Add PodSecurityPolicy creation and binding.

Fixes #292

Signed-off-by: Bala.FA <bala.gluster@gmail.com>

Author: balamurugana

cmd/kubectl-direct_csi/install.go

@@ -18,13 +18,14 @@ package main
 
 import (
 	"context"
+	"errors"
 	"fmt"
 
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 	"k8s.io/klog"
 
-	"k8s.io/apimachinery/pkg/api/errors"
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 
 	"github.com/minio/direct-csi/pkg/utils"
 	"github.com/minio/direct-csi/pkg/utils/installer"
@@ -49,6 +50,8 @@ var (
 	loopBackOnly       = false
 	nodeSelectorValues = []string{}
 	tolerationValues   = []string{}
+	seccompProfile     = ""
+	apparmorProfile    = ""
 )
 
 func init() {
@@ -61,6 +64,8 @@ func init() {
 	installCmd.PersistentFlags().MarkDeprecated("crd", "Will be removed in version 1.5 or greater")
 	installCmd.PersistentFlags().StringSliceVarP(&nodeSelectorValues, "node-selector", "n", nodeSelectorValues, "node selector parameters")
 	installCmd.PersistentFlags().StringSliceVarP(&tolerationValues, "tolerations", "t", tolerationValues, "tolerations parameters")
+	installCmd.PersistentFlags().StringVarP(&seccompProfile, "seccomp-profile", "", seccompProfile, "set Seccomp profile")
+	installCmd.PersistentFlags().StringVarP(&apparmorProfile, "apparmor-profile", "", apparmorProfile, "set Apparmor profile")
 
 	installCmd.PersistentFlags().BoolVarP(&loopBackOnly, "loopback-only", "", loopBackOnly, "Uses 4 free loopback devices per node and treat them as DirectCSIDrive resources. This is recommended only for testing/development purposes")
 	installCmd.PersistentFlags().MarkHidden("loopback-only")
@@ -90,16 +95,27 @@ func install(ctx context.Context, args []string) error {
 	utils.Init()
 
 	if err := installer.CreateNamespace(ctx, identity, dryRun); err != nil {
-		if !errors.IsAlreadyExists(err) {
+		if !k8serrors.IsAlreadyExists(err) {
 			return err
 		}
 	}
 	if !dryRun {
 		klog.Infof("'%s' namespace created", utils.Bold(identity))
 	}
 
+	if err := installer.CreatePodSecurityPolicy(ctx, identity, dryRun); err != nil {
+		switch {
+		case errors.Is(err, installer.ErrKubeVersionNotSupported):
+			klog.Infof("pod security policy is not supported in your kubernetes")
+		case !k8serrors.IsAlreadyExists(err):
+			return err
+		}
+	} else if !dryRun {
+		klog.Infof("'%s' pod security policy created", utils.Bold(identity))
+	}
+
 	if err := installer.CreateRBACRoles(ctx, identity, dryRun); err != nil {
-		if !errors.IsAlreadyExists(err) {
+		if !k8serrors.IsAlreadyExists(err) {
 			return err
 		}
 	}
@@ -116,14 +132,14 @@ func install(ctx context.Context, args []string) error {
 
 crdInstall:
 	if err := registerCRDs(ctx, identity); err != nil {
-		if !errors.IsAlreadyExists(err) {
+		if !k8serrors.IsAlreadyExists(err) {
 			return err
 		}
 		// if it exists
 		if !dryRun && overwriteCRD {
 			klog.V(4).Infof("overwriting CRDs")
 			if err := unregisterCRDs(ctx); err != nil {
-				if !errors.IsNotFound(err) {
+				if !k8serrors.IsNotFound(err) {
 					return err
 				}
 			}
@@ -136,7 +152,7 @@ crdInstall:
 	}
 
 	if err := installer.CreateCSIDriver(ctx, identity, dryRun); err != nil {
-		if !errors.IsAlreadyExists(err) {
+		if !k8serrors.IsAlreadyExists(err) {
 			return err
 		}
 	}
@@ -145,7 +161,7 @@ crdInstall:
 	}
 
 	if err := installer.CreateStorageClass(ctx, identity, dryRun); err != nil {
-		if !errors.IsAlreadyExists(err) {
+		if !k8serrors.IsAlreadyExists(err) {
 			return err
 		}
 	}
@@ -154,16 +170,16 @@ crdInstall:
 	}
 
 	if err := installer.CreateService(ctx, identity, dryRun); err != nil {
-		if !errors.IsAlreadyExists(err) {
+		if !k8serrors.IsAlreadyExists(err) {
 			return err
 		}
 	}
 	if !dryRun {
 		klog.Infof("'%s' service created", utils.Bold(identity))
 	}
 
