From 65a1a0dcc79f6b0691dcef963cccd950857406b3 Mon Sep 17 00:00:00 2001
From: Robin Wallace
Date: Mon, 25 Apr 2022 13:13:44 +0200
Subject: [PATCH] [PodSecurityPolicy] Move the install of psp
---
 .../cluster_roles/tasks/main.yml | 47 ------------------
 .../control-plane/tasks/kubeadm-setup.yml | 5 ++
 .../control-plane/tasks/psp-install.yml | 49 +++++++++++++++++++
 .../control-plane}/templates/psp-cr.yml.j2 | 0
 .../control-plane}/templates/psp-crb.yml.j2 | 0
 .../control-plane}/templates/psp.yml.j2 | 0
 6 files changed, 54 insertions(+), 47 deletions(-)
 create mode 100644 roles/kubernetes/control-plane/tasks/psp-install.yml
 rename roles/{kubernetes-apps/cluster_roles => kubernetes/control-plane}/templates/psp-cr.yml.j2 (100%)
 rename roles/{kubernetes-apps/cluster_roles => kubernetes/control-plane}/templates/psp-crb.yml.j2 (100%)
 rename roles/{kubernetes-apps/cluster_roles => kubernetes/control-plane}/templates/psp.yml.j2 (100%)
diff --git a/roles/kubernetes-apps/cluster_roles/tasks/main.yml b/roles/kubernetes-apps/cluster_roles/tasks/main.yml
index c477c2a4198..ddbddba4b11 100644
--- a/roles/kubernetes-apps/cluster_roles/tasks/main.yml
+++ b/roles/kubernetes-apps/cluster_roles/tasks/main.yml
@@ -11,53 +11,6 @@
 delay: 6
 when: inventory_hostname == groups['kube_control_plane'][0]
 
-- name: Kubernetes Apps | Check AppArmor status
- command: which apparmor_parser
- register: apparmor_status
- when:
- - podsecuritypolicy_enabled
- - inventory_hostname == groups['kube_control_plane'][0]
- failed_when: false
-
-- name: Kubernetes Apps | Set apparmor_enabled
- set_fact:
- apparmor_enabled: "{{ apparmor_status.rc == 0 }}"
- when:
- - podsecuritypolicy_enabled
- - inventory_hostname == groups['kube_control_plane'][0]
-
-- name: Kubernetes Apps | Render templates for PodSecurityPolicy
- template:
- src: "{{ item.file }}.j2"
- dest: "{{ kube_config_dir }}/{{ item.file }}"
- mode: 0640
- register: psp_manifests
- with_items:
- - {file: psp.yml, type: psp, name: psp}
- - {file: psp-cr.yml, type: clusterrole, name: psp-cr}
- - {file: psp-crb.yml, type: rolebinding, name: psp-crb}
- when:
- - podsecuritypolicy_enabled
- - inventory_hostname == groups['kube_control_plane'][0]
-
-- name: Kubernetes Apps | Add policies, roles, bindings for PodSecurityPolicy
- kube:
- name: "{{ item.item.name }}"
- kubectl: "{{ bin_dir }}/kubectl"
- resource: "{{ item.item.type }}"
- filename: "{{ kube_config_dir }}/{{ item.item.file }}"
- state: "latest"
- register: result
- until: result is succeeded
- retries: 10
- delay: 6
- with_items: "{{ psp_manifests.results }}"
- when:
- - inventory_hostname == groups['kube_control_plane'][0]
- - not item is skipped
- loop_control:
- label: "{{ item.item.file }}"
-
 - name: Kubernetes Apps | Add ClusterRoleBinding to admit nodes
 template:
 src: "node-crb.yml.j2"
diff --git a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
index 23f798d649c..83353a5d0fe 100644
--- a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
@@ -182,6 +182,11 @@
 tags:
 - kubeadm_token
 
+- name: PodSecurityPolicy | install PodSecurityPolicy
+ include_tasks: psp-install.yml
+ when:
+ - podsecuritypolicy_enabled
+
 - name: kubeadm | Join other masters
 include_tasks: kubeadm-secondary.yml
 
diff --git a/roles/kubernetes/control-plane/tasks/psp-install.yml b/roles/kubernetes/control-plane/tasks/psp-install.yml
new file mode 100644
index 00000000000..ea551551a42
--- /dev/null
+++ b/roles/kubernetes/control-plane/tasks/psp-install.yml
@@ -0,0 +1,49 @@
+---
+- name: Check AppArmor status
+ command: which apparmor_parser
+ register: apparmor_status
+ when:
+ - podsecuritypolicy_enabled
+ - inventory_hostname == groups['kube_control_plane'][0]
+ failed_when: false
+
+- name: Set apparmor_enabled
+ set_fact:
+ apparmor_enabled: "{{ apparmor_status.rc == 0 }}"
+ when:
+ - podsecuritypolicy_enabled
+ - inventory_hostname == groups['kube_control_plane'][0]
+
+- name: Render templates for PodSecurityPolicy
+ template:
+ src: "{{ item.file }}.j2"
+ dest: "{{ kube_config_dir }}/{{ item.file }}"
+ mode: 0640
+ register: psp_manifests
+ with_items:
+ - {file: psp.yml, type: psp, name: psp}
+ - {file: psp-cr.yml, type: clusterrole, name: psp-cr}
+ - {file: psp-crb.yml, type: rolebinding, name: psp-crb}
+ when:
+ - podsecuritypolicy_enabled
+ - inventory_hostname == groups['kube_control_plane'][0]
+
+- name: Add policies, roles, bindings for PodSecurityPolicy
+ kube:
+ name: "{{ item.item.name }}"
+ kubectl: "{{ bin_dir }}/kubectl"
+ resource: "{{ item.item.type }}"
+ filename: "{{ kube_config_dir }}/{{ item.item.file }}"
+ state: "latest"
+ register: result
+ until: result is succeeded
+ retries: 10
+ delay: 6
+ with_items: "{{ psp_manifests.results }}"
+ environment:
+ KUBECONFIG: "{{ kube_config_dir }}/admin.conf"
+ when:
+ - inventory_hostname == groups['kube_control_plane'][0]
+ - not item is skipped
+ loop_control:
+ label: "{{ item.item.file }}"
\ No newline at end of file
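Review bot: `mode: 0640` on the "Render templates for PodSecurityPolicy" task in the new psp-install.yml is an unquoted leading-zero literal; Ansible's YAML 1.1 loader turns it into the integer 416 (octal 0640), which the template module accepts, but a YAML 1.2 loader would read it as decimal 640 and ansible-lint's risky-octal rule flags it, so write `mode: "0640"` now that the task is being relocated anyway. The `podsecuritypolicy_enabled` entries in the per-task `when` lists are redundant with the include in kubeadm-setup.yml, which is already gated on that variable; only the `inventory_hostname == groups['kube_control_plane'][0]` condition still does work. The file also ends without a trailing newline (`\ No newline at end of file`). A short header would help a reader understand why these tasks now live in the control-plane role, e.g. `# Installs the PodSecurityPolicy, ClusterRole and binding from the first control-plane node as part of kubeadm setup; the rendered manifests are applied with the kubeadm admin.conf`.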
diff --git a/roles/kubernetes-apps/cluster_roles/templates/psp-cr.yml.j2 b/roles/kubernetes/control-plane/templates/psp-cr.yml.j2
similarity index 100%
rename from roles/kubernetes-apps/cluster_roles/templates/psp-cr.yml.j2
rename to roles/kubernetes/control-plane/templates/psp-cr.yml.j2
diff --git a/roles/kubernetes-apps/cluster_roles/templates/psp-crb.yml.j2 b/roles/kubernetes/control-plane/templates/psp-crb.yml.j2
similarity index 100%
rename from roles/kubernetes-apps/cluster_roles/templates/psp-crb.yml.j2
rename to roles/kubernetes/control-plane/templates/psp-crb.yml.j2
diff --git a/roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2 b/roles/kubernetes/control-plane/templates/psp.yml.j2
similarity index 100%
rename from roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2
rename to roles/kubernetes/control-plane/templates/psp.yml.j2