This repository has been archived by the owner on Jun 24, 2020. It is now read-only.

Support for PodSecurityPolicy #171

Open
yu2003w opened this issue Sep 18, 2019 · 0 comments

Comments

Contributor

yu2003w commented Sep 18, 2019

If PodSecurityPolicy is enabled in the k8s cluster, the autoscaler and activator deployments will not be available without a proper PSP.

Currently we could inject the PSP when creating the CR, as below:

apiVersion: v1
kind: Namespace
metadata:
 name: knative-serving
---
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: knative-serving-psp
  labels:
    serving.knative.dev/release: devel
    serving.knative.dev/controller: "true"
spec:
  allowPrivilegeEscalation: true
  allowedCapabilities:
  - 'NET_ADMIN'
  fsGroup:
    rule: RunAsAny
  privileged: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
    - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: knative-serving-psp
  labels:
    serving.knative.dev/controller: "true"
rules:
- apiGroups:
  - extensions
  resourceNames:
  - knative-serving-psp
  resources:
  - podsecuritypolicies
  verbs:
  - use
---
apiVersion: v1
kind: Secret
metadata:
  name: regsec
  namespace: knative-serving
data:
  .dockerconfigjson: eyJhdXRocyI6IHsiaWNwZGV2LmljcDo4NTAwIjogeyJhdXRoIjogIllXUnRhVzQ2WVdSdGFXND0ifX19Cg==
type: kubernetes.io/dockerconfigjson
---
apiVersion: serving.knative.dev/v1alpha1
kind: KnativeServing
metadata:
  name: knative-serving
  namespace: knative-serving
spec:
  registry:
    override:
    imagePullSecrets:

Could serving-operator support PodSecurityPolicy?
If so, users would only need to enable PSP support when they create the CR, and the PSP-related stuff could be created by serving-operator automatically.

Proposal:

apiVersion: serving.knative.dev/v1alpha1
kind: KnativeServing
metadata:
  name: knative-serving
  namespace: knative-serving
spec:
  registry:
    override:
    imagePullSecrets:
  podSecurityPolicySupport: false
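As an added example (not code from the issue or from the serving-operator project), the audit below runs over the manifests above: it flags the PSP settings that make the policy effectively unrestricted and checks whether any (Cluster)RoleBinding actually grants `use` on it, since a PSP plus a ClusterRole with no binding admits no pods at all. It assumes the documents are already parsed into dicts; the in-memory copy is constructed from the issue's manifest.

```python
# Added example (not the issue's or the serving-operator's code): audit a PSP bundle.
from typing import Dict, List

# Constructed in-memory copy of the issue's PodSecurityPolicy and ClusterRole.
MANIFEST: List[Dict] = [
    {"kind": "PodSecurityPolicy", "metadata": {"name": "knative-serving-psp"},
     "spec": {"privileged": True, "allowPrivilegeEscalation": True,
              "allowedCapabilities": ["NET_ADMIN"],
              "runAsUser": {"rule": "RunAsAny"}, "volumes": ["*"]}},
    {"kind": "ClusterRole", "metadata": {"name": "knative-serving-psp"},
     "rules": [{"apiGroups": ["extensions"], "resourceNames": ["knative-serving-psp"],
                "resources": ["podsecuritypolicies"], "verbs": ["use"]}]},
]

# Capabilities that hand a container host- or network-level control.
RISKY_CAPS = {"NET_ADMIN", "SYS_ADMIN", "SYS_PTRACE", "NET_RAW"}

def audit_psp(spec: Dict) -> List[str]:
    """Return findings for settings that make a PSP effectively unrestricted."""
    findings = []
    if spec.get("privileged"):
        findings.append("privileged containers allowed")
    if spec.get("allowPrivilegeEscalation", True):  # PSP default is true
        findings.append("privilege escalation allowed")
    caps = RISKY_CAPS & set(spec.get("allowedCapabilities", []))
    if caps:
        findings.append("risky capabilities: " + ", ".join(sorted(caps)))
    if spec.get("runAsUser", {}).get("rule") == "RunAsAny":
        findings.append("containers may run as root (runAsUser: RunAsAny)")
    if "*" in spec.get("volumes", []):
        findings.append("all volume types allowed, including hostPath")
    return findings

def psp_subjects(docs: List[Dict], psp_name: str) -> List[str]:
    """Subjects bound to a role granting 'use' on psp_name (empty: nobody can use it)."""
    roles = {d["metadata"]["name"] for d in docs if d["kind"].endswith("Role")
             and any("podsecuritypolicies" in r.get("resources", [])
                     and "use" in r.get("verbs", [])
                     and psp_name in r.get("resourceNames", [psp_name])
                     for r in d.get("rules", []))}
    return [f'{s["kind"]}:{s.get("namespace", "")}:{s["name"]}'
            for d in docs if d["kind"].endswith("RoleBinding")
            and d["roleRef"]["name"] in roles for s in d.get("subjects", [])]

def audit_manifest(docs: List[Dict]) -> Dict[str, Dict]:
    """Per-PSP report of permissive settings and who is allowed to use it."""
    return {d["metadata"]["name"]: {"findings": audit_psp(d["spec"]),
                                    "subjects": psp_subjects(docs, d["metadata"]["name"])}
            for d in docs if d["kind"] == "PodSecurityPolicy"}
```

For the manifest in this issue the report lists five findings and an empty subject list, which is the signal that a binding for the controller service accounts still has to be added before the policy takes effect.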