diff --git a/charts/internal/shoot-system-components/charts/csi-driver-node/templates/clusterrole-csi-driver.yaml b/charts/internal/shoot-system-components/charts/csi-driver-node/templates/clusterrole-csi-driver.yaml
index 6751369d4..6e95666ee 100644
--- a/charts/internal/shoot-system-components/charts/csi-driver-node/templates/clusterrole-csi-driver.yaml
+++ b/charts/internal/shoot-system-components/charts/csi-driver-node/templates/clusterrole-csi-driver.yaml
@@ -16,7 +16,9 @@ rules:
 - apiGroups: ["storage.k8s.io"]
 resources: ["volumeattachments"]
 verbs: ["get", "list", "watch", "update", "patch"]
+{{- if not .Values.pspDisabled }}
 - apiGroups: ["policy", "extensions"]
 resourceNames: ["{{ include "csi-driver-node.extensionsGroup" . }}.{{ include "csi-driver-node.name" . }}.csi-driver-node"]
 resources: ["podsecuritypolicies"]
 verbs: ["use"]
+{{- end }}
diff --git a/charts/internal/shoot-system-components/charts/csi-driver-node/templates/podsecuritypolicy.yaml b/charts/internal/shoot-system-components/charts/csi-driver-node/templates/podsecuritypolicy.yaml
index b476d0f97..26f2beb7f 100644
--- a/charts/internal/shoot-system-components/charts/csi-driver-node/templates/podsecuritypolicy.yaml
+++ b/charts/internal/shoot-system-components/charts/csi-driver-node/templates/podsecuritypolicy.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.pspDisabled }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
@@ -32,3 +33,4 @@ spec:
 fsGroup:
 rule: RunAsAny
 readOnlyRootFilesystem: false
+{{- end }}
diff --git a/charts/internal/shoot-system-components/charts/csi-driver-node/values.yaml b/charts/internal/shoot-system-components/charts/csi-driver-node/values.yaml
index 1813f1208..ed5637161 100644
--- a/charts/internal/shoot-system-components/charts/csi-driver-node/values.yaml
+++ b/charts/internal/shoot-system-components/charts/csi-driver-node/values.yaml
@@ -45,3 +45,5 @@ resources:
 memory: 32Mi
 limits:
 memory: 150Mi
+
+pspDisabled: false
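Review bot: The new `pspDisabled` value in values.yaml carries no comment, yet it now decides whether the PodSecurityPolicy and the ClusterRole rule granting `use` on it are rendered at all, so a reader of values.yaml has to open both templates to learn what flipping it does. A one-line comment above it would close that gap, e.g. `# pspDisabled: set to true when the shoot's PodSecurityPolicy admission plugin is disabled; the PSP and the 'use' rule in clusterrole-csi-driver.yaml are then not rendered.` It is worth stating in that comment that both templates key off the same value, since rendering the `use` rule without the PSP, or the PSP without the rule, would leave the node driver with a policy it cannot use.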
diff --git a/pkg/controller/controlplane/valuesprovider.go b/pkg/controller/controlplane/valuesprovider.go
index 7caf18be8..84a5cf4a7 100644
--- a/pkg/controller/controlplane/valuesprovider.go
+++ b/pkg/controller/controlplane/valuesprovider.go
@@ -37,7 +37,6 @@ import (
 "github.com/gardener/gardener/pkg/utils/chart"
 gutil "github.com/gardener/gardener/pkg/utils/gardener"
 kutil "github.com/gardener/gardener/pkg/utils/kubernetes"
- "github.com/gardener/gardener/pkg/utils/secrets"
 secretutils "github.com/gardener/gardener/pkg/utils/secrets"
 secretsmanager "github.com/gardener/gardener/pkg/utils/secrets/manager"
 "github.com/gardener/gardener/pkg/utils/version"
@@ -76,7 +75,7 @@ func secretConfigsFunc(namespace string) []extensionssecretsmanager.SecretConfig
 Name: cloudControllerManagerServerName,
 CommonName: azure.CloudControllerManagerName,
 DNSNames: kutil.DNSNamesForService(azure.CloudControllerManagerName, namespace),
- CertType: secrets.ServerCert,
+ CertType: secretutils.ServerCert,
 SkipPublishingCACertificate: true,
 },
 Options: []secretsmanager.GenerateOption{secretsmanager.SignedByCA(caNameControlPlane)},
@@ -710,6 +709,7 @@ func getControlPlaneShootChartValues(
 "url": "https://" + azure.CSISnapshotValidation + "." + cp.Namespace + "/volumesnapshot",
 "caBundle": caBundle,
 },
+ "pspDisabled": gardencorev1beta1helper.IsPSPDisabled(cluster.Shoot),
 },
 azure.RemedyControllerName: map[string]interface{}{
 "enabled": !disableRemedyController,
diff --git a/pkg/controller/controlplane/valuesprovider_test.go b/pkg/controller/controlplane/valuesprovider_test.go
index 6fd9c31ee..4e4f56600 100644
--- a/pkg/controller/controlplane/valuesprovider_test.go
+++ b/pkg/controller/controlplane/valuesprovider_test.go
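Review bot: The new `"pspDisabled": gardencorev1beta1helper.IsPSPDisabled(cluster.Shoot)` line in getControlPlaneShootChartValues passes `cluster.Shoot` without a nil guard; if the helper reads the admission plugin list from the shoot spec, a Cluster without a shoot would panic here instead of surfacing an error. If the function already checks `cluster.Shoot` before this point — its body starts outside the hunk — a short comment such as `// cluster.Shoot is non-nil here (validated above)` would make that dependency visible next to the call. Separately, if `IsPSPDisabled` only inspects the admission plugin list, consider whether shoots on Kubernetes versions that no longer serve policy/v1beta1 also need to yield true, because the chart otherwise keeps rendering the PodSecurityPolicy for them. The import hunk above only collapses the duplicate `secrets`/`secretutils` alias and needs nothing further.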
@@ -38,6 +38,7 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/runtime/schema"
+ "k8s.io/utils/pointer"
 "sigs.k8s.io/controller-runtime/pkg/client"
 fakeclient "sigs.k8s.io/controller-runtime/pkg/client/fake"
 "sigs.k8s.io/controller-runtime/pkg/runtime/inject"
@@ -522,6 +523,7 @@ var _ = Describe("ValuesProvider", func() {
 "url": "https://" + azure.CSISnapshotValidation + "." + cp.Namespace + "/volumesnapshot",
 "caBundle": "",
 },
+ "pspDisabled": false,
 })
 
 values, err := vp.GetControlPlaneShootChartValues(ctx, cp, cluster, fakeSecretsManager, checksums)
@@ -544,6 +546,7 @@ var _ = Describe("ValuesProvider", func() {
 "url": "https://" + azure.CSISnapshotValidation + "." + cp.Namespace + "/volumesnapshot",
 "caBundle": "",
 },
+ "pspDisabled": false,
 })
 
 values, err := vp.GetControlPlaneShootChartValues(ctx, cp, cluster, fakeSecretsManager, checksums)
@@ -584,6 +587,7 @@ var _ = Describe("ValuesProvider", func() {
 "url": "https://" + azure.CSISnapshotValidation + "." + cp.Namespace + "/volumesnapshot",
 "caBundle": "",
 },
+ "pspDisabled": false,
 })
 
 values, err := vp.GetControlPlaneShootChartValues(ctx, cp, cluster, fakeSecretsManager, checksums)
@@ -606,6 +610,7 @@ var _ = Describe("ValuesProvider", func() {
 "url": "https://" + azure.CSISnapshotValidation + "." + cp.Namespace + "/volumesnapshot",
 "caBundle": "",
 },
+ "pspDisabled": false,
 })
 
 values, err := vp.GetControlPlaneShootChartValues(ctx, cp, cluster, fakeSecretsManager, checksums)
@@ -628,6 +633,7 @@ var _ = Describe("ValuesProvider", func() {
 "url": "https://" + azure.CSISnapshotValidation + "." + cp.Namespace + "/volumesnapshot",
 "caBundle": "",
 },
+ "pspDisabled": false,
 })
 
 values, err := vp.GetControlPlaneShootChartValues(ctx, cp, cluster, fakeSecretsManager, checksums)
@@ -656,6 +662,7 @@ var _ = Describe("ValuesProvider", func() {
 "url": "https://" + azure.CSISnapshotValidation + "." + cp.Namespace + "/volumesnapshot",
 "caBundle": "",
 },
+ "pspDisabled": false,
 })
 
 values, err := vp.GetControlPlaneShootChartValues(ctx, cp, cluster, fakeSecretsManager, checksums)
@@ -678,6 +685,7 @@ var _ = Describe("ValuesProvider", func() {
 "url": "https://" + azure.CSISnapshotValidation + "." + cp.Namespace + "/volumesnapshot",
 "caBundle": "",
 },
+ "pspDisabled": false,
 })
 
 values, err := vp.GetControlPlaneShootChartValues(ctx, cp, cluster, fakeSecretsManager, checksums)
@@ -691,6 +699,65 @@ var _ = Describe("ValuesProvider", func() {
 }))
 })
 })
+
+ Context("podSecurityPolicy", func() {
+ It("should return correct shoot control plane chart when PodSecurityPolicy admission plugin is not disabled in the shoot", func() {
+ cluster.Shoot.Spec.Kubernetes.KubeAPIServer = &gardencorev1beta1.KubeAPIServerConfig{
+ AdmissionPlugins: []gardencorev1beta1.AdmissionPlugin{
+ {
+ Name: "PodSecurityPolicy",
+ },
+ },
+ }
+ cp := generateControlPlane(controlPlaneConfig, infrastructureStatus)
+ csiNode := utils.MergeMaps(csiNodeNotEnabled, map[string]interface{}{
+ "webhookConfig": map[string]interface{}{
+ "url": "https://" + azure.CSISnapshotValidation + "." + cp.Namespace + "/volumesnapshot",
+ "caBundle": "",
+ },
+ "pspDisabled": false,
+ })
+
+ values, err := vp.GetControlPlaneShootChartValues(ctx, cp, cluster, fakeSecretsManager, checksums)
+ Expect(err).NotTo(HaveOccurred())
+ Expect(values).To(Equal(map[string]interface{}{
+ "global": globalVpaDisabled,
+ azure.AllowEgressName: enabledTrue,
+ azure.CloudControllerManagerName: enabledTrue,
+ azure.CSINodeName: csiNode,
+ azure.RemedyControllerName: enabledTrue,
+ }))
+ })
+
+ It("should return correct shoot control plane chart when PodSecurityPolicy admission plugin is disabled in the shoot", func() {
+ cluster.Shoot.Spec.Kubernetes.KubeAPIServer = &gardencorev1beta1.KubeAPIServerConfig{
+ AdmissionPlugins: []gardencorev1beta1.AdmissionPlugin{
+ {
+ Name: "PodSecurityPolicy",
+ Disabled: pointer.Bool(true),
+ },
+ },
+ }
+ cp := generateControlPlane(controlPlaneConfig, infrastructureStatus)
+ csiNode := utils.MergeMaps(csiNodeNotEnabled, map[string]interface{}{
+ "webhookConfig": map[string]interface{}{
+ "url": "https://" + azure.CSISnapshotValidation + "." + cp.Namespace + "/volumesnapshot",
+ "caBundle": "",
+ },
+ "pspDisabled": true,
+ })
+
+ values, err := vp.GetControlPlaneShootChartValues(ctx, cp, cluster, fakeSecretsManager, checksums)
+ Expect(err).NotTo(HaveOccurred())
+ Expect(values).To(Equal(map[string]interface{}{
+ "global": globalVpaDisabled,
+ azure.AllowEgressName: enabledTrue,
+ azure.CloudControllerManagerName: enabledTrue,
+ azure.CSINodeName: csiNode,
+ azure.RemedyControllerName: enabledTrue,
+ }))
+ })
+ })
 })
 
 Describe("#GetControlPlaneShootCRDsChartValues", func() {
diff --git a/test/integration/bastion/bastion_test.go b/test/integration/bastion/bastion_test.go
index 7e9c7f3ae..0dc5e1334 100644
--- a/test/integration/bastion/bastion_test.go
+++ b/test/integration/bastion/bastion_test.go
@@ -186,7 +186,7 @@ var _ = BeforeSuite(func() { log = logf.Log.WithName("bastion-test") - log.Info("test environment client publicIP: ", myPublicIP) + log.Info("test environment client publicIP", "publicIP", myPublicIP) By("starting test environment") testEnv = &envtest.Environment{
@@ -397,7 +397,7 @@ func verifyPort42IsClosed(ctx context.Context, c client.Client, bastion *extensi
 }
 
 func prepareNewResourceGroup(ctx context.Context, log logr.Logger, az *azureClientSet, groupName, location string) error {
- log.Info("generating new ResourceGroups: %s", groupName)
+ log.Info("generating new ResourceGroups", "groupName", groupName)
 _, err := az.groups.CreateOrUpdate(ctx, groupName, resources.Group{
 Location: to.StringPtr(location),
 })
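Review bot: Both new `It` blocks in the "podSecurityPolicy" Context assign `cluster.Shoot.Spec.Kubernetes.KubeAPIServer` on the shared `cluster` and never restore it; unless `cluster` is rebuilt in a `BeforeEach` (not visible in the hunk), the second spec and any later spec in this Describe inherits the mutated admission plugin list and spec ordering starts to matter. Resetting the field in an `AfterEach`, or constructing a fresh shoot inside each spec, keeps the two cases independent of each other and of the existing specs that expect `"pspDisabled": false`. The pair is otherwise well chosen: identical expectation maps except for `"pspDisabled": true`, so a regression in the helper is pinned from both sides.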
@@ -405,7 +405,7 @@ func prepareNewResourceGroup(ctx context.Context, log logr.Logger, az *azureClie
 }
 
 func prepareSecurityGroup(ctx context.Context, log logr.Logger, resourceGroupName string, securityGroupName string, az *azureClientSet, location string) (network.SecurityGroup, error) {
- log.Info("generating new SecurityGroups: %s", securityGroupName)
+ log.Info("generating new SecurityGroups", "securityGroupName", securityGroupName)
 future, err := az.securityGroups.CreateOrUpdate(ctx, resourceGroupName, securityGroupName, network.SecurityGroup{
 Location: to.StringPtr(location),
 })
@@ -418,7 +418,7 @@ func prepareSecurityGroup(ctx context.Context, log logr.Logger, resourceGroupNam
 }
 
 func prepareNewVNet(ctx context.Context, log logr.Logger, az *azureClientSet, resourceGroupName, vNetName, subnetName, location, cidr string, nsg network.SecurityGroup) error {
- log.Info("generating new resource Group/VNet/subnetName: %s/%s/%s", resourceGroupName, vNetName, subnetName)
+ log.Info("generating new resource Group/VNet/subnetName", "resourceGroupName", resourceGroupName, " vNetName", vNetName, "subnetName", subnetName)
 vNetFuture, err := az.vnet.CreateOrUpdate(ctx, resourceGroupName, vNetName, network.VirtualNetwork{
 VirtualNetworkPropertiesFormat: &network.VirtualNetworkPropertiesFormat{
 AddressSpace: &network.AddressSpace{
diff --git a/test/integration/infrastructure/infrastructure_test.go b/test/integration/infrastructure/infrastructure_test.go
index 1e1a48e61..533d793ee 100644
--- a/test/integration/infrastructure/infrastructure_test.go
+++ b/test/integration/infrastructure/infrastructure_test.go
@@ -496,7 +496,7 @@ func runTest( infra *extensionsv1alpha1.Infrastructure identifier azureIdentifier ) - log.Info("test running in namespace: %s", namespaceName) + log.Info("test running in namespace", "namespaceName", namespaceName) // Cleanup defer func() {
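Review bot: The structured log call added in `prepareNewVNet` (hunk at 418) uses the key `" vNetName"` with a leading space, so the emitted field name does not match the other keys and will not line up with field-based filtering on `vNetName`. Change it to `log.Info("generating new resource Group/VNet/subnetName", "resourceGroupName", resourceGroupName, "vNetName", vNetName, "subnetName", subnetName)`. The remaining logr conversions in this file and in infrastructure_test.go use clean keys and are fine as written.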
@@ -742,7 +742,7 @@ func newInfrastructure(namespace string, providerConfig *azurev1alpha1.Infrastru
 }
 
 func prepareNewResourceGroup(ctx context.Context, log logr.Logger, az *azureClientSet, groupName, location string) error {
- log.Info("generating new ResourceGroups: %s", groupName)
+ log.Info("generating new ResourceGroups", "groupName", groupName)
 _, err := az.groups.CreateOrUpdate(ctx, groupName, resources.Group{
 Location: pointer.StringPtr(location),
 })
@@ -750,7 +750,7 @@ func prepareNewResourceGroup(ctx context.Context, log logr.Logger, az *azureClie
 }
 
 func prepareNewVNet(ctx context.Context, log logr.Logger, az *azureClientSet, groupName, vNetName, location, cidr string) error {
- log.Info("generating new VNet: %s/%s", groupName, vNetName)
+ log.Info("generating new VNet", "groupName", groupName, "vNetName", vNetName)
 vNetFuture, err := az.vnet.CreateOrUpdate(ctx, groupName, vNetName, network.VirtualNetwork{
 VirtualNetworkPropertiesFormat: &network.VirtualNetworkPropertiesFormat{
 AddressSpace: &network.AddressSpace{
@@ -774,7 +774,7 @@ func prepareNewVNet(ctx context.Context, log logr.Logger, az *azureClientSet, gr
 }
 
 func prepareNewIdentity(ctx context.Context, log logr.Logger, az *azureClientSet, groupName, idName, location string) error {
- log.Info("generating new Identity %s/%s", groupName, idName)
+ log.Info("generating new Identity", "groupName", groupName, "idName", idName)
 _, err := az.msi.CreateOrUpdate(ctx, groupName, idName, msi.Identity{
 Location: pointer.StringPtr(location),
 })
@@ -782,7 +782,7 @@ func prepareNewIdentity(ctx context.Context, log logr.Logger, az *azureClientSet
 }
 
 func prepareNewNatIp(ctx context.Context, log logr.Logger, az *azureClientSet, groupName, pubIpName, location, zone string) error {
- log.Info("generating new nat ip %s/%s", groupName, pubIpName)
+ log.Info("generating new nat ip", "groupName", groupName, "pubIpName", pubIpName)
 _, err := az.pubIp.CreateOrUpdate(ctx, groupName, pubIpName, network.PublicIPAddress{
 Name: pointer.String(pubIpName),
 Sku: &network.PublicIPAddressSku{