diff --git a/charts/internal/shoot-system-components/charts/csi-driver-node/templates/clusterrole-csi-driver.yaml b/charts/internal/shoot-system-components/charts/csi-driver-node/templates/clusterrole-csi-driver.yaml
index 4fee19b56..a5cc7f57f 100644
--- a/charts/internal/shoot-system-components/charts/csi-driver-node/templates/clusterrole-csi-driver.yaml
+++ b/charts/internal/shoot-system-components/charts/csi-driver-node/templates/clusterrole-csi-driver.yaml
@@ -16,7 +16,9 @@ rules:
 - apiGroups: ["storage.k8s.io"]
 resources: ["volumeattachments"]
 verbs: ["get", "list", "watch", "update", "patch"]
+{{- if not .Values.pspDisabled }}
 - apiGroups: ["policy", "extensions"]
 resourceNames: ["{{ include "csi-driver-node.extensionsGroup" . }}.{{ include "csi-driver-node.name" . }}.csi-driver-node"]
 resources: ["podsecuritypolicies"]
 verbs: ["use"]
+{{- end }}
diff --git a/charts/internal/shoot-system-components/charts/csi-driver-node/templates/podsecuritypolicy.yaml b/charts/internal/shoot-system-components/charts/csi-driver-node/templates/podsecuritypolicy.yaml
index f119f52a6..501b9bd83 100644
--- a/charts/internal/shoot-system-components/charts/csi-driver-node/templates/podsecuritypolicy.yaml
+++ b/charts/internal/shoot-system-components/charts/csi-driver-node/templates/podsecuritypolicy.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.pspDisabled }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
@@ -26,3 +27,4 @@ spec:
 fsGroup:
 rule: RunAsAny
 readOnlyRootFilesystem: false
+{{- end }}
diff --git a/charts/internal/shoot-system-components/charts/csi-driver-node/values.yaml b/charts/internal/shoot-system-components/charts/csi-driver-node/values.yaml
index b4371a648..a2984e462 100644
--- a/charts/internal/shoot-system-components/charts/csi-driver-node/values.yaml
+++ b/charts/internal/shoot-system-components/charts/csi-driver-node/values.yaml
@@ -35,3 +35,5 @@ resources:
 memory: 32Mi
 limits:
 memory: 300Mi
+
+pspDisabled: false
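Review bot: The new `pspDisabled` value in values.yaml is undocumented although it now decides whether both the PodSecurityPolicy and the ClusterRole rule granting `use` on it are rendered; a comment next to it would tell chart consumers where it comes from and what it switches off, e.g. `# Set by the controlplane controller from the shoot's admission-plugin configuration; when true, the PodSecurityPolicy and the ClusterRole rule that grants "use" on it are not rendered.` Guarding both objects with the same `{{- if not .Values.pspDisabled }}` (clusterrole-csi-driver.yaml and podsecuritypolicy.yaml) is the right shape: a wrong value of true on a shoot that still enforces PSP would presumably surface as denied pod admission rather than as a policy grant left behind, which is the safer failure direction. The values.yaml hunk is the one that needs the comment; the two templates need none.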
diff --git a/example/10-fake-shoot-controlplane.yaml b/example/10-fake-shoot-controlplane.yaml
index 050d36bc3..79304e4f6 100644
--- a/example/10-fake-shoot-controlplane.yaml
+++ b/example/10-fake-shoot-controlplane.yaml
@@ -128,7 +128,7 @@ spec:
 - command:
 - /hyperkube
 - apiserver
- - --enable-admission-plugins=Priority,NamespaceLifecycle,LimitRanger,PodSecurityPolicy,ServiceAccount,NodeRestriction,DefaultStorageClass,Initializers,DefaultTolerationSeconds,ResourceQuota,StorageObjectInUseProtection,MutatingAdmissionWebhook,ValidatingAdmissionWebhook
+ - --enable-admission-plugins=Priority,NamespaceLifecycle,LimitRanger,ServiceAccount,NodeRestriction,DefaultStorageClass,Initializers,DefaultTolerationSeconds,ResourceQuota,StorageObjectInUseProtection,MutatingAdmissionWebhook,ValidatingAdmissionWebhook
 - --disable-admission-plugins=PersistentVolumeLabel
 - --allow-privileged=true
 - --anonymous-auth=false
diff --git a/pkg/controller/controlplane/valuesprovider.go b/pkg/controller/controlplane/valuesprovider.go
index ec4e21bb5..2451ea61a 100644
--- a/pkg/controller/controlplane/valuesprovider.go
+++ b/pkg/controller/controlplane/valuesprovider.go
@@ -551,6 +551,7 @@ func getControlPlaneShootChartValues( "url": "https://" + aws.CSISnapshotValidation + "." + cp.Namespace + "/volumesnapshot", "caBundle": string(caSecret.Data[secretutils.DataKeyCertificateBundle]), }, + "pspDisabled": gardencorev1beta1helper.IsPSPDisabled(cluster.Shoot), } if value, ok := cluster.Shoot.Annotations[aws.VolumeAttachLimit]; ok {
diff --git a/pkg/controller/controlplane/valuesprovider_test.go b/pkg/controller/controlplane/valuesprovider_test.go
index 61645941b..56129a5df 100644
--- a/pkg/controller/controlplane/valuesprovider_test.go
+++ b/pkg/controller/controlplane/valuesprovider_test.go
@@ -321,6 +321,7 @@ var _ = Describe("ValuesProvider", func() {
 "url": "https://" + aws.CSISnapshotValidation + "." + cp.Namespace + "/volumesnapshot",
 "caBundle": "",
 },
+ "pspDisabled": false,
 }),
 }))
 })
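Review bot: After `PodSecurityPolicy` is dropped from `--enable-admission-plugins`, the example API server lists no pod-security admission at all while `--allow-privileged=true` stays on a context line two lines below; that is consistent with a shoot that has the plugin disabled, but the example does not say so, and a comment above the flag such as `# PodSecurityPolicy admission is intentionally not enabled here (mirrors a shoot with the plugin disabled)` would stop a reader from treating this list as a hardened baseline. The retained `Initializers` entry on the same rewritten line is a plugin that no longer exists in current Kubernetes releases; it is pre-existing, but since the line is being rewritten anyway this is the moment to drop it or note why the example keeps it.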
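Review bot: The added `"pspDisabled"` entry is the one value in this map whose consumer is not obvious from its key, and it carries no comment; `// Consumed by the csi-driver-node chart: gates the PodSecurityPolicy and the RBAC rule granting "use" on it.` above the line would tie it to the templates. `IsPSPDisabled(cluster.Shoot)` is evaluated for every shoot regardless of its Kubernetes version; if the helper only inspects the admission-plugin list, a shoot on a release where the `policy/v1beta1` PodSecurityPolicy API has been removed would still get `pspDisabled: false` and the chart would render an object the API server rejects. The helper is outside this diff, so that is a point to confirm rather than a known defect. getControlPlaneShootChartValues begins and ends outside the hunk.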
@@ -341,6 +342,63 @@ var _ = Describe("ValuesProvider", func() { "url": "https://" + aws.CSISnapshotValidation + "." + cp.Namespace + "/volumesnapshot", "caBundle": "", }, + "pspDisabled": false, + }), + })) + }) + }) + + Context("podSecurityPolicy", func() { + It("should return correct shoot control plane chart when PodSecurityPolicy admission plugin is not disabled in the shoot", func() { + clusterK8sAtLeast118.Shoot.Spec.Kubernetes.KubeAPIServer = &gardencorev1beta1.KubeAPIServerConfig{ + AdmissionPlugins: []gardencorev1beta1.AdmissionPlugin{ + { + Name: "PodSecurityPolicy", + }, + }, + } + values, err := vp.GetControlPlaneShootChartValues(ctx, cp, clusterK8sAtLeast118, fakeSecretsManager, nil) + Expect(err).NotTo(HaveOccurred()) + Expect(values).To(Equal(map[string]interface{}{ + aws.CloudControllerManagerName: enabledTrue, + aws.CSINodeName: utils.MergeMaps(enabledTrue, map[string]interface{}{ + "kubernetesVersion": "1.18.1", + "vpaEnabled": true, + "driver": map[string]interface{}{ + "volumeAttachLimit": "42", + }, + "webhookConfig": map[string]interface{}{ + "url": "https://" + aws.CSISnapshotValidation + "." 
+ cp.Namespace + "/volumesnapshot", + "caBundle": "", + }, + "pspDisabled": false, + }), + })) + }) + It("should return correct shoot control plane chart when PodSecurityPolicy admission plugin is disabled in the shoot", func() { + clusterK8sAtLeast118.Shoot.Spec.Kubernetes.KubeAPIServer = &gardencorev1beta1.KubeAPIServerConfig{ + AdmissionPlugins: []gardencorev1beta1.AdmissionPlugin{ + { + Name: "PodSecurityPolicy", + Disabled: pointer.Bool(true), + }, + }, + } + values, err := vp.GetControlPlaneShootChartValues(ctx, cp, clusterK8sAtLeast118, fakeSecretsManager, nil) + Expect(err).NotTo(HaveOccurred()) + Expect(values).To(Equal(map[string]interface{}{ + aws.CloudControllerManagerName: enabledTrue, + aws.CSINodeName: utils.MergeMaps(enabledTrue, map[string]interface{}{ + "kubernetesVersion": "1.18.1", + "vpaEnabled": true, + "driver": map[string]interface{}{ + "volumeAttachLimit": "42", + }, + "webhookConfig": map[string]interface{}{ + "url": "https://" + aws.CSISnapshotValidation + "." + cp.Namespace + "/volumesnapshot", + "caBundle": "", + }, + "pspDisabled": true, }), })) })
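Review bot: Both new `It`s assign `clusterK8sAtLeast118.Shoot.Spec.Kubernetes.KubeAPIServer` and never restore it, so unless `clusterK8sAtLeast118` is rebuilt in a `BeforeEach` (its construction is outside this hunk) the admission-plugin settings leak into later specs and the outcome depends on spec ordering; mutating a `DeepCopy()` of the shoot, or resetting the field in an `AfterEach`, keeps each spec independent. The "not disabled" case only covers `Disabled` left nil; an explicit `Disabled: pointer.Bool(false)` entry is the other way a shoot keeps the plugin on and is worth a third spec so the helper's handling of both forms is pinned. The enclosing `Describe` starts before this hunk.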