From 1e7cad05d0603d381dab4920a1ad63b94d7f48bf Mon Sep 17 00:00:00 2001 From: alexarefev <39635005+alexarefev@users.noreply.github.com> Date: Tue, 5 Apr 2022 13:21:56 +0300 Subject: [PATCH] [MANOPD-74997] PSS labels fix (#137) * MANOPD-74997 managing procedure fix * MANOPD-74997 check consistence for PSS and PSP procedure --- kubemarine/admission.py | 49 +++++++++++++++-------------- kubemarine/procedures/manage_psp.py | 1 + kubemarine/procedures/manage_pss.py | 1 + 3 files changed, 27 insertions(+), 24 deletions(-) diff --git a/kubemarine/admission.py b/kubemarine/admission.py index feaf558dc..26ea2af55 100644 --- a/kubemarine/admission.py +++ b/kubemarine/admission.py @@ -611,7 +611,7 @@ def manage_pss_enrichment(inventory, cluster): procedure_config = cluster.procedure_inventory["pss"] current_config = cluster.inventory["rbac"]["pss"] minor_version = int(cluster.inventory["services"]["kubeadm"]["kubernetesVersion"].split('.')[1]) - + if is_security_enabled(inventory) and procedure_config["pod-security"] == "enabled": # check the difference between current and procedure config diff = 0 @@ -623,7 +623,7 @@ def manage_pss_enrichment(inventory, cluster): for mode in procedure_config["exemptions"]: if procedure_config["exemptions"][mode] != current_config["exemptions"][mode]: diff += 1 - if diff == 0: + if diff == 0 and not procedure_config.get("namespaces", False): raise Exception("Procedure configuration error. Please specify what you going to change explicitly.") if not is_security_enabled(inventory) and procedure_config["pod-security"] == "disabled": @@ -648,11 +648,6 @@ def manage_pss_enrichment(inventory, cluster): for namespace in procedure_config["namespaces"]: for item in procedure_config["namespaces"][namespace]: if item.endswith("version"): - #mode = re.split('-',item)[0] - #if mode in procedure_config["defaults"]: - # profile = procedure_config["defaults"][mode] - #else: - # profile = current_config["defaults"][mode] verify_version(item, procedure_config["namespaces"][namespace][item], minor_version) else: verify_parameter(item, procedure_config["namespaces"][namespace][item], valid_profiles) @@ -892,37 +887,37 @@ def label_namespace_pss(cluster, manage_type): for plugin in cluster.inventory["plugins"]: is_install = cluster.inventory["plugins"][plugin].get("install") # set/delete label 'pod-security.kubernetes.io/enforce: privileged' for local provisioner and ingress namespaces - if is_install == True and plugin in privileged_plugins.keys() and profile != "privileged": - if manage_type in ["apply", "install"]: + if manage_type in ["apply", "install"]: + if is_install and plugin in privileged_plugins.keys() and profile != "privileged": cluster.log.debug("Set PSS labels on namespace %s" % privileged_plugins[plugin]) for mode in valid_modes: first_master.sudo("kubectl label ns %s pod-security.kubernetes.io/%s=%s --overwrite" % (privileged_plugins[plugin], mode, "privileged")) first_master.sudo("kubectl label ns %s pod-security.kubernetes.io/%s-version=%s --overwrite" % (privileged_plugins[plugin], mode, "latest")) - elif manage_type == "delete": - cluster.log.debug("Delete PSS labels from namespace %s" % privileged_plugins[plugin]) - for mode in valid_modes: - first_master.sudo("kubectl label ns %s pod-security.kubernetes.io/%s-" - % (privileged_plugins[plugin], mode)) - first_master.sudo("kubectl label ns %s pod-security.kubernetes.io/%s-version-" - % (privileged_plugins[plugin], mode)) - # set/delete label 'pod-security.kubernetes.io/enforce: baseline' for