
Commit 345bb88

remove PodSecurityPolicy when k8s version >=1.25 (#758)
* add k8s 1.24 and 1.25 to test suite
* remove PodSecurityPolicy when k8s version >=1.25
* add k8s 1.24 and 1.25 to automated test workflow
* update docs
1 parent 2fb865f commit 345bb88


10 files changed

+37
-14
lines changed


.github/workflows/build-and-test.yaml

+1-1
@@ -168,7 +168,7 @@ jobs:
168168
runs-on: ubuntu-20.04
169169
strategy:
170170
matrix:
171-
k8sVersion: ["1.18", "1.19", "1.20", "1.21", "1.22", "1.23"]
171+
k8sVersion: ["1.18", "1.19", "1.20", "1.21", "1.22", "1.23", "1.24", "1.25"]
172172
steps:
173173
- name: Set up Go 1.x
174174
uses: actions/setup-go@v2
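Review bot: with this matrix, 1.25 is the only entry that exercises the new no-PodSecurityPolicy path in `test/k8s-local-cluster-test/provision-cluster` (`use_psp` stays `false` only when the minor version is 25 or above), so that single job is the only signal that the kind-config rewrite and the skipped PSP apply actually work; it is worth confirming the workflow passes the matrix value through `-v`, because a run without `-v` defaults to 1.20 with `use_psp=false` and would not test either branch as intended.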

README.md

+7-1
@@ -94,7 +94,6 @@ The `enableSqsTerminationDraining` must be set to false for these configuration
9494

9595
The Queue Processor Mode does not allow for fine-grained configuration of which events are handled through helm configuration keys. Instead, you can modify your Amazon EventBridge rules to not send certain types of events to the SQS Queue so that NTH does not process those events. All events when operating in Queue Processor mode are Cordoned and Drained unless the `cordon-only` flag is set to true.
9696

97-
9897
The `enableSqsTerminationDraining` flag turns on Queue Processor Mode. When Queue Processor Mode is enabled, IMDS mode will be disabled, even if you explicitly enabled any of the IMDS configuration keys. NTH cannot respond to queue events AND monitor IMDS paths. In this case, it is safe to disable IMDS for the NTH pod.
9998

10099
<details opened>
@@ -105,6 +104,9 @@ The `enableSqsTerminationDraining` flag turns on Queue Processor Mode. When Queu
105104

106105
The termination handler DaemonSet installs into your cluster a [ServiceAccount](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/), [ClusterRole](https://kubernetes.io/docs/reference/access-authn-authz/rbac/), [ClusterRoleBinding](https://kubernetes.io/docs/reference/access-authn-authz/rbac/), and a [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/). All four of these Kubernetes constructs are required for the termination handler to run properly.
107106

107+
#### Pod Security Admission
108+
109+
When using Kubernetes [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) it is recommended to assign the `[privileged](https://kubernetes.io/docs/concepts/security/pod-security-standards/#privileged)` level.
108110

109111
#### Kubectl Apply
110112
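Review bot: the link in `` `[privileged](https://...)` `` is wrapped in backticks, so Markdown renders it as literal code instead of a link; nest it the other way round, `` [`privileged`](https://kubernetes.io/docs/concepts/security/pod-security-standards/#privileged) ``. The paragraph also says which level to assign but not where it is applied nor which DaemonSet settings require `privileged`, so a reader cannot tell whether a stricter level is possible in their environment; one sentence naming the setting that needs it would make the recommendation actionable.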

@@ -376,6 +378,10 @@ IAM Policy for aws-node-termination-handler Deployment:
376378

377379
### Installation
378380

381+
#### Pod Security Admission
382+
383+
When using Kubernetes [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) it is recommended to assign the `[baseline](https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline)` level.
384+
379385
#### Helm
380386

381387
The easiest and most commonly used method to configure the termination handler is via [helm](https://helm.sh/). The chart for this project is hosted in the [eks-charts](https://github.com/aws/eks-charts) repository.
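Review bot: same backtick/link nesting issue as in the DaemonSet section (`` `[baseline](...)` `` renders literally rather than as a link), and this is now the second `#### Pod Security Admission` heading in the README, so the two auto-generated anchors collide. Consider distinct headings such as `Pod Security Admission (Deployment)` and `Pod Security Admission (DaemonSet)`, and a sentence stating that `baseline` for the Queue Processor Deployment versus `privileged` for the IMDS DaemonSet is intentional, so nobody "fixes" the difference later.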

config/helm/aws-node-termination-handler/README.md

+1-1
@@ -56,7 +56,7 @@ The configuration in this table applies to all AWS Node Termination Handler mode
5656
| `serviceAccount.name` | Service account to be used. If not set and `serviceAccount.create` is `true`, a name is generated using the full name template. | `nil` |
5757
| `serviceAccount.annotations` | Annotations to add to the service account. | `{}` |
5858
| `rbac.create` | If `true`, create the RBAC resources. | `true` |
59-
| `rbac.pspEnabled` | If `true`, create a pod security policy resource. | `true` |
59+
| `rbac.pspEnabled` | If `true`, create a pod security policy resource. Note: `PodSecurityPolicy`s will not be created when Kubernetes version is 1.25 or later. | `true` |
6060
| `customLabels` | Labels to add to all resource metadata. | `{}` |
6161
| `podLabels` | Labels to add to the pod. | `{}` |
6262
| `podAnnotations` | Annotations to add to the pod. | `{}` |
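Review bot: the new note should say what "Kubernetes version" means here: `templates/psp.yaml` compares against `.Capabilities.KubeVersion`, i.e. the version Helm obtains from the API server, so `helm template` run without `--kube-version` evaluates the check against Helm's built-in default rather than the target cluster. A hint to pass `--kube-version` when rendering offline would prevent confusing "why is the PSP (not) rendered" reports.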

config/helm/aws-node-termination-handler/templates/psp.yaml

+1-1
@@ -1,4 +1,4 @@
1-
{{- if .Values.rbac.pspEnabled }}
1+
{{- if and (.Values.rbac.pspEnabled) (semverCompare "<1.25-0" .Capabilities.KubeVersion.GitVersion) }}
22
apiVersion: policy/v1beta1
33
kind: PodSecurityPolicy
44
metadata:
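Review bot: `.Capabilities.KubeVersion.GitVersion` is the deprecated accessor in Helm 3; `.Capabilities.KubeVersion.Version` returns the same string and is the documented field, so prefer it. The `<1.25-0` constraint is the right idiom: the trailing `-0` makes versions with a pre-release suffix (as some managed distributions report, e.g. `v1.24.x-something`) still compare as below 1.25 instead of being excluded by semver's pre-release rule, so the PSP is still rendered for them. Leaving `apiVersion: policy/v1beta1` in place is fine because the whole object is skipped on 1.25 and later.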

config/helm/aws-node-termination-handler/values.yaml

+1-1
@@ -23,7 +23,7 @@ serviceAccount:
2323
rbac:
2424
# Specifies whether RBAC resources should be created
2525
create: true
26-
# Specifies if PodSecurityPolicy resources should be created
26+
# Specifies if PodSecurityPolicy resources should be created. PodSecurityPolicy will not be created when Kubernetes version is 1.25 or later.
2727
pspEnabled: true
2828

2929
customLabels: {}
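Review bot: `pspEnabled` stays `true` by default and the template now silently skips the object on 1.25+, so nothing tells the operator the value was ignored; either state in this comment that no warning is emitted, or surface it (for example a line in `NOTES.txt` when the flag is `true` on a cluster that cannot use it). Minor: wrap the comment, it is well past the width of the rest of the file.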

config/helm/localstack/templates/psp.yaml

+1-1
@@ -1,4 +1,4 @@
1-
{{- if .Values.rbac.pspEnabled }}
1+
{{- if and (.Values.rbac.pspEnabled) (semverCompare "<1.25-0" .Capabilities.KubeVersion.GitVersion) }}
22
apiVersion: policy/v1beta1
33
kind: PodSecurityPolicy
44
metadata:
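Review bot: this is the same expression as in the main chart, and the `squid` and `webhook-test-proxy` charts below repeat it a third and fourth time; since separate charts cannot share a named template, keep the constraint string byte-identical across all four `psp.yaml` files (a future bump to the cut-off has to land in all of them) and apply the `.Version` instead of `.GitVersion` change to each.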

config/helm/squid/templates/psp.yaml

+1-1
@@ -1,4 +1,4 @@
1-
{{- if .Values.rbac.pspEnabled }}
1+
{{- if and (.Values.rbac.pspEnabled) (semverCompare "<1.25-0" .Capabilities.KubeVersion.GitVersion) }}
22
apiVersion: policy/v1beta1
33
kind: PodSecurityPolicy
44
metadata:

config/helm/webhook-test-proxy/templates/psp.yaml

+1-1
@@ -1,4 +1,4 @@
1-
{{- if .Values.rbac.pspEnabled }}
1+
{{- if and (.Values.rbac.pspEnabled) (semverCompare "<1.25-0" .Capabilities.KubeVersion.GitVersion) }}
22
apiVersion: policy/v1beta1
33
kind: PodSecurityPolicy
44
metadata:

test/k8s-local-cluster-test/provision-cluster

+22-5
@@ -7,7 +7,12 @@ TEST_ID=$(uuidgen | cut -d'-' -f1 | tr '[:upper:]' '[:lower:]')
77
CLUSTER_NAME_BASE=$(uuidgen | cut -d'-' -f1 | tr '[:upper:]' '[:lower:]')
88
OVERRIDE_PATH=0
99
KIND_CONFIG_FILE=$SCRIPTPATH/kind-three-node-cluster.yaml
10+
use_psp=false
1011

12+
# shellcheck disable=SC2034
13+
K8_1_25="kindest/node:v1.25.3@sha256:f1de3b0670462f43280114eccceab8bf1b9576d2afe0582f8f74529da6fd0365"
14+
# shellcheck disable=SC2034
15+
K8_1_24="kindest/node:v1.24.7@sha256:5c015142d9b60a0f6c45573f809957076514e38ec973565e2b2fe828b91597f5"
1116
# shellcheck disable=SC2034
1217
K8_1_23="kindest/node:v1.23.5@sha256:1a72748086bc24ed6163de1d1e33cc0e2eb5a1eb5ebffdb15b53c3bcd5376a6f"
1318
# shellcheck disable=SC2034
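Review bot: `use_psp=false` as the initial value changes what a run without `-v` covers: `K8_VERSION` keeps its default of `$K8_1_20`, but the cluster is now provisioned without PodSecurityPolicy and the two PSP manifests are not applied, whereas before this change the default run exercised PSP. Initialise it to match the default version (`use_psp=true`) or, better, derive it after option parsing from the resolved version. Pinning the two new node images by digest is good; the `# shellcheck disable=SC2034` lines are justified because the variables are only reached through the indirect expansion `${!OPTARG}` further down.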
@@ -23,8 +28,8 @@ K8_1_18="kindest/node:v1.18.19@sha256:7af1492e19b3192a79f606e43c35fb741e520d195f
2328

2429
K8_VERSION="$K8_1_20"
2530
KUBECTL_VERSION=$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)
26-
KIND_VERSION="0.11.1"
27-
HELM_VERSION="3.7.1"
31+
KIND_VERSION="0.17.0"
32+
HELM_VERSION="3.10.0"
2833

2934
echoerr() { echo "$@" 1>&2; }
3035
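Review bot: `KIND_VERSION` moves from 0.11.1 to 0.17.0 while the 1.18 to 1.23 node image digests are unchanged; kind node images are published per kind release, so confirm every matrix entry is green with the new binary and that the pinned 1.24/1.25 digests are the ones published for 0.17.0. `KUBECTL_VERSION` is still resolved from `stable.txt` at run time, so that remains the one unpinned tool in this block.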

@@ -55,7 +60,12 @@ while getopts "b:i:v:k:o" opt; do
5560
echoerr "👉 Test Run: $TEST_ID 👈"
5661
;;
5762
v ) # K8s version to provision
58-
OPTARG="K8_`echo $OPTARG | sed 's/\./\_/g'`"
63+
maj_ver=`echo $OPTARG | cut -d '.' -f 1`
64+
min_ver=`echo $OPTARG | cut -d '.' -f 2`
65+
if [[ $maj_ver -eq 1 && $min_ver -lt 25 ]]; then
66+
use_psp=true
67+
fi
68+
OPTARG="K8_${maj_ver}_${min_ver}"
5969
if [ ! -z ${OPTARG+x} ]; then
6070
K8_VERSION=${!OPTARG}
6171
else
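Review bot: `use_psp` is only ever set inside the `v` branch, so a run that omits `-v` falls through with `use_psp=false` although the default version is 1.20; move the comparison after the `getopts` loop and compute it from the resolved version so the flag and the image always agree. The test `[[ $maj_ver -eq 1 && $min_ver -lt 25 ]]` also aborts with a bash arithmetic error for a non-numeric value such as `-v v1.24`, rather than reaching the script's own unknown-version handling; a `[[ $OPTARG =~ ^[0-9]+\.[0-9]+$ ]]` check before the `cut` calls would give a clear message. Pre-existing but now more visible: `if [ ! -z ${OPTARG+x} ]` is always true because `OPTARG` was just assigned; the intended check is whether `${!OPTARG}` resolves to a known image.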
@@ -124,12 +134,19 @@ fi
124134
# Disable spinners and color in kind output
125135
export TERM=dumb
126136
echoerr "🥑 Creating k8s cluster using \"kind\""
137+
if [[ "$use_psp" = false ]]; then
138+
no_psp_kind_config_file="${TMP_DIR}/`basename $KIND_CONFIG_FILE`"
139+
cat $KIND_CONFIG_FILE | sed 's/,PodSecurityPolicy//' > "${no_psp_kind_config_file}"
140+
KIND_CONFIG_FILE="${no_psp_kind_config_file}"
141+
fi
127142
retry 3 kind create cluster --name "$CLUSTER_NAME" --image $K8_VERSION --config "$KIND_CONFIG_FILE" --kubeconfig $TMP_DIR/kubeconfig 1>&2
128143

129144
echo "$CLUSTER_NAME" > "$TMP_DIR/clustername"
130145
echoerr "👍 Created k8s cluster using \"kind\""
131146

132-
kubectl apply -f "$SCRIPTPATH/psp-default.yaml" --context "kind-$CLUSTER_NAME" --kubeconfig "$TMP_DIR/kubeconfig" 1>&2
133-
kubectl apply -f "$SCRIPTPATH/psp-privileged.yaml" --context "kind-$CLUSTER_NAME" --kubeconfig "$TMP_DIR/kubeconfig" 1>&2
147+
if [[ "$use_psp" = true ]]; then
148+
kubectl apply -f "$SCRIPTPATH/psp-default.yaml" --context "kind-$CLUSTER_NAME" --kubeconfig "$TMP_DIR/kubeconfig" 1>&2
149+
kubectl apply -f "$SCRIPTPATH/psp-privileged.yaml" --context "kind-$CLUSTER_NAME" --kubeconfig "$TMP_DIR/kubeconfig" 1>&2
150+
fi
134151

135152
echo "$TMP_DIR"
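Review bot: `sed 's/,PodSecurityPolicy//'` assumes `PodSecurityPolicy` is never the first entry of the admission-plugin list in `kind-three-node-cluster.yaml`; if it is, there is no leading comma, nothing is removed, and kind on 1.25 fails with an unknown admission plugin. `sed -E 's/(,PodSecurityPolicy|PodSecurityPolicy,)//'` handles either position (if it is the only entry, the whole line has to go instead). Minor: `cat $KIND_CONFIG_FILE | sed ...` can be `sed ... "$KIND_CONFIG_FILE"`, and `basename $KIND_CONFIG_FILE` should be quoted like the other path expansions in this script. Guarding the two `kubectl apply` calls with the same `use_psp` switch keeps the config and the applied objects consistent, good.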

test/k8s-local-cluster-test/run-test

+1-1
@@ -136,7 +136,7 @@ USAGE=$(cat << 'EOM'
136136
-n Node Termination Handler Docker Image
137137
-d use GOPROXY=direct to bypass proxy.golang.org
138138
-o Override path w/ your own kubectl and kind binaries
139-
-v Kubernetes Version (Default: 1.20) [1.18, 1.19, 1.20, 1.21, 1.22, and 1.23]
139+
-v Kubernetes Version (Default: 1.20) [1.18, 1.19, 1.20, 1.21, 1.22, 1.23, 1.24, and 1.25]
140140
-w Webhook Docker Image
141141
142142
EOM
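Review bot: the usage text now lists 1.24 and 1.25 but keeps `Default: 1.20`; since `provision-cluster` no longer enables or applies PodSecurityPolicy from 1.25 on, a short note here that 1.25 runs without PSP would tell whoever picks `-v` that the two versions exercise different admission setups.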
