Chu Peng 楚鹏 / minikube (fork, in sync with the fork source)
Unverified
Commit d8106f7d
Authored on Jul 07, 2020 by Medya Ghazizadeh
Committed by GitHub on Jul 07, 2020
Merge pull request #8454 from colvin/addon-podsecuritypolicies
Include a podsecuritypolicies addon
Parents: 5e9bb011, 08ee21fd
Changes: 4
Showing 4 changed files with 185 additions and 4 deletions (+185 -4)
deploy/addons/pod-security-policy/pod-security-policy.yaml.tmpl +132 -0
pkg/addons/config.go +5 -0
pkg/minikube/assets/addons.go +8 -0
site/content/en/docs/tutorials/using_psp.md +40 -4
deploy/addons/pod-security-policy/pod-security-policy.yaml.tmpl (new file, mode 0 → 100644)
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: privileged
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
labels:
addonmanager.kubernetes.io/mode: EnsureExists
spec:
privileged: true
allowPrivilegeEscalation: true
allowedCapabilities:
- "*"
volumes:
- "*"
hostNetwork: true
hostPorts:
- min: 0
max: 65535
hostIPC: true
hostPID: true
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: restricted
labels:
addonmanager.kubernetes.io/mode: EnsureExists
spec:
privileged: false
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
- 'persistentVolumeClaim'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
readOnlyRootFilesystem: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: psp:privileged
labels:
addonmanager.kubernetes.io/mode: EnsureExists
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- privileged
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: psp:restricted
labels:
addonmanager.kubernetes.io/mode: EnsureExists
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- restricted
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: default:restricted
labels:
addonmanager.kubernetes.io/mode: EnsureExists
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: psp:restricted
subjects:
- kind: Group
name: system:authenticated
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: default:privileged
namespace: kube-system
labels:
addonmanager.kubernetes.io/mode: EnsureExists
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: psp:privileged
subjects:
- kind: Group
name: system:masters
apiGroup: rbac.authorization.k8s.io
- kind: Group
name: system:nodes
apiGroup: rbac.authorization.k8s.io
- kind: Group
name: system:serviceaccounts:kube-system
apiGroup: rbac.authorization.k8s.io
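Review bot: the `restricted` policy carries no seccomp or AppArmor annotations, while `privileged` explicitly allows any seccomp profile through `seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"`; pods admitted under `restricted` therefore run with whatever seccomp profile the runtime applies by default rather than one the policy enforces. Consider adding `seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default` (and a matching `allowedProfileNames`) to `restricted`. The bindings also deserve a comment explaining the asymmetry: `default:restricted` is a ClusterRoleBinding to `system:authenticated`, so every authenticated subject, service accounts included, may use `restricted` in any namespace, whereas `default:privileged` is a RoleBinding scoped to `kube-system`, so `system:masters`, `system:nodes` and `system:serviceaccounts:kube-system` may use `privileged` only for pods in that namespace. That is the intended design, but a reader of the file cannot tell it was deliberate.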
pkg/addons/config.go
...
...
@@ -156,4 +156,9 @@ var Addons = []*Addon{
set
:
SetBool
,
callbacks
:
[]
setFn
{
enableOrDisableAddon
},
},
{
name
:
"pod-security-policy"
,
set
:
SetBool
,
callbacks
:
[]
setFn
{
enableOrDisableAddon
},
},
}
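Review bot: the new entry wires `pod-security-policy` through `enableOrDisableAddon` exactly like its neighbour, but nothing here guards against the failure mode the tutorial in this same commit describes: enabling the `PodSecurityPolicy` admission plugin without this addon leaves the cluster unable to bootstrap. Consider a callback, or a check during start-up, that warns when `apiserver.enable-admission-plugins` contains `PodSecurityPolicy` and this addon is disabled, so the combination fails loudly instead of during bootstrap.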
pkg/minikube/assets/addons.go
...
...
@@ -81,6 +81,14 @@ var Addons = map[string]*Addon{
"0640"
,
false
),
},
true
,
"default-storageclass"
),
"pod-security-policy"
:
NewAddon
([]
*
BinAsset
{
MustBinAsset
(
"deploy/addons/pod-security-policy/pod-security-policy.yaml.tmpl"
,
vmpath
.
GuestAddonsDir
,
"pod-security-policy.yaml"
,
"0640"
,
false
),
},
false
,
"pod-security-policy"
),
"storage-provisioner"
:
NewAddon
([]
*
BinAsset
{
MustBinAsset
(
"deploy/addons/storage-provisioner/storage-provisioner.yaml.tmpl"
,
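Review bot: the boolean before the addon name is `false` here where `default-storageclass` passes `true`, so the addon is off by default; that is the right default, since the YAML it installs only has effect once the admission plugin is on, but a one-line comment above the entry saying it must be enabled together with `apiserver.enable-admission-plugins=PodSecurityPolicy` (as the tutorial in this commit states) would stop a future reader from flipping it. The asset is also registered under a `.yaml.tmpl` name although the file contains no template placeholders; if the suffix is kept only for consistency with `storage-provisioner.yaml.tmpl` and the other addons, say so in a comment.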
...
...
site/content/en/docs/tutorials/using_psp.md
...
...
@@ -13,18 +13,33 @@ This tutorial explains how to start minikube with Pod Security Policies (PSP) en
## Prerequisites
-
Minikube 1.
5.2
with Kubernetes 1.16.x or higher
-
Minikube 1.
11.1
with Kubernetes 1.16.x or higher
## Tutorial
Before starting minikube, you need to give it the PSP YAMLs in order to allow minikube to bootstrap.
Start minikube with the
`PodSecurityPolicy`
admission controller and the
`pod-security-policy`
addon enabled.
Create the directory:
`minikube start --extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy --addons=pod-security-policy`
The
`pod-security-policy`
addon must be enabled along with the admission
controller to prevent issues during bootstrap.
## Older versions of minikube
Older versions of minikube do not ship with the
`pod-security-policy`
addon, so
the policies that addon enables must be separately applied to the cluster.
## Minikube 1.5.2 through 1.6.2
Before starting minikube, you need to give it the PSP YAMLs in order to allow minikube to bootstrap.
Create the directory:
`mkdir -p ~/.minikube/files/etc/kubernetes/addons`
Copy the YAML below into this file:
`~/.minikube/files/etc/kubernetes/addons/psp.yaml`
Now start minikube:
Now start minikube:
`minikube start --extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy`
```yaml
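Review bot: the new `## Tutorial` section still reads "Before starting minikube, you need to give it the PSP YAMLs in order to allow minikube to bootstrap." and "Create the directory:" immediately before the `minikube start --extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy --addons=pod-security-policy` command; both sentences belong to the manual procedure (where "Create the directory:" precedes `mkdir -p ~/.minikube/files/etc/kubernetes/addons`) and no directory is created in the addon-based flow, so drop them from the Tutorial section. "Now start minikube:" appears twice in a row in the hunk; make sure only one copy survives. The prerequisite line now says Minikube 1.11.1 while the later section says versions less than 1.11.1 lack the addon; state explicitly which release first ships the addon so the two passages agree.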
...
...
@@ -161,3 +176,24 @@ subjects:
name: system:serviceaccounts:kube-system
apiGroup: rbac.authorization.k8s.io
```
### Minikube between 1.6.2 and 1.11.1
With minikube versions greater than 1.6.2 and less than 1.11.1, the YAML files
shown above will not be automatically applied to the cluster. You may have
errors during bootstrap of the cluster if the admission controller is enabled.
To use Pod Security Policies with these versions of minikube, first start a
cluster without the `PodSecurityPolicy` admission controller enabled.
Next, apply the YAML shown above to the cluster.
Finally, stop the cluster and then restart it with the admission controller
enabled.
```
minikube start
kubectl apply -f /path/to/psp.yaml
minikube stop
minikube start --extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy
```
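Review bot: `### Minikube between 1.6.2 and 1.11.1` is a level-3 heading under a level-2 sibling (`## Minikube 1.5.2 through 1.6.2`), and 1.6.2 is named in both ranges; make it `##` and phrase the bounds as the body does ("greater than 1.6.2 and less than 1.11.1"). The four-command sequence also needs one sentence on what the final restart changes: with `default:restricted` bound to `system:authenticated`, every pod created afterwards is admitted under `restricted` (non-root, no privilege escalation, a short list of volume types), so workloads that need root or host access must be given their own binding to `psp:privileged`. `/path/to/psp.yaml` should also be identified as the file holding the YAML shown above rather than left as a bare placeholder.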