kubernetes · k8s-github-robot · Nov 2, 2017 · Nov 1, 2017 · Nov 1, 2017 · Nov 1, 2017
diff --git a/cluster/addons/metadata-proxy/gce/metadata-proxy.yaml b/cluster/addons/metadata-proxy/gce/metadata-proxy.yaml
@@ -1,3 +1,13 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: metadata-proxy
+  namespace: kube-system
+  labels:
+    k8s-app: metadata-proxy
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+---
 apiVersion: extensions/v1beta1
 kind: DaemonSet
 metadata:
@@ -23,6 +33,7 @@ spec:
       annotations:
         scheduler.alpha.kubernetes.io/critical-pod: ''
     spec:
+      serviceAccountName: metadata-proxy
       hostNetwork: true
       dnsPolicy: Default
       containers:

diff --git a/cluster/addons/podsecuritypolicies/privileged.yaml b/cluster/addons/podsecuritypolicies/privileged.yaml
diff --git a/cluster/common.sh b/cluster/common.sh
@@ -633,6 +633,7 @@ KUBE_PROXY_DAEMONSET: $(yaml-quote ${KUBE_PROXY_DAEMONSET:-false})
 KUBE_PROXY_TOKEN: $(yaml-quote ${KUBE_PROXY_TOKEN:-})
 NODE_PROBLEM_DETECTOR_TOKEN: $(yaml-quote ${NODE_PROBLEM_DETECTOR_TOKEN:-})
 ADMISSION_CONTROL: $(yaml-quote ${ADMISSION_CONTROL:-})
+ENABLE_POD_SECURITY_POLICY: $(yaml-quote ${ENABLE_POD_SECURITY_POLICY:-})
 MASTER_IP_RANGE: $(yaml-quote ${MASTER_IP_RANGE})
 RUNTIME_CONFIG: $(yaml-quote ${RUNTIME_CONFIG})
 CA_CERT: $(yaml-quote ${CA_CERT_BASE64:-})

diff --git a/cluster/gce/addons/podsecuritypolicies/event-exporter-binding.yaml b/cluster/gce/addons/podsecuritypolicies/event-exporter-binding.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: gce:podsecuritypolicy:event-exporter
+  namespace: kube-system
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+    kubernetes.io/cluster-service: "true"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: gce:podsecuritypolicy:event-exporter
+subjects:
+- kind: ServiceAccount
+  name: event-exporter-sa
+  namespace: kube-system
diff --git a/cluster/gce/addons/podsecuritypolicies/event-exporter-role.yaml b/cluster/gce/addons/podsecuritypolicies/event-exporter-role.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: gce:podsecuritypolicy:event-exporter
+  namespace: kube-system
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+rules:
+- apiGroups:
+  - extensions
+  resourceNames:
+  - gce.event-exporter
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
diff --git a/cluster/gce/addons/podsecuritypolicies/event-exporter.yaml b/cluster/gce/addons/podsecuritypolicies/event-exporter.yaml
@@ -0,0 +1,38 @@
+apiVersion: extensions/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: gce.event-exporter
+  annotations:
+    kubernetes.io/description: 'Policy used by the event-exporter addon.'
+    # TODO: event-exporter should run with the default seccomp profile
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+    # 'runtime/default' is already the default, but must be filled in on the
+    # pod to pass admission.
+    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
+    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+  labels:
+    kubernetes.io/cluster-service: 'true'
+    addonmanager.kubernetes.io/mode: Reconcile
+spec:
+  privileged: false
+  allowPrivilegeEscalation: false
+  volumes:
+  - 'hostPath'
+  - 'secret'
+  # TODO: This only needs a hostPath to read /etc/ssl/certs,
+  #   but it should be able to just include these in the image.
+  allowedHostPaths:
+    - pathPrefix: /etc/ssl/certs
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  # TODO: This doesn't need to run as root.
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+  readOnlyRootFilesystem: false
diff --git a/cluster/gce/addons/podsecuritypolicies/fluentd-gcp-binding.yaml b/cluster/gce/addons/podsecuritypolicies/fluentd-gcp-binding.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: gce:podsecuritypolicy:fluentd-gcp
+  namespace: kube-system
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+    kubernetes.io/cluster-service: "true"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: gce:podsecuritypolicy:fluentd-gcp
+subjects:
+- kind: ServiceAccount
+  name: fluentd-gcp
+  namespace: kube-system
diff --git a/cluster/gce/addons/podsecuritypolicies/fluentd-gcp-role.yaml b/cluster/gce/addons/podsecuritypolicies/fluentd-gcp-role.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: gce:podsecuritypolicy:fluentd-gcp
+  namespace: kube-system
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+rules:
+- apiGroups:
+  - extensions
+  resourceNames:
+  - gce.fluentd-gcp
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
diff --git a/cluster/gce/addons/podsecuritypolicies/fluentd-gcp.yaml b/cluster/gce/addons/podsecuritypolicies/fluentd-gcp.yaml
@@ -0,0 +1,38 @@
+apiVersion: extensions/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: gce.fluentd-gcp
+  annotations:
+    kubernetes.io/description: 'Policy used by the fluentd-gcp addon.'
+    # TODO: fluentd-gcp should run with the default seccomp profile
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+    # 'runtime/default' is already the default, but must be filled in on the
+    # pod to pass admission.
