7 +168,6 @@ spec:
 drop:
 - ALL
 add:
- - SYS_RESOURCE
 - SETUID
 {{- with .nodeSelector }}
 nodeSelector:
diff --git a/terraform/helm/aptos-node/templates/securitypolicy.yaml b/terraform/helm/aptos-node/templates/securitypolicy.yaml
deleted file mode 100644
index d32388b12c848..0000000000000
--- a/terraform/helm/aptos-node/templates/securitypolicy.yaml
+++ /dev/null
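Review bot: With `SYS_RESOURCE` gone from the haproxy container's `add:` list, the remaining `SETUID` grant is the only capability left and has no comment saying why it is needed; add one so the next reviewer does not drop it blindly, e.g. `# SETUID: presumably so haproxy can switch to its unprivileged user after start-up -- confirm against the haproxy config`. HAProxy can attempt to raise its open-file limit according to `maxconn`, which is what `SYS_RESOURCE` would have covered, so it is worth confirming the container starts without a setrlimit warning under the configured `maxconn`; if a higher hard limit is required, a container ulimit is the narrower fix than re-adding the capability. The `securityContext` block this sits in starts before the hunk.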
@@ -1,187 +0,0 @@
-{{- if .Values.podSecurityPolicy }}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: {{ include "aptos-validator.fullname" . }}
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
-spec:
- privileged: false
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- requiredDropCapabilities:
- - ALL
- hostNetwork: false
- hostIPC: false
- hostPID: false
- runAsUser:
- rule: MustRunAsNonRoot
- runAsGroup:
- rule: MustRunAs
- ranges:
- - min: 1
- max: 65535
- supplementalGroups:
- rule: MayRunAs
- ranges:
- - min: 1
- max: 65535
- fsGroup:
- rule: MayRunAs
- ranges:
- - min: 1
- max: 65535
- seLinux:
- rule: RunAsAny
- volumes:
- - configMap
- - emptyDir
- - projected
- - secret
- - downwardAPI
- - persistentVolumeClaim
-
----
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: {{ include "aptos-validator.fullname" . }}-psp
-rules:
-- apiGroups: ["policy"]
- resources: ["podsecuritypolicies"]
- verbs: ["use"]
- resourceNames:
- - {{ include "aptos-validator.fullname" . }}
-
----
-
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: {{ include "aptos-validator.fullname" . }}-haproxy
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
-spec:
- privileged: false
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- requiredDropCapabilities:
- - ALL
- allowedCapabilities:
- - SYS_RESOURCE
- - SETUID
- hostNetwork: false
- hostIPC: false
- hostPID: false
- runAsUser:
- rule: RunAsAny
- runAsGroup:
- rule: MustRunAs
- ranges:
- - min: 1
- max: 65535
- supplementalGroups:
- rule: MayRunAs
- ranges:
- - min: 1
- max: 65535
- fsGroup:
- rule: MayRunAs
- ranges:
- - min: 1
- max: 65535
- seLinux:
- rule: RunAsAny
- volumes:
- - configMap
- - emptyDir
- - projected
- - secret
- - downwardAPI
- - persistentVolumeClaim
-
----
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: {{ include "aptos-validator.fullname" . }}-psp-haproxy
-rules:
-- apiGroups: ["policy"]
- resources: ["podsecuritypolicies"]
- verbs: ["use"]
- resourceNames:
- - {{ include "aptos-validator.fullname" . }}-haproxy
-
-{{- end }}
----
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ include "aptos-validator.fullname" . }}-psp
-roleRef:
- kind: ClusterRole
- name: {{ include "aptos-validator.fullname" . }}-psp
- apiGroup: rbac.authorization.k8s.io
-subjects:
-- kind: ServiceAccount
- namespace: {{ .Release.Namespace }}
- name: {{ include "aptos-validator.serviceAccountName" . }}
-- kind: ServiceAccount
- namespace: {{ .Release.Namespace }}
- name: {{ include "aptos-validator.fullname" . }}-validator
-- kind: ServiceAccount
- namespace: {{ .Release.Namespace }}
- name: {{ include "aptos-validator.fullname" . }}-fullnode
-
----
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ include "aptos-validator.fullname" . }}-psp-haproxy
-roleRef:
- kind: ClusterRole
- name: {{ include "aptos-validator.fullname" . }}-psp-haproxy
- apiGroup: rbac.authorization.k8s.io
-subjects:
-- kind: ServiceAccount
- namespace: {{ .Release.Namespace }}
- name: {{ include "aptos-validator.fullname" . }}-haproxy
-
----
-{{- if .Values.enablePrivilegedMode }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ include "aptos-validator.fullname" . }}-psp-privileged-aws
-roleRef:
- kind: ClusterRole
- name: eks:podsecuritypolicy:privileged
- apiGroup: rbac.authorization.k8s.io
-subjects:
-- kind: ServiceAccount
- namespace: {{ .Release.Namespace }}
- name: {{ include "aptos-validator.fullname" . }}-validator
-- kind: ServiceAccount
- namespace: {{ .Release.Namespace }}
- name: {{ include "aptos-validator.fullname" . }}-fullnode
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ include "aptos-validator.fullname" . }}-psp-privileged-gcp
-roleRef:
- kind: ClusterRole
- name: gce:podsecuritypolicy:privileged
- apiGroup: rbac.authorization.k8s.io
-subjects:
-- kind: ServiceAccount
- namespace: {{ .Release.Namespace }}
- name: {{ include "aptos-validator.fullname" . }}-validator
-- kind: ServiceAccount
- namespace: {{ .Release.Namespace }}
- name: {{ include "aptos-validator.fullname" . }}-fullnode
-{{- end }}
diff --git a/terraform/helm/aptos-node/values.yaml b/terraform/helm/aptos-node/values.yaml
index 3348792c18fc4..980e3dcc75534 100644
--- a/terraform/helm/aptos-node/values.yaml
+++ b/terraform/helm/aptos-node/values.yaml
@@ -175,9 +175,6 @@ serviceAccount:
 # -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template
 name:
-# -- LEGACY: create PodSecurityPolicy, which exists at the cluster-level
-podSecurityPolicy: true
-
 # -- Load test-data for starting a test network
 loadTestGenesis: false
diff --git a/terraform/helm/autoscaling/values.yaml b/terraform/helm/autoscaling/values.yaml
index dc3a7aeed5d2e..4cec0a80935ff 100644
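Review bot: Removing `podSecurityPolicy` from values.yaml retires the only switch for the admission-time controls the deleted templates/securitypolicy.yaml enforced (non-root user, read-only root filesystem, all capabilities dropped, no host namespaces, a volume-type allowlist), and nothing in the diff adds a replacement such as a `pod-security.kubernetes.io/enforce` namespace label or the equivalent `securityContext` fields on the pod templates; whether those templates already carry such fields is not visible here and should be confirmed before this merges. The same applies to the genesis chart's values.yaml hunk further down. `enablePrivilegedMode`, whose only consumer visible in this diff was the deleted `-psp-privileged-aws`/`-psp-privileged-gcp` RoleBindings, stays in values.yaml; if no other template reads it, it is now a silent no-op and should either be removed from values.yaml and the README or marked, e.g. `# -- DEPRECATED: has no effect now that the PodSecurityPolicy templates are gone`.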
--- a/terraform/helm/autoscaling/values.yaml
+++ b/terraform/helm/autoscaling/values.yaml
@@ -17,7 +17,7 @@ autoscaler:
 scaleDownDelayAfterAdd: 5m
 image:
 repo: k8s.gcr.io/autoscaling/cluster-autoscaler
- tag: v1.21.0
+ tag: v1.23.0
 resources:
 requests:
 cpu: 1
diff --git a/terraform/helm/chaos/templates/psp.yaml b/terraform/helm/chaos/templates/roles.yaml
similarity index 50%
rename from terraform/helm/chaos/templates/psp.yaml
rename to terraform/helm/chaos/templates/roles.yaml
index 833edc2dc7fef..63a9dca7a0ea7 100644
--- a/terraform/helm/chaos/templates/psp.yaml
+++ b/terraform/helm/chaos/templates/roles.yaml
@@ -41,49 +41,3 @@ subjects:
 namespace: {{ .Release.Namespace }}
 ---
-# Grant some basic permissions to the dashboard and controller manager
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: {{ include "chaos.fullname" . }}
-spec:
- privileged: false # Don't allow privileged pods!
- # The rest fills in some required fields.
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- runAsUser:
- rule: RunAsAny
- fsGroup:
- rule: RunAsAny
- volumes:
- - '*'
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: {{ include "chaos.fullname" . }}-psp
-rules:
-- apiGroups: ["policy"]
- resources: ["podsecuritypolicies"]
- verbs: ["use"]
- resourceNames:
- - {{ include "chaos.fullname" . }}
----
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ include "chaos.fullname" . }}-psp
-roleRef:
- kind: ClusterRole
- name: {{ include "chaos.fullname" . }}-psp
- apiGroup: rbac.authorization.k8s.io
-subjects:
-- kind: ServiceAccount
- namespace: {{ .Release.Namespace }}
- name: chaos-controller-manager
-- kind: ServiceAccount
- namespace: {{ .Release.Namespace }}
- name: chaos-dashboard
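Review bot: In the chaos roles.yaml hunk the last surviving line is the `---` document separator that used to introduce the PodSecurityPolicy, and since `@@ -41,49 +41,3 @@` reaches the old end of file, the renamed file now ends with an empty trailing document; Helm renders and discards it, but it reads as a leftover, so drop the `---` line together with the resources it separated. The binding whose `subjects:` list closes at the top of the hunk starts outside it.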
diff --git a/terraform/helm/forge/templates/psp.yaml b/terraform/helm/forge/templates/roles.yaml
similarity index 100%
rename from terraform/helm/forge/templates/psp.yaml
rename to terraform/helm/forge/templates/roles.yaml
diff --git a/terraform/helm/fullnode/templates/psp.yaml b/terraform/helm/fullnode/templates/psp.yaml
deleted file mode 100644
index 571162891d638..0000000000000
--- a/terraform/helm/fullnode/templates/psp.yaml
+++ /dev/null
@@ -1,71 +0,0 @@
-{{- if .Values.serviceAccount.create -}}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: {{ include "aptos-fullnode.fullname" . }}
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
-spec:
- privileged: false
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- requiredDropCapabilities:
- - ALL
- hostNetwork: false
- hostIPC: false
- hostPID: false
- runAsUser:
- rule: RunAsAny
- runAsGroup:
- rule: MustRunAs
- ranges:
- - min: 1
- max: 65535
- supplementalGroups:
- rule: MayRunAs
- ranges:
- - min: 1
- max: 65535
- fsGroup:
- rule: MayRunAs
- ranges:
- - min: 1
- max: 65535
- seLinux:
- rule: RunAsAny
- volumes:
- - configMap
- - emptyDir
- - projected
- - secret
- - downwardAPI
- - persistentVolumeClaim
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: {{ include "aptos-fullnode.fullname" . }}-psp
-rules:
-- apiGroups: ["policy"]
- resources: ["podsecuritypolicies"]
- verbs: ["use"]
- resourceNames:
- - {{ include "aptos-fullnode.fullname" . }}
-
----
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ include "aptos-fullnode.fullname" . }}-psp
-roleRef:
- kind: ClusterRole
- name: {{ include "aptos-fullnode.fullname" . }}-psp
- apiGroup: rbac.authorization.k8s.io
-subjects:
-- kind: ServiceAccount
- namespace: {{ .Release.Namespace }}
- name: {{ include "aptos-fullnode.serviceAccountName" . }}
-
-{{- end -}}
\ No newline at end of file
diff --git a/terraform/helm/genesis/README.md b/terraform/helm/genesis/README.md
index 47ac56a70f52c..8d5cf82696e68 100644
--- a/terraform/helm/genesis/README.md
+++ b/terraform/helm/genesis/README.md
@@ -44,7 +44,6 @@ Aptos blockchain automated genesis ceremony for testnets
 | genesis.validator.larger_stake_amount | string | `"1000000000000000"` | Stake amount for each validator in this testnet. Defaults to 1M APTOS coins with 8 decimals |
 | imageTag | string | `"testnet"` | Default image tag to use for all tools images |
 | labels | string | `nil` | |
-| podSecurityPolicy | bool | `true` | LEGACY: create PodSecurityPolicy, which exists at the cluster-level |
 | serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
 | serviceAccount.name | string | `nil` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
diff --git a/terraform/helm/genesis/templates/securitypolicy.yaml b/terraform/helm/genesis/templates/securitypolicy.yaml
deleted file mode 100644
index 7f6a376257234..0000000000000
--- a/terraform/helm/genesis/templates/securitypolicy.yaml
+++ /dev/null
@@ -1,71 +0,0 @@
-{{- if .Values.podSecurityPolicy }}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: {{ include "aptos-genesis.fullname" . }}
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
-spec:
- privileged: false
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- requiredDropCapabilities:
- - ALL
- hostNetwork: false
- hostIPC: false
- hostPID: false
- runAsUser:
- rule: MustRunAsNonRoot
- runAsGroup:
- rule: MustRunAs
- ranges:
- - min: 1
- max: 65535
- supplementalGroups:
- rule: MayRunAs
- ranges:
- - min: 1
- max: 65535
- fsGroup:
- rule: MayRunAs
- ranges:
- - min: 1
- max: 65535
- seLinux:
- rule: RunAsAny
- volumes:
- - configMap
- - emptyDir
- - projected
- - secret
- - downwardAPI
- - persistentVolumeClaim
-
----
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: {{ include "aptos-genesis.fullname" . }}-psp
-rules:
-- apiGroups: ["policy"]
- resources: ["podsecuritypolicies"]
- verbs: ["use"]
- resourceNames:
- - {{ include "aptos-genesis.fullname" . }}
-
-{{- end }}
----
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ include "aptos-genesis.fullname" . }}-psp
-roleRef:
- kind: ClusterRole
- name: {{ include "aptos-genesis.fullname" . }}-psp
- apiGroup: rbac.authorization.k8s.io
-subjects:
-- kind: ServiceAccount
- namespace: {{ .Release.Namespace }}
- name: {{ include "aptos-genesis.serviceAccountName" . }}
diff --git a/terraform/helm/genesis/values.yaml b/terraform/helm/genesis/values.yaml
index 9c98927446a51..79d53b4879c2e 100644
--- a/terraform/helm/genesis/values.yaml
+++ b/terraform/helm/genesis/values.yaml
@@ -76,8 +76,5 @@ serviceAccount:
 # -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template
 name:
-# -- LEGACY: create PodSecurityPolicy, which exists at the cluster-level
-podSecurityPolicy: true
-
 # Additional labels
 labels:
diff --git a/terraform/helm/monitoring/templates/psp.yaml b/terraform/helm/monitoring/templates/psp.yaml
deleted file mode 100644
index 5f37da559a80c..0000000000000
--- a/terraform/helm/monitoring/templates/psp.yaml
+++ /dev/null
@@ -1,72 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: {{ include "aptos-monitoring.fullname" . }}
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
-spec:
- privileged: false
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- requiredDropCapabilities:
- - ALL
- hostNetwork: false
- hostIPC: false
- hostPID: false
- runAsUser:
- rule: MustRunAsNonRoot
- runAsGroup:
- rule: MustRunAs
- ranges:
- - min: 1
- max: 65535
- supplementalGroups:
- rule: MayRunAs
- ranges:
- - min: 1
- max: 65535
- fsGroup:
- rule: MayRunAs
- ranges:
- - min: 1
- max: 65535
- seLinux:
- rule: RunAsAny
- volumes:
- - configMap
- - emptyDir
- - projected
- - secret
- - downwardAPI
- - persistentVolumeClaim
-
----
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: {{ include "aptos-monitoring.fullname" . }}-psp
-rules:
-- apiGroups: ["policy"]
- resources: ["podsecuritypolicies"]
- verbs: ["use"]
- resourceNames:
- - {{ include "aptos-monitoring.fullname" . }}
-
----
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ include "aptos-monitoring.fullname" . }}-psp
-roleRef:
- kind: ClusterRole
- name: {{ include "aptos-monitoring.fullname" . }}-psp
- apiGroup: rbac.authorization.k8s.io
-subjects:
-- kind: ServiceAccount
- namespace: {{ .Release.Namespace }}
- name: {{ include "aptos-monitoring.serviceAccountName" . }}
-- kind: ServiceAccount
- namespace: {{ .Release.Namespace }}
- name: {{ include "aptos-monitoring.fullname" . }}-prometheus
diff --git a/terraform/helm/testnet-addons/templates/psp.yaml b/terraform/helm/testnet-addons/templates/psp.yaml
deleted file mode 100644
index d8eaab3a45dce..0000000000000
--- a/terraform/helm/testnet-addons/templates/psp.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ include "testnet-addons.fullname" . }}
-roleRef:
- kind: ClusterRole
- name: eks:podsecuritypolicy:privileged
- apiGroup: rbac.authorization.k8s.io
-subjects:
-- kind: ServiceAccount
- name: {{ include "testnet-addons.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}