Fix PodSecurityPolicy issues (#586)
edeNFed committed Oct 4, 2023
1 parent f33d40d commit 43fdd3d
Showing 5 changed files with 55 additions and 6 deletions.
7 changes: 7 additions & 0 deletions autoscaler/controllers/gateway/deployment.go
Expand Up @@ -140,6 +140,9 @@ func getDesiredDeployment(dests *odigosv1.DestinationList, configData string,
Image: utils.GetContainerImage(containerImage),
Command: []string{containerCommand, fmt.Sprintf("--config=%s/%s.yaml", confDir, configKey)},
EnvFrom: getSecretsFromDests(dests),
SecurityContext: &corev1.SecurityContext{
RunAsUser: int64Ptr(10000),
},
VolumeMounts: []corev1.VolumeMount{
{
Name: configKey,
Expand Down Expand Up @@ -204,3 +207,7 @@ func getSecretsFromDests(destList *odigosv1.DestinationList) []corev1.EnvFromSou
func intPtr(n int32) *int32 {
return &n
}

func int64Ptr(n int64) *int64 {
return &n
}
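Review bot: Setting only `RunAsUser: int64Ptr(10000)` on the gateway container leaves `runAsNonRoot` and `allowPrivilegeEscalation` unset; the PSP admission controller defaults those fields from the policy, but its non-mutating replacement, the Pod Security `restricted` profile, rejects a container that does not set `allowPrivilegeEscalation: false` and a non-root assertion explicitly, so this fix stops working on clusters that have moved off PSP. The bare `10000` also needs a why-comment, since whether the gateway image can run under that UID is not visible here. A `boolPtr` helper next to the new `int64Ptr` keeps the literal in the same style. getDesiredDeployment starts and ends outside this hunk.
```go
SecurityContext: &corev1.SecurityContext{
	RunAsUser:                int64Ptr(10000), // non-root UID; must be usable by the gateway image — confirm
	RunAsNonRoot:             boolPtr(true),
	AllowPrivilegeEscalation: boolPtr(false),
},
// … unchanged: VolumeMounts and the rest of the container spec …

// boolPtr returns a pointer to b, for optional bool fields in the API types.
func boolPtr(b bool) *bool {
	return &b
}
```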
6 changes: 4 additions & 2 deletions cli/cmd/install.go
Expand Up @@ -29,6 +29,7 @@ var (
skipWait bool
telemetryEnabled bool
sidecarInstrumentation bool
psp bool
ignoredNamespaces []string
DefaultIgnoredNamespaces = []string{"odigos-system", "kube-system", "local-path-storage", "istio-system", "linkerd"}
)
Expand Down Expand Up @@ -130,7 +131,7 @@ func createDataCollectionRBAC(ctx context.Context, cmd *cobra.Command, client *k
return err
}

_, err = client.RbacV1().ClusterRoles().Create(ctx, resources.NewDataCollectionClusterRole(), metav1.CreateOptions{})
_, err = client.RbacV1().ClusterRoles().Create(ctx, resources.NewDataCollectionClusterRole(psp), metav1.CreateOptions{})
if err != nil {
return err
}
Expand Down Expand Up @@ -230,7 +231,7 @@ func createOdiglet(ctx context.Context, cmd *cobra.Command, client *kube.Client,
return err
}

_, err = client.RbacV1().ClusterRoles().Create(ctx, resources.NewOdigletClusterRole(), metav1.CreateOptions{})
_, err = client.RbacV1().ClusterRoles().Create(ctx, resources.NewOdigletClusterRole(psp), metav1.CreateOptions{})
if err != nil {
return err
}
Expand Down Expand Up @@ -301,4 +302,5 @@ func init() {
installCmd.Flags().StringVar(&resources.OdigletImage, "odiglet-image", "keyval/odigos-odiglet", "odiglet container image")
installCmd.Flags().StringVar(&resources.InstrumentorImage, "instrumentor-image", "keyval/odigos-instrumentor", "instrumentor container image")
installCmd.Flags().StringVar(&containers.ImagePrefix, "image-prefix", "", "Prefix for all container images")
installCmd.Flags().BoolVar(&psp, "psp", false, "Enable pod security policy")
}
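Review bot: The help text `"Enable pod security policy"` on the new `--psp` flag misdescribes what it does: the CLI creates no PodSecurityPolicy, it only passes `psp` into the two ClusterRole constructors so they gain a `use` rule on an existing PSP named `privileged`. Since the PodSecurityPolicy API was removed in Kubernetes 1.25, the flag has no effect there and the text should say so, e.g. `installCmd.Flags().BoolVar(&psp, "psp", false, "Grant the odiglet and data-collection service accounts 'use' on the 'privileged' PodSecurityPolicy (clusters below 1.25 that run the PSP admission controller)")`. Whether other components installed by this command also need the grant cannot be determined from this hunk.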
23 changes: 21 additions & 2 deletions cli/cmd/resources/datacollection.go
Expand Up @@ -20,8 +20,8 @@ func NewDataCollectionServiceAccount() *corev1.ServiceAccount {
}
}

func NewDataCollectionClusterRole() *rbacv1.ClusterRole {
return &rbacv1.ClusterRole{
func NewDataCollectionClusterRole(psp bool) *rbacv1.ClusterRole {
clusterrole := &rbacv1.ClusterRole{
TypeMeta: metav1.TypeMeta{
Kind: "ClusterRole",
APIVersion: "rbac.authorization.k8s.io/v1",
Expand Down Expand Up @@ -60,6 +60,25 @@ func NewDataCollectionClusterRole() *rbacv1.ClusterRole {
},
},
}

if psp {
clusterrole.Rules = append(clusterrole.Rules, rbacv1.PolicyRule{
Verbs: []string{
"use",
},
APIGroups: []string{
"policy",
},
Resources: []string{
"podsecuritypolicies",
},
ResourceNames: []string{
"privileged",
},
})
}

return clusterrole
}

func NewDataCollectionClusterRoleBinding(ns string) *rbacv1.ClusterRoleBinding {
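Review bot: The `use` rule appended under `if psp` hard-codes the PodSecurityPolicy name `privileged`, but a cluster that enforces PSP need not have a policy of that name (managed distributions tend to ship their own, e.g. `eks.privileged`), and RBAC does not validate `ResourceNames`, so a wrong name is silently accepted here and the data-collection pods are still rejected at admission while the install reports success. Consider taking the name as a parameter (`NewDataCollectionClusterRole(pspName string)`, empty meaning no rule) or at least documenting the assumption above the rule: `// Assumes a cluster-scoped PSP named "privileged" exists; RBAC does not check ResourceNames, so a wrong name only fails later at pod admission.` The rule grants the most permissive policy; whether data collection needs that rather than a narrower PSP is not visible in this hunk.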
23 changes: 21 additions & 2 deletions cli/cmd/resources/odiglet.go
Expand Up @@ -27,8 +27,8 @@ func NewOdigletServiceAccount() *corev1.ServiceAccount {
}
}

func NewOdigletClusterRole() *rbacv1.ClusterRole {
return &rbacv1.ClusterRole{
func NewOdigletClusterRole(psp bool) *rbacv1.ClusterRole {
clusterrole := &rbacv1.ClusterRole{
TypeMeta: metav1.TypeMeta{
Kind: "ClusterRole",
APIVersion: "rbac.authorization.k8s.io/v1",
Expand Down Expand Up @@ -161,6 +161,25 @@ func NewOdigletClusterRole() *rbacv1.ClusterRole {
},
},
}

if psp {
clusterrole.Rules = append(clusterrole.Rules, rbacv1.PolicyRule{
Verbs: []string{
"use",
},
APIGroups: []string{
"policy",
},
Resources: []string{
"podsecuritypolicies",
},
ResourceNames: []string{
"privileged",
},
})
}

return clusterrole
}

func NewOdigletClusterRoleBinding(ns string) *rbacv1.ClusterRoleBinding {
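Review bot: The `if psp` block here is a verbatim copy of the one in datacollection.go (same verb, group, resource and hard-coded `privileged` name); factoring it into one helper keeps the two ClusterRoles from drifting if the PSP name is later made configurable and gives the rule a single place for its why-comment. The append in both constructors then becomes `clusterrole.Rules = append(clusterrole.Rules, pspUseRule("privileged"))`. The rule list of NewOdigletClusterRole starts outside this hunk.
```go
// pspUseRule returns the RBAC rule that lets a subject be admitted under the
// named PodSecurityPolicy. Only meaningful on clusters below Kubernetes 1.25
// that still run the PSP admission controller; inert elsewhere.
func pspUseRule(name string) rbacv1.PolicyRule {
	return rbacv1.PolicyRule{
		Verbs:         []string{"use"},
		APIGroups:     []string{"policy"},
		Resources:     []string{"podsecuritypolicies"},
		ResourceNames: []string{name},
	}
}
```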
2 changes: 2 additions & 0 deletions frontend/kube/client.go
Expand Up @@ -3,6 +3,8 @@ package kube
import (
"github.com/keyval-dev/odigos/frontend/generated/clientset/versioned/typed/odigos/v1alpha1"
"k8s.io/client-go/kubernetes"
_ "k8s.io/client-go/plugin/pkg/client/auth"
_ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
"k8s.io/client-go/tools/clientcmd"
)

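Review bot: The two new blank imports change which kubeconfig credential providers the frontend binary will honor, and nothing in the hunk says why; a one-line comment belongs above them: `// Register kubeconfig auth providers (e.g. OIDC) so the frontend can use the user's kubeconfig credentials.` As far as I recall, `k8s.io/client-go/plugin/pkg/client/auth` already imports the `oidc` sub-package (together with the azure and gcp providers), so the explicit `.../auth/oidc` line is redundant though harmless — worth confirming against the client-go version in go.mod. If OIDC is all the frontend needs, importing only `.../auth/oidc` is the narrower choice, since the umbrella package also registers the deprecated cloud-provider plugins in older client-go releases.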
