ファイル: utils.py プロジェクト: johnsca/metallb-bundle
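def create_pod_security_policy_with_api(namespace):
    """Create the hardened ``controller`` PodSecurityPolicy through the K8s API.

    The policy is deliberately restrictive: no privilege escalation, no host
    IPC/network/PID namespaces, no privileged containers, every capability
    dropped, read-only root filesystem, non-root UID / fsGroup / supplemental
    group ranges (1-65535) and only ``configMap``/``secret``/``emptyDir``
    volumes. SELinux is left at ``RunAsAny`` and no ``runAsGroup`` rule is
    set, so the primary GID is not constrained by this policy.

    Args:
        namespace: Written into the object's metadata. PodSecurityPolicies
            are cluster-scoped, so the API server does not scope the policy
            by it; the parameter is kept for existing callers.

    Returns:
        True when the policy was created, or when it already exists
        (HTTP 409). False on any other API error; that error is logged
        with its traceback.

    Note:
        On 409 the existing ``controller`` policy is *not* compared against
        the spec built here. If it has been loosened out of band this
        function still reports success -- diff/reconcile it separately if
        policy drift matters to you.
    """
    # Using the API because of LP:1886694
    logging.info('Creating pod security policy with K8s API')
    _load_kube_config()

    def _nonroot_range():
        # Fresh list per strategy so the three strategies don't alias one object.
        return [client.PolicyV1beta1IDRange(max=65535, min=1)]

    metadata = client.V1ObjectMeta(
        namespace=namespace,
        name='controller',
        labels={'app': 'metallb'}
    )
    policy_spec = client.PolicyV1beta1PodSecurityPolicySpec(
        allow_privilege_escalation=False,
        default_allow_privilege_escalation=False,
        fs_group=client.PolicyV1beta1FSGroupStrategyOptions(
            ranges=_nonroot_range(),
            rule='MustRunAs'
        ),
        host_ipc=False,
        host_network=False,
        host_pid=False,
        privileged=False,
        read_only_root_filesystem=True,
        required_drop_capabilities=['ALL'],
        run_as_user=client.PolicyV1beta1RunAsUserStrategyOptions(
            ranges=_nonroot_range(),
            rule='MustRunAs'
        ),
        se_linux=client.PolicyV1beta1SELinuxStrategyOptions(
            rule='RunAsAny',
        ),
        supplemental_groups=client.PolicyV1beta1SupplementalGroupsStrategyOptions(
            ranges=_nonroot_range(),
            rule='MustRunAs'
        ),
        volumes=['configMap', 'secret', 'emptyDir'],
    )

    body = client.PolicyV1beta1PodSecurityPolicy(
        api_version='policy/v1beta1',
        kind='PodSecurityPolicy',
        metadata=metadata,
        spec=policy_spec,
    )

    with client.ApiClient() as api_client:
        api_instance = client.PolicyV1beta1Api(api_client)
        try:
            api_instance.create_pod_security_policy(body, pretty=True)
        except ApiException as err:
            if err.status == 409:
                # AlreadyExists is the expected outcome on re-runs; log it
                # quietly instead of dumping a traceback for a non-error.
                logging.info('Pod security policy %s already exists; '
                             'leaving it unchanged', metadata.name)
                return True
            logging.exception("Exception when calling PolicyV1beta1Api"
                              "->create_pod_security_policy.")
            return False
        return True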
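    def generate_psp(self, user):
        """Create the per-tool PodSecurityPolicy ``tool-<user.name>-psp``.

        The policy pins every UID/GID strategy (runAsUser, runAsGroup,
        fsGroup) to exactly ``int(user.id)`` and forbids privilege
        escalation, privileged containers, host namespaces and all
        capabilities; seccomp is fixed to ``runtime/default`` through the
        (alpha) annotations. It does allow ``hostPath`` volumes, including
        writable ``/var/lib/sss/pipes``, ``/data/project`` and
        ``/data/scratch``, so tenant isolation on those paths rests entirely
        on the enforced UID -- which is why a non-positive ``user.id`` is
        rejected before anything is sent to the API server.

        Args:
            user: Object with ``name`` (str) and ``id`` (int or int-like
                string); ``id`` must be >= 1.

        Raises:
            ValueError: if ``user.id`` is not a positive integer (a 0 range
                would let the tool's pods run as root on the host paths).
            ApiException: re-raised for any API error other than
                409 AlreadyExists, which is logged and treated as success.

        Returns:
            None. Existing policies are left unchanged, not reconciled.
        """
        uid = int(user.id)
        if uid < 1:
            raise ValueError(
                "refusing to generate a PodSecurityPolicy pinned to uid %d "
                "for %s: uid must be >= 1" % (uid, user.name))

        def _only_uid():
            # MustRunAs with min == max pins the pod to exactly this id.
            return [client.PolicyV1beta1IDRange(max=uid, min=uid)]

        policy = client.PolicyV1beta1PodSecurityPolicy(
            api_version="policy/v1beta1",
            kind="PodSecurityPolicy",
            metadata=client.V1ObjectMeta(
                name="tool-{}-psp".format(user.name),
                annotations={
                    "seccomp.security.alpha.kubernetes.io/allowedProfileNames":
                    "runtime/default",  # noqa: E501
                    "seccomp.security.alpha.kubernetes.io/defaultProfileName":
                    "runtime/default",  # noqa: E501
                },
            ),
            spec=client.PolicyV1beta1PodSecurityPolicySpec(
                allow_privilege_escalation=False,
                fs_group=client.PolicyV1beta1FSGroupStrategyOptions(
                    rule="MustRunAs",
                    ranges=_only_uid(),
                ),
                host_ipc=False,
                host_network=False,
                host_pid=False,
                privileged=False,
                required_drop_capabilities=["ALL"],
                read_only_root_filesystem=False,
                run_as_user=client.PolicyV1beta1RunAsUserStrategyOptions(
                    rule="MustRunAs",
                    ranges=_only_uid(),
                ),
                se_linux=client.PolicyV1beta1SELinuxStrategyOptions(
                    rule="RunAsAny"),
                run_as_group=client.PolicyV1beta1RunAsGroupStrategyOptions(
                    rule="MustRunAs",
                    ranges=_only_uid(),
                ),
                # Supplemental groups are intentionally broad (any non-root GID).
                supplemental_groups=client.
                PolicyV1beta1SupplementalGroupsStrategyOptions(  # noqa: E501
                    rule="MustRunAs",
                    ranges=[client.PolicyV1beta1IDRange(min=1, max=65535)],
                ),
                volumes=[
                    "configMap",
                    "downwardAPI",
                    "emptyDir",
                    "projected",
                    "secret",
                    "hostPath",
                    "persistentVolumeClaim",
                ],
                # pathPrefix matching is per path segment, so "/data/project"
                # does not admit "/data/projectX". read_only=True entries
                # additionally require the pod's volumeMount to be readOnly.
                allowed_host_paths=[
                    client.PolicyV1beta1AllowedHostPath(
                        path_prefix="/var/lib/sss/pipes", read_only=False),
                    client.PolicyV1beta1AllowedHostPath(
                        path_prefix="/data/project", read_only=False),
                    client.PolicyV1beta1AllowedHostPath(
                        path_prefix="/data/scratch", read_only=False),
                    client.PolicyV1beta1AllowedHostPath(
                        path_prefix="/public/dumps", read_only=True),
                    client.PolicyV1beta1AllowedHostPath(path_prefix="/mnt/nfs",
                                                        read_only=True),
                    client.PolicyV1beta1AllowedHostPath(
                        path_prefix="/etc/wmcs-project", read_only=True),
                    client.PolicyV1beta1AllowedHostPath(
                        path_prefix="/etc/ldap.yaml", read_only=True),
                    client.PolicyV1beta1AllowedHostPath(
                        path_prefix="/etc/novaobserver.yaml", read_only=True),
                    client.PolicyV1beta1AllowedHostPath(
                        path_prefix="/etc/ldap.conf", read_only=True),
                ],
            ),
        )
        try:
            _ = self.policy.create_pod_security_policy(policy)
        except ApiException as api_ex:
            # ApiException.body is None when no HTTP response was attached;
            # guard so the membership test can't raise TypeError and mask
            # the original error.
            if api_ex.status == 409 and "AlreadyExists" in (api_ex.body or ""):
                logging.info("PodSecurityPolicy tool-%s-psp already exists",
                             user.name)
                return

            logging.error("Could not create podsecuritypolicy for %s",
                          user.name)
            raise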