+    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
+    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+  labels:
+    kubernetes.io/cluster-service: 'true'
+    addonmanager.kubernetes.io/mode: Reconcile
+spec:
+  privileged: false
+  allowPrivilegeEscalation: false
+  volumes:
+  - 'configMap'
+  - 'hostPath'
+  - 'secret'
+  allowedHostPaths:
+    - pathPrefix: /var/log
+    - pathPrefix: /var/lib/docker/containers
+    - pathPrefix: /usr/lib64
+  hostNetwork: true
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+  readOnlyRootFilesystem: false
diff --git a/cluster/gce/addons/podsecuritypolicies/kube-proxy-binding.yaml b/cluster/gce/addons/podsecuritypolicies/kube-proxy-binding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: gce:podsecuritypolicy:kube-proxy
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+    kubernetes.io/cluster-service: "true"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: gce:podsecuritypolicy:privileged
+subjects:
+  - kind: ServiceAccount
+    name: kube-proxy
+    namespace: kube-system
diff --git a/cluster/gce/addons/podsecuritypolicies/kube-system-binding.yaml b/cluster/gce/addons/podsecuritypolicies/kube-system-binding.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: gce:podsecuritypolicy:unprivileged-addon
+  namespace: kube-system
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+    kubernetes.io/cluster-service: "true"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: gce:podsecuritypolicy:unprivileged-addon
+subjects:
+- kind: Group
+  # All service accounts in the kube-system namespace are allowed to use this.
+  name: system:serviceaccounts:kube-system
+  apiGroup: rbac.authorization.k8s.io
diff --git a/cluster/gce/addons/podsecuritypolicies/metadata-proxy-binding.yaml b/cluster/gce/addons/podsecuritypolicies/metadata-proxy-binding.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: gce:podsecuritypolicy:metadata-proxy
+  namespace: kube-system
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+    kubernetes.io/cluster-service: "true"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: gce:podsecuritypolicy:privileged
+subjects:
+- kind: ServiceAccount
+  name: metadata-proxy
+  namespace: kube-system
diff --git a/cluster/gce/addons/podsecuritypolicies/node-binding.yaml b/cluster/gce/addons/podsecuritypolicies/node-binding.yaml
@@ -0,0 +1,24 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: gce:podsecuritypolicy:nodes
+  namespace: kube-system
+  annotations:
+    kubernetes.io/description: 'Allow nodes to create privileged pods. Should
+      be used in combination with the NodeRestriction admission plugin to limit
+      nodes to mirror pods bound to themselves.'
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+    kubernetes.io/cluster-service: 'true'
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: gce:podsecuritypolicy:privileged
+subjects:
+  - kind: Group
+    apiGroup: rbac.authorization.k8s.io
+    name: system:nodes
+  - kind: User
+    apiGroup: rbac.authorization.k8s.io
+    # Legacy node ID
+    name: kubelet
diff --git a/cluster/gce/addons/podsecuritypolicies/npd-binding.yaml b/cluster/gce/addons/podsecuritypolicies/npd-binding.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: gce:podsecuritypolicy:npd
+  namespace: kube-system
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+    kubernetes.io/cluster-service: "true"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: gce:podsecuritypolicy:privileged
+subjects:
+- kind: ServiceAccount
+  name: node-problem-detector
+  namespace: kube-system
diff --git a/cluster/gce/addons/podsecuritypolicies/persistent-volume-binder-binding.yaml b/cluster/gce/addons/podsecuritypolicies/persistent-volume-binder-binding.yaml
@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+# The persistent volume binder creates recycler pods in the default namespace,
+# but the addon manager only creates namespaced objects in the kube-system
+# namespace, so this is a ClusterRoleBinding.
+kind: ClusterRoleBinding
+metadata:
+  name: gce:podsecuritypolicy:persistent-volume-binder
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+    kubernetes.io/cluster-service: "true"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: gce:podsecuritypolicy:persistent-volume-binder
+subjects:
+- kind: ServiceAccount
+  name: persistent-volume-binder
+  namespace: kube-system
diff --git a/cluster/gce/addons/podsecuritypolicies/persistent-volume-binder-role.yaml b/cluster/gce/addons/podsecuritypolicies/persistent-volume-binder-role.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+# The persistent volume binder creates recycler pods in the default namespace,
+# but the addon manager only creates namespaced objects in the kube-system
+# namespace, so this is a ClusterRole.
+kind: ClusterRole
+metadata:
+  name: gce:podsecuritypolicy:persistent-volume-binder
+  namespace: default
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+rules:
+- apiGroups:
+  - extensions
+  resourceNames:
+  - gce.persistent-volume-binder
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
diff --git a/cluster/gce/addons/podsecuritypolicies/persistent-volume-binder.yaml b/cluster/gce/addons/podsecuritypolicies/persistent-volume-binder.yaml
@@ -0,0 +1,29 @@
+apiVersion: extensions/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: gce.persistent-volume-binder
+  annotations:
+    kubernetes.io/description: 'Policy used by the persistent-volume-binder
+      (a.k.a. persistentvolume-controller) to run recycler pods.'
+    # TODO: This should use the default seccomp profile.
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+  labels:
+    kubernetes.io/cluster-service: 'true'
+    addonmanager.kubernetes.io/mode: Reconcile
+spec:
+  privileged: false
+  volumes:
+  - 'nfs'
+  - 'secret'   # Required for service account credentials.
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+  readOnlyRootFilesystem: false
diff --git a/cluster/gce/addons/podsecuritypolicies/privileged-role.yaml b/cluster/gce/addons/podsecuritypolicies/privileged-role.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: gce:podsecuritypolicy:privileged
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+rules:
+- apiGroups:
+  - extensions
+  resourceNames:
+  - gce.privileged
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use