From 8d34bd9bfd65a9aae4efa70801f8dbf74fbdcabd Mon Sep 17 00:00:00 2001
From: Simon Emms
Date: Tue, 7 Dec 2021 08:56:31 +0000
Subject: [PATCH] [installer]: fix incorrectly configured pod security policies

This now makes Gitpod work in a cluster with pod security policies enabled.
---
 installer/pkg/common/constants.go | 2 +-
 installer/pkg/components/components.go | 1 +
 .../components/database/cloudsql/objects.go | 1 +
 .../database/cloudsql/rolebinding.go | 33 +++++++++++++++++
 .../components/database/incluster/objects.go | 1 +
 .../database/incluster/rolebinding.go | 37 +++++++++++++++++++
 .../pkg/components/database/init/objects.go | 1 +
 .../components/database/init/rolebinding.go | 33 +++++++++++++++++
 .../image-builder-mk3/clusterrole.go | 2 +-
 .../image-builder-mk3/rolebinding.go | 2 +-
 installer/pkg/components/minio/objects.go | 15 ++++++++
 installer/pkg/components/minio/rolebinding.go | 35 ++++++++++++++++++
 installer/pkg/components/rabbitmq/helm.go | 1 +
 .../components/registry-facade/clusterrole.go | 4 +-
 .../components/registry-facade/rolebinding.go | 2 +-
 .../pkg/components/server/rolebinding.go | 2 +-
 .../charts/jaeger-operator/values.yaml | 4 +-
 17 files changed, 168 insertions(+), 8 deletions(-)
 create mode 100644 installer/pkg/components/database/cloudsql/rolebinding.go
 create mode 100644 installer/pkg/components/database/incluster/rolebinding.go
 create mode 100644 installer/pkg/components/database/init/rolebinding.go
 create mode 100644 installer/pkg/components/minio/objects.go
 create mode 100644 installer/pkg/components/minio/rolebinding.go

diff --git a/installer/pkg/common/constants.go b/installer/pkg/common/constants.go
index 4848a17d222281..536dfab76afd99 100644
--- a/installer/pkg/common/constants.go
+++ b/installer/pkg/common/constants.go
@@ -34,7 +34,7 @@ const (
 	RegistryAuthSecret = "builtin-registry-auth"
 	RegistryTLSCertSecret = "builtin-registry-certs"
 	RegistryFacadeComponent = "registry-facade"
-	RegistryFacadeServicePort = 3000
+	RegistryFacadeServicePort = 30000
 	RegistryFacadeTLSCertSecret = "builtin-registry-facade-cert"
 	ServerComponent = "server"
 	SystemNodeCritical = "system-node-critical"
diff --git a/installer/pkg/components/components.go b/installer/pkg/components/components.go
index f4fa318a11c633..d95af948968aa1 100644
--- a/installer/pkg/components/components.go
+++ b/installer/pkg/components/components.go
@@ -38,6 +38,7 @@ var MetaObjects = common.CompositeRenderFunc(
 	database.Objects,
 	imagebuildermk3.Objects,
 	migrations.Objects,
+	minio.Objects,
 	openvsxproxy.Objects,
 	rabbitmq.Objects,
 	server.Objects,
diff --git a/installer/pkg/components/database/cloudsql/objects.go b/installer/pkg/components/database/cloudsql/objects.go
index d984ac91c78846..cc8ddf07c01c8b 100644
--- a/installer/pkg/components/database/cloudsql/objects.go
+++ b/installer/pkg/components/database/cloudsql/objects.go
@@ -12,6 +12,7 @@ import (
 var Objects = common.CompositeRenderFunc(
 	deployment,
 	dbinit.Objects,
+	rolebinding,
 	common.DefaultServiceAccount(Component),
 	common.GenerateService(Component, map[string]common.ServicePort{
 		Component: {
diff --git a/installer/pkg/components/database/cloudsql/rolebinding.go b/installer/pkg/components/database/cloudsql/rolebinding.go
new file mode 100644
index 00000000000000..2843bc287eff20
--- /dev/null
+++ b/installer/pkg/components/database/cloudsql/rolebinding.go
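Review bot: The change of RegistryFacadeServicePort from 3000 to 30000 has nothing to do with pod security policies and is not mentioned in the commit message, so anyone bisecting a registry-facade connectivity change will not find it under this title. 30000 is the first port of the default NodePort range, which hints at a NodePort service, but no consumer of the constant is visible in the patch, so the reason is inferred rather than shown. Record it next to the value, e.g. `RegistryFacadeServicePort = 30000 // NodePort range (30000-32767): <reason for the change>`, or split it into its own commit.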
@@ -0,0 +1,33 @@
+// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package cloudsql
+
+import (
+	"fmt"
+	"github.com/gitpod-io/gitpod/installer/pkg/common"
+	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) {
+	return []runtime.Object{&rbacv1.RoleBinding{
+		TypeMeta: common.TypeMetaRoleBinding,
+		ObjectMeta: metav1.ObjectMeta{
+			Name: Component,
+			Namespace: ctx.Namespace,
+			Labels: common.DefaultLabels(Component),
+		},
+		RoleRef: rbacv1.RoleRef{
+			Kind: "ClusterRole",
+			Name: fmt.Sprintf("%s-ns-psp:restricted-root-user", ctx.Namespace),
+			APIGroup: "rbac.authorization.k8s.io",
+		},
+		Subjects: []rbacv1.Subject{{
+			Kind: "ServiceAccount",
+			Name: Component,
+		}},
+	}}, nil
+}
diff --git a/installer/pkg/components/database/incluster/objects.go b/installer/pkg/components/database/incluster/objects.go
index 1719c7f02b9be8..a56b844c80ea9b 100644
--- a/installer/pkg/components/database/incluster/objects.go
+++ b/installer/pkg/components/database/incluster/objects.go
@@ -10,6 +10,7 @@ import (
 
 var Objects = common.CompositeRenderFunc(
 	configmap,
+	rolebinding,
 	secrets,
 	service,
 	common.DefaultServiceAccount(Component),
diff --git a/installer/pkg/components/database/incluster/rolebinding.go b/installer/pkg/components/database/incluster/rolebinding.go
new file mode 100644
index 00000000000000..cb8a76454fb5de
--- /dev/null
+++ b/installer/pkg/components/database/incluster/rolebinding.go
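Review bot: The Subject of the new RoleBinding names the ServiceAccount without a Namespace; the RBAC authorizer resolves an empty ServiceAccount namespace to the binding's own namespace, so it works, but adding `Namespace: ctx.Namespace,` to the subject makes the grant self-describing and matches the explicit namespace already set in ObjectMeta. The same function is added, identical apart from the package name and role suffix, in database/incluster, database/init and minio (the incluster copy only differs in literal formatting); a helper in common, e.g. `common.PSPRoleBinding(ctx, Component, "restricted-root-user")`, would keep the four from drifting, which is the class of bug this commit fixes. The RoleRef points at a ClusterRole `<namespace>-ns-psp:restricted-root-user` that this commit does not create, and the API server accepts a RoleBinding to a missing ClusterRole without error, so that dependency deserves a function comment such as `// rolebinding grants the component's ServiceAccount use of the namespace's restricted-root-user PodSecurityPolicy; the ClusterRole itself is rendered elsewhere.` with the owning component named by the author. goimports would also put "fmt" in a separate group from the third-party imports.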
@@ -0,0 +1,37 @@
+// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package incluster
+
+import (
+	"fmt"
+	"github.com/gitpod-io/gitpod/installer/pkg/common"
+	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) {
+	return []runtime.Object{
+		&rbacv1.RoleBinding{
+			TypeMeta: common.TypeMetaRoleBinding,
+			ObjectMeta: metav1.ObjectMeta{
+				Name: Component,
+				Namespace: ctx.Namespace,
+				Labels: common.DefaultLabels(Component),
+			},
+			RoleRef: rbacv1.RoleRef{
+				Kind: "ClusterRole",
+				Name: fmt.Sprintf("%s-ns-psp:restricted-root-user", ctx.Namespace),
+				APIGroup: "rbac.authorization.k8s.io",
+			},
+			Subjects: []rbacv1.Subject{
+				{
+					Kind: "ServiceAccount",
+					Name: Component,
+				},
+			},
+		},
+	}, nil
+}
diff --git a/installer/pkg/components/database/init/objects.go b/installer/pkg/components/database/init/objects.go
index 2a17284edff4d0..f9d09981e9bb89 100644
--- a/installer/pkg/components/database/init/objects.go
+++ b/installer/pkg/components/database/init/objects.go
@@ -11,5 +11,6 @@ import (
 var Objects = common.CompositeRenderFunc(
 	configmap,
 	job,
+	rolebinding,
 	common.DefaultServiceAccount(Component),
 )
diff --git a/installer/pkg/components/database/init/rolebinding.go b/installer/pkg/components/database/init/rolebinding.go
new file mode 100644
index 00000000000000..1be6c87ef8339b
--- /dev/null
+++ b/installer/pkg/components/database/init/rolebinding.go
@@ -0,0 +1,33 @@
+// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package init
+
+import (
+	"fmt"
+	"github.com/gitpod-io/gitpod/installer/pkg/common"
+	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) {
+	return []runtime.Object{&rbacv1.RoleBinding{
+		TypeMeta: common.TypeMetaRoleBinding,
+		ObjectMeta: metav1.ObjectMeta{
+			Name: Component,
+			Namespace: ctx.Namespace,
+			Labels: common.DefaultLabels(Component),
+		},
+		RoleRef: rbacv1.RoleRef{
+			Kind: "ClusterRole",
+			Name: fmt.Sprintf("%s-ns-psp:restricted-root-user", ctx.Namespace),
+			APIGroup: "rbac.authorization.k8s.io",
+		},
+		Subjects: []rbacv1.Subject{{
+			Kind: "ServiceAccount",
+			Name: Component,
+		}},
+	}}, nil
+}
diff --git a/installer/pkg/components/image-builder-mk3/clusterrole.go b/installer/pkg/components/image-builder-mk3/clusterrole.go
index 40a9226358fc83..1c6961d895feee 100644
--- a/installer/pkg/components/image-builder-mk3/clusterrole.go
+++ b/installer/pkg/components/image-builder-mk3/clusterrole.go
@@ -18,7 +18,7 @@ func clusterrole(ctx *common.RenderContext) ([]runtime.Object, error) {
 	return []runtime.Object{&rbacv1.ClusterRole{
 		TypeMeta: common.TypeMetaClusterRole,
 		ObjectMeta: metav1.ObjectMeta{
-			Name: Component,
+			Name: fmt.Sprintf("%s-ns-%s", ctx.Namespace, Component),
 			Namespace: ctx.Namespace,
 			Labels: common.DefaultLabels(Component),
 		},
diff --git a/installer/pkg/components/image-builder-mk3/rolebinding.go b/installer/pkg/components/image-builder-mk3/rolebinding.go
index 6b52c93c6bb56b..ecb480f94351d5 100644
--- a/installer/pkg/components/image-builder-mk3/rolebinding.go
+++ b/installer/pkg/components/image-builder-mk3/rolebinding.go
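Review bot: The image-builder-mk3 ClusterRole now encodes the namespace in its Name, yet the ObjectMeta directly below still sets `Namespace: ctx.Namespace` on a cluster-scoped object; the API server does not keep a namespace on cluster-scoped resources (older servers clear it, newer ones may reject it — verify against the versions the installer targets), so the line is misleading at best. Since the name now carries the namespace, drop `Namespace: ctx.Namespace,` from this ClusterRole and from the registry-facade clusterrole hunk, leaving it on the namespaced RoleBindings only. The `"%s-ns-%s"` format is now written out in four places (both clusterrole and rolebinding hunks for image-builder-mk3 and registry-facade); a small helper in common returning the ClusterRole name for a component would stop the role and its binding from drifting apart again, which is the defect this commit repairs. clusterrole's body continues past the hunk.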
@@ -27,7 +27,7 @@ func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) {
 		},
 		RoleRef: rbacv1.RoleRef{
 			Kind: "ClusterRole",
-			Name: fmt.Sprintf("%s-ns-image-builder-mk3", ctx.Namespace),
+			Name: fmt.Sprintf("%s-ns-%s", ctx.Namespace, Component),
 			APIGroup: "rbac.authorization.k8s.io",
 		},
 		Subjects: []rbacv1.Subject{{
diff --git a/installer/pkg/components/minio/objects.go b/installer/pkg/components/minio/objects.go
new file mode 100644
index 00000000000000..68ebb2d1439554
--- /dev/null
+++ b/installer/pkg/components/minio/objects.go
@@ -0,0 +1,15 @@
+// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package minio
+
+import (
+	"github.com/gitpod-io/gitpod/installer/pkg/common"
+)
+
+const Component = "minio"
+
+var Objects = common.CompositeRenderFunc(
+	rolebinding,
+)
diff --git a/installer/pkg/components/minio/rolebinding.go b/installer/pkg/components/minio/rolebinding.go
new file mode 100644
index 00000000000000..493618b3ce3be9
--- /dev/null
+++ b/installer/pkg/components/minio/rolebinding.go
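Review bot: `Component` and `Objects` in the new minio/objects.go are exported without doc comments, and this file is the entire public surface of the package. Add `// Component is the name under which the installer renders minio's objects.` above the constant and `// Objects renders the Kubernetes objects the installer manages for minio; currently only the PSP RoleBinding.` above the variable. The package binds a ServiceAccount named `minio` that nothing in this commit creates, so the workload and its ServiceAccount presumably come from outside this package — the Objects comment is the place to say where, once the author confirms it.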
@@ -0,0 +1,35 @@
+// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package minio
+
+import (
+	"fmt"
+	"github.com/gitpod-io/gitpod/installer/pkg/common"
+	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) {
+	return []runtime.Object{
+		&rbacv1.RoleBinding{
+			TypeMeta: common.TypeMetaRoleBinding,
+			ObjectMeta: metav1.ObjectMeta{
+				Name: Component,
+				Namespace: ctx.Namespace,
+				Labels: common.DefaultLabels(Component),
+			},
+			RoleRef: rbacv1.RoleRef{
+				Kind: "ClusterRole",
+				Name: fmt.Sprintf("%s-ns-psp:unprivileged", ctx.Namespace),
+				APIGroup: "rbac.authorization.k8s.io",
+			},
+			Subjects: []rbacv1.Subject{{
+				Kind: "ServiceAccount",
+				Name: Component,
+			}},
+		},
+	}, nil
+}
diff --git a/installer/pkg/components/rabbitmq/helm.go b/installer/pkg/components/rabbitmq/helm.go
index 409926641b1326..9b32238eb9ce34 100644
--- a/installer/pkg/components/rabbitmq/helm.go
+++ b/installer/pkg/components/rabbitmq/helm.go
@@ -277,6 +277,7 @@ var Helm = common.CompositeHelmFunc(
 	helm.KeyValue("rabbitmq.auth.password", password),
 	helm.KeyValue("rabbitmq.auth.existingErlangSecret", CookieSecret),
 	helm.KeyValue("rabbitmq.auth.tls.existingSecret", TLSSecret),
+	helm.KeyValue("rabbitmq.serviceAccount.name", Component),
 	helm.KeyValue(fmt.Sprintf("rabbitmq.extraSecrets.%s.username", InClusterDbSecret), username),
 	helm.KeyValue(fmt.Sprintf("rabbitmq.extraSecrets.%s.password", InClusterDbSecret), password),
 	helm.ImagePullSecrets("rabbitmq.image.pullSecrets", cfg),
diff --git a/installer/pkg/components/registry-facade/clusterrole.go b/installer/pkg/components/registry-facade/clusterrole.go
index 5107479e85f014..873c521d79821e 100644
--- a/installer/pkg/components/registry-facade/clusterrole.go
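Review bot: Pinning `rabbitmq.serviceAccount.name` to Component gives the chart-created ServiceAccount a predictable name, but nothing in this commit binds that account to a PSP ClusterRole the way the minio hunk does for `minio`, so either the rabbitmq binding lives outside the patch or it is still missing and rabbitmq pods will be refused once PSP admission is on. Whichever it is, a one-line comment on the added value naming the consumer, e.g. `// fixed name so the PSP RoleBinding can reference this ServiceAccount`, makes the coupling visible to the next person editing the chart values. The Helm composite begins and ends outside the hunk.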
+++ b/installer/pkg/components/registry-facade/clusterrole.go
@@ -19,7 +19,7 @@ func clusterrole(ctx *common.RenderContext) ([]runtime.Object, error) {
 		&rbacv1.ClusterRole{
 			TypeMeta: common.TypeMetaClusterRole,
 			ObjectMeta: metav1.ObjectMeta{
-				Name: Component,
+				Name: fmt.Sprintf("%s-ns-%s", ctx.Namespace, Component),
 				Namespace: ctx.Namespace,
 				Labels: common.DefaultLabels(Component),
 			},
@@ -27,7 +27,7 @@ func clusterrole(ctx *common.RenderContext) ([]runtime.Object, error) {
 				APIGroups: []string{"policy"},
 				Resources: []string{"podsecuritypolicies"},
 				Verbs: []string{"use"},
-				ResourceNames: []string{fmt.Sprintf("%s-ns-registry-facade", ctx.Namespace)},
+				ResourceNames: []string{fmt.Sprintf("%s-ns-%s", ctx.Namespace, Component)},
 			}},
 		},
 	}, nil
diff --git a/installer/pkg/components/registry-facade/rolebinding.go b/installer/pkg/components/registry-facade/rolebinding.go
index 751669a5c593ad..c89bbe2efd35c1 100644
--- a/installer/pkg/components/registry-facade/rolebinding.go
+++ b/installer/pkg/components/registry-facade/rolebinding.go
@@ -27,7 +27,7 @@ func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) {
 		},
 		RoleRef: rbacv1.RoleRef{
 			Kind: "ClusterRole",
-			Name: fmt.Sprintf("%s-ns-registry-facade", ctx.Namespace),
+			Name: fmt.Sprintf("%s-ns-%s", ctx.Namespace, Component),
 			APIGroup: "rbac.authorization.k8s.io",
 		},
 		Subjects: []rbacv1.Subject{{
diff --git a/installer/pkg/components/server/rolebinding.go b/installer/pkg/components/server/rolebinding.go
index 196714621d6289..23f227c9fca3bc 100644
--- a/installer/pkg/components/server/rolebinding.go
+++ b/installer/pkg/components/server/rolebinding.go
@@ -61,7 +61,7 @@ func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) {
 		},
 		RoleRef: rbacv1.RoleRef{
 			Kind: "ClusterRole",
-			Name: Component,
+			Name: fmt.Sprintf("%s-ns-psp:unprivileged", ctx.Namespace),
 			APIGroup: "rbac.authorization.k8s.io",
 		},
 		Subjects: []rbacv1.Subject{{
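Review bot: The server RoleBinding's RoleRef is switched from the ClusterRole named `server` to `<namespace>-ns-psp:unprivileged`; if a ClusterRole `server` is still rendered by the component, it is now unbound and whatever rules it carried are dropped without any error, since RBAC never complains about an unreferenced role. If server only ever needed the PSP grant, the `server` ClusterRole should be deleted in the same commit; if it still needs its own rules, this binding must stay and a second RoleBinding to the PSP role be added instead of repointing this one. rolebinding's body starts before line 61 and continues past the hunk, so an earlier binding in the same function may already cover the `server` role — confirm before merging. In the registry-facade clusterrole hunk the `ResourceNames` entry now names a PodSecurityPolicy `<namespace>-ns-registry-facade` that this commit does not create either; the same dependency note as for the PSP ClusterRoles applies.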
diff --git a/installer/third_party/charts/jaeger-operator/values.yaml b/installer/third_party/charts/jaeger-operator/values.yaml
index fd547e4b3a7046..304cacde883fa6 100644
--- a/installer/third_party/charts/jaeger-operator/values.yaml
+++ b/installer/third_party/charts/jaeger-operator/values.yaml
@@ -2,4 +2,6 @@
 # Licensed under the GNU Affero General Public License (AGPL).
 # See License-AGPL.txt in the project root for license information.
 
-jaeger-operator: {}
+jaeger-operator:
+  rbac:
+    pspEnabled: true
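Review bot: `rbac.pspEnabled: true` is set unconditionally, so the chart will render a PodSecurityPolicy and its RBAC on every cluster: inert where PSP admission is off, and a hard install failure once the PodSecurityPolicy API is gone, which happens with its removal in Kubernetes 1.25. This is consistent with the Go components in this commit, which bind to PSP ClusterRoles unconditionally too, but nothing visible here gates any of it on the target cluster. A comment above the key, e.g. `# the installer's Go components always ship PSP bindings; drop this together with them when PSP support is removed`, records the coupling so the two are retired together.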