diff --git a/chart/templates/psp.yaml b/chart/templates/psp.yaml new file mode 100644 index 0000000000000..4ab840dc1a5c7 --- /dev/null +++ b/chart/templates/psp.yaml @@ -0,0 +1,77 @@ +{{with .Values -}} +--- +### +### Control Plane PSP +### +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: linkerd-{{.Namespace}}-control-plane +spec: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + {{- if not .NoInitContainer }} + allowedCapabilities: + - NET_ADMIN + {{- end}} + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + runAsUser: + rule: RunAsAny + fsGroup: + rule: RunAsAny + volumes: + - configMap + - emptyDir + - secret +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: linkerd-psp + namespace: {{.Namespace}} +rules: +- apiGroups: ['policy', 'extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - linkerd-{{.Namespace}}-control-plane +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-psp + namespace: {{.Namespace}} +roleRef: + kind: Role + name: linkerd-psp + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-controller + namespace: {{.Namespace}} +- kind: ServiceAccount + name: linkerd-grafana + namespace: {{.Namespace}} +- kind: ServiceAccount + name: linkerd-identity + namespace: {{.Namespace}} +- kind: ServiceAccount + name: linkerd-prometheus + namespace: {{.Namespace}} +- kind: ServiceAccount + name: linkerd-proxy-injector + namespace: {{.Namespace}} +- kind: ServiceAccount + name: linkerd-sp-validator + namespace: {{.Namespace}} +- kind: ServiceAccount + name: linkerd-tap + namespace: {{.Namespace}} +- kind: ServiceAccount + name: linkerd-web + namespace: {{.Namespace}} +{{end -}} diff --git a/cli/cmd/install.go b/cli/cmd/install.go index 78b52c5a9f2f4..0416238b2dfd1 100644 --- a/cli/cmd/install.go +++ b/cli/cmd/install.go 
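Review bot: `allowedCapabilities: [NET_ADMIN]` in the control-plane PSP is available to every container of every pod running under the eight bound service accounts, not only to the proxy-init container that needs it, and because no `requiredDropCapabilities` is set those containers also keep the runtime's default capability set. If the proxy-init container spec already declares `capabilities: {drop: [ALL], add: [NET_ADMIN]}` (not visible here), adding `requiredDropCapabilities: [ALL]` next to `allowedCapabilities` makes the policy enforce that shape instead of merely permitting the capability. The `{{- if not .NoInitContainer }}` branch is the right place to tighten further: with no init container nothing in this policy needs root, so `runAsUser: {rule: MustRunAsNonRoot}` in that branch is worth considering if the control-plane images run as a non-root user, which I cannot confirm from this diff. A short comment above `allowedCapabilities` saying which container consumes NET_ADMIN would also help the next reader of the template.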
@@ -229,7 +229,7 @@ func newInstallIdentityOptionsWithDefaults() *installIdentityOptions { } // newCmdInstallConfig is a subcommand for `linkerd install config` -func newCmdInstallConfig(options *installOptions) *cobra.Command { +func newCmdInstallConfig(options *installOptions, parentFlags *pflag.FlagSet) *cobra.Command { cmd := &cobra.Command{ Use: "config [flags]", Args: cobra.NoArgs, @@ -245,15 +245,18 @@ resources for the Linkerd control plane. This command should be followed by # Install Linkerd into a non-default namespace. linkerd install config -l linkerdtest | kubectl apply -f -`, RunE: func(cmd *cobra.Command, args []string) error { - return installRunE(options, configStage, nil) + return installRunE(options, configStage, parentFlags) }, } + cniEnabledFlag := parentFlags.Lookup("linkerd-cni-enabled") + cmd.Flags().AddFlag(cniEnabledFlag) + return cmd } // newCmdInstallControlPlane is a subcommand for `linkerd install control-plane` -func newCmdInstallControlPlane(options *installOptions) *cobra.Command { +func newCmdInstallControlPlane(options *installOptions, parentFlags *pflag.FlagSet) *cobra.Command { // The base flags are recorded separately so that they can be serialized into // the configuration in validateAndBuild. flags := options.recordableFlagSet() @@ -281,6 +284,9 @@ control plane. It should be run after "linkerd install config".`, }, } + cniEnabledFlag := parentFlags.Lookup("linkerd-cni-enabled") + cmd.Flags().AddFlag(cniEnabledFlag) + cmd.PersistentFlags().BoolVar( &options.skipChecks, "skip-checks", options.skipChecks, `Skip checks for namespace existence`, @@ -328,8 +334,8 @@ control plane.`, cmd.Flags().AddFlagSet(installOnlyFlags) cmd.PersistentFlags().AddFlagSet(installPersistentFlags) - cmd.AddCommand(newCmdInstallConfig(options)) - cmd.AddCommand(newCmdInstallControlPlane(options)) + cmd.AddCommand(newCmdInstallConfig(options, flags)) + cmd.AddCommand(newCmdInstallControlPlane(options, flags)) return cmd } 
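Review bot: `parentFlags.Lookup("linkerd-cni-enabled")` in the @@ -245 hunk returns nil when the parent set does not define that flag, and `cmd.Flags().AddFlag(nil)` then dereferences it inside pflag, so a future rename of the flag in `recordableFlagSet` (the literal is defined there a third time) would surface as an opaque nil-pointer panic at command construction; the same two lines are repeated in the @@ -281 hunk of `newCmdInstallControlPlane`. A package-level `const cniEnabledFlagName = "linkerd-cni-enabled"` shared by the three sites plus an explicit `if cniEnabledFlag == nil { panic("parent flag set is missing " + cniEnabledFlagName) }` keeps them in step and makes the failure name the flag. The new `parentFlags` parameter is also undocumented on both constructors; something like `// parentFlags must contain the "linkerd-cni-enabled" flag, which is re-exposed on this subcommand so it can be given at either level.` would do. Both enclosing functions extend beyond these hunks.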
@@ -400,7 +406,7 @@ func (options *installOptions) recordableFlagSet() *pflag.FlagSet { ) flags.BoolVar(&options.noInitContainer, "linkerd-cni-enabled", options.noInitContainer, - "Experimental: Omit the proxy-init container when injecting the proxy; requires the linkerd-cni plugin to already be installed", + "Experimental: Omit the NET_ADMIN capability in the PSP and the proxy-init container when injecting the proxy; requires the linkerd-cni plugin to already be installed", ) flags.StringVar( @@ -645,6 +651,7 @@ func (values *installValues) render(w io.Writer, configs *pb.All) error { {Name: "templates/proxy_injector-rbac.yaml"}, {Name: "templates/sp_validator-rbac.yaml"}, {Name: "templates/tap-rbac.yaml"}, + {Name: "templates/psp.yaml"}, }...) } diff --git a/cli/cmd/testdata/install-cni-plugin_default.golden b/cli/cmd/testdata/install-cni-plugin_default.golden index 05d924dec91bd..35e97ef6a409c 100644 --- a/cli/cmd/testdata/install-cni-plugin_default.golden +++ b/cli/cmd/testdata/install-cni-plugin_default.golden 
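Review bot: `{Name: "templates/psp.yaml"}` in the @@ -645 hunk is appended unconditionally, so every install now emits a PodSecurityPolicy with its Role and RoleBinding even on clusters that do not run the PodSecurityPolicy admission plugin or do not serve `policy/v1beta1`, where the objects are either inert or, if the API is absent, make the generated manifest fail to apply. If that is intended it deserves a one-line comment at this entry; otherwise a boolean in the chart values (name to be chosen) gating both this list entry and the `{{with .Values -}}` block in psp.yaml would give operators an opt-out. The `render` method continues outside the hunk, so I cannot see whether the list is filtered elsewhere.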
@@ -4,12 +4,57 @@ apiVersion: v1 metadata: name: linkerd --- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: linkerd-linkerd-cni +spec: + allowPrivilegeEscalation: false + fsGroup: + rule: RunAsAny + hostNetwork: true + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + volumes: + - hostPath + - secret +--- apiVersion: v1 kind: ServiceAccount metadata: name: linkerd-cni namespace: linkerd --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: linkerd-cni + namespace: linkerd +rules: +- apiGroups: ['extensions', 'policy'] + resources: ['podsecuritypolicies'] + resourceNames: + - linkerd-linkerd-cni + verbs: ['use'] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-cni + namespace: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: linkerd-cni +subjects: +- kind: ServiceAccount + name: linkerd-cni + namespace: linkerd +--- # Include a clusterrole for the linkerd CNI DaemonSet, # and bind it to the linkerd-cni serviceaccount. kind: ClusterRole diff --git a/cli/cmd/testdata/install-cni-plugin_fully_configured.golden b/cli/cmd/testdata/install-cni-plugin_fully_configured.golden index b88d8bd9d02ef..99ce2b22db118 100644 --- a/cli/cmd/testdata/install-cni-plugin_fully_configured.golden +++ b/cli/cmd/testdata/install-cni-plugin_fully_configured.golden 
@@ -4,12 +4,57 @@ apiVersion: v1 metadata: name: other --- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: linkerd-other-cni +spec: + allowPrivilegeEscalation: false + fsGroup: + rule: RunAsAny + hostNetwork: true + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + volumes: + - hostPath + - secret +--- apiVersion: v1 kind: ServiceAccount metadata: name: linkerd-cni namespace: other --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: linkerd-cni + namespace: other +rules: +- apiGroups: ['extensions', 'policy'] + resources: ['podsecuritypolicies'] + resourceNames: + - linkerd-other-cni + verbs: ['use'] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-cni + namespace: other +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: linkerd-cni +subjects: +- kind: ServiceAccount + name: linkerd-cni + namespace: other +--- # Include a clusterrole for the linkerd CNI DaemonSet, # and bind it to the linkerd-cni serviceaccount. kind: ClusterRole diff --git a/cli/cmd/testdata/install-cni-plugin_fully_configured_equal_dsts.golden b/cli/cmd/testdata/install-cni-plugin_fully_configured_equal_dsts.golden index 881e7cfcfd070..17a2f423f2b12 100644 --- a/cli/cmd/testdata/install-cni-plugin_fully_configured_equal_dsts.golden +++ b/cli/cmd/testdata/install-cni-plugin_fully_configured_equal_dsts.golden 
@@ -4,12 +4,57 @@ apiVersion: v1 metadata: name: other --- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: linkerd-other-cni +spec: + allowPrivilegeEscalation: false + fsGroup: + rule: RunAsAny + hostNetwork: true + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + volumes: + - hostPath + - secret +--- apiVersion: v1 kind: ServiceAccount metadata: name: linkerd-cni namespace: other --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: linkerd-cni + namespace: other +rules: +- apiGroups: ['extensions', 'policy'] + resources: ['podsecuritypolicies'] + resourceNames: + - linkerd-other-cni + verbs: ['use'] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-cni + namespace: other +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: linkerd-cni +subjects: +- kind: ServiceAccount + name: linkerd-cni + namespace: other +--- # Include a clusterrole for the linkerd CNI DaemonSet, # and bind it to the linkerd-cni serviceaccount. kind: ClusterRole diff --git a/cli/cmd/testdata/install_config.golden b/cli/cmd/testdata/install_config.golden index 9290b50fffce8..4a7d07a42af57 100644 --- a/cli/cmd/testdata/install_config.golden +++ b/cli/cmd/testdata/install_config.golden 
@@ -424,3 +424,76 @@ metadata: name: linkerd-tap namespace: linkerd --- +### +### Control Plane PSP +### +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: linkerd-linkerd-control-plane +spec: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + allowedCapabilities: + - NET_ADMIN + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + runAsUser: + rule: RunAsAny + fsGroup: + rule: RunAsAny + volumes: + - configMap + - emptyDir + - secret +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: linkerd-psp + namespace: linkerd +rules: +- apiGroups: ['policy', 'extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - linkerd-linkerd-control-plane +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-psp + namespace: linkerd +roleRef: + kind: Role + name: linkerd-psp + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-controller + namespace: linkerd +- kind: ServiceAccount + name: linkerd-grafana + namespace: linkerd +- kind: ServiceAccount + name: linkerd-identity + namespace: linkerd +- kind: ServiceAccount + name: linkerd-prometheus + namespace: linkerd +- kind: ServiceAccount + name: linkerd-proxy-injector + namespace: linkerd +- kind: ServiceAccount + name: linkerd-sp-validator + namespace: linkerd +- kind: ServiceAccount + name: linkerd-tap + namespace: linkerd +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd +--- diff --git a/cli/cmd/testdata/install_default.golden b/cli/cmd/testdata/install_default.golden index dee629e5d15a0..db994f4ac17ac 100644 --- a/cli/cmd/testdata/install_default.golden +++ b/cli/cmd/testdata/install_default.golden 
@@ -424,6 +424,79 @@ metadata: name: linkerd-tap namespace: linkerd --- +### +### Control Plane PSP +### +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: linkerd-linkerd-control-plane +spec: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + allowedCapabilities: + - NET_ADMIN + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + runAsUser: + rule: RunAsAny + fsGroup: + rule: RunAsAny + volumes: + - configMap + - emptyDir + - secret +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: linkerd-psp + namespace: linkerd +rules: +- apiGroups: ['policy', 'extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - linkerd-linkerd-control-plane +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-psp + namespace: linkerd +roleRef: + kind: Role + name: linkerd-psp + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-controller + namespace: linkerd +- kind: ServiceAccount + name: linkerd-grafana + namespace: linkerd +- kind: ServiceAccount + name: linkerd-identity + namespace: linkerd +- kind: ServiceAccount + name: linkerd-prometheus + namespace: linkerd +- kind: ServiceAccount + name: linkerd-proxy-injector + namespace: linkerd +- kind: ServiceAccount + name: linkerd-sp-validator + namespace: linkerd +- kind: ServiceAccount + name: linkerd-tap + namespace: linkerd +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd +--- kind: ConfigMap apiVersion: v1 metadata: diff --git a/cli/cmd/testdata/install_ha_output.golden b/cli/cmd/testdata/install_ha_output.golden index 638f2c01248c7..1bedf592e09f3 100644 --- a/cli/cmd/testdata/install_ha_output.golden +++ b/cli/cmd/testdata/install_ha_output.golden 
@@ -424,6 +424,79 @@ metadata: name: linkerd-tap namespace: linkerd --- +### +### Control Plane PSP +### +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: linkerd-linkerd-control-plane +spec: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + allowedCapabilities: + - NET_ADMIN + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + runAsUser: + rule: RunAsAny + fsGroup: + rule: RunAsAny + volumes: + - configMap + - emptyDir + - secret +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: linkerd-psp + namespace: linkerd +rules: +- apiGroups: ['policy', 'extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - linkerd-linkerd-control-plane +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-psp + namespace: linkerd +roleRef: + kind: Role + name: linkerd-psp + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-controller + namespace: linkerd +- kind: ServiceAccount + name: linkerd-grafana + namespace: linkerd +- kind: ServiceAccount + name: linkerd-identity + namespace: linkerd +- kind: ServiceAccount + name: linkerd-prometheus + namespace: linkerd +- kind: ServiceAccount + name: linkerd-proxy-injector + namespace: linkerd +- kind: ServiceAccount + name: linkerd-sp-validator + namespace: linkerd +- kind: ServiceAccount + name: linkerd-tap + namespace: linkerd +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd +--- kind: ConfigMap apiVersion: v1 metadata: diff --git a/cli/cmd/testdata/install_ha_with_overrides_output.golden b/cli/cmd/testdata/install_ha_with_overrides_output.golden index 1ff114e1f6478..5c9d3a4bfdb3c 100644 --- a/cli/cmd/testdata/install_ha_with_overrides_output.golden +++ b/cli/cmd/testdata/install_ha_with_overrides_output.golden 
@@ -424,6 +424,79 @@ metadata: name: linkerd-tap namespace: linkerd --- +### +### Control Plane PSP +### +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: linkerd-linkerd-control-plane +spec: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + allowedCapabilities: + - NET_ADMIN + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + runAsUser: + rule: RunAsAny + fsGroup: + rule: RunAsAny + volumes: + - configMap + - emptyDir + - secret +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: linkerd-psp + namespace: linkerd +rules: +- apiGroups: ['policy', 'extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - linkerd-linkerd-control-plane +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-psp + namespace: linkerd +roleRef: + kind: Role + name: linkerd-psp + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-controller + namespace: linkerd +- kind: ServiceAccount + name: linkerd-grafana + namespace: linkerd +- kind: ServiceAccount + name: linkerd-identity + namespace: linkerd +- kind: ServiceAccount + name: linkerd-prometheus + namespace: linkerd +- kind: ServiceAccount + name: linkerd-proxy-injector + namespace: linkerd +- kind: ServiceAccount + name: linkerd-sp-validator + namespace: linkerd +- kind: ServiceAccount + name: linkerd-tap + namespace: linkerd +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd +--- kind: ConfigMap apiVersion: v1 metadata: diff --git a/cli/cmd/testdata/install_no_init_container.golden b/cli/cmd/testdata/install_no_init_container.golden index 41dcc15f5b232..a263b1d63e8d6 100644 --- a/cli/cmd/testdata/install_no_init_container.golden +++ b/cli/cmd/testdata/install_no_init_container.golden 
@@ -424,6 +424,77 @@ metadata: name: linkerd-tap namespace: linkerd --- +### +### Control Plane PSP +### +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: linkerd-linkerd-control-plane +spec: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + runAsUser: + rule: RunAsAny + fsGroup: + rule: RunAsAny + volumes: + - configMap + - emptyDir + - secret +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: linkerd-psp + namespace: linkerd +rules: +- apiGroups: ['policy', 'extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - linkerd-linkerd-control-plane +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-psp + namespace: linkerd +roleRef: + kind: Role + name: linkerd-psp + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-controller + namespace: linkerd +- kind: ServiceAccount + name: linkerd-grafana + namespace: linkerd +- kind: ServiceAccount + name: linkerd-identity + namespace: linkerd +- kind: ServiceAccount + name: linkerd-prometheus + namespace: linkerd +- kind: ServiceAccount + name: linkerd-proxy-injector + namespace: linkerd +- kind: ServiceAccount + name: linkerd-sp-validator + namespace: linkerd +- kind: ServiceAccount + name: linkerd-tap + namespace: linkerd +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd +--- kind: ConfigMap apiVersion: v1 metadata: diff --git a/cli/cmd/testdata/install_output.golden b/cli/cmd/testdata/install_output.golden index 53c1a6e14031f..f973700889266 100644 --- a/cli/cmd/testdata/install_output.golden +++ b/cli/cmd/testdata/install_output.golden 
@@ -424,6 +424,79 @@ metadata: name: linkerd-tap namespace: Namespace --- +### +### Control Plane PSP +### +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: linkerd-Namespace-control-plane +spec: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + allowedCapabilities: + - NET_ADMIN + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + runAsUser: + rule: RunAsAny + fsGroup: + rule: RunAsAny + volumes: + - configMap + - emptyDir + - secret +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: linkerd-psp + namespace: Namespace +rules: +- apiGroups: ['policy', 'extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - linkerd-Namespace-control-plane +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-psp + namespace: Namespace +roleRef: + kind: Role + name: linkerd-psp + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-controller + namespace: Namespace +- kind: ServiceAccount + name: linkerd-grafana + namespace: Namespace +- kind: ServiceAccount + name: linkerd-identity + namespace: Namespace +- kind: ServiceAccount + name: linkerd-prometheus + namespace: Namespace +- kind: ServiceAccount + name: linkerd-proxy-injector + namespace: Namespace +- kind: ServiceAccount + name: linkerd-sp-validator + namespace: Namespace +- kind: ServiceAccount + name: linkerd-tap + namespace: Namespace +- kind: ServiceAccount + name: linkerd-web + namespace: Namespace +--- kind: ConfigMap apiVersion: v1 metadata: diff --git a/cli/cmd/testdata/upgrade_default.golden b/cli/cmd/testdata/upgrade_default.golden index d2e6ea8fbd189..aa7c53023af26 100644 --- a/cli/cmd/testdata/upgrade_default.golden +++ b/cli/cmd/testdata/upgrade_default.golden 
@@ -424,6 +424,79 @@ metadata: name: linkerd-tap namespace: linkerd --- +### +### Control Plane PSP +### +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: linkerd-linkerd-control-plane +spec: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + allowedCapabilities: + - NET_ADMIN + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + runAsUser: + rule: RunAsAny + fsGroup: + rule: RunAsAny + volumes: + - configMap + - emptyDir + - secret +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: linkerd-psp + namespace: linkerd +rules: +- apiGroups: ['policy', 'extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - linkerd-linkerd-control-plane +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-psp + namespace: linkerd +roleRef: + kind: Role + name: linkerd-psp + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-controller + namespace: linkerd +- kind: ServiceAccount + name: linkerd-grafana + namespace: linkerd +- kind: ServiceAccount + name: linkerd-identity + namespace: linkerd +- kind: ServiceAccount + name: linkerd-prometheus + namespace: linkerd +- kind: ServiceAccount + name: linkerd-proxy-injector + namespace: linkerd +- kind: ServiceAccount + name: linkerd-sp-validator + namespace: linkerd +- kind: ServiceAccount + name: linkerd-tap + namespace: linkerd +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd +--- kind: ConfigMap apiVersion: v1 metadata: diff --git a/cli/cmd/testdata/upgrade_ha.golden b/cli/cmd/testdata/upgrade_ha.golden index bf3af9422f62f..6ef1bb02a2885 100644 --- a/cli/cmd/testdata/upgrade_ha.golden +++ b/cli/cmd/testdata/upgrade_ha.golden 
@@ -424,6 +424,79 @@ metadata: name: linkerd-tap namespace: linkerd --- +### +### Control Plane PSP +### +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: linkerd-linkerd-control-plane +spec: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + allowedCapabilities: + - NET_ADMIN + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + runAsUser: + rule: RunAsAny + fsGroup: + rule: RunAsAny + volumes: + - configMap + - emptyDir + - secret +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: linkerd-psp + namespace: linkerd +rules: +- apiGroups: ['policy', 'extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - linkerd-linkerd-control-plane +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-psp + namespace: linkerd +roleRef: + kind: Role + name: linkerd-psp + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-controller + namespace: linkerd +- kind: ServiceAccount + name: linkerd-grafana + namespace: linkerd +- kind: ServiceAccount + name: linkerd-identity + namespace: linkerd +- kind: ServiceAccount + name: linkerd-prometheus + namespace: linkerd +- kind: ServiceAccount + name: linkerd-proxy-injector + namespace: linkerd +- kind: ServiceAccount + name: linkerd-sp-validator + namespace: linkerd +- kind: ServiceAccount + name: linkerd-tap + namespace: linkerd +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd +--- kind: ConfigMap apiVersion: v1 metadata: diff --git a/cli/install/cni-template.go b/cli/install/cni-template.go index 9c9fec3158a29..17fd08e5b4eab 100644 --- a/cli/install/cni-template.go +++ b/cli/install/cni-template.go 
@@ -18,19 +18,65 @@ package install -// CNITemplate provides the base template for the `linkerd install-cni-plugin` command. -const CNITemplate = `### Namespace ### +const ( + // CNITemplate provides the base template for the `linkerd install-cni-plugin` command. + CNITemplate = `### Namespace ### kind: Namespace apiVersion: v1 metadata: name: {{.Namespace}} --- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: linkerd-{{.Namespace}}-cni +spec: + allowPrivilegeEscalation: false + fsGroup: + rule: RunAsAny + hostNetwork: true + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + volumes: + - hostPath + - secret +--- apiVersion: v1 kind: ServiceAccount metadata: name: linkerd-cni namespace: {{.Namespace}} --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: linkerd-cni + namespace: {{.Namespace}} +rules: +- apiGroups: ['extensions', 'policy'] + resources: ['podsecuritypolicies'] + resourceNames: + - linkerd-{{.Namespace}}-cni + verbs: ['use'] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-cni + namespace: {{.Namespace}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: linkerd-cni +subjects: +- kind: ServiceAccount + name: linkerd-cni + namespace: {{.Namespace}} +--- # Include a clusterrole for the linkerd CNI DaemonSet, # and bind it to the linkerd-cni serviceaccount. kind: ClusterRole @@ -207,3 +253,4 @@ spec: path: {{.DestCNINetDir}} {{- end }} ` +)
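Review bot: the CNI PSP permits `hostPath` volumes without an `allowedHostPaths` list, so any pod admitted under it may mount any host directory read-write, although the DaemonSet later in this template only needs the CNI directories it already parameterizes (`path: {{.DestCNINetDir}}` is visible in the second hunk). Restricting the grant to those prefixes, `allowedHostPaths:` / `- pathPrefix: {{.DestCNINetDir}}` / `- pathPrefix: <CNI bin dir value — placeholder, use the template's existing field>`, keeps `hostNetwork: true` and `runAsUser: RunAsAny`, which the installer genuinely needs to write into host directories, while removing the general host-filesystem permission from the linkerd-cni service account. The `const (` block opened here is closed by the `)` added in the second hunk; the rest of the template lies between the two hunks.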