summaryrefslogtreecommitdiffstats
path: root/kud/deployment_infra/playbooks/configure-emco.yml
diff options
context:
space:
mode:
authorTodd Malsbary <todd.malsbary@intel.com>2020-11-20 15:42:54 -0800
committerTodd Malsbary <todd.malsbary@intel.com>2020-12-09 15:08:21 -0800
commit5f99856b3cdc3c11e82f0f67b3da973d43e47fc7 (patch)
treeeb70b409c7b70a3a248016790c361f27ff076db8 /kud/deployment_infra/playbooks/configure-emco.yml
parent7e06fbaa3d1293ca9b25aeb7ea7cb7be2179e30a (diff)
Enable pod security policies
The intention with this change is to disable CAP_NET_RAW (which can be a security vulnerability) for created Pods. kubespray provides the podsecuritypolicy_enabled variable for enabling privileged (for kube-system) and restricted (for everyone else) policies. Enabling this requires binding the KUD_ADDONs to the privileged policy and specifying the security context correctly for Pods running in the default namespace. As of this change, the only difference between the privileged and restricted security policies is the dropping of CAP_NET_RAW in the restricted policy. To use the default restricted policy provided with kubespray, additional changes must be made to the Pods that are run in the default namespace (such as runing as a non-root user, not requesting privileged mode, etc.). Issue-ID: MULTICLOUD-1256 Signed-off-by: Todd Malsbary <todd.malsbary@intel.com> Change-Id: I7d6add122ad4046f9116ef03a249f5c9da1d7eec
Diffstat (limited to 'kud/deployment_infra/playbooks/configure-emco.yml')
-rw-r--r--kud/deployment_infra/playbooks/configure-emco.yml10
1 files changed, 9 insertions, 1 deletions
diff --git a/kud/deployment_infra/playbooks/configure-emco.yml b/kud/deployment_infra/playbooks/configure-emco.yml
index 7a4cf926..96b4a23d 100644
--- a/kud/deployment_infra/playbooks/configure-emco.yml
+++ b/kud/deployment_infra/playbooks/configure-emco.yml
@@ -36,12 +36,20 @@
- debug:
var: make_all.stdout_lines
+ - name: Create emco namespace
+ shell: "/usr/local/bin/kubectl create namespace emco"
+ ignore_errors: True
+
+ - name: Create pod security policy role bindings
+ shell: "/usr/local/bin/kubectl -n emco create rolebinding psp:default:privileged --clusterrole=psp:privileged --serviceaccount=emco:default --serviceaccount=emco:emco-fluentd"
+ ignore_errors: True
+
- name: Get cluster name
shell: "kubectl -n kube-system get configmap/kubeadm-config -o yaml | grep clusterName: | awk '{print $2}'"
register: cluster_name
- name: Change the emco directory and run the command helm install
- command: /usr/local/bin/helm install --namespace emco --create-namespace --set emco-tools.fluentd.clusterDomain={{ cluster_name.stdout }} emco dist/packages/emco-0.1.0.tgz
+ command: /usr/local/bin/helm install --namespace emco --set emco-tools.fluentd.clusterDomain={{ cluster_name.stdout }} emco dist/packages/emco-0.1.0.tgz
register: helm_install
args:
chdir: /opt/multicloud/deployments/helm/v2/emco