From 2528e3d62dae96e06593f917e18be5d4c44e5c80 Mon Sep 17 00:00:00 2001
From: Andrew Seigner
Date: Thu, 20 Jun 2019 17:58:26 +0200
Subject: [PATCH] Make NET_ADMIN check a warning, add PSP check (#2958)
`linkerd check` validates whether PSP's exist, and if the caller has the `NET_ADMIN` capability. This check was previously failing if `NET_ADMIN` was not found, even in the case where the PSP admission controller was not running. Related, `linkerd install` now includes a PSP, so `linkerd check` should also validate that the caller can create PSP's. Modify the `NET_ADMIN` check to warn, but not fail, if PSP's are found but the caller does not have `NET_ADMIN`. Update the warning message to mention that this is only a problem if the PSP admission controller is running (and will only be a problem during injection, since #2920 handles control plane installation by adding its own PSP). Also introduce a check to validate the caller can create PSP's.
Fixes #2884, #2849
Signed-off-by: Andrew Seigner
---
 pkg/healthcheck/healthcheck.go | 14 +++++++++++---
 pkg/healthcheck/healthcheck_test.go | 2 +-
 test/testdata/check.pre.golden | 1 +
 3 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/pkg/healthcheck/healthcheck.go b/pkg/healthcheck/healthcheck.go
index 72d80ada4434a..f736527f1a6f2 100644
--- a/pkg/healthcheck/healthcheck.go
+++ b/pkg/healthcheck/healthcheck.go
@@ -309,6 +309,13 @@ func (hc *HealthChecker) allCategories() []category {
 return hc.checkCanCreate("", "apiextensions.k8s.io", "v1beta1", "customresourcedefinitions")
 },
 },
+ { description: "can create PodSecurityPolicies", hintAnchor: "pre-k8s",
+ check: func(context.Context) error {
+ return hc.checkCanCreate(hc.ControlPlaneNamespace, "policy", "v1beta1", "podsecuritypolicies")
+ },
+ },
 {
 description: "can create ServiceAccounts",
 hintAnchor: "pre-k8s",
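Review bot: The new PodSecurityPolicy check passes `hc.ControlPlaneNamespace` to `checkCanCreate`, while PodSecurityPolicies are cluster-scoped and the neighbouring CustomResourceDefinition check passes `""` for the same reason. If checkCanCreate feeds that namespace into a SelfSubjectAccessReview (its body is outside the hunk), RBAC evaluates RoleBindings in that namespace as well as ClusterRoleBindings, so a namespaced Role granting `create` on `podsecuritypolicies` would make the review answer allowed even though the real cluster-scoped create is denied; the pre-check would then pass and the later install fail. I would align it with the CRD check: `return hc.checkCanCreate("", "policy", "v1beta1", "podsecuritypolicies")`. allCategories continues outside the hunk.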
@@ -352,6 +359,7 @@ func (hc *HealthChecker) allCategories() []category {
 {
 description: "has NET_ADMIN capability",
 hintAnchor: "pre-k8s-cluster-net-admin",
+ warning: true,
 check: func(context.Context) error {
 return hc.checkNetAdmin()
 },
@@ -408,7 +416,7 @@ func (hc *HealthChecker) allCategories() []category {
 checkers: []checker{
 {
 description: "control plane components ready",
- hintAnchor: "l5d-existence-psp",
+ hintAnchor: "l5d-existence-psp", // needs https://github.com/linkerd/website/issues/272
 fatal: true,
 check: func(context.Context) error {
 controlPlaneReplicaSet, err := hc.kubeAPI.GetReplicaSets(hc.ControlPlaneNamespace)
@@ -420,7 +428,7 @@ func (hc *HealthChecker) allCategories() []category {
 },
 {
 description: "no unschedulable pods",
- hintAnchor: "l5d-existence-unschedulable-pods",
+ hintAnchor: "l5d-existence-unschedulable-pods", // needs https://github.com/linkerd/website/issues/272
 fatal: true,
 check: func(context.Context) error {
 // do not save this into hc.controlPlanePods, as this check may
@@ -1005,7 +1013,7 @@ func (hc *HealthChecker) checkNetAdmin() error {
 }
 }
- return fmt.Errorf("found %d PodSecurityPolicies, but none provide NET_ADMIN", len(pspList.Items))
+ return fmt.Errorf("found %d PodSecurityPolicies, but none provide NET_ADMIN, proxy injection will fail if the PSP admission controller is running", len(pspList.Items))
 }
 func (hc *HealthChecker) checkClockSkew() error {
diff --git a/pkg/healthcheck/healthcheck_test.go b/pkg/healthcheck/healthcheck_test.go
index 15d2f7c52154f..bd426dfae2853 100644
--- a/pkg/healthcheck/healthcheck_test.go
+++ b/pkg/healthcheck/healthcheck_test.go
@@ -404,7 +404,7 @@ spec:
 requiredDropCapabilities: - ALL`,
 },
- fmt.Errorf("found 1 PodSecurityPolicies, but none provide NET_ADMIN"),
+ fmt.Errorf("found 1 PodSecurityPolicies, but none provide NET_ADMIN, proxy injection will fail if the PSP admission controller is running"),
 },
 }
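Review bot: `warning: true` on the NET_ADMIN checker downgrades every error checkNetAdmin returns, not only the "none provide NET_ADMIN" case shown in the @@ -1005 hunk; if the PSP list call itself fails (for example a forbidden list), and checkNetAdmin propagates that error as the visible tail suggests, it now surfaces as the same kind of warning as a genuine capability gap and is easy to wave past. Either keep an API or permission failure fatal, or word that error so the two cases are distinguishable in `linkerd check` output. The reason for the downgrade lives only in the commit message, so I would record it next to the flag, `warning: true, // PSP admission may not be enabled; NET_ADMIN only matters for proxy injection when it is`. The checker's body is outside the hunk.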
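Review bot: The `// needs https://github.com/linkerd/website/issues/272` comments added on the `l5d-existence-psp` and `l5d-existence-unschedulable-pods` hintAnchor lines (hunks @@ -408 and @@ -420) record open work but are not marked as such, so a grep for TODO will not find them; `// TODO: doc anchor missing, see https://github.com/linkerd/website/issues/272` says the same thing in the form tooling picks up. The first of the two also keeps an anchor ending in `-psp` for a check described as "control plane components ready", which looks like it will point users at the wrong doc section once that page exists; worth a note in the same comment if the rename is intentionally deferred.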
diff --git a/test/testdata/check.pre.golden b/test/testdata/check.pre.golden
index d6a19efc05d1a..a621157788026 100644
--- a/test/testdata/check.pre.golden
+++ b/test/testdata/check.pre.golden
@@ -15,6 +15,7 @@ pre-kubernetes-setup
 √ can create ClusterRoles
 √ can create ClusterRoleBindings
 √ can create CustomResourceDefinitions
+√ can create PodSecurityPolicies
 √ can create ServiceAccounts
 √ can create Services
 √ can create Deployments