Introduce Control Plane's PSP and RBAC resources into Helm templates #2920
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 2 commits
June 10, 2019 21:05
Signed-off-by: Ivan Sim <[email protected]>
Signed-off-by: Ivan Sim <[email protected]>
grampelberg
reviewed
Jun 11, 2019
alpeb
approved these changes
Jun 11, 2019
|
Integration test results for b4c188f: fail 😕 |
The |
ihcsim
force-pushed
the
isim/control-plane-psp
branch
4 times, most recently
from
cc2e48b to
841c442
Compare
|
Integration test results for 841c442: fail 😕 |
ihcsim
force-pushed
the
isim/control-plane-psp
branch
6 times, most recently
from
2064f57 to
994e420
Compare
|
Integration test results for 994e420: fail 😕 |
ihcsim
force-pushed
the
isim/control-plane-psp
branch
from
994e420 to
95e447f
Compare
|
Integration test results for 95e447f: success 🎉 |
Signed-off-by: Ivan Sim <[email protected]>
ihcsim
force-pushed
the
isim/control-plane-psp
branch
from
95e447f to
5d7f6b8
Compare
|
Integration test results for 5d7f6b8: success 🎉 |
…mmands This flag ensures that the NET_ADMIN capability is omitted from the control plane's PSP during 'install config' and the proxy-init containers aren't injected during 'install control-plane'. Signed-off-by: Ivan Sim <[email protected]>
|
Integration test results for 2ff22ff: success 🎉 |
siggy
added a commit
that referenced
this pull request
Jun 18, 2019
The change in #2920 introduced a PodSecurityPolicy, providing `NET_ADMIN` capability to Linkerd. This eliminated the need for a `NET_ADMIN` capability check in `linkerd check`, as the default `linkerd install` now guarantees `NET_ADMIN` capability. At the same time, this added a requirement on that `linkerd install` create a PodSecurityPolicy. Remove the `NET_ADMIN` capability check from `linkerd check`. Introduce a check to validate the user can create a PodSecurityPolicy. Fixes #2884, #2849. Signed-off-by: Andrew Seigner <[email protected]>
siggy
added a commit
that referenced
this pull request
Jun 18, 2019
The change in #2920 introduced a PodSecurityPolicy, providing `NET_ADMIN` capability to Linkerd. This eliminated the need for a `NET_ADMIN` capability check in `linkerd check`, as the default `linkerd install` now guarantees `NET_ADMIN` capability. At the same time, this added a requirement that `linkerd install` create a PodSecurityPolicy. Remove the `NET_ADMIN` capability check from `linkerd check`. Introduce a check to validate the user can create a PodSecurityPolicy. Fixes #2884, #2849. Signed-off-by: Andrew Seigner <[email protected]>
siggy
added a commit
that referenced
this pull request
Jun 18, 2019
The change in #2920 introduced a PodSecurityPolicy, providing `NET_ADMIN` capability to Linkerd. This eliminated the need for a `NET_ADMIN` capability check in `linkerd check`, as the default `linkerd install` now guarantees `NET_ADMIN` capability. At the same time, this added a requirement that `linkerd install` create a PodSecurityPolicy. Remove the `NET_ADMIN` capability check from `linkerd check`. Introduce a check to validate the user can create a PodSecurityPolicy. Fixes #2884, #2849. Signed-off-by: Andrew Seigner <[email protected]>
siggy
added a commit
that referenced
this pull request
Jun 18, 2019
The change in #2920 introduced a PodSecurityPolicy, providing `NET_ADMIN` capability to Linkerd. This eliminated the need for a `NET_ADMIN` capability check in `linkerd check`, as the default `linkerd install` now guarantees `NET_ADMIN` capability. At the same time, this added a requirement that `linkerd install` create a PodSecurityPolicy. Remove the `NET_ADMIN` capability check from `linkerd check`. Introduce a check to validate the user can create a PodSecurityPolicy. Fixes #2884, #2849 Signed-off-by: Andrew Seigner <[email protected]>
siggy
added a commit
that referenced
this pull request
Jun 19, 2019
`linkerd check` validates whether PSP's exist, and if the caller has the `NET_ADMIN` capability. This check was previously failing if `NET_ADMIN` was not found, even in the case where the PSP admission controller was not running. Related, `linkerd install` now includes a PSP, so `linkerd check` should also validate that the caller can create PSP's. Modify the `NET_ADMIN` check to warn, but not fail, if PSP's are found but the caller does not have `NET_ADMIN`. Update the warning message to mention that this is only a problem if the PSP admission controller is running (and will only be a problem during injection, since #2920 handles control plane installation by adding its own PSP). Also introduce a check to validate the caller can create PSP's. Fixes #2884, #2849 Signed-off-by: Andrew Seigner <[email protected]>
siggy
added a commit
that referenced
this pull request
Jun 20, 2019
`linkerd check` validates whether PSP's exist, and if the caller has the `NET_ADMIN` capability. This check was previously failing if `NET_ADMIN` was not found, even in the case where the PSP admission controller was not running. Related, `linkerd install` now includes a PSP, so `linkerd check` should also validate that the caller can create PSP's. Modify the `NET_ADMIN` check to warn, but not fail, if PSP's are found but the caller does not have `NET_ADMIN`. Update the warning message to mention that this is only a problem if the PSP admission controller is running (and will only be a problem during injection, since #2920 handles control plane installation by adding its own PSP). Also introduce a check to validate the caller can create PSP's. Fixes #2884, #2849 Signed-off-by: Andrew Seigner <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR updates
linkerd installto always install the control plane's PSP and RBAC resources. These policies are only in-effect if the PSP admission controller is enabled. Only the Helm templates are changed.Test cases:
Signed-off-by: Ivan Sim [email protected]
Fixes #2892