Last active
June 19, 2019 17:18
-
-
Save ihcsim/d94f4cda94c1cce1662e12a68499c400 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # control plane | |
| linkerd install | k apply -f - | |
| ## data plane psp | |
| cat <<EOF|k apply -f - | |
| apiVersion: policy/v1beta1 | |
| kind: PodSecurityPolicy | |
| metadata: | |
| name: linkerd-data-plane | |
| spec: | |
| allowPrivilegeEscalation: false | |
| fsGroup: | |
| ranges: | |
| - max: 65535 | |
| min: 10001 | |
| rule: MustRunAs | |
| readOnlyRootFilesystem: true | |
| allowedCapabilities: | |
| - NET_ADMIN | |
| - NET_RAW | |
| - NET_BIND_SERVICE | |
| requiredDropCapabilities: | |
| - ALL | |
| runAsUser: | |
| rule: RunAsAny | |
| seLinux: | |
| rule: RunAsAny | |
| supplementalGroups: | |
| ranges: | |
| - max: 65535 | |
| min: 10001 | |
| rule: MustRunAs | |
| volumes: | |
| - configMap | |
| - emptyDir | |
| - projected | |
| - secret | |
| - downwardAPI | |
| - persistentVolumeClaim | |
| EOF | |
| ## emojivoto | |
| curl https://run.linkerd.io/emojivoto.yml | bin/linkerd inject - | k apply -f - # this should fail until the psp rbac is configured | |
| cat <<EOF|k apply -f - | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: Role | |
| metadata: | |
| name: emojivoto-psp | |
| namespace: emojivoto | |
| rules: | |
| - apiGroups: ['policy','extensions'] | |
| resources: ['podsecuritypolicies'] | |
| verbs: ['use'] | |
| resourceNames: ['linkerd-data-plane'] | |
| EOF | |
| k -n emojivoto create rolebinding emojivoto-psp --serviceaccount=emojivoto:emoji --serviceaccount=emojivoto:voting --serviceaccount=emojivoto:web --serviceaccount=emojivoto:default --role=emojivoto-psp |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # nodes should run Ubuntu, as COS uses read-only root filesystem | |
| linkerd install-cni --dest-cni-bin-dir=/home/kubernetes/bin|k apply -f - | |
| # control plane | |
| linkerd install --linkerd-cni-enabled|k apply -f - | |
| # data plane | |
| cat <<EOF|k apply -f - | |
| apiVersion: policy/v1beta1 | |
| kind: PodSecurityPolicy | |
| metadata: | |
| name: linkerd-data-plane | |
| spec: | |
| allowPrivilegeEscalation: false | |
| fsGroup: | |
| ranges: | |
| - max: 65535 | |
| min: 10001 | |
| rule: MustRunAs | |
| readOnlyRootFilesystem: true | |
| requiredDropCapabilities: | |
| - ALL | |
| runAsUser: | |
| rule: RunAsAny | |
| seLinux: | |
| rule: RunAsAny | |
| supplementalGroups: | |
| ranges: | |
| - max: 65535 | |
| min: 10001 | |
| rule: MustRunAs | |
| volumes: | |
| - configMap | |
| - emptyDir | |
| - projected | |
| - secret | |
| - downwardAPI | |
| - persistentVolumeClaim | |
| EOF | |
| # emojivoto | |
| curl https://run.linkerd.io/emojivoto.yml | bin/linkerd inject - | k apply -f - # this should fail until psp rbac is configured | |
| cat <<EOF|k apply -f - | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: Role | |
| metadata: | |
| name: emojivoto-psp | |
| namespace: emojivoto | |
| rules: | |
| - apiGroups: ["policy", "extensions"] | |
| resources: ["podsecuritypolicies"] | |
| resourceNames: ["linkerd-data-plane"] | |
| verbs: ["use"] | |
| EOF | |
| k -n emojivoto create rolebinding emojivoto-psp --serviceaccount=emojivoto:emoji --serviceaccount=emojivoto:web --serviceaccount=emojivoto:default --serviceaccount=emojivoto:voting --role=emojivoto-psp |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## data plane psp | |
| cat <<EOF|k apply -f - | |
| apiVersion: policy/v1beta1 | |
| kind: PodSecurityPolicy | |
| metadata: | |
| name: linkerd-data-plane | |
| spec: | |
| allowPrivilegeEscalation: false | |
| fsGroup: | |
| ranges: | |
| - max: 65535 | |
| min: 10001 | |
| rule: MustRunAs | |
| readOnlyRootFilesystem: true | |
| allowedCapabilities: | |
| - NET_ADMIN | |
| - NET_RAW | |
| - NET_BIND_SERVICE | |
| requiredDropCapabilities: | |
| - ALL | |
| runAsUser: | |
| rule: RunAsAny | |
| seLinux: | |
| rule: RunAsAny | |
| supplementalGroups: | |
| ranges: | |
| - max: 65535 | |
| min: 10001 | |
| rule: MustRunAs | |
| volumes: | |
| - configMap | |
| - emptyDir | |
| - projected | |
| - secret | |
| - downwardAPI | |
| - persistentVolumeClaim | |
| EOF | |
| cat <<EOF|k apply -f - | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: Role | |
| metadata: | |
| name: default-psp | |
| rules: | |
| - apiGroups: ['policy', 'extensions'] | |
| resources: ['podsecuritypolicies'] | |
| verbs: ['use'] | |
| resourceNames: ['linkerd-data-plane'] | |
| EOF | |
| k create rolebinding default-psp --service-account=default:default --role=default-psp | |
| cat <<EOF|k apply -f - | |
| kind: Deployment | |
| apiVersion: apps/v1 | |
| metadata: | |
| name: nginx | |
| spec: | |
| selector: | |
| matchLabels: | |
| app: nginx | |
| template: | |
| metadata: | |
| labels: | |
| app: nginx | |
| annotations: | |
| linkerd.io/inject: enabled | |
| spec: | |
| containers: | |
| - name: nginx | |
| image: nginx | |
| ports: | |
| - name: http | |
| containerPort: 80 | |
| securityContext: | |
| capabilities: | |
| add: ['NET_BIND_SERVICE'] | |
| drop: ['ALL'] | |
| EOF | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment