diff --git a/cluster/addons/calico-policy-controller/podsecuritypolicies/calico-node-psp-binding.yaml b/cluster/addons/calico-policy-controller/podsecuritypolicies/calico-node-psp-binding.yaml
new file mode 100644
index 0000000000000..9394d1d273466
--- /dev/null
+++ b/cluster/addons/calico-policy-controller/podsecuritypolicies/calico-node-psp-binding.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: gce:podsecuritypolicy:calico
+ namespace: kube-system
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+ kubernetes.io/cluster-service: "true"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: gce:podsecuritypolicy:privileged
+subjects:
+- kind: ServiceAccount
+ name: calico
+ namespace: kube-system
diff --git a/cluster/addons/cluster-monitoring/google/heapster-controller.yaml b/cluster/addons/cluster-monitoring/google/heapster-controller.yaml
index e0386f33ef40f..9e3e207181d3b 100644
--- a/cluster/addons/cluster-monitoring/google/heapster-controller.yaml
+++ b/cluster/addons/cluster-monitoring/google/heapster-controller.yaml
@@ -58,26 +58,12 @@ spec:
 - /heapster
 - --source=kubernetes.summary_api:''
 - --sink=gcm
- volumeMounts:
- - name: ssl-certs
- mountPath: /etc/ssl/certs
- readOnly: true
- - name: usr-ca-certs
- mountPath: /usr/share/ca-certificates
- readOnly: true
 - image: gcr.io/google_containers/heapster-amd64:v1.4.3
 name: eventer
 command:
 - /eventer
 - --source=kubernetes:''
 - --sink=gcl
- volumeMounts:
- - name: ssl-certs
- mountPath: /etc/ssl/certs
- readOnly: true
- - name: usr-ca-certs
- mountPath: /usr/share/ca-certificates
- readOnly: true
 - image: gcr.io/google_containers/addon-resizer:1.7
 name: heapster-nanny
 resources:
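Review bot: The new RoleBinding hands the `gce:podsecuritypolicy:privileged` ClusterRole to the `calico` ServiceAccount, but nothing in this diff switches the calico-node DaemonSet to `serviceAccountName: calico`; if those pods still run under the namespace's `default` SA the binding is inert and they will be rejected once PSP admission is enforced, so confirm the DaemonSet manifest outside this diff. Scoping it as a RoleBinding in kube-system rather than a ClusterRoleBinding is the right choice: only pods in that namespace using this SA inherit the privileged policy. A one-line comment above `subjects:` naming the workload the SA belongs to (`# used by the calico-node DaemonSet in kube-system`) would make the grant auditable without that lookup.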
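Review bot: Dropping the `/etc/ssl/certs` and `/usr/share/ca-certificates` hostPath mounts removes the host's CA bundle from the heapster and eventer containers while the image tag `gcr.io/google_containers/heapster-amd64:v1.4.3` is left unchanged; the `gcm` and `gcl` sinks are TLS endpoints, so the image must now carry its own CA bundle or certificate verification of those sinks fails at runtime. Presumably that image ships ca-certificates — verify on the image rather than assume. The removal itself is a good least-privilege change, since these hostPath volumes were the only reason the heapster pod needed hostPath access under a PodSecurityPolicy.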
@@ -136,13 +122,6 @@ spec:
 - --container=eventer
 - --poll-period=300000
 - --estimator=exponential
- volumes:
- - name: ssl-certs
- hostPath:
- path: "/etc/ssl/certs"
- - name: usr-ca-certs
- hostPath:
- path: "/usr/share/ca-certificates"
 serviceAccountName: heapster
 tolerations:
 - key: "CriticalAddonsOnly"
diff --git a/cluster/addons/cluster-monitoring/googleinfluxdb/heapster-controller-combined.yaml b/cluster/addons/cluster-monitoring/googleinfluxdb/heapster-controller-combined.yaml
index a022f65a95bef..ff6e7db5ed7cd 100644
--- a/cluster/addons/cluster-monitoring/googleinfluxdb/heapster-controller-combined.yaml
+++ b/cluster/addons/cluster-monitoring/googleinfluxdb/heapster-controller-combined.yaml
@@ -59,26 +59,12 @@ spec:
 - --source=kubernetes.summary_api:''
 - --sink=influxdb:http://monitoring-influxdb:8086
 - --sink=gcm:?metrics=autoscaling
- volumeMounts:
- - name: ssl-certs
- mountPath: /etc/ssl/certs
- readOnly: true
- - name: usr-ca-certs
- mountPath: /usr/share/ca-certificates
- readOnly: true
 - image: gcr.io/google_containers/heapster-amd64:v1.4.3
 name: eventer
 command:
 - /eventer
 - --source=kubernetes:''
 - --sink=gcl
- volumeMounts:
- - name: ssl-certs
- mountPath: /etc/ssl/certs
- readOnly: true
- - name: usr-ca-certs
- mountPath: /usr/share/ca-certificates
- readOnly: true
 - image: gcr.io/google_containers/addon-resizer:1.7
 name: heapster-nanny
 resources:
@@ -137,13 +123,6 @@ spec:
 - --container=eventer
 - --poll-period=300000
 - --estimator=exponential
- volumes:
- - name: ssl-certs
- hostPath:
- path: "/etc/ssl/certs"
- - name: usr-ca-certs
- hostPath:
- path: "/usr/share/ca-certificates"
 serviceAccountName: heapster
 tolerations:
 - key: "CriticalAddonsOnly"
diff --git a/cluster/addons/cluster-monitoring/stackdriver/heapster-controller.yaml b/cluster/addons/cluster-monitoring/stackdriver/heapster-controller.yaml
index b9eb1673a37e9..b69d3f6beaf55 100644
--- a/cluster/addons/cluster-monitoring/stackdriver/heapster-controller.yaml
+++ b/cluster/addons/cluster-monitoring/stackdriver/heapster-controller.yaml
@@ -56,13 +56,6 @@ spec:
 - /heapster
 - --source=kubernetes.summary_api:''
 - --sink=stackdriver:?cluster_name={{ cluster_name }}&min_interval_sec=100&batch_export_timeout_sec=110
- volumeMounts:
- - name: ssl-certs
- mountPath: /etc/ssl/certs
- readOnly: true
- - name: usr-ca-certs
- mountPath: /usr/share/ca-certificates
- readOnly: true
 # BEGIN_PROMETHEUS_TO_SD
 - name: prom-to-sd
 image: gcr.io/google-containers/prometheus-to-sd:v0.2.2
@@ -112,13 +105,6 @@ spec:
 - --container=heapster
 - --poll-period=300000
 - --estimator=exponential
- volumes:
- - name: ssl-certs
- hostPath:
- path: "/etc/ssl/certs"
- - name: usr-ca-certs
- hostPath:
- path: "/usr/share/ca-certificates"
 serviceAccountName: heapster
 tolerations:
 - key: "CriticalAddonsOnly"
diff --git a/cluster/addons/etcd-empty-dir-cleanup/etcd-empty-dir-cleanup.yaml b/cluster/addons/etcd-empty-dir-cleanup/etcd-empty-dir-cleanup.yaml
index cf7e5b5f5156a..05943c8c4161c 100644
--- a/cluster/addons/etcd-empty-dir-cleanup/etcd-empty-dir-cleanup.yaml
+++ b/cluster/addons/etcd-empty-dir-cleanup/etcd-empty-dir-cleanup.yaml
@@ -1,4 +1,14 @@
 apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: etcd-empty-dir-cleanup
+ namespace: kube-system
+ labels:
+ k8s-app: etcd-empty-dir-cleanup
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+---
+apiVersion: v1
 kind: Pod
 metadata:
 name: etcd-empty-dir-cleanup
@@ -8,6 +18,7 @@ metadata:
 labels:
 k8s-app: etcd-empty-dir-cleanup
 spec:
+ serviceAccountName: etcd-empty-dir-cleanup
 hostNetwork: true
 dnsPolicy: Default
 containers:
diff --git a/cluster/addons/etcd-empty-dir-cleanup/podsecuritypolicies/etcd-empty-dir-cleanup-psp-binding.yaml b/cluster/addons/etcd-empty-dir-cleanup/podsecuritypolicies/etcd-empty-dir-cleanup-psp-binding.yaml
new file mode 100644
index 0000000000000..77003f69c5ffa
--- /dev/null
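Review bot: The pod now gets a dedicated ServiceAccount whose only visible purpose is to let PSP admission authorize it, yet `automountServiceAccountToken` is left at its default, so a kube-system SA token is still mounted into a `hostNetwork: true` pod; unless the cleanup container (its spec continues past the end of the hunk) actually needs the API server, add `  automountServiceAccountToken: false` directly under `serviceAccountName: etcd-empty-dir-cleanup`. Doing so also removes the token Secret volume, which presumably is the only reason the companion PodSecurityPolicy has to allow the `secret` volume type at all. A short comment on the new `serviceAccountName` line, `# identity used only for PodSecurityPolicy admission`, would record the intent for the next reader.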
+++ b/cluster/addons/etcd-empty-dir-cleanup/podsecuritypolicies/etcd-empty-dir-cleanup-psp-binding.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: gce:podsecuritypolicy:etcd-empty-dir-cleanup
+ namespace: kube-system
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+ kubernetes.io/cluster-service: "true"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: gce:podsecuritypolicy:etcd-empty-dir-cleanup
+subjects:
+- kind: ServiceAccount
+ name: etcd-empty-dir-cleanup
+ namespace: kube-system
diff --git a/cluster/addons/etcd-empty-dir-cleanup/podsecuritypolicies/etcd-empty-dir-cleanup-psp-role.yaml b/cluster/addons/etcd-empty-dir-cleanup/podsecuritypolicies/etcd-empty-dir-cleanup-psp-role.yaml
new file mode 100644
index 0000000000000..6b577479d590c
--- /dev/null
+++ b/cluster/addons/etcd-empty-dir-cleanup/podsecuritypolicies/etcd-empty-dir-cleanup-psp-role.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: gce:podsecuritypolicy:etcd-empty-dir-cleanup
+ namespace: kube-system
+ labels:
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+rules:
+- apiGroups:
+ - extensions
+ resourceNames:
+ - gce.etcd-empty-dir-cleanup
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
diff --git a/cluster/addons/etcd-empty-dir-cleanup/podsecuritypolicies/etcd-empty-dir-cleanup-psp.yaml b/cluster/addons/etcd-empty-dir-cleanup/podsecuritypolicies/etcd-empty-dir-cleanup-psp.yaml
new file mode 100644
index 0000000000000..d51c4781148c2
--- /dev/null
+++ b/cluster/addons/etcd-empty-dir-cleanup/podsecuritypolicies/etcd-empty-dir-cleanup-psp.yaml
@@ -0,0 +1,31 @@
+apiVersion: extensions/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: gce.etcd-empty-dir-cleanup
+ annotations:
+ kubernetes.io/description: 'Policy used by the etcd-empty-dir-cleanup addon.'
+ # TODO: etcd-empty-dir-cleanup should run with the default seccomp profile
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+ # 'runtime/default' is already the default, but must be filled in on the
+ # pod to pass admission.
+ apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
+ apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+ labels:
+ kubernetes.io/cluster-service: 'true'
+ addonmanager.kubernetes.io/mode: Reconcile
+spec:
+ privileged: false
+ volumes:
+ - 'secret'
+ hostNetwork: true
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'RunAsAny'
+ fsGroup:
+ rule: 'RunAsAny'
+ readOnlyRootFilesystem: false
diff --git a/cluster/addons/fluentd-elasticsearch/podsecuritypolicies/es-psp-binding.yaml b/cluster/addons/fluentd-elasticsearch/podsecuritypolicies/es-psp-binding.yaml
new file mode 100644
index 0000000000000..fbe06861ce73d
--- /dev/null
+++ b/cluster/addons/fluentd-elasticsearch/podsecuritypolicies/es-psp-binding.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: gce:podsecuritypolicy:elasticsearch-logging
+ namespace: kube-system
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+ kubernetes.io/cluster-service: "true"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: gce:podsecuritypolicy:privileged
+subjects:
+- kind: ServiceAccount
+ name: elasticsearch-logging
+ namespace: kube-system
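Review bot: The policy leaves `allowPrivilegeEscalation` and `requiredDropCapabilities` unset under `spec`, so a pod admitted through it keeps the runtime's default capability set and can still gain privileges through setuid binaries, on top of the `hostNetwork: true` and `runAsUser: RunAsAny` it already grants; unless the cleanup container (defined in a different file) needs them, add `allowPrivilegeEscalation: false` and `requiredDropCapabilities: ['ALL']` next to `privileged: false`. The seccomp wildcard is already tracked by the TODO in the annotations, so it is not repeated here. It would also help to state in the `kubernetes.io/description` annotation why `hostNetwork` is required, since that is the one host-namespace grant the policy makes.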
diff --git a/cluster/gce/addons/podsecuritypolicies/event-exporter-binding.yaml b/cluster/addons/fluentd-gcp/podsecuritypolicies/event-exporter-psp-binding.yaml
similarity index 100%
rename from cluster/gce/addons/podsecuritypolicies/event-exporter-binding.yaml
rename to cluster/addons/fluentd-gcp/podsecuritypolicies/event-exporter-psp-binding.yaml
diff --git a/cluster/gce/addons/podsecuritypolicies/event-exporter-role.yaml b/cluster/addons/fluentd-gcp/podsecuritypolicies/event-exporter-psp-role.yaml
similarity index 100%
rename from cluster/gce/addons/podsecuritypolicies/event-exporter-role.yaml
rename to cluster/addons/fluentd-gcp/podsecuritypolicies/event-exporter-psp-role.yaml
diff --git a/cluster/gce/addons/podsecuritypolicies/event-exporter.yaml b/cluster/addons/fluentd-gcp/podsecuritypolicies/event-exporter-psp.yaml
similarity index 100%
rename from cluster/gce/addons/podsecuritypolicies/event-exporter.yaml
rename to cluster/addons/fluentd-gcp/podsecuritypolicies/event-exporter-psp.yaml
diff --git a/cluster/gce/addons/podsecuritypolicies/fluentd-gcp-binding.yaml b/cluster/addons/fluentd-gcp/podsecuritypolicies/fluentd-gcp-psp-binding.yaml
similarity index 100%
rename from cluster/gce/addons/podsecuritypolicies/fluentd-gcp-binding.yaml
rename to cluster/addons/fluentd-gcp/podsecuritypolicies/fluentd-gcp-psp-binding.yaml
diff --git a/cluster/gce/addons/podsecuritypolicies/fluentd-gcp-role.yaml b/cluster/addons/fluentd-gcp/podsecuritypolicies/fluentd-gcp-psp-role.yaml
similarity index 100%
rename from cluster/gce/addons/podsecuritypolicies/fluentd-gcp-role.yaml
rename to cluster/addons/fluentd-gcp/podsecuritypolicies/fluentd-gcp-psp-role.yaml
diff --git a/cluster/gce/addons/podsecuritypolicies/fluentd-gcp.yaml b/cluster/addons/fluentd-gcp/podsecuritypolicies/fluentd-gcp-psp.yaml
similarity index 100%
rename from cluster/gce/addons/podsecuritypolicies/fluentd-gcp.yaml
rename to cluster/addons/fluentd-gcp/podsecuritypolicies/fluentd-gcp-psp.yaml
diff --git a/cluster/addons/ip-masq-agent/ip-masq-agent.yaml b/cluster/addons/ip-masq-agent/ip-masq-agent.yaml
index 02152357fb4f2..f6bb21c01b933 100644
--- a/cluster/addons/ip-masq-agent/ip-masq-agent.yaml
+++ b/cluster/addons/ip-masq-agent/ip-masq-agent.yaml
@@ -1,3 +1,13 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: ip-masq-agent
+ namespace: kube-system
+ labels:
+ k8s-app: ip-masq-agent
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+---
 # https://github.com/kubernetes-incubator/ip-masq-agent/blob/v2.0.0/README.md
 apiVersion: extensions/v1beta1
 kind: DaemonSet
@@ -14,6 +24,7 @@ spec:
 annotations:
 scheduler.alpha.kubernetes.io/critical-pod: ''
 spec:
+ serviceAccountName: ip-masq-agent
 hostNetwork: true
 containers:
 - name: ip-masq-agent
diff --git a/cluster/addons/ip-masq-agent/podsecuritypolicies/ip-masq-agent-psp-binding.yaml b/cluster/addons/ip-masq-agent/podsecuritypolicies/ip-masq-agent-psp-binding.yaml
new file mode 100644
index 0000000000000..95f056ef755e9
--- /dev/null
+++ b/cluster/addons/ip-masq-agent/podsecuritypolicies/ip-masq-agent-psp-binding.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: gce:podsecuritypolicy:ip-masq-agent
+ namespace: kube-system
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+ kubernetes.io/cluster-service: "true"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: gce:podsecuritypolicy:privileged
+subjects:
+- kind: ServiceAccount
+ name: ip-masq-agent
+ namespace: kube-system
diff --git a/cluster/gce/addons/podsecuritypolicies/metadata-proxy-binding.yaml b/cluster/addons/metadata-proxy/gce/podsecuritypolicies/metadata-proxy-psp-binding.yaml
similarity index 100%
rename from cluster/gce/addons/podsecuritypolicies/metadata-proxy-binding.yaml
rename to cluster/addons/metadata-proxy/gce/podsecuritypolicies/metadata-proxy-psp-binding.yaml
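Review bot: Binding the new `ip-masq-agent` ServiceAccount to the `gce:podsecuritypolicy:privileged` ClusterRole is broader than an iptables-masquerade agent needs; if the DaemonSet's container, which continues past the end of the second hunk, only requests `NET_ADMIN` in its securityContext, a dedicated policy with `hostNetwork: true` and `allowedCapabilities: ['NET_ADMIN']` would keep `privileged: false` instead of granting the full privileged profile to every pod that runs as this SA. As with the other addons in this commit the SA appears to exist only to satisfy PSP admission, so `  automountServiceAccountToken: false` beside `serviceAccountName: ip-masq-agent` avoids mounting an API token the agent presumably never uses — confirm against the container's config source. A comment on the RoleBinding such as `# ip-masq-agent manipulates host iptables and needs hostNetwork + NET_ADMIN` would document why any elevated policy is bound here.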
diff --git a/cluster/gce/addons/podsecuritypolicies/npd-binding.yaml b/cluster/addons/node-problem-detector/podsecuritypolicies/npd-psp-binding.yaml
similarity index 100%
rename from cluster/gce/addons/podsecuritypolicies/npd-binding.yaml
rename to cluster/addons/node-problem-detector/podsecuritypolicies/npd-psp-binding.yaml
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index ebd1a07580699..8d3e8a46e8bae 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -1681,14 +1681,35 @@ function start-cluster-autoscaler {
 fi
 }
 
-# A helper function for copying addon manifests and set dir/files
-# permissions.
+# A helper function for setting up addon manifests.
 #
 # $1: addon category under /etc/kubernetes
 # $2: manifest source dir
+# $3: (optional) auxilary manifest source dir
 function setup-addon-manifests {
- local -r src_dir="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty/$2"
+ local -r src_dir="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty"
 local -r dst_dir="/etc/kubernetes/$1/$2"
+
+ copy-manifests "${src_dir}/$2" "${dst_dir}"
+
+ # If the PodSecurityPolicy admission controller is enabled,
+ # set up the corresponding addon policies.
+ if [[ "${ENABLE_POD_SECURITY_POLICY:-}" == "true" ]]; then
+ local -r psp_dir="${src_dir}/${3:-$2}/podsecuritypolicies"
+ if [[ -d "${psp_dir}" ]]; then
+ copy-manifests "${psp_dir}" "${dst_dir}"
+ fi
+ fi
+}
+
+# A helper function for copying manifests and setting dir/files
+# permissions.
+#
+# $1: absolute source dir
+# $2: absolute destination dir
+function copy-manifests {
+ local -r src_dir="$1"
+ local -r dst_dir="$2"
 if [[ ! -d "${dst_dir}" ]]; then
 mkdir -p "${dst_dir}"
 fi
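Review bot: The new `$3` parameter of `setup-addon-manifests` is documented only as an "auxilary manifest source dir", which neither spells the word correctly nor says what it changes; since its sole effect is `${src_dir}/${3:-$2}/podsecuritypolicies`, the header should read `# $3: (optional) dir under the manifest root whose podsecuritypolicies/ subdir holds this addon's PSP manifests; defaults to $2`. It is also worth a comment that the PSP bindings are only laid down when `ENABLE_POD_SECURITY_POLICY` is "true" at the time this runs, so presumably turning the admission controller on later without re-running setup leaves the addons without their `use` grants. The body of `copy-manifests`, which now owns the directory and file permission handling the old comment described, continues past the end of the hunk.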
@@ -1753,7 +1774,7 @@ function start-kube-addons {
 
 setup-addon-manifests "addons" "rbac"
 if [[ "${ENABLE_POD_SECURITY_POLICY:-}" == "true" ]]; then
- setup-addon-manifests "addons" "podsecuritypolicies"
+ setup-addon-manifests "addons" "podsecuritypolicies"
 fi
 
 # Set up manifests of other addons.
@@ -1850,7 +1871,7 @@ function start-kube-addons {
 fi
 if [[ "${ENABLE_NODE_PROBLEM_DETECTOR:-}" == "standalone" ]]; then
 # Setup role binding for standalone node problem detector.
- setup-addon-manifests "addons" "node-problem-detector/standalone"
+ setup-addon-manifests "addons" "node-problem-detector/standalone" "node-problem-detector"
 fi
 if echo "${ADMISSION_CONTROL:-}" | grep -q "LimitRanger"; then
 setup-addon-manifests "admission-controls" "limit-range"