From 4fc295dec4737a56730d46b3a7033fb1ba7a3ad0 Mon Sep 17 00:00:00 2001
From: jasonBirchall
Date: Wed, 12 May 2021 15:56:29 +0100
Subject: [PATCH 1/3] Add AWS-node serviceaccount to priv psp
---
 .../vpc/eks/components/resources/psp/pod-security-policy.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/terraform/aws-accounts/cloud-platform-aws/vpc/eks/components/resources/psp/pod-security-policy.yaml b/terraform/aws-accounts/cloud-platform-aws/vpc/eks/components/resources/psp/pod-security-policy.yaml
index 5e5efdc20..d3cf5fc90 100644
--- a/terraform/aws-accounts/cloud-platform-aws/vpc/eks/components/resources/psp/pod-security-policy.yaml
+++ b/terraform/aws-accounts/cloud-platform-aws/vpc/eks/components/resources/psp/pod-security-policy.yaml
@@ -125,6 +125,9 @@ roleRef: kind: ClusterRole name: psp:privileged subjects: +- kind: ServiceAccount + name: aws-node + namespace: kube-system - kind: ServiceAccount name: metrics-server namespace: kube-system
From 81ba53ddf6786d5c11fd672842720e6ebb26cc79 Mon Sep 17 00:00:00 2001
From: jasonBirchall
Date: Wed, 12 May 2021 16:08:19 +0100
Subject: [PATCH 2/3] Remove capability drop of `NET_RAW` and remove additional sa
---
 .../eks/components/resources/psp/pod-security-policy.yaml | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/terraform/aws-accounts/cloud-platform-aws/vpc/eks/components/resources/psp/pod-security-policy.yaml b/terraform/aws-accounts/cloud-platform-aws/vpc/eks/components/resources/psp/pod-security-policy.yaml
index d3cf5fc90..8b9dc018a 100644
--- a/terraform/aws-accounts/cloud-platform-aws/vpc/eks/components/resources/psp/pod-security-policy.yaml
+++ b/terraform/aws-accounts/cloud-platform-aws/vpc/eks/components/resources/psp/pod-security-policy.yaml
@@ -15,8 +15,6 @@ spec: allowedCapabilities: - NET_BIND_SERVICE - NET_ADMIN - requiredDropCapabilities: - - NET_RAW volumes: - '*' hostNetwork: true
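Review bot: The `aws-node` subject added under `psp:privileged` in hunk `@@ -125,6 +125,9 @@` appears to duplicate an entry already present further down the same `subjects:` list — patch 3's hunk `@@ -132,9 +179,6 @@` removes a `kube-system`/`aws-node` ServiceAccount that sits after `kube-proxy` under that same key — so this hunk grants nothing the binding did not already grant. A duplicated subject is harmless to RBAC evaluation but makes the binding harder to audit, and patch 2 in this series reverts the hunk anyway. The ClusterRoleBinding being edited starts before the hunk.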
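Review bot: Dropping `requiredDropCapabilities: - NET_RAW` from the shared policy in hunk `@@ -15,8 +15,6 @@` widens every subject bound to `psp:privileged`, not only `aws-node` — `metrics-server`, `kube-proxy` and `sonarqube-sonarqube` are all visible as subjects of that binding in later hunks. Patch 3's message says NET_RAW should remain dropped cluster-wide and restores the two lines, so this intermediate state should not be left as a commit that could be cherry-picked on its own; squashing patches 2 and 3 would avoid that. The `spec:` block being edited begins before the hunk.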
@@ -125,9 +123,6 @@ roleRef: kind: ClusterRole name: psp:privileged subjects: -- kind: ServiceAccount - name: aws-node - namespace: kube-system - kind: ServiceAccount name: metrics-server namespace: kube-system
From bf06493e72264a56f286626923e72ccd77af0a68 Mon Sep 17 00:00:00 2001
From: jasonBirchall
Date: Wed, 12 May 2021 16:43:32 +0100
Subject: [PATCH 3/3] Add aws-node pod security policy
The aws-node component requires the `NET_RAW` capability. This was dropped by all resources as part of https://github.com/ministryofjustice/cloud-platform-infrastructure/pull/943 and should remain dropped. As the component requires it and there is no sight of when it'll be amended, it was suggested that a separate PSP is created and maintained supporting only `aws-node`.
---
 .../resources/psp/pod-security-policy.yaml | 63 ++++++++++++++++++-
 1 file changed, 60 insertions(+), 3 deletions(-)
diff --git a/terraform/aws-accounts/cloud-platform-aws/vpc/eks/components/resources/psp/pod-security-policy.yaml b/terraform/aws-accounts/cloud-platform-aws/vpc/eks/components/resources/psp/pod-security-policy.yaml
index 8b9dc018a..2c6c0dcd4 100644
--- a/terraform/aws-accounts/cloud-platform-aws/vpc/eks/components/resources/psp/pod-security-policy.yaml
+++ b/terraform/aws-accounts/cloud-platform-aws/vpc/eks/components/resources/psp/pod-security-policy.yaml
@@ -15,6 +15,8 @@ spec: allowedCapabilities: - NET_BIND_SERVICE - NET_ADMIN + requiredDropCapabilities: + - NET_RAW volumes: - '*' hostNetwork: true
@@ -79,6 +81,40 @@ spec: max: 65535 readOnlyRootFilesystem: false --- +# aws-node requires the NET_RAW capability. To ensure this is restricted to one deployment this PSP +# was created. +# Relevant until https://github.com/aws/amazon-vpc-cni-k8s/issues/796 is merged. +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: aws-node + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' + labels: + kubernetes.io/cluster-service: "true" +spec: + privileged: true + allowPrivilegeEscalation: true + allowedCapabilities: + - NET_BIND_SERVICE + - NET_ADMIN + volumes: + - '*' + hostNetwork: true + hostPorts: + - min: 0 + max: 65535 + hostIPC: true + hostPID: true + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' +--- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -102,6 +138,17 @@ rules: - restricted --- apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: psp:aws-node +rules: +- apiGroups: ['policy'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - aws-node +--- +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: default:restricted
@@ -132,9 +179,6 @@ subjects: - kind: ServiceAccount name: kube-proxy namespace: kube-system -- kind: ServiceAccount - name: aws-node - namespace: kube-system - kind: ServiceAccount name: sonarqube-sonarqube namespace: sonarqube
@@ -168,3 +212,16 @@ subjects: - kind: Group name: system:serviceaccounts:opa apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: default:aws-node +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: psp:aws-node +subjects: +- kind: ServiceAccount + name: aws-node + namespace: kube-system
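Review bot: The new `aws-node` PodSecurityPolicy in hunk `@@ -79,6 +81,40 @@` grants the full privileged profile — `privileged: true`, `hostNetwork`/`hostPID`/`hostIPC: true`, `volumes: ['*']` — and mirrors every `psp:privileged` field visible in the earlier hunk, so the "restricted to one deployment" in its header comment holds only through the RBAC binding, and the one spec-level difference is the absent `requiredDropCapabilities`. That mechanism deserves to be spelled out, because NET_RAW is never listed under `allowedCapabilities`: `# NET_RAW is not in allowedCapabilities; it is retained only because this policy omits the requiredDropCapabilities entry that psp:privileged carries.` If the aws-node DaemonSet pod spec does not set `hostPID`/`hostIPC`, both can be `false` here, which the reviewer can confirm against that manifest. Note also that PSP admission prefers non-mutating policies and otherwise picks the first by name, so `aws-node` sorts ahead of `privileged` and `restricted`; that matters if the ServiceAccount is also authorized for another policy via a Group subject.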
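Review bot: Binding only the `kube-system`/`aws-node` ServiceAccount to `psp:aws-node` in hunk `@@ -168,3 +212,16 @@` is the right scope, but it confines aws-node only if no other binding in this file still grants that ServiceAccount `psp:privileged` through a Group subject; the file does use Group subjects (`system:serviceaccounts:opa` in the context lines of this hunk), and a `system:serviceaccounts:kube-system` or `system:authenticated` group bound to the privileged ClusterRole would leave the removal in hunk `@@ -132,9 +179,6 @@` without effect. That check lies outside the diff, so it cannot be confirmed here. A one-line comment on the new binding would record the intent for the next maintainer: `# aws-node is deliberately absent from the psp:privileged binding; it must use only psp:aws-node.`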