serving-operator
Support for PodSecurityPolicy
If PodSecurityPolicy is enabled in the k8s cluster, the autoscaler and activator deployments will not be available without a proper PSP.
Currently we could inject a PSP when creating the CR as below:
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: knative-serving
---
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: knative-serving-psp
  labels:
    serving.knative.dev/release: devel
    serving.knative.dev/controller: "true"
spec:
  allowPrivilegeEscalation: true
  allowedCapabilities:
    - 'NET_ADMIN'
  fsGroup:
    rule: RunAsAny
  privileged: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
    - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: knative-serving-psp
  labels:
    serving.knative.dev/controller: "true"
rules:
  - apiGroups:
      - extensions
    resourceNames:
      - knative-serving-psp
    resources:
      - podsecuritypolicies
    verbs:
      - use
---
apiVersion: v1
kind: Secret
metadata:
  name: regsec
  namespace: knative-serving
data:
  .dockerconfigjson: eyJhdXRocyI6IHsiaWNwZGV2LmljcDo4NTAwIjogeyJhdXRoIjogIllXUnRhVzQ2WVdSdGFXND0ifX19Cg==
type: kubernetes.io/dockerconfigjson
---
apiVersion: serving.knative.dev/v1alpha1
kind: KnativeServing
metadata:
  name: knative-serving
  namespace: knative-serving
spec:
  registry:
    override:
    imagePullSecrets:
```
Could serving-operator support PodSecurityPolicy? If so, users would only need to enable PSP support when they create the CR, and the PSP-related resources could be created by serving-operator automatically.
Proposal:
```yaml
apiVersion: serving.knative.dev/v1alpha1
kind: KnativeServing
metadata:
  name: knative-serving
  namespace: knative-serving
spec:
  registry:
    override:
    imagePullSecrets:
  podSecurityPolicySupport: false
```
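The PSP in the issue above grants `privileged: true`, `NET_ADMIN`, `RunAsAny` for the user and `volumes: ['*']`, which is effectively the same as running without PSP admission at all. Before an operator generates such a policy automatically, it is worth having a check that reports what a PSP spec actually grants and confirms that the accompanying ClusterRole only binds the intended policy. The following is an added example, not code from the knative serving-operator project: it audits a PSP spec given as a plain dict (the same structure as the manifest above, so no YAML library is needed) and checks whether a ClusterRole grants `use` on a named PSP. The `RESTRICTED_PSP_SPEC` is an illustrative restricted policy constructed for comparison; the issue does not establish which settings the autoscaler and activator actually require.

```python
"""Audit PodSecurityPolicy specs for high-risk grants (added example, not project code)."""
from typing import Any, Dict, List

# Capabilities that let a container take control of the node or its network stack.
HIGH_RISK_CAPS = {"ALL", "SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_RAW"}
# Volume types that expose the node filesystem ('*' allows every type, hostPath included).
HOST_VOLUME_TYPES = {"*", "hostPath"}


def audit_psp(name: str, spec: Dict[str, Any]) -> List[str]:
    """Return one finding per high-risk grant in a PSP spec; empty list means none found."""
    findings: List[str] = []
    if spec.get("privileged", False):
        findings.append(f"{name}: privileged=true allows fully privileged containers")
    # allowPrivilegeEscalation defaults to true when omitted, so an absent key is also a grant.
    if spec.get("allowPrivilegeEscalation", True):
        findings.append(f"{name}: allowPrivilegeEscalation is not disabled")
    risky_caps = sorted(set(spec.get("allowedCapabilities", [])) & HIGH_RISK_CAPS)
    if risky_caps:
        findings.append(f"{name}: allows high-risk capabilities {risky_caps}")
    risky_vols = sorted(set(spec.get("volumes", [])) & HOST_VOLUME_TYPES)
    if risky_vols:
        findings.append(f"{name}: allows host-backed volume types {risky_vols}")
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag, False):
            findings.append(f"{name}: {flag}=true shares a node namespace with the pod")
    if spec.get("runAsUser", {}).get("rule") == "RunAsAny":
        findings.append(f"{name}: runAsUser RunAsAny permits containers to run as root")
    return findings


def grants_psp_use(cluster_role: Dict[str, Any], psp_name: str) -> bool:
    """True if any rule in the ClusterRole grants the 'use' verb on the named PSP.

    A rule with no resourceNames applies to every PSP, so it counts as a grant too.
    """
    for rule in cluster_role.get("rules", []):
        groups = set(rule.get("apiGroups", []))
        if not groups & {"extensions", "policy", "*"}:
            continue
        if not set(rule.get("resources", [])) & {"podsecuritypolicies", "*"}:
            continue
        if not set(rule.get("verbs", [])) & {"use", "*"}:
            continue
        names = rule.get("resourceNames", [])
        if not names or psp_name in names:
            return True
    return False


# Constructed input: the spec of knative-serving-psp as posted in the issue.
ISSUE_PSP_SPEC: Dict[str, Any] = {
    "allowPrivilegeEscalation": True,
    "allowedCapabilities": ["NET_ADMIN"],
    "fsGroup": {"rule": "RunAsAny"},
    "privileged": True,
    "runAsUser": {"rule": "RunAsAny"},
    "seLinux": {"rule": "RunAsAny"},
    "supplementalGroups": {"rule": "RunAsAny"},
    "volumes": ["*"],
}

# Constructed input: the ClusterRole from the issue, binding 'use' to that one PSP.
ISSUE_CLUSTER_ROLE: Dict[str, Any] = {
    "rules": [
        {
            "apiGroups": ["extensions"],
            "resourceNames": ["knative-serving-psp"],
            "resources": ["podsecuritypolicies"],
            "verbs": ["use"],
        }
    ]
}

# Illustrative restricted policy (an assumption, not something the issue specifies).
RESTRICTED_PSP_SPEC: Dict[str, Any] = {
    "privileged": False,
    "allowPrivilegeEscalation": False,
    "requiredDropCapabilities": ["ALL"],
    "runAsUser": {"rule": "MustRunAsNonRoot"},
    "seLinux": {"rule": "RunAsAny"},
    "fsGroup": {"rule": "MustRunAs", "ranges": [{"min": 1, "max": 65535}]},
    "supplementalGroups": {"rule": "MustRunAs", "ranges": [{"min": 1, "max": 65535}]},
    "volumes": ["configMap", "emptyDir", "projected", "secret", "downwardAPI", "persistentVolumeClaim"],
}

if __name__ == "__main__":
    for psp_name, spec in (("knative-serving-psp", ISSUE_PSP_SPEC), ("restricted", RESTRICTED_PSP_SPEC)):
        for line in audit_psp(psp_name, spec) or [f"{psp_name}: no high-risk grants"]:
            print(line)
    print("ClusterRole binds knative-serving-psp:", grants_psp_use(ISSUE_CLUSTER_ROLE, "knative-serving-psp"))
```

Run against the issue's policy the audit reports five grants (privileged, privilege escalation, NET_ADMIN, all volume types, root allowed); the restricted spec reports none. The ClusterRole check matters for an operator that generates these resources, because a rule without `resourceNames` would let the bound service accounts use any PSP in the cluster rather than only the one the operator created.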