linkerd check should check for PodSecurityPolicy admission controller #2849
Comments
@jamessthompson Can you take a look at the Linkerd deployments to see whether the Also speaking of RBAC, I think you need to make sure all the Linkerd service accounts have the correct RBAC to
That annotation does not exist, which matches what we determined yesterday. This ticket is more about providing clarity during installs for people like me that have never used the PSP admission controller but have 3rd party charts installed that added PSPs. I thought I had a broken install and reached out on Slack looking for an example of a valid Linkerd PSP.
When #2920 merges, we'll provide a PSP for Linkerd's control plane that will grant the NET_ADMIN capability for non-CNI installs, which will probably render this particular check moot.
The change in #2920 introduced a PodSecurityPolicy, providing `NET_ADMIN` capability to Linkerd. This eliminated the need for a `NET_ADMIN` capability check in `linkerd check`, as the default `linkerd install` now guarantees `NET_ADMIN` capability. At the same time, this added a requirement that `linkerd install` create a PodSecurityPolicy. Remove the `NET_ADMIN` capability check from `linkerd check`. Introduce a check to validate the user can create a PodSecurityPolicy. Fixes #2884, #2849. Signed-off-by: Andrew Seigner <[email protected]>
`linkerd check` validates whether PSPs exist, and if the caller has the `NET_ADMIN` capability. This check was previously failing if `NET_ADMIN` was not found, even in the case where the PSP admission controller was not running. Related, `linkerd install` now includes a PSP, so `linkerd check` should also validate that the caller can create PSPs. Modify the `NET_ADMIN` check to warn, but not fail, if PSPs are found but the caller does not have `NET_ADMIN`. Update the warning message to mention that this is only a problem if the PSP admission controller is running (and will only be a problem during injection, since #2920 handles control plane installation by adding its own PSP). Also introduce a check to validate the caller can create PSPs. Fixes #2884, #2849. Signed-off-by: Andrew Seigner <[email protected]>
Closed via #2958.
Background
Linkerd user @jamessthompson reported a failing `linkerd check --pre`, due to PodSecurityPolicy:

```
$ linkerd check --pre --verbose
...
pre-kubernetes-capability
-------------------------
× has NET_ADMIN capability
    found 7 PodSecurityPolicies, but none provide NET_ADMIN
    see https://linkerd.io/checks/#pre-k8s-cluster-net-admin for hints
```
Despite the failed check, Linkerd successfully installed. This is likely due to the PodSecurityPolicy admission controller not running.
Reproduction
Proposal
Modify `linkerd check --pre` to validate whether the `PodSecurityPolicy` is running, in addition to checking the actual `PodSecurityPolicy`s. If the admission controller is not running, but `PodSecurityPolicy`s still exist that would disallow `NET_ADMIN`, issue a warning. Additionally, if the admission controller is running, and no `PodSecurityPolicy`s are found, this check should fail. This is not the case in the current implementation.

Relevant code: linkerd2/pkg/healthcheck/healthcheck.go, lines 985 to 988 at bd4c278
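The decision logic the proposal above describes, as an added example written for this page (not code from linkerd2's healthcheck.go): it uses a constructed `PSP` type standing in for `spec.allowedCapabilities`, and an `admissionRunning` flag that is assumed to be determined elsewhere, since the issue does not say how to detect the admission controller.

```go
package main

import "fmt"

// Outcome mirrors the three results a linkerd check can report.
type Outcome string

const (
	Pass Outcome = "pass"
	Warn Outcome = "warn"
	Fail Outcome = "fail"
)
// PSP is a constructed stand-in for the one PodSecurityPolicy field that
// matters here, spec.allowedCapabilities; it is not the real k8s.io/api type.
type PSP struct {
	Name                string
	AllowedCapabilities []string
}
// providesNetAdmin reports whether a policy allows NET_ADMIN, by name or via "*".
func providesNetAdmin(p PSP) bool {
	for _, c := range p.AllowedCapabilities {
		if c == "NET_ADMIN" || c == "*" {
			return true
		}
	}
	return false
}

// checkNetAdmin applies the issue's proposal. admissionRunning is assumed to be
// determined elsewhere (the issue does not say how): the check fails only when
// the PSP admission controller would actually enforce the policies, and warns
// when policies exist that would block NET_ADMIN but nothing enforces them.
func checkNetAdmin(admissionRunning bool, psps []PSP) (Outcome, string) {
	for _, p := range psps {
		if providesNetAdmin(p) {
			return Pass, fmt.Sprintf("PodSecurityPolicy %q provides NET_ADMIN", p.Name)
		}
	}
	none := fmt.Sprintf("found %d PodSecurityPolicies, but none provide NET_ADMIN", len(psps))
	switch {
	case admissionRunning && len(psps) == 0:
		return Fail, "PSP admission controller is running but no PodSecurityPolicies exist"
	case admissionRunning:
		return Fail, none
	case len(psps) > 0:
		return Warn, none + " (only a problem if the PSP admission controller is running)"
	}
	return Pass, "no PodSecurityPolicies found and no PSP admission controller running"
}
```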