diff options
author | Todd Malsbary <todd.malsbary@intel.com> | 2020-11-20 15:42:54 -0800 |
---|---|---|
committer | Todd Malsbary <todd.malsbary@intel.com> | 2020-12-09 15:08:21 -0800 |
commit | 5f99856b3cdc3c11e82f0f67b3da973d43e47fc7 (patch) | |
tree | eb70b409c7b70a3a248016790c361f27ff076db8 /kud/deployment_infra/playbooks/configure-onap4k8s.yml | |
parent | 7e06fbaa3d1293ca9b25aeb7ea7cb7be2179e30a (diff) |
Enable pod security policies
The intention with this change is to disable CAP_NET_RAW (which can be
a security vulnerability) for created Pods.
kubespray provides the podsecuritypolicy_enabled variable for enabling
privileged (for kube-system) and restricted (for everyone else)
policies. Enabling this requires binding the KUD_ADDONs to the
privileged policy and specifying the security context correctly for
Pods running in the default namespace.
As of this change, the only difference between the privileged and
restricted security policies is the dropping of CAP_NET_RAW in the
restricted policy. To use the default restricted policy provided with
kubespray, additional changes must be made to the Pods that are run in
the default namespace (such as runing as a non-root user, not
requesting privileged mode, etc.).
Issue-ID: MULTICLOUD-1256
Signed-off-by: Todd Malsbary <todd.malsbary@intel.com>
Change-Id: I7d6add122ad4046f9116ef03a249f5c9da1d7eec
Diffstat (limited to 'kud/deployment_infra/playbooks/configure-onap4k8s.yml')
-rw-r--r-- | kud/deployment_infra/playbooks/configure-onap4k8s.yml | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/kud/deployment_infra/playbooks/configure-onap4k8s.yml b/kud/deployment_infra/playbooks/configure-onap4k8s.yml index c016cf1c..48052225 100644 --- a/kud/deployment_infra/playbooks/configure-onap4k8s.yml +++ b/kud/deployment_infra/playbooks/configure-onap4k8s.yml @@ -36,8 +36,16 @@ - debug: var: make_all.stdout_lines + - name: Create onap4k8s-ns namespace + shell: "/usr/local/bin/kubectl create namespace onap4k8s-ns" + ignore_errors: True + + - name: Create pod security policy role bindings + shell: "/usr/local/bin/kubectl -n onap4k8s-ns create rolebinding psp:default:privileged --clusterrole=psp:privileged --serviceaccount=onap4k8s-ns:default" + ignore_errors: True + - name: Change the onap4k8s directory and run the command helm install - command: /usr/local/bin/helm install --namespace onap4k8s-ns --create-namespace --set service.type=NodePort multicloud-onap8ks dist/packages/multicloud-k8s-5.0.0.tgz + command: /usr/local/bin/helm install --namespace onap4k8s-ns --set service.type=NodePort multicloud-onap8ks dist/packages/multicloud-k8s-5.0.0.tgz register: helm_install args: chdir: /opt/multicloud/deployments/helm/onap4k8s |