Skip to content
This repository has been archived by the owner on Oct 24, 2023. It is now read-only.

refactor: make pod-security-policy addon user-configurable #2463

Merged
merged 6 commits into from Dec 17, 2019
Merged

refactor: make pod-security-policy addon user-configurable #2463

merged 6 commits into from Dec 17, 2019

Conversation

jackfrancis
Copy link
Member

@jackfrancis jackfrancis commented Dec 16, 2019
edited

Reason for Change:

This PR makes the pod-security-policy component a user-configurable addon, exposed via the existing kubernetesConfig.addons interface.

As an outcome, we officially deprecate the enablePodSecurityPolicy kubernetesConfig option, as it is functionally equivalent to:

...
    "addons": [
        {
            "name": "pod-security-policy",
            "enabled": true
        }
    ]
...

The deprecation behavior for new cluster creates is to essentially ignore the enablePodSecurityPolicy property (i.e., we don't throw a validation error). We also maintain pre-existing back-compat scenarios, and move the enablePodSecurityPolicy setting into the pod-security-policy addon, as appropriate, during upgrade.

Issue Fixed:

Requirements:

Notes:

@acs-bot acs-bot removed the size/L label Dec 17, 2019
@jackfrancis jackfrancis changed the title [WIP] refactor: make pod-security-policy addon user-configurable refactor: make pod-security-policy addon user-configurable Dec 17, 2019
jackfrancis
jackfrancis commented Dec 17, 2019
View reviewed changes
pkg/api/addons.go
@@ -752,6 +758,13 @@ func (cs *ContainerService) setAddonsConfig(isUpgrade bool) {
// Remove deprecated "kube-proxy-daemonset addon"
o.KubernetesConfig.Addons = append(o.KubernetesConfig.Addons[:i], o.KubernetesConfig.Addons[i+1:]...)
}

// Enable pod-security-policy addon during upgrade to 1.15 or greater scenarios, unless explicitly disabled
if isUpgrade && common.IsKubernetesVersionGe(o.OrchestratorVersion, "1.15.0") && !o.KubernetesConfig.IsAddonDisabled(common.PodSecurityPolicyAddonName) {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Being a bit conservative here to allow folks who definitely don't want the aks-engine PodSecurityPolicy implementation to explicitly disable it, and for upgrade to honor that.

jackfrancis
jackfrancis commented Dec 17, 2019
View reviewed changes
pkg/api/addons_test.go
o.KubernetesConfig.EnablePodSecurityPolicy = to.BoolPtr(true)
o.KubernetesConfig.PodSecurityPolicyConfig = map[string]string{
"data": base64DataPSP,
o.KubernetesConfig.Addons = []KubernetesAddon{
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Slightly academic, but keeping this UT around and converting it to make sense in the new pod-security-policy addons context

jackfrancis
jackfrancis commented Dec 17, 2019
View reviewed changes
pkg/api/addons_test.go
@@ -3428,4 +3507,13 @@ func getDefaultAddons(version string) []KubernetesAddon {
},
},
}

if common.IsKubernetesVersionGe(version, "1.15.0") {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yay w/ the new addons UT interfaces we just add default addons in one place and get that coverage everywhere

jackfrancis
jackfrancis commented Dec 17, 2019
View reviewed changes
pkg/api/defaults-apiserver.go
@@ -166,7 +166,7 @@ func getDefaultAdmissionControls(cs *ContainerService) (string, string) {
admissionControlValues := "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,ValidatingAdmissionWebhook,ResourceQuota,ExtendedResourceToleration"

// Pod Security Policy configuration
if to.Bool(o.KubernetesConfig.EnablePodSecurityPolicy) {
if o.KubernetesConfig.IsAddonEnabled(common.PodSecurityPolicyAddonName) {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

validated that this apiserver defaults flow comes after the addons defaults flow (feel free to do so yourself, otherwise this would not work)

jackfrancis
jackfrancis commented Dec 17, 2019
View reviewed changes
pkg/api/defaults.go
@@ -345,10 +345,6 @@ func (cs *ContainerService) setOrchestratorDefaults(isUpgrade, isScale bool) {
a.OrchestratorProfile.KubernetesConfig.ExcludeMasterFromStandardLB = to.BoolPtr(DefaultExcludeMasterFromStandardLB)
}

if common.IsKubernetesVersionGe(a.OrchestratorProfile.OrchestratorVersion, "1.15.0-beta.1") {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the concrete deprecation of the EnablePodSecurityPolicy flag for new cluster creates (i.e., we are basically ignoring it)

jackfrancis
jackfrancis commented Dec 17, 2019
View reviewed changes
pkg/api/defaults_test.go
@@ -3175,7 +3175,7 @@ func TestDefaultEnablePodSecurityPolicy(t *testing.T) {
MasterProfile: &MasterProfile{},
},
},
expected: true,
expected: false,
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

these UT changes reflect that EnablePodSecurityPolicy is now functionally deprecated

jackfrancis
jackfrancis commented Dec 17, 2019
View reviewed changes
pkg/api/vlabs/validate.go
if !o.KubernetesConfig.IsRBACEnabled() {
return errors.Errorf("enablePodSecurityPolicy requires the enableRbac feature as a prerequisite")
}
minVersion, err := semver.Make("1.8.0")
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cleaning up this old validation while I'm here

@codecov
Copy link

codecov bot commented Dec 17, 2019

Codecov Report

Merging #2463 into master will increase coverage by <.01%.
The diff coverage is 33.89%.

@@            Coverage Diff             @@
##           master    #2463      +/-   ##
==========================================
+ Coverage   72.57%   72.57%   +<.01%     
==========================================
  Files         130      130              
  Lines       23913    23916       +3     
==========================================
+ Hits        17354    17358       +4     
  Misses       5530     5530              
+ Partials     1029     1028       -1

mboersma
mboersma suggested changes Dec 17, 2019
View reviewed changes
Copy link
Member

@mboersma mboersma left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, just had some minor doc comments.

docs/topics/clusterdefinitions.md Outdated Show resolved Hide resolved
docs/topics/clusterdefinitions.md Outdated Show resolved Hide resolved
mboersma
mboersma approved these changes Dec 17, 2019
View reviewed changes
Copy link
Member

@mboersma mboersma left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@acs-bot acs-bot added the lgtm label Dec 17, 2019
@acs-bot
Copy link

acs-bot commented Dec 17, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jackfrancis, mboersma

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [jackfrancis,mboersma]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jackfrancis jackfrancis merged commit e0b7f9a into Azure:master Dec 17, 2019
@jackfrancis jackfrancis deleted the addons-psp branch December 17, 2019 19:41
@jackfrancis
Copy link
Member Author

Related to #2251

@mboersma mboersma added this to the v0.46.0 milestone Jan 7, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@mboersma mboersma mboersma approved these changes

Assignees

@mboersma mboersma

Labels
approved lgtm size/XXL
Projects
None yet
Milestone
v0.46.0
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@jackfrancis @acs-bot @mboersma