From 23ba8ac948dd2164b4517578de9d77d31452fe01 Mon Sep 17 00:00:00 2001 From: Miecio Date: Sat, 30 Jan 2021 18:22:52 +0100 Subject: [PATCH] Fix for missing PSP for bookie initialize and other (#101) ### Motivation When using the standard bookkeeper installation on a PSP-enforcing cluster, initialization fails because it has to be started as root ### Modifications Add the same ServiceAccount and SecurityContext for bookkeeper-cluster-initialize as in the bookkeeper specification. UPDATE: Seems that when using in-cluster TLS encryption other components also require RW access to the root FS, so I added PSP for proxy, zookeeper, broker and toolset ### Verifying this change - [x] Make sure that the change passes the CI checks. --- .../bookkeeper-cluster-initialize.yaml | 7 ++ charts/pulsar/templates/broker-rbac.yaml | 67 ++++++++++++++ .../pulsar/templates/broker-statefulset.yaml | 12 +++ charts/pulsar/templates/proxy-rbac.yaml | 89 +++++++++++++++++++ .../pulsar/templates/proxy-statefulset.yaml | 7 ++ charts/pulsar/templates/toolset-rbac.yaml | 89 +++++++++++++++++++ .../pulsar/templates/toolset-statefulset.yaml | 7 ++ charts/pulsar/templates/zookeeper-rbac.yaml | 89 +++++++++++++++++++ .../templates/zookeeper-statefulset.yaml | 7 ++ 9 files changed, 374 insertions(+) create mode 100644 charts/pulsar/templates/proxy-rbac.yaml create mode 100644 charts/pulsar/templates/toolset-rbac.yaml create mode 100644 charts/pulsar/templates/zookeeper-rbac.yaml diff --git a/charts/pulsar/templates/bookkeeper-cluster-initialize.yaml b/charts/pulsar/templates/bookkeeper-cluster-initialize.yaml index 4c12bae..10a3a53 100644 --- a/charts/pulsar/templates/bookkeeper-cluster-initialize.yaml +++ b/charts/pulsar/templates/bookkeeper-cluster-initialize.yaml 
@@ -29,6 +29,9 @@ metadata:
 spec:
 template:
 spec:
+ {{- if and .Values.rbac.enabled .Values.rbac.psp }}
+ serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
+ {{- end }}
 initContainers:
 - name: wait-zookeeper-ready
 image: "{{ .Values.images.bookie.repository }}:{{ .Values.images.bookie.tag }}"
@@ -66,6 +69,10 @@ spec:
 {{- end }}
 bin/bookkeeper shell initnewcluster;
 fi
+ {{- if and .Values.rbac.enabled .Values.rbac.psp }}
+ securityContext:
+ readOnlyRootFilesystem: false
+ {{- end }}
 envFrom:
 - configMapRef:
 name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
diff --git a/charts/pulsar/templates/broker-rbac.yaml b/charts/pulsar/templates/broker-rbac.yaml
index fc26c04..dc8fd0c 100644
--- a/charts/pulsar/templates/broker-rbac.yaml
+++ b/charts/pulsar/templates/broker-rbac.yaml
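Review bot: The explicit `readOnlyRootFilesystem: false` on the initialize container in the second hunk carries no comment, and its purpose is easy to miss: a nil value can be mutated to `true` by a stricter cluster-wide PSP during admission, whereas an explicit `false` fails that policy's validation and steers the pod onto the chart's own PSP — presumably why it was needed, but confirm against the bookkeeper PSP, which is outside this patch. I would add `# explicit false: keeps a stricter cluster PSP from defaulting this to read-only` above it. The tighter fix is to leave the root filesystem read-only and mount an `emptyDir` at whatever path the initializer writes; `bin/bookkeeper shell initnewcluster` is visible here but the write location is not, so verify it before making that change. The container's spec starts outside the hunk.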
@@ -58,3 +58,70 @@ subjects:
 name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component }}"
 namespace: {{ template "pulsar.namespace" . }}
 {{- end }}
+
+{{- if and .Values.rbac.enabled .Values.rbac.psp }}
+---
+
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-psp"
+ namespace: {{ template "pulsar.namespace" . }}
+rules:
+ - apiGroups:
+ - policy
+ resourceNames:
+ - "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}"
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-psp"
+ namespace: {{ template "pulsar.namespace" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-psp"
+subjects:
+- kind: ServiceAccount
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-acct"
+ namespace: {{ template "pulsar.namespace" . }}
+---
+
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+spec:
+ readOnlyRootFilesystem: false
+ privileged: false
+ allowPrivilegeEscalation: false
+ runAsUser:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ seLinux:
+ rule: 'RunAsAny'
+ volumes:
+ - configMap
+ - emptyDir
+ - projected
+ - secret
+ - downwardAPI
+ - persistentVolumeClaim
+{{- end}}
diff --git a/charts/pulsar/templates/broker-statefulset.yaml b/charts/pulsar/templates/broker-statefulset.yaml
index 08a93bd..c85e747 100644
--- a/charts/pulsar/templates/broker-statefulset.yaml
+++ b/charts/pulsar/templates/broker-statefulset.yaml
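Review bot: PodSecurityPolicy is cluster-scoped, so the `namespace:` line under the PSP's `metadata` is discarded by the API server and the object is created under the bare name `{{ fullname }}-{{ broker.component }}`; two releases rendering the same fullname in different namespaces would overwrite each other's policy, and the `use` grant in the Role would then point at whichever copy was applied last. I would drop that `namespace:` line and fold the release namespace into the PSP name, e.g. `name: "{{ template "pulsar.namespace" . }}-{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}"`, mirrored in the Role's `resourceNames`. Separately, `runAsUser: rule: 'RunAsAny'` and the absence of `requiredDropCapabilities` make this policy looser than the writable-root-filesystem problem described in the commit message requires; unless the broker image is known to need root, `rule: 'MustRunAsNonRoot'` plus `requiredDropCapabilities: [ALL]` keeps it close to the restricted baseline. `rbac.authorization.k8s.io/v1beta1` is deprecated in favour of `v1`, which has the same schema for these two objects.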
@@ -120,6 +120,10 @@ spec:
 {{- end }}
 echo "pulsar cluster {{ template "pulsar.cluster.name" . }} isn't initialized yet ... check in 3 seconds ..." && sleep 3;
 done;
+ {{- if and .Values.rbac.enabled .Values.rbac.psp }}
+ securityContext:
+ readOnlyRootFilesystem: false
+ {{- end }}
 volumeMounts:
 {{- include "pulsar.broker.certs.volumeMounts" . | nindent 8 }}
 # This init container will wait for bookkeeper to be ready before
@@ -147,6 +151,10 @@ spec:
 envFrom:
 - configMapRef:
 name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
+ {{- if and .Values.rbac.enabled .Values.rbac.psp }}
+ securityContext:
+ readOnlyRootFilesystem: false
+ {{- end }}
 volumeMounts:
 {{- include "pulsar.broker.certs.volumeMounts" . | nindent 10 }}
 containers:
@@ -228,6 +236,10 @@ spec:
 {{- end }}
 {{- end }}
 {{- include "pulsar.broker.certs.volumeMounts" . | nindent 10 }}
+ {{- if and .Values.rbac.enabled .Values.rbac.psp }}
+ securityContext:
+ readOnlyRootFilesystem: false
+ {{- end }}
 volumes:
 {{- if .Values.auth.authentication.enabled }}
 {{- if eq .Values.auth.authentication.provider "jwt" }}
diff --git a/charts/pulsar/templates/proxy-rbac.yaml b/charts/pulsar/templates/proxy-rbac.yaml
new file mode 100644
index 0000000..7136c05
--- /dev/null
+++ b/charts/pulsar/templates/proxy-rbac.yaml
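Review bot: The same four-line guarded `securityContext` block is pasted into two init containers and the broker container without a word on why it is needed; the reason (a nil `readOnlyRootFilesystem` can be mutated to `true` by a stricter cluster PSP during admission, an explicit `false` cannot) is non-obvious and will be lost on the next edit. A named template, e.g. `{{- define "pulsar.psp.writableRootFs" }}` holding the guarded block and a one-line comment, included in the three places, would keep it in one spot. On the security side these lines opt the whole broker pod out of a read-only root filesystem; if the writes are limited to rendered config under `conf/`, `readOnlyRootFilesystem: true` with an `emptyDir` mounted there is the usual hardening, though the broker's write paths are not visible in these hunks. All three container specs start outside the hunks.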
@@ -0,0 +1,89 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+{{- if and .Values.rbac.enabled .Values.rbac.psp }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+rules:
+ - apiGroups:
+ - policy
+ resourceNames:
+ - "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
+subjects:
+- kind: ServiceAccount
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+---
+
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+spec:
+ readOnlyRootFilesystem: false
+ privileged: false
+ allowPrivilegeEscalation: false
+ runAsUser:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ seLinux:
+ rule: 'RunAsAny'
+ volumes:
+ - configMap
+ - emptyDir
+ - projected
+ - secret
+ - downwardAPI
+ - persistentVolumeClaim
+ {{- end}}
diff --git a/charts/pulsar/templates/proxy-statefulset.yaml b/charts/pulsar/templates/proxy-statefulset.yaml
index 00e001d..6a02bf5 100644
--- a/charts/pulsar/templates/proxy-statefulset.yaml
+++ b/charts/pulsar/templates/proxy-statefulset.yaml
@@ -101,6 +101,9 @@ spec:
 {{ end }}
 {{- end }}
 terminationGracePeriodSeconds: {{ .Values.proxy.gracePeriod }}
+ {{- if and .Values.rbac.enabled .Values.rbac.psp }}
+ serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
+ {{- end}}
 initContainers:
 # This init container will wait for zookeeper to be ready before
 # deploying the bookies
@@ -189,6 +192,10 @@ spec:
 - name: pulsarssl
 containerPort: {{ .Values.proxy.ports.pulsarssl }}
 {{- end }}
+ {{- if and .Values.rbac.enabled .Values.rbac.psp }}
+ securityContext:
+ readOnlyRootFilesystem: false
+ {{- end }}
 envFrom:
 - configMapRef:
 name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
diff --git a/charts/pulsar/templates/toolset-rbac.yaml b/charts/pulsar/templates/toolset-rbac.yaml
new file mode 100644
index 0000000..1363884
--- /dev/null
+++ b/charts/pulsar/templates/toolset-rbac.yaml
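Review bot: The new ServiceAccount exists only so the proxy pod can be matched to this PSP through the `use` grant, yet it leaves token automount at its default, so every proxy pod gets an API token mounted under `/var/run/secrets/kubernetes.io/serviceaccount` that nothing in this hunk uses; add `automountServiceAccountToken: false` to the ServiceAccount (a pod spec can re-enable it if the proxy ever needs the API). As in the broker policy, PodSecurityPolicy is cluster-scoped, so `namespace:` under its `metadata` is dropped by the API server and the name `{{ fullname }}-{{ proxy.component }}` can collide between releases in different namespaces; prefix it with `{{ template "pulsar.namespace" . }}` here and in the Role's `resourceNames`. `runAsUser: rule: 'RunAsAny'` permits root for a network-facing component; unless the proxy image is known to require it, `rule: 'MustRunAsNonRoot'` is the safer default. `rbac.authorization.k8s.io/v1beta1` is deprecated; `v1` serves the same schema for the Role and RoleBinding.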
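Review bot: Nothing in the second hunk says why `readOnlyRootFilesystem: false` has to be spelled out on the proxy container; since a nil value can be mutated to `true` by a stricter cluster PSP while an explicit `false` cannot, I would add `# explicit false: keeps a stricter cluster PSP from defaulting this to read-only` above it, and consider `true` plus an `emptyDir` over the written path instead if the proxy only rewrites its own config (its write paths are not visible here). In the first hunk the dedicated ServiceAccount is used only when `rbac.psp` is on; as far as the hunk shows, the proxy otherwise runs under the namespace's default account, so selecting the per-component SA under plain `rbac.enabled` would give the pod a stable identity and a single place to set `automountServiceAccountToken: false`. The pod spec starts outside the hunk.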
@@ -0,0 +1,89 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+{{- if and .Values.rbac.enabled .Values.rbac.psp }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+rules:
+ - apiGroups:
+ - policy
+ resourceNames:
+ - "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
+subjects:
+- kind: ServiceAccount
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+---
+
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+spec:
+ readOnlyRootFilesystem: false
+ privileged: false
+ allowPrivilegeEscalation: false
+ runAsUser:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ seLinux:
+ rule: 'RunAsAny'
+ volumes:
+ - configMap
+ - emptyDir
+ - projected
+ - secret
+ - downwardAPI
+ - persistentVolumeClaim
+ {{- end}}
diff --git a/charts/pulsar/templates/toolset-statefulset.yaml b/charts/pulsar/templates/toolset-statefulset.yaml
index dd2b401..c7dfb13 100644
--- a/charts/pulsar/templates/toolset-statefulset.yaml
+++ b/charts/pulsar/templates/toolset-statefulset.yaml
@@ -56,6 +56,9 @@ spec:
 {{ toYaml .Values.toolset.tolerations | indent 8 }}
 {{- end }}
 terminationGracePeriodSeconds: {{ .Values.toolset.gracePeriod }}
+ {{- if and .Values.rbac.enabled .Values.rbac.psp }}
+ serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
+ {{- end}}
 containers:
 - name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
 image: "{{ .Values.images.broker.repository }}:{{ .Values.images.broker.tag }}"
@@ -71,6 +74,10 @@ spec:
 bin/apply-config-from-env.py conf/bookkeeper.conf;
 {{- include "pulsar.toolset.zookeeper.tls.settings" . | nindent 10 }}
 sleep 10000000000
+ {{- if and .Values.rbac.enabled .Values.rbac.psp }}
+ securityContext:
+ readOnlyRootFilesystem: false
+ {{- end }}
 envFrom:
 - configMapRef:
 name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
diff --git a/charts/pulsar/templates/zookeeper-rbac.yaml b/charts/pulsar/templates/zookeeper-rbac.yaml
new file mode 100644
index 0000000..5e3e224
--- /dev/null
+++ b/charts/pulsar/templates/zookeeper-rbac.yaml
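Review bot: This policy is a verbatim copy of the broker one, including `persistentVolumeClaim` in `volumes` and `runAsUser: rule: 'RunAsAny'`, for a pod whose container (see the toolset-statefulset hunk of this patch) renders config and then runs `sleep`; as the interactive admin box it is the component most likely to be exec'ed into, so I would start it from the restricted end — `rule: 'MustRunAsNonRoot'`, `requiredDropCapabilities: [ALL]` — and list only the volume types its pod spec actually mounts, which are not visible here. The new ServiceAccount should also carry `automountServiceAccountToken: false`, since its only job is PSP selection. PodSecurityPolicy is cluster-scoped, so the `namespace:` under its `metadata` is ignored and the name should embed `{{ template "pulsar.namespace" . }}` to avoid cross-namespace collisions between releases. Use `rbac.authorization.k8s.io/v1` for the Role and RoleBinding; `v1beta1` is deprecated.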
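Review bot: The `serviceAccountName` added in the first hunk is built from `.Values.proxy.component`, not `.Values.toolset.component`, so the toolset pod runs under the proxy's ServiceAccount and is admitted through the proxy's PSP, while the toolset Role, RoleBinding and ServiceAccount created in this patch are never used; the line should read `serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"`. Beyond being a copy-paste slip it couples two components' identities: any RBAC later granted to the proxy account is silently inherited by the admin toolset pod. The explicit `readOnlyRootFilesystem: false` in the second hunk deserves a comment on why it is spelled out (`# explicit false: keeps a stricter cluster PSP from defaulting this to read-only`), and since the visible command only rewrites `conf/bookkeeper.conf` via `bin/apply-config-from-env.py` before sleeping, `true` plus an `emptyDir` mounted over `conf/` looks like a viable hardening here — verify nothing else in the command writes elsewhere. The container spec starts outside the hunk.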
@@ -0,0 +1,89 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+{{- if and .Values.rbac.enabled .Values.rbac.psp }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+rules:
+ - apiGroups:
+ - policy
+ resourceNames:
+ - "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}"
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}"
+subjects:
+- kind: ServiceAccount
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+---
+
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}"
+ namespace: {{ template "pulsar.namespace" . }}
+spec:
+ readOnlyRootFilesystem: false
+ privileged: false
+ allowPrivilegeEscalation: false
+ runAsUser:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ seLinux:
+ rule: 'RunAsAny'
+ volumes:
+ - configMap
+ - emptyDir
+ - projected
+ - secret
+ - downwardAPI
+ - persistentVolumeClaim
+ {{- end}}
diff --git a/charts/pulsar/templates/zookeeper-statefulset.yaml b/charts/pulsar/templates/zookeeper-statefulset.yaml
index 40d05f4..c6f31cf 100644
--- a/charts/pulsar/templates/zookeeper-statefulset.yaml
+++ b/charts/pulsar/templates/zookeeper-statefulset.yaml
@@ -98,6 +98,9 @@ spec:
 {{ end }}
 {{- end }}
 terminationGracePeriodSeconds: {{ .Values.zookeeper.gracePeriod }}
+ {{- if and .Values.rbac.enabled .Values.rbac.psp }}
+ serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}"
+ {{- end }}
 containers:
 - name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}"
 image: "{{ .Values.images.zookeeper.repository }}:{{ .Values.images.zookeeper.tag }}"
@@ -136,6 +139,10 @@ spec:
 - configMapRef:
 name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}"
 {{- if .Values.zookeeper.probe.readiness.enabled }}
+ {{- if and .Values.rbac.enabled .Values.rbac.psp }}
+ securityContext:
+ readOnlyRootFilesystem: false
+ {{- end}}
 readinessProbe:
 exec:
 command:
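Review bot: ZooKeeper holds the cluster's metadata, so its ServiceAccount deserves the tightest shape: nothing in this hunk touches the Kubernetes API, so set `automountServiceAccountToken: false` on the new ServiceAccount, and prefer `runAsUser: rule: 'MustRunAsNonRoot'` with `requiredDropCapabilities: [ALL]` over `RunAsAny` unless the zookeeper image is known to require root (the commit message mentions root only for the bookie initializer). The `namespace:` under the PodSecurityPolicy's `metadata` is discarded because the kind is cluster-scoped, so the policy name should embed `{{ template "pulsar.namespace" . }}` to avoid colliding with another release that renders the same fullname. Both RBAC objects should use `rbac.authorization.k8s.io/v1`; `v1beta1` is deprecated.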
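Review bot: In the second hunk the guarded `securityContext` block is inserted directly after `{{- if .Values.zookeeper.probe.readiness.enabled }}`, so it is rendered only when the readiness probe is enabled — a container's security settings must not depend on a probe toggle. Move the four lines above that `{{- if` line (or below its matching `{{- end }}`, which is outside the hunk) so the block is controlled by `rbac.psp` alone. While moving it, add `# explicit false: keeps a stricter cluster PSP from defaulting this to read-only` above `readOnlyRootFilesystem: false`, since that is the only reason an explicit `false` does anything; if ZooKeeper's writes are confined to its data and config paths, `true` plus `emptyDir`/PVC mounts there would keep the root filesystem read-only — its write paths are not visible in this hunk.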