kubernetes dashboard - elif is_install == True and plugin in baseline_plugins.keys() and profile == "restricted": - if manage_type in ["apply", "install"]: + # set/delete label 'pod-security.kubernetes.io/enforce: baseline' for kubernetes dashboard + elif is_install and plugin in baseline_plugins.keys() and profile == "restricted": cluster.log.debug("Set PSS labels on namespace %s" % baseline_plugins[plugin]) for mode in valid_modes: first_master.sudo("kubectl label ns %s pod-security.kubernetes.io/%s=%s --overwrite" % (baseline_plugins[plugin], mode, "baseline")) first_master.sudo("kubectl label ns %s pod-security.kubernetes.io/%s-version=%s --overwrite" % (baseline_plugins[plugin], mode, "latest")) - elif manage_type == "delete": + elif manage_type == "delete": + if is_install and plugin in privileged_plugins.keys(): + cluster.log.debug("Delete PSS labels from namespace %s" % privileged_plugins[plugin]) + for mode in valid_modes: + first_master.sudo("kubectl label ns %s pod-security.kubernetes.io/%s- || true" + % (privileged_plugins[plugin], mode)) + first_master.sudo("kubectl label ns %s pod-security.kubernetes.io/%s-version- || true" + % (privileged_plugins[plugin], mode)) + elif is_install and plugin in baseline_plugins.keys(): cluster.log.debug("Delete PSS labels from namespace %s" % baseline_plugins[plugin]) for mode in valid_modes: - first_master.sudo("kubectl label ns %s pod-security.kubernetes.io/%s-" - % (baseline_plugins[plugin], mode)) - first_master.sudo("kubectl label ns %s pod-security.kubernetes.io/%s-version-" - % (baseline_plugins[plugin], mode)) + first_master.sudo("kubectl label ns %s pod-security.kubernetes.io/%s- || true" + % (baseline_plugins[plugin], mode)) + first_master.sudo("kubectl label ns %s pod-security.kubernetes.io/%s-version- || true" + % (baseline_plugins[plugin], mode)) procedure_config = cluster.procedure_inventory["pss"] namespaces = procedure_config.get("namespaces") @@ -939,3 +934,9 @@ def label_namespace_pss(cluster, manage_type): for mode in namespaces[namespace]: first_master.sudo("kubectl label ns %s pod-security.kubernetes.io/%s-" % (namespace, mode)) + +def check_inventory(cluster): + # check if 'admission' option in cluster.yaml and procedure.yaml are inconsistent + if cluster.context.get('initial_procedure') == 'manage_pss' and cluster.inventory["rbac"]["admission"] != "pss" or \ + cluster.context.get('initial_procedure') == 'manage_psp' and cluster.inventory["rbac"]["admission"] != "psp": + raise Exception("Procedure config and cluster config are inconsistent. Please check 'admission' option") diff --git a/kubemarine/procedures/manage_psp.py b/kubemarine/procedures/manage_psp.py index 05454c1fd..21d80859d 100755 --- a/kubemarine/procedures/manage_psp.py +++ b/kubemarine/procedures/manage_psp.py @@ -20,6 +20,7 @@ from kubemarine.core import flow tasks = OrderedDict({ + "check_inventory": admission.check_inventory, "delete_custom": admission.delete_custom_task, "add_custom": admission.add_custom_task, "reconfigure_oob": admission.reconfigure_oob_task, diff --git a/kubemarine/procedures/manage_pss.py b/kubemarine/procedures/manage_pss.py index e2384f7e0..fc6c3c959 100755 --- a/kubemarine/procedures/manage_pss.py +++ b/kubemarine/procedures/manage_pss.py @@ -20,6 +20,7 @@ from kubemarine.core import flow tasks = OrderedDict({ + "check_inventory": admission.check_inventory, "delete_default_pss": admission.delete_default_pss, "apply_default_pss": admission.apply_default_pss, "restart_pods": admission.restart_pods_task