From f50b5dc1f7d53f66202a11058a39b1a7f2573a7d Mon Sep 17 00:00:00 2001 From: Mauren Berti Date: Fri, 27 Jan 2023 14:41:08 -0500 Subject: [PATCH] Add new PSP flag + add validation for capabilities. * Remove previously added capabilities check. * Add new validation file validate-psp-install.yaml with capabilities and switch check to verify PSPs are installable in the target cluster. * Remove old PSP flags and replace them with the standardized global.cattle.psp.enabled. * Add explanation of the changes for Kubernetes v1.25 to app-readme.md. --- .../generated-changes/overlay/app-readme.md | 18 ++++++++++++++++++ .../templates/validate-psp-install.yaml | 7 +++++++ .../patch/templates/_helpers.tpl.patch | 4 ++-- ...tekeeper-admin-podsecuritypolicy.yaml.patch | 8 ++++++++ ...ekeeper-manager-role-clusterrole.yaml.patch | 11 +++++++++++ .../generated-changes/patch/values.yaml.patch | 10 ++++++++-- .../templates/crd-template/templates/rbac.yaml | 4 ++-- .../templates/validate-psp-install.yaml | 7 +++++++ .../templates/crd-template/values.yaml | 2 ++ release.yaml | 2 ++ 10 files changed, 67 insertions(+), 6 deletions(-) create mode 100644 packages/rancher-gatekeeper/generated-changes/overlay/templates/validate-psp-install.yaml create mode 100644 packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-admin-podsecuritypolicy.yaml.patch create mode 100644 packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-manager-role-clusterrole.yaml.patch create mode 100644 packages/rancher-gatekeeper/templates/crd-template/templates/validate-psp-install.yaml diff --git a/packages/rancher-gatekeeper/generated-changes/overlay/app-readme.md b/packages/rancher-gatekeeper/generated-changes/overlay/app-readme.md index d44cf7b2b..dff688f51 100644 --- a/packages/rancher-gatekeeper/generated-changes/overlay/app-readme.md +++ b/packages/rancher-gatekeeper/generated-changes/overlay/app-readme.md @@ -12,3 +12,21 @@ The chart installs the following components: - [Constraint](https://github.com/open-policy-agent/gatekeeper#constraints) - A constraint is a custom resource that defines the scope of resources which a specific constraint template should apply to. The complete policy is defined by a combination of `ConstraintTemplates` (i.e. what the policy is) and `Constraints` (i.e. what resource to apply the policy to). For more information on how to configure the Helm chart, refer to the Helm README. + +## Upgrading to Kubernetes v1.25+ + +Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. + +As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`. + +> **Note:** +> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`. + +> **Note:** +> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).** +> +> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets. + +Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart. + +As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards. diff --git a/packages/rancher-gatekeeper/generated-changes/overlay/templates/validate-psp-install.yaml b/packages/rancher-gatekeeper/generated-changes/overlay/templates/validate-psp-install.yaml new file mode 100644 index 000000000..a30c59d3b --- /dev/null +++ b/packages/rancher-gatekeeper/generated-changes/overlay/templates/validate-psp-install.yaml @@ -0,0 +1,7 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +#{{- if .Values.global.cattle.psp.enabled }} +#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}} +#{{- end }} +#{{- end }} +#{{- end }} diff --git a/packages/rancher-gatekeeper/generated-changes/patch/templates/_helpers.tpl.patch b/packages/rancher-gatekeeper/generated-changes/patch/templates/_helpers.tpl.patch index 5a1adfe4d..3efbbf353 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/templates/_helpers.tpl.patch +++ b/packages/rancher-gatekeeper/generated-changes/patch/templates/_helpers.tpl.patch @@ -12,7 +12,7 @@ +{{- end -}} +{{- end -}} + -+{{/* + {{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} @@ -27,7 +27,7 @@ +kubernetes.io/os: linux +{{- end -}} + - {{/* ++{{/* Output post install webhook probe container entry */}} {{- define "gatekeeper.postInstallWebhookProbeContainer" -}} diff --git a/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-admin-podsecuritypolicy.