New PSP and RBAC resources for the control plane #2892

Closed
alpeb opened this issue Jun 4, 2019 · 2 comments · Fixed by #2920

alpeb (Member) commented Jun 4, 2019

In a cluster with PSP enabled, we need to grant enough privileges to the control plane components or else they won't be scheduled. The creation of these resources doesn't hurt even if the PSP admission controller is not enabled.

A PSP granting enough privileges for the Linkerd containers:

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: linkerd
spec:
  allowPrivilegeEscalation: false
  allowedCapabilities:
  - NET_ADMIN
  fsGroup:
    rule: RunAsAny
  readOnlyRootFilesystem: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  # PSP volume types are case-sensitive and use the pod-spec field names
  - configMap
  - secret
  - emptyDir
```

A ClusterRole pointing to that PSP:

```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: psp:linkerd
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs:     ['use']
  resourceNames:
  - linkerd
```

A ClusterRoleBinding binding that role to all the Linkerd ServiceAccounts:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-rbac
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:linkerd
subjects:
- kind: ServiceAccount
  name: linkerd-controller
  namespace: linkerd
- kind: ServiceAccount
  name: linkerd-grafana
  namespace: linkerd
- kind: ServiceAccount
  name: linkerd-identity
  namespace: linkerd
- kind: ServiceAccount
  name: linkerd-prometheus
  namespace: linkerd
- kind: ServiceAccount
  name: linkerd-proxy-injector
  namespace: linkerd
- kind: ServiceAccount
  name: linkerd-web
  namespace: linkerd
- kind: ServiceAccount
  name: linkerd-sp-validator
  namespace: linkerd
- kind: ServiceAccount
  name: linkerd-tap
  namespace: linkerd
```

For CNI, we also need to create a separate PSP, ClusterRole and ClusterRoleBinding, given the CNI pod requires a bit more privileges.
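As an added example (not code from this issue or from the Linkerd project), a small stdlib-only Python check of the PSP -> ClusterRole -> ClusterRoleBinding chain described above: it verifies that the ClusterRole grants `use` on the named PSP, that the binding's roleRef points at that role, that every expected ServiceAccount is a subject, and that the PSP's volume types use the exact lower-camel-case names the API expects. The manifests are constructed dicts mirroring the issue's YAML, with one volume entry deliberately capitalised to show that last check.

```python
# Added example, not code from the issue or the Linkerd project: a stdlib-only
# static check that the PSP -> ClusterRole -> ClusterRoleBinding chain grants
# every expected ServiceAccount 'use' on the policy. Manifests are constructed dicts.

# PSP volume types are the pod-spec field names, lower camel case, matched exactly.
PSP_VOLUME_TYPES = {"*", "configMap", "secret", "emptyDir", "downwardAPI",
                    "persistentVolumeClaim", "projected", "hostPath", "nfs", "csi"}

def _matches(rule_values, wanted):
    """RBAC list match: exact entry or the '*' wildcard."""
    return wanted in rule_values or "*" in rule_values

def psp_use_granted(role, psp_name):
    """True if some rule in the role grants verb 'use' on this PodSecurityPolicy."""
    for rule in role.get("rules", []):
        if not _matches(rule.get("apiGroups", []), "policy"):
            continue
        if not _matches(rule.get("resources", []), "podsecuritypolicies"):
            continue
        if not _matches(rule.get("verbs", []), "use"):
            continue
        names = rule.get("resourceNames")
        if not names or psp_name in names:  # empty resourceNames means any PSP
            return True
    return False

def check_psp_chain(psp, role, binding, expected_sas):
    """Return findings (empty list = every expected SA can use the PSP)."""
    findings, psp_name = [], psp["metadata"]["name"]
    for vol in psp["spec"].get("volumes", []):
        if vol not in PSP_VOLUME_TYPES:
            findings.append(f"psp: unknown volume type {vol!r} (case-sensitive)")
    if not psp_use_granted(role, psp_name):
        findings.append(f"role: no 'use' on podsecuritypolicy {psp_name}")
    ref = binding["roleRef"]
    if (ref["kind"], ref["name"]) != ("ClusterRole", role["metadata"]["name"]):
        findings.append("binding: roleRef does not point at the PSP ClusterRole")
    bound = {(s["namespace"], s["name"]) for s in binding.get("subjects", [])
             if s["kind"] == "ServiceAccount"}
    findings += [f"binding: ServiceAccount {ns}/{n} not bound"
                 for ns, n in expected_sas if (ns, n) not in bound]
    return findings

# Constructed manifests; 'ConfigMap' is deliberately capitalised to trip the check.
PSP = {"metadata": {"name": "linkerd"},
       "spec": {"allowPrivilegeEscalation": False, "volumes": ["ConfigMap", "secret", "emptyDir"]}}
ROLE = {"metadata": {"name": "psp:linkerd"}, "rules": [{"apiGroups": ["policy"],
        "resources": ["podsecuritypolicies"], "verbs": ["use"], "resourceNames": ["linkerd"]}]}
BINDING = {"roleRef": {"kind": "ClusterRole", "name": "psp:linkerd"}, "subjects": [
    {"kind": "ServiceAccount", "name": n, "namespace": "linkerd"} for n in ("linkerd-controller", "linkerd-tap")]}
EXPECTED = [("linkerd", n) for n in ("linkerd-controller", "linkerd-tap", "linkerd-web")]
```

Running `check_psp_chain(PSP, ROLE, BINDING, EXPECTED)` reports the mis-cased volume type and the ServiceAccount missing from the binding; an empty list means the chain is complete.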

grampelberg added the priority/P0 Release Blocker label Jun 4, 2019
ihcsim self-assigned this Jun 10, 2019

ihcsim (Contributor) commented Jun 10, 2019

@alpeb @grampelberg Do we have any opinion on whether we want to introduce a new install and upgrade option like (--enable-psp), or just always install the policies by default? The policies won't be in-effect until the PSP admission controller is enabled.

grampelberg (Contributor) commented:

I'm a +1 to always installing the policies by default.

github-actions bot locked as resolved and limited conversation to collaborators Jul 17, 2021