v2.0.8-rc2

分支 (545)

标签 (1936)

管理

管理

master

main

release/v2.9

fix/v2.9/42823

release/v2.8

release/v2.7

fix/42823

v2.9.2-hotfix-tigeraoperator-conflict

v2.8.9-hotfix-test-cve-monitoring

v2.7.16-hotfix-test-cve-monitoring

v2.8-define-artifacts-to-upload

v2.9.2-hotfix-metrics-downstream-network

v2.9.2-hotfix-downstream-caches-reduction

v2.8-self-hosted-runners

v2.9.2-hotfix-transport-leak

v2.8.5-hotfix-tigeraoperator-conflict

markus/temp-remove-rsa

fix/42788-v2.9

fix/42788

backport-userretention-to-v2.8

v2.9.3-alpha4

v2.10.0-alpha2

v2.8.9-alpha9

v2.9.2-hotfix-ch-2-efe7cd186

v2.10.0-alpha1

v2.7.16-alpha3

v2.7.16-alpha4

v2.8.9-alpha8

v2.8.9-alpha7

v2.9.3-alpha3

v2.9.3-alpha2

v2.9.3-alpha1

v2.8.9-alpha6

v2.8.9-alpha5

v2.8.9-alpha4

v2.8.9-alpha3

v2.8.9-alpha2

v2.8.9-alpha1

v2.9.2-hotfix-ch-1-77f48fb9f

v2.9.2-hotfix-ch-2-3778e74e6

rancher
/
app
/
podsecuritypolicytemplate_data.go

package app

import (
	"fmt"

	"github.com/rancher/types/apis/management.cattle.io/v3"
	"github.com/rancher/types/config"
	"k8s.io/api/core/v1"
	"k8s.io/api/extensions/v1beta1"
	"k8s.io/apimachinery/pkg/api/errors"
	v12 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

const runAsAny = "RunAsAny"
const mustRunAs = "MustRunAs"

func addDefaultPodSecurityPolicyTemplates(management *config.ManagementContext) error {
	pspts := management.Management.PodSecurityPolicyTemplates("")
	policies := []*v3.PodSecurityPolicyTemplate{
		{
			ObjectMeta: v12.ObjectMeta{
				Name: "unrestricted",
			},
			Spec: v1beta1.PodSecurityPolicySpec{
				Privileged:               true,
				AllowPrivilegeEscalation: toBoolPtr(true),
				AllowedCapabilities: []v1.Capability{
					"*",
				},
				Volumes: []v1beta1.FSType{
					"*",
				},
				HostNetwork: true,
				HostPorts: []v1beta1.HostPortRange{
					{Min: 0, Max: 65535},
				},
				HostIPC: true,
				HostPID: true,
				RunAsUser: v1beta1.RunAsUserStrategyOptions{
					Rule: runAsAny,
				},
				SELinux: v1beta1.SELinuxStrategyOptions{
					Rule: runAsAny,
				},
				SupplementalGroups: v1beta1.SupplementalGroupsStrategyOptions{
					Rule: runAsAny,
				},
				FSGroup: v1beta1.FSGroupStrategyOptions{
					Rule: runAsAny,
				},
			},
			Description: "This is the default unrestricted Pod Security Policy Template.  It is the most permissive " +
				"Pod Security Policy that can be created in Kubernetes and is equivalent to running Kubernetes " +
				"without Pod Security Policies enabled.",
		},
		{
			ObjectMeta: v12.ObjectMeta{
				Name: "restricted",
			},
			Spec: v1beta1.PodSecurityPolicySpec{
				Privileged:               false,
				AllowPrivilegeEscalation: toBoolPtr(false),
				RequiredDropCapabilities: []v1.Capability{
					"ALL",
				},
				Volumes: []v1beta1.FSType{
					"configMap",
					"emptyDir",
					"projected",
					"secret",
					"downwardAPI",
					"persistentVolumeClaim",
				},
				HostNetwork: false,
				HostIPC:     false,
				HostPID:     false,
				RunAsUser: v1beta1.RunAsUserStrategyOptions{
					Rule: runAsAny,
				},
				SELinux: v1beta1.SELinuxStrategyOptions{
					Rule: runAsAny,
				},
				SupplementalGroups: v1beta1.SupplementalGroupsStrategyOptions{
					Rule: mustRunAs,
					Ranges: []v1beta1.IDRange{
						{Min: 1, Max: 65535},
					},
				},
				FSGroup: v1beta1.FSGroupStrategyOptions{
					Rule: mustRunAs,
					Ranges: []v1beta1.IDRange{
						{Min: 1, Max: 65535},
					},
				},
				ReadOnlyRootFilesystem: false,
			},
			Description: "This is the default restricted Pod Security Policy Template.  It restricts many user " +
				"actions and does not allow privilege escalation.",
		},
	}
	for _, policy := range policies {
		_, err := pspts.Create(policy)
		if err != nil && !errors.IsAlreadyExists(err) {
			return fmt.Errorf("error creating default pspt: %v", err)
		}
	}

	return nil
}

func toBoolPtr(boolean bool) *bool {
	return &boolean
}