-	if err := installer.CreateDaemonSet(ctx, identity, image, dryRun, registry, org, loopBackOnly, nodeSelector, tolerations); err != nil {
-		if !errors.IsAlreadyExists(err) {
+	if err := installer.CreateDaemonSet(ctx, identity, image, dryRun, registry, org, loopBackOnly, nodeSelector, tolerations, seccompProfile, apparmorProfile); err != nil {
+		if !k8serrors.IsAlreadyExists(err) {
 			return err
 		}
 	}
@@ -172,7 +188,7 @@ crdInstall:
 	}
 
 	if err := installer.CreateDeployment(ctx, identity, image, dryRun, registry, org); err != nil {
-		if !errors.IsAlreadyExists(err) {
+		if !k8serrors.IsAlreadyExists(err) {
 			return err
 		}
 	}
@@ -182,7 +198,7 @@ crdInstall:
 
 	if admissionControl {
 		if err := installer.RegisterDriveValidationRules(ctx, identity, dryRun); err != nil {
-			if !errors.IsAlreadyExists(err) {
+			if !k8serrors.IsAlreadyExists(err) {
 				return err
 			}
 		}

pkg/utils/installer/install.go

@@ -20,12 +20,13 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"k8s.io/klog"
 	"path/filepath"
 	"regexp"
 	"strings"
 	"time"
 
+	"k8s.io/klog/v2"
+
 	"github.com/minio/direct-csi/pkg/topology"
 	"github.com/minio/direct-csi/pkg/utils"
 
@@ -364,12 +365,21 @@ func getConversionWebhookURL(identity string) (conversionWebhookURL string) {
 	return
 }
 
-func CreateDaemonSet(ctx context.Context, identity string, directCSIContainerImage string, dryRun bool, registry, org string, loopBackOnly bool, nodeSelector map[string]string, tolerations []corev1.Toleration) error {
+func CreateDaemonSet(ctx context.Context, identity string, directCSIContainerImage string, dryRun bool, registry, org string, loopBackOnly bool, nodeSelector map[string]string, tolerations []corev1.Toleration, seccompProfileName, apparmorProfileName string) error {
 	name := sanitizeName(identity)
 	generatedSelectorValue := generateSanitizedUniqueNameFrom(name)
 	conversionWebhookURL := getConversionWebhookURL(identity)
 
 	privileged := true
+	securityContext := &corev1.SecurityContext{Privileged: &privileged}
+
+	if seccompProfileName != "" {
+		securityContext.SeccompProfile = &corev1.SeccompProfile{
+			Type:             corev1.SeccompProfileTypeLocalhost,
+			LocalhostProfile: &seccompProfileName,
+		}
+	}
+
 	podSpec := corev1.PodSpec{
 		ServiceAccountName: name,
 		HostNetwork:        false,
@@ -429,9 +439,7 @@ func CreateDaemonSet(ctx context.Context, identity string, directCSIContainerIma
 					}
 					return args
 				}(),
-				SecurityContext: &corev1.SecurityContext{
-					Privileged: &privileged,
-				},
+				SecurityContext: securityContext,
 				Env: []corev1.EnvVar{
 					{
 						Name: kubeNodeNameEnvVar,
@@ -495,6 +503,11 @@ func CreateDaemonSet(ctx context.Context, identity string, directCSIContainerIma
 		Tolerations:  tolerations,
 	}
 
