From 834956424f6141b7e2b0f72ced76d638180834bb Mon Sep 17 00:00:00 2001
From: Suraj Deshmukh
Date: Sat, 16 Jan 2021 08:44:03 +0530
Subject: [PATCH] psp: Make the restrictive policy as the first on the list

The policy order of PSP has two methods of selecting a PSP for applications: 1. If a PSP allows the pod specification as is without a mutation, then that PSP is used. 2. If the above condition fails, then the fist PSP is chosen from an allowed-PSP list, and the pod is mutated accordingly. In Lokomotive's case the general cluster-wide PSP for apps that don't ship PSP is the minimal restrictive PSP. So we need to ensure that it is on top of the list for selection not bottom.

Signed-off-by: Suraj Deshmukh
---
 .../control-plane/kubernetes/templates/psp-restricted.yaml | 4 ++--
 pkg/assets/generated_assets.go | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/assets/charts/control-plane/kubernetes/templates/psp-restricted.yaml b/assets/charts/control-plane/kubernetes/templates/psp-restricted.yaml
index a6cdd5386..b83055e7f 100644
--- a/assets/charts/control-plane/kubernetes/templates/psp-restricted.yaml
+++ b/assets/charts/control-plane/kubernetes/templates/psp-restricted.yaml
@@ -1,7 +1,7 @@
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
- name: zz-minimal
+ name: aa-minimal
 annotations:
 seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
 seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
@@ -56,7 +56,7 @@ rules:
 resources: ['podsecuritypolicies']
 verbs: ['use']
 resourceNames:
- - zz-minimal
+ - aa-minimal
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/pkg/assets/generated_assets.go b/pkg/assets/generated_assets.go
index ef97d4577..d6e469187 100644
--- a/pkg/assets/generated_assets.go
+++ b/pkg/assets/generated_assets.go
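Review bot: The `aa-` prefix on `name: aa-minimal` in the `@@ -1,7 +1,7 @@` hunk is load-bearing but nothing in the manifest records why, so the next rename will silently undo the ordering; a comment directly above the name should state it, e.g. `# "aa-" prefix is deliberate: when no PSP the requester may use admits a pod unmodified, admission falls back to the alphabetically first usable PSP that can mutate it, so this restrictive policy must sort first.` That comment should also make clear that the fallback only decides among policies the requester is authorized to `use` and only when none of them accepts the pod as-is, so a subject also bound to a more permissive PSP still lands on that policy whenever the pod validates against it unmodified — the rename changes the default for PSP-less apps, not what privileged workloads can do. The rename is also a breaking change for anything else that refers to the policy by name: the ClusterRole's `resourceNames` in the second hunk is updated, but any other ClusterRole, RoleBinding or documentation referencing `zz-minimal` outside this chart is not visible in the diff and would need the same edit, and on an existing cluster the old `zz-minimal` object has to be removed rather than left beside the new one.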
@@ -5294,7 +5294,7 @@ var vfsgenAssets = func() http.FileSystem { modTime: time.Date(1970, 1, 1, 0, 0, 1, 0, time.UTC), uncompressedSize: 1761, - compressedContent: []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xbc\x54\x4d\x6f\x1b\x47\x0c\xbd\xef\xaf\x20\x90\xc3\x1e\x9a\x95\x61\x14\x2e\x8a\xbd\xb9\x76\x12\x08\xb1\x1d\x41\xf9\xb8\x04\x3d\x8c\x76\xb8\x12\xab\xd9\x99\x29\xc9\x91\x22\xff\xfa\x62\x66\x57\xb2\x9c\xba\x45\x0e\x45\x6f\x43\x2e\xf9\xf8\xf8\xc8\xa5\x89\xf4\x05\x59\x28\xf8\x16\x62\x70\xd4\x1d\x2e\x76\x97\x2b\x54\x73\x59\x6d\xc9\xdb\x16\x16\xc1\x7e\xc4\x2e\x31\xe9\x61\x51\xbe\x57\x03\xaa\xb1\x46\x4d\x5b\x01\x78\x33\x60\x0b\x8f\x8f\xcd\x40\x9e\x06\xe3\x2a\x00\xe3\x7d\x50\xa3\x14\xbc\xe4\x08\x00\xc1\xae\x0b\x43\x9c\xc9\x04\x33\x33\x2e\x6e\xcc\x6c\x9b\x56\xc8\x1e\x15\x65\x46\xe1\xc2\x38\x17\xf6\x68\x17\x1c\x7a\x72\xf8\x60\x06\x94\x16\x6a\x1b\xba\x2d\xf2\x85\xc5\xde\x24\xa7\xaf\x39\x79\xa5\x01\x8f\x76\xfd\xe3\xf0\x53\xc6\x19\x7c\x0b\xdf\xc3\xd7\x95\x44\xec\x32\xe7\xc8\xb4\x23\x87\x6b\xb4\x2d\xf4\xc6\x09\x56\x00\xaf\x60\x89\x7f\x26\x62\xb4\xa0\x01\x22\xe3\x0e\xbd\x02\x4a\x67\xdc\xd8\x6c\x76\x73\x08\x3a\xcb\x1a\xe4\x6e\x16\x47\x94\x37\xa7\xa0\x73\xb8\x4f\x1b\x12\x20\x01\x46\x9b\xbc\x35\x5e\x61\x4f\xba\x01\x1f\x7c\x93\x61\xe0\x27\xb0\x24\x05\xe8\x89\xcf\x59\xbd\xd7\x05\x64\x95\x14\xf6\x08\x9d\xf1\x10\x39\xec\xc8\x22\x90\x42\x1f\x18\x2c\xf6\xe8\x05\x81\x3c\x58\x8c\xba\xc9\xb4\x78\xea\xe0\x96\x43\xbc\x31\xd1\xac\xc8\x91\x12\x96\x39\x35\xf0\x7e\x7e\x77\x57\x1e\xf7\xef\x1f\x3e\xdc\x96\xd7\xc7\x37\x9f\x3e\xcf\x4f\xcf\x77\xe5\xf9\x0a\xae\x0b\xa9\x2e\x30\xc2\x2e\xb8\x34\x20\xe8\x21\xa2\xe4\x0a\xa3\x3d\x01\xd6\x5d\xf0\x3d\xad\xef\x4d\xac\x47\x1b\x87\xa8\x87\x5b\xe2\xc9\x8c\x1c\xfe\xc0\x4e\xd1\x4e\xb6\x60\xc7\xa8\x93\x61\xc3\xde\xef\x0d\xdb\xeb\xc5\xbc\x1e\xab\x8a\x94\x52\x1b\xa3\x10\xf3\xca\x8a\xa2\xd7\x2f\x63\x41\x10\x54\x48\x11\x56\x07\xd0\x0d\x42\xe7\x92\x28\x32\x18\x3b\x90\x07\xc3\x08\x62\x7a\xcc\x13\x4a\x82\xb3\xa9\xfa\x77\x18\x37\xce\xd0\x90\x4b\x6d\x82\xe8\x03\xea\x3
e\xf0\xf6\x69\x5e\xd9\x39\x5f\xdc\x3c\x77\x2c\xe6\xb7\x4f\x0e\x4e\xfe\x5a\x3e\x0b\xf2\xb8\xf5\xa7\x7d\x19\x09\x05\xaf\x86\x3c\x72\xd9\x92\xe4\xcb\xac\x43\xd2\xb2\x31\x4f\xf3\x2d\x1a\x66\x28\x87\x2d\xd4\xf7\x49\x74\x99\x51\x1f\x82\x5f\x86\x50\x94\x11\xbc\x23\x9f\xbe\xb5\xe7\x71\x25\xe6\xda\x1f\xca\xf7\x14\xa3\xc3\x01\xbd\x1a\xf7\x8e\x43\x8a\xd2\xbe\x08\x39\xfe\x3b\x6c\xfc\x1a\xe5\x48\xf8\x6d\xe0\x15\x59\x30\xd6\x92\x5f\x17\xda\x85\xdd\x3a\xc3\x8c\xc4\x1a\x18\xc8\xb7\x70\x59\x0c\x80\xc1\x7c\x6b\xe1\x97\xab\xab\x9f\xaf\x2a\x80\x5e\x4a\xbd\xff\xab\x1c\xa3\xb1\x1f\xbc\x3b\x64\x61\xde\x92\x43\x39\x88\xe2\x70\x1c\x47\xd3\x34\xd3\xfd\xba\x19\x57\x61\x19\x1c\x56\xe7\xc7\x8e\x57\xa6\x9b\x99\xa4\x9b\xc0\xf4\x58\xfe\xa8\xd9\xf6\xd7\x72\x2b\x76\x97\x2f\x9c\x38\x46\x51\xa6\xbc\xac\x4d\x94\x58\xe5\xfe\xa4\xad\x1a\x30\x91\x26\x99\xe1\x6b\x3d\x1e\xd0\xfa\xf7\x42\x4f\x42\xe2\x0e\x27\xbf\x3d\x5e\xa7\x12\x42\x28\x25\x68\x87\xbc\x92\xb6\xf4\xf6\xb5\x4e\x82\xcf\x32\xc7\x1b\x58\x76\xf5\xec\xbe\xbe\xd8\xd8\x6f\xe4\xb3\x86\xff\x5d\x7f\xcd\xa8\x66\x93\xf3\xd1\x2b\x75\x46\xd1\x56\x1c\x1c\x2e\xb1\xcf\x49\x7f\xd7\xf6\x1f\x84\x82\x93\x42\xff\x42\xa9\x92\xb4\xca\x97\xa0\x28\x3a\x42\x97\x94\x13\xe8\x34\xdc\xe7\x74\x7e\x0c\xfa\xaf\x00\x00\x00\xff\xff\x3e\x33\x48\x5b\xe1\x06\x00\x00"), + compressedContent: 
[]byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xbc\x54\x4d\x6f\x1b\x47\x0c\xbd\xef\xaf\x20\x90\xc3\x1e\x9a\x95\x61\x14\x2e\x8a\xbd\xb9\x76\x12\x08\xb1\x1d\x41\xf9\xb8\x04\x3d\x50\x3b\x5c\x89\xd5\xec\xcc\x74\xc8\x91\xa2\xfe\xfa\x62\x66\x57\xb2\x9c\xba\x85\x0f\x45\x6e\x43\x2e\xf9\xf8\xf8\xc8\x25\x06\xfe\x42\x51\xd8\xbb\x16\x82\xb7\xdc\x1d\x2e\x76\x97\x2b\x52\xbc\xac\xb6\xec\x4c\x0b\x0b\x6f\x3e\x52\x97\x22\xeb\x61\x51\xbe\x57\x03\x29\x1a\x54\x6c\x2b\x00\x87\x03\xb5\x80\xd8\x0c\xec\x78\x40\x5b\x01\xa0\x73\x5e\x51\xd9\x3b\xc9\x11\x00\x42\x5d\xe7\x87\x30\x93\x09\x66\x86\x36\x6c\x70\xb6\x4d\x2b\x8a\x8e\x94\x64\xc6\xfe\x02\xad\xf5\x7b\x32\x8b\xe8\x7b\xb6\xf4\x80\x03\x49\x0b\xb5\xf1\xdd\x96\xe2\x85\xa1\x1e\x93\xd5\xd7\x31\x39\xe5\x81\x8e\x76\xfd\x72\xf8\x29\xe3\x0c\xbe\x85\xef\xe1\xeb\x4a\x02\x75\x99\x73\x88\xbc\x63\x4b\x6b\x32\x2d\xf4\x68\x85\x2a\x80\x57\xb0\xa4\x3f\x13\x47\x32\xa0\x1e\x42\xa4\x1d\x39\x05\x92\x0e\xed\xd8\x6c\x76\x47\xef\x75\x96\x35\xc8\xdd\x2c\x8e\x28\x6f\x4e\x41\xe7\x70\x9f\x36\x2c\xc0\x02\x91\x4c\x72\x06\x9d\xc2\x9e\x75\x03\xce\xbb\x26\xc3\xc0\x4f\x60\x58\x0a\xd0\x23\x9f\xb3\x7a\xaf\x0b\xc8\x2a\x29\xec\x09\x3a\x74\x10\xa2\xdf\xb1\x21\x60\x85\xde\x47\x30\xd4\x93\x13\x02\x76\x60\x28\xe8\x26\xd3\x8a\x53\x07\xb7\xd1\x87\x1b\x0c\xb8\x62\xcb\xca\x54\xe6\xd4\xc0\xfb\xf9\xdd\x5d\x79\xdc\xbf\x7f\xf8\x70\x5b\x5e\x1f\xdf\x7c\xfa\x3c\x3f\x3d\xdf\x95\xe7\x2b\xb8\x2e\xa4\x3a\x1f\x09\x76\xde\xa6\x81\x40\x0f\x81\x24\x57\x18\xed\x09\xb0\xee\xbc\xeb\x79\x7d\x8f\xa1\x1e\x6d\x1a\x82\x1e\x6e\x39\x4e\x66\x88\xfe\x0f\xea\x94\xcc\x64\x0b\x75\x91\x74\x32\x8c\xdf\xbb\x3d\x46\x73\xbd\x98\xd7\x63\x55\x91\x52\x6a\x83\x0a\x21\xaf\xac\x28\x39\xfd\x32\x16\x04\x21\x85\x14\x60\x75\x00\xdd\x10\x74\x36\x89\x52\x04\x34\x03\x3b\xc0\x48\x20\xd8\x53\x9e\x50\x12\x9a\x4d\xd5\xbf\xc3\xb8\xb1\xc8\x43\x2e\xb5\xf1\xa2\x0f\xa4\x7b\x1f\xb7\x8f\xf3\xca\xce\xf9\xe2\xe6\xa9\x63\x31\xbf\x7d\x74\xc4\xe4\xae\xe5\xb3\x50\x1c\xb7\xfe\xb4\x2f\x23\x21\xef\x14\xd9\x51\x2c\x5b\x92\x5c\x99\xb5\x4f\x5a\x36\xe6\x71
\xbe\x45\xc3\x0c\x65\xa9\x85\xfa\x3e\x89\x2e\x33\xea\x83\x77\x4b\xef\x8b\x32\x42\x77\xec\xd2\xb7\xf6\x3c\xae\xc4\x5c\xbb\x43\xf9\x9e\x42\xb0\x34\x90\x53\xb4\xef\xa2\x4f\x41\xda\x67\x21\xc7\x7f\x27\xa2\x5b\x93\x1c\x09\xbf\xf5\x71\xc5\x06\xd0\x18\x76\xeb\x42\xbb\xb0\x5b\x67\x98\x91\x58\x03\x03\xbb\x16\x2e\x8b\x01\x30\xe0\xb7\x16\x7e\xb9\xba\xfa\xf9\xaa\x02\xe8\xa5\xd4\xfb\x51\xe5\x22\xa1\xf9\xe0\xec\x21\x0b\xf3\x96\x2d\xc9\x41\x94\x86\xe3\x38\x9a\xa6\x99\xee\xd7\xcd\xb8\x0a\x4b\x6f\xa9\x3a\x3f\x76\x71\x85\xdd\x0c\x93\x6e\x7c\xe4\xbf\xca\x1f\x35\xdb\xfe\x5a\x6e\xc5\xee\xf2\x99\x13\x17\x49\x34\x72\x5e\xd6\x26\x48\xa8\x72\x7f\xd2\x56\x0d\x60\xe0\x49\x66\xf8\x5a\x8f\x07\xb4\xfe\xbd\xd0\x13\x9f\x62\x47\x93\xdf\x1c\xaf\x53\x09\x61\x92\x12\xb4\xa3\xb8\x92\xb6\xf4\xf6\xb5\x4e\x42\x4f\x32\xc7\x1b\x58\x76\xf5\xec\xbe\x3e\xdb\xd8\x6f\xec\xb2\x86\xff\x5f\x7f\xcd\xa8\x66\x93\xf3\xc9\x29\x77\xa8\x64\xaa\xe8\x2d\x2d\xa9\xcf\x49\xff\xd4\xf6\x5f\x84\x82\x93\x42\xff\x41\xa9\x92\xb4\xca\x97\xa0\x28\x3a\x42\x97\x94\x13\xe8\x34\xdc\xa7\x74\x5e\x06\xfd\x77\x00\x00\x00\xff\xff\xde\xa0\xd6\x69\xe1\x06\x00\x00"), }, "/charts/control-plane/kubernetes/values.yaml": &vfsgen۰CompressedFileInfo{ name: "values.yaml",