@ihcsim
Last active June 19, 2019 17:18
# control plane
# `linkerd install` renders the control-plane manifests to stdout; hand them to
# kubectl directly instead of going through a pipe.
k apply -f <(linkerd install)
## data plane psp
# PodSecurityPolicy for meshed (non-CNI) workloads. Everything is dropped by
# default; NET_ADMIN/NET_RAW/NET_BIND_SERVICE are re-allowed, presumably for the
# injected proxy-init container's iptables setup — confirm before tightening.
# runAsUser is RunAsAny (root allowed); review against MustRunAsNonRoot once the
# init-container requirement is confirmed.
# Note: policy/v1beta1 PodSecurityPolicy was removed in Kubernetes 1.25.
# Quoted delimiter: the manifest is passed through without shell expansion.
k apply -f - <<'EOF'
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: linkerd-data-plane
spec:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  allowedCapabilities:
    - NET_ADMIN
    - NET_RAW
    - NET_BIND_SERVICE
  requiredDropCapabilities:
    - ALL
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 10001
        max: 65535
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 10001
        max: 65535
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
EOF
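## emojivoto
# curl flags: -f fails on an HTTP error instead of piping an error page into
# inject/apply, -sS hides the progress bar but keeps error output, -L follows
# redirects. The manifest is fetched and applied unreviewed — acceptable for a
# demo, pin/review it for anything else.
curl -fsSL https://run.linkerd.io/emojivoto.yml | bin/linkerd inject - | k apply -f - # this should fail until the psp rbac is configured
# Role granting `use` on the data-plane PSP inside the emojivoto namespace
# (created by the manifest above). Quoted delimiter: no shell expansion.
k apply -f - <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: emojivoto-psp
  namespace: emojivoto
rules:
  - apiGroups:
      - policy
      - extensions
    resources:
      - podsecuritypolicies
    resourceNames:
      - linkerd-data-plane
    verbs:
      - use
EOF
# Bind the role to every service account the emojivoto pods run as.
k -n emojivoto create rolebinding emojivoto-psp \
  --serviceaccount=emojivoto:emoji \
  --serviceaccount=emojivoto:voting \
  --serviceaccount=emojivoto:web \
  --serviceaccount=emojivoto:default \
  --role=emojivoto-psp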
# nodes should run Ubuntu, as COS uses read-only root filesystem
# Install the CNI plugin first; the binary directory is the node path the author
# uses (looks GKE-specific — adjust for other node images).
k apply -f <(linkerd install-cni --dest-cni-bin-dir=/home/kubernetes/bin)
# control plane
# Control plane configured to rely on the CNI plugin for traffic redirection.
k apply -f <(linkerd install --linkerd-cni-enabled)
# data plane
# PodSecurityPolicy for the CNI-enabled mesh. Unlike the non-CNI variant there is
# no allowedCapabilities list: all capabilities are dropped, presumably because
# the iptables setup is done by the CNI plugin rather than an injected
# init container — confirm. runAsUser stays RunAsAny (root allowed).
# Note: policy/v1beta1 PodSecurityPolicy was removed in Kubernetes 1.25.
k apply -f - <<'EOF'
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: linkerd-data-plane
spec:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  requiredDropCapabilities:
    - ALL
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 10001
        max: 65535
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 10001
        max: 65535
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
EOF
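# emojivoto
# curl flags: -f fails on an HTTP error instead of piping an error page into
# inject/apply, -sS hides the progress bar but keeps error output, -L follows
# redirects. The manifest is fetched and applied unreviewed — acceptable for a
# demo, pin/review it for anything else.
curl -fsSL https://run.linkerd.io/emojivoto.yml | bin/linkerd inject - | k apply -f - # this should fail until psp rbac is configured
# Role granting `use` on the data-plane PSP inside the emojivoto namespace
# (created by the manifest above). Quoted delimiter: no shell expansion.
k apply -f - <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: emojivoto-psp
  namespace: emojivoto
rules:
  - apiGroups:
      - policy
      - extensions
    resources:
      - podsecuritypolicies
    resourceNames:
      - linkerd-data-plane
    verbs:
      - use
EOF
# Bind the role to every service account the emojivoto pods run as.
k -n emojivoto create rolebinding emojivoto-psp \
  --serviceaccount=emojivoto:emoji \
  --serviceaccount=emojivoto:web \
  --serviceaccount=emojivoto:default \
  --serviceaccount=emojivoto:voting \
  --role=emojivoto-psp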
## data plane psp
# Same non-CNI data-plane PodSecurityPolicy as in the first section: drop all
# capabilities, re-allow NET_ADMIN/NET_RAW/NET_BIND_SERVICE (presumably for the
# injected proxy-init's iptables rules — confirm), force a read-only root
# filesystem and forbid privilege escalation; root is still permitted via
# runAsUser RunAsAny. policy/v1beta1 PSP was removed in Kubernetes 1.25.
k apply -f - <<'EOF'
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: linkerd-data-plane
spec:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  allowedCapabilities:
    - NET_ADMIN
    - NET_RAW
    - NET_BIND_SERVICE
  requiredDropCapabilities:
    - ALL
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 10001
        max: 65535
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 10001
        max: 65535
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
EOF
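# Role letting a service account use the data-plane PSP. No namespace is set,
# so it lands in the current kubeconfig context's namespace (assumed: default,
# matching the default:default binding below). Quoted delimiter: no expansion.
k apply -f - <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: default-psp
rules:
  - apiGroups:
      - policy
      - extensions
    resources:
      - podsecuritypolicies
    resourceNames:
      - linkerd-data-plane
    verbs:
      - use
EOF
# kubectl's flag is --serviceaccount (as used for the emojivoto bindings);
# --service-account is rejected as an unknown flag.
k create rolebinding default-psp --serviceaccount=default:default --role=default-psp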
# Test workload, meshed via the inject annotation. Its container drops ALL
# capabilities and re-adds only NET_BIND_SERVICE so nginx can listen on port 80.
# NOTE(review): the linkerd-data-plane PSP requires a read-only root filesystem;
# nginx writes to /var/cache/nginx and /var/run at startup — confirm the pod
# starts, or mount emptyDir volumes at those paths.
k apply -f - <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
      annotations:
        linkerd.io/inject: "enabled"
    spec:
      containers:
        - name: nginx
          # TODO: pin to an explicit tag or @sha256 digest rather than the floating default tag
          image: nginx
          ports:
            - name: http
              containerPort: 80
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
EOF