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-admin-podsecuritypolicy.yaml.patch new file mode 100644 index 000000000..258ea1897 --- /dev/null +++ b/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-admin-podsecuritypolicy.yaml.patch @@ -0,0 +1,8 @@ +--- charts-original/templates/gatekeeper-admin-podsecuritypolicy.yaml ++++ charts/templates/gatekeeper-admin-podsecuritypolicy.yaml +@@ -1,4 +1,4 @@ +-{{- if and .Values.psp.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} ++{{- if .Values.global.cattle.psp.enabled }} + apiVersion: policy/v1beta1 + kind: PodSecurityPolicy + metadata: diff --git a/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-manager-role-clusterrole.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-manager-role-clusterrole.yaml.patch new file mode 100644 index 000000000..032b83679 --- /dev/null +++ b/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-manager-role-clusterrole.yaml.patch @@ -0,0 +1,11 @@ +--- charts-original/templates/gatekeeper-manager-role-clusterrole.yaml ++++ charts/templates/gatekeeper-manager-role-clusterrole.yaml +@@ -99,7 +99,7 @@ + - patch + - update + - watch +-{{- if and .Values.psp.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} ++{{- if .Values.global.cattle.psp.enabled }} + - apiGroups: + - policy + resourceNames: diff --git a/packages/rancher-gatekeeper/generated-changes/patch/values.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/values.yaml.patch index 7b024d104..1c821099f 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/values.yaml.patch +++ b/packages/rancher-gatekeeper/generated-changes/patch/values.yaml.patch @@ -74,16 +74,22 @@ resources: limits: cpu: 1000m -@@ -232,6 +235,12 @@ +@@ -232,10 +235,16 @@ pdb: controllerManager: minAvailable: 1 +global: + cattle: + systemDefaultRegistry: "" ++ psp: ++ enabled: false + kubectl: + repository: rancher/kubectl + tag: v1.20.2 service: {} disabledBuiltins: ["{http.send}"] - psp: +-psp: +- enabled: true + upgradeCRDs: + enabled: true + extraRules: [] diff --git a/packages/rancher-gatekeeper/templates/crd-template/templates/rbac.yaml b/packages/rancher-gatekeeper/templates/crd-template/templates/rbac.yaml index f8c3644fc..d1df38961 100644 --- a/packages/rancher-gatekeeper/templates/crd-template/templates/rbac.yaml +++ b/packages/rancher-gatekeeper/templates/crd-template/templates/rbac.yaml @@ -10,7 +10,7 @@ rules: resources: - customresourcedefinitions verbs: ['create', 'get', 'patch', 'delete'] -{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }} +{{- if .Values.global.cattle.psp.enabled }} - apiGroups: ['policy'] resources: ['podsecuritypolicies'] verbs: ['use'] @@ -41,7 +41,7 @@ metadata: labels: app: {{ .Chart.Name }}-manager --- -{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }} +{{- if .Values.global.cattle.psp.enabled }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: diff --git a/packages/rancher-gatekeeper/templates/crd-template/templates/validate-psp-install.yaml b/packages/rancher-gatekeeper/templates/crd-template/templates/validate-psp-install.yaml new file mode 100644 index 000000000..a30c59d3b --- /dev/null +++ b/packages/rancher-gatekeeper/templates/crd-template/templates/validate-psp-install.yaml @@ -0,0 +1,7 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +#{{- if .Values.global.cattle.psp.enabled }} +#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}} +#{{- end }} +#{{- end }} +#{{- end }} diff --git a/packages/rancher-gatekeeper/templates/crd-template/values.yaml b/packages/rancher-gatekeeper/templates/crd-template/values.yaml index 657ccacf8..adc0696d8 100644 --- a/packages/rancher-gatekeeper/templates/crd-template/values.yaml +++ b/packages/rancher-gatekeeper/templates/crd-template/values.yaml @@ -5,6 +5,8 @@ global: cattle: systemDefaultRegistry: "" + psp: + enabled: false image: repository: rancher/kubectl diff --git a/release.yaml b/release.yaml index defc61291..ccaf4088f 100644 --- a/release.yaml +++ b/release.yaml @@ -42,8 +42,10 @@ rancher-eks-operator-crd: - 101.2.0+up1.2.0-rc2 rancher-gatekeeper: - 101.1.0+up3.10.0 +- 102.0.0+up3.10.0 rancher-gatekeeper-crd: - 101.1.0+up3.10.0 +- 102.0.0+up3.10.0 rancher-gke-operator: - 101.0.1+up1.1.5 rancher-gke-operator-crd: