aboutsummaryrefslogtreecommitdiffstats
path: root/kud/hosting_providers
diff options
context:
space:
mode:
Diffstat (limited to 'kud/hosting_providers')
-rwxr-xr-xkud/hosting_providers/containerized/installer.sh4
-rw-r--r--kud/hosting_providers/containerized/inventory/group_vars/k8s-cluster.yml36
-rw-r--r--kud/hosting_providers/vagrant/inventory/group_vars/k8s-cluster.yml34
3 files changed, 70 insertions, 4 deletions
diff --git a/kud/hosting_providers/containerized/installer.sh b/kud/hosting_providers/containerized/installer.sh
index 226f4568..db6b224c 100755
--- a/kud/hosting_providers/containerized/installer.sh
+++ b/kud/hosting_providers/containerized/installer.sh
@@ -122,7 +122,7 @@ function install_addons {
tee $cluster_log/setup-kud.log
# The order of KUD_ADDONS is important: some plugins (sriov, qat)
# require nfd to be enabled.
- for addon in ${KUD_ADDONS:-virtlet ovn4nfv nfd sriov cmk $plugins_name}; do
+ for addon in ${KUD_ADDONS:-virtlet ovn4nfv nfd sriov qat cmk $plugins_name}; do
echo "Deploying $addon using configure-$addon.yml playbook.."
ansible-playbook $verbose -i \
$kud_inventory $kud_playbooks/configure-${addon}.yml | \
@@ -131,7 +131,7 @@ function install_addons {
echo "Run the test cases if testing_enabled is set to true."
if [[ "${testing_enabled}" == "true" ]]; then
- for addon in ${KUD_ADDONS:-virtlet ovn4nfv nfd sriov cmk $plugins_name}; do
+ for addon in ${KUD_ADDONS:-virtlet ovn4nfv nfd sriov qat cmk $plugins_name}; do
pushd $kud_tests
bash ${addon}.sh
case $addon in
diff --git a/kud/hosting_providers/containerized/inventory/group_vars/k8s-cluster.yml b/kud/hosting_providers/containerized/inventory/group_vars/k8s-cluster.yml
index 0a2953ce..18a55035 100644
--- a/kud/hosting_providers/containerized/inventory/group_vars/k8s-cluster.yml
+++ b/kud/hosting_providers/containerized/inventory/group_vars/k8s-cluster.yml
@@ -52,8 +52,6 @@ local_volume_provisioner_enabled: true
# Helm deployment
helm_enabled: true
-docker_version: 'latest'
-
# Kube-proxy proxyMode configuration.
# NOTE: Ipvs is based on netfilter hook function, but uses hash table as the underlying data structure and
# works in the kernel space
@@ -81,3 +79,37 @@ kube_pods_subnet: 10.244.64.0/18
# disable localdns cache
enable_nodelocaldns: false
+
+# pod security policy (RBAC must be enabled either by having 'RBAC' in authorization_modes or kubeadm enabled)
+podsecuritypolicy_enabled: true
+# The restricted spec is identical to the kubespray podsecuritypolicy_privileged_spec, with the replacement of
+# allowedCapabilities:
+# - '*'
+# by
+# requiredDropCapabilities:
+# - NET_RAW
+podsecuritypolicy_restricted_spec:
+ privileged: true
+ allowPrivilegeEscalation: true
+ volumes:
+ - '*'
+ hostNetwork: true
+ hostPorts:
+ - min: 0
+ max: 65535
+ hostIPC: true
+ hostPID: true
+ requiredDropCapabilities:
+ - NET_RAW
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'RunAsAny'
+ fsGroup:
+ rule: 'RunAsAny'
+ readOnlyRootFilesystem: false
+ # This will fail if allowed-unsafe-sysctls is not set accordingly in kubelet flags
+ allowedUnsafeSysctls:
+ - '*'
diff --git a/kud/hosting_providers/vagrant/inventory/group_vars/k8s-cluster.yml b/kud/hosting_providers/vagrant/inventory/group_vars/k8s-cluster.yml
index ba79b4b9..5b06b788 100644
--- a/kud/hosting_providers/vagrant/inventory/group_vars/k8s-cluster.yml
+++ b/kud/hosting_providers/vagrant/inventory/group_vars/k8s-cluster.yml
@@ -76,3 +76,37 @@ download_localhost: True
kube_service_addresses: 10.244.0.0/18
# Subnet for Pod IPs
kube_pods_subnet: 10.244.64.0/18
+
+# pod security policy (RBAC must be enabled either by having 'RBAC' in authorization_modes or kubeadm enabled)
+podsecuritypolicy_enabled: true
+# The restricted spec is identical to the kubespray podsecuritypolicy_privileged_spec, with the replacement of
+# allowedCapabilities:
+# - '*'
+# by
+# requiredDropCapabilities:
+# - NET_RAW
+podsecuritypolicy_restricted_spec:
+ privileged: true
+ allowPrivilegeEscalation: true
+ volumes:
+ - '*'
+ hostNetwork: true
+ hostPorts:
+ - min: 0
+ max: 65535
+ hostIPC: true
+ hostPID: true
+ requiredDropCapabilities:
+ - NET_RAW
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'RunAsAny'
+ fsGroup:
+ rule: 'RunAsAny'
+ readOnlyRootFilesystem: false
+ # This will fail if allowed-unsafe-sysctls is not set accordingly in kubelet flags
+ allowedUnsafeSysctls:
+ - '*'