+	annotations := map[string]string{CreatedByLabel: DirectCSIPluginName}
+	if apparmorProfileName != "" {
+		annotations["container.apparmor.security.beta.kubernetes.io/direct-csi"] = apparmorProfileName
+	}
+
 	daemonset := &appsv1.DaemonSet{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "DaemonSet",
@@ -505,11 +518,9 @@ func CreateDaemonSet(ctx context.Context, identity string, directCSIContainerIma
 			Selector: metav1.AddLabelToSelector(&metav1.LabelSelector{}, directCSISelector, generatedSelectorValue),
 			Template: corev1.PodTemplateSpec{
 				ObjectMeta: metav1.ObjectMeta{
-					Name:      sanitizeName(name),
-					Namespace: sanitizeName(name),
-					Annotations: map[string]string{
-						CreatedByLabel: DirectCSIPluginName,
-					},
+					Name:        sanitizeName(name),
+					Namespace:   sanitizeName(name),
+					Annotations: annotations,
 					Labels: map[string]string{
 						directCSISelector: generatedSelectorValue,
 					},

pkg/utils/installer/psp.go

@@ -0,0 +1,118 @@
+/*
+ * This file is part of MinIO Direct CSI
+ * Copyright (C) 2021, MinIO, Inc.
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+package installer
+
+import (
+	"context"
+
+	"github.com/minio/direct-csi/pkg/utils"
+	policy "k8s.io/api/policy/v1beta1"
+	rbac "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func createPodSecurityPolicy(ctx context.Context, identity string, dryRun bool) error {
+	psp := &policy.PodSecurityPolicy{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "policy/v1beta1",
+			Kind:       "PodSecurityPolicy",
+		},
+		ObjectMeta: objMeta(identity),
+		Spec: policy.PodSecurityPolicySpec{
+			Privileged: true,
+			HostPID:    true,
+			HostIPC:    true,
+			AllowedHostPaths: []policy.AllowedHostPath{
+				{PathPrefix: "/proc", ReadOnly: true},
+				{PathPrefix: "/sys", ReadOnly: true},
+				{PathPrefix: "/var/lib/direct-csi"},
+				{PathPrefix: "/csi"},
+				{PathPrefix: "/var/lib/kubelet"},
+			},
+			SELinux: policy.SELinuxStrategyOptions{
+				Rule: policy.SELinuxStrategyRunAsAny,
+			},
+			RunAsUser: policy.RunAsUserStrategyOptions{
+				Rule: policy.RunAsUserStrategyRunAsAny,
+			},
+			SupplementalGroups: policy.SupplementalGroupsStrategyOptions{
+				Rule: policy.SupplementalGroupsStrategyRunAsAny,
+			},
+			FSGroup: policy.FSGroupStrategyOptions{
+				Rule: policy.FSGroupStrategyRunAsAny,
+			},
+		},
+	}
+
+	if dryRun {
+		utils.LogYAML(psp)
+	} else if _, err := utils.GetKubeClient().PolicyV1beta1().PodSecurityPolicies().Create(ctx, psp, metav1.CreateOptions{}); err != nil {
+		return err
+	}
+
+	crb := &rbac.ClusterRoleBinding{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "rbac.authorization.k8s.io/v1",
+			Kind:       "ClusterRoleBinding",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      sanitizeName("psp-" + identity),
+			Namespace: sanitizeName(identity),
+			Annotations: map[string]string{
+				CreatedByLabel: DirectCSIPluginName,
+			},
+			Labels: map[string]string{
+				"app":  DirectCSI,
+				"type": CSIDriver,
+			},
+		},
+		Subjects: []rbac.Subject{
+			{
+				Kind:     "Group",
+				APIGroup: "rbac.authorization.k8s.io",
+				Name:     "system:serviceaccounts:" + sanitizeName(identity),
+			},
+		},
+		RoleRef: rbac.RoleRef{
+			APIGroup: "rbac.authorization.k8s.io",
+			Kind:     "ClusterRole",
+			Name:     sanitizeName(identity),
+		},
+	}
+
+	if dryRun {
+		return utils.LogYAML(crb)
+	}
+
+	_, err := utils.GetKubeClient().RbacV1().ClusterRoleBindings().Create(ctx, crb, metav1.CreateOptions{})
+	return err
+}
+
+func CreatePodSecurityPolicy(ctx context.Context, identity string, dryRun bool) error {
+	info, err := utils.GetGroupKindVersions("policy", "PodSecurityPolicy", "v1beta1")
+	if err != nil {
+		return err
+	}
+
+	if info.Version == "v1beta1" {
+		return createPodSecurityPolicy(ctx, identity, dryRun)
+	}
+
+	return ErrKubeVersionNotSupported
+}