Merge pull request #240 from fi-ts/podsecurity-review

Review pod security policies

cmd/cluster.go

@@ -300,8 +300,8 @@ func newClusterCmd(c *config) *cobra.Command {
 	clusterCreateCmd.Flags().StringSlice("labels", []string{}, "labels of the cluster")
 	clusterCreateCmd.Flags().StringSlice("external-networks", []string{}, "external networks of the cluster")
 	clusterCreateCmd.Flags().StringSlice("egress", []string{}, "static egress ips per network, must be in the form <network>:<ip>; e.g.: --egress internet:1.2.3.4,extnet:123.1.1.1 --egress internet:1.2.3.5 [optional]")
-	clusterCreateCmd.Flags().BoolP("allowprivileged", "", false, "allow privileged containers the cluster.")
-	clusterCreateCmd.Flags().String("default-pod-security-standard", "", "set default pod security standard for cluster =>1.23.x (valid values: privileged, baseline, restricted, \"\")")
+	clusterCreateCmd.Flags().BoolP("allowprivileged", "", false, "allow privileged containers the cluster (this is achieved through pod security policies and has no effect anymore on clusters >= v1.25")
+	clusterCreateCmd.Flags().String("default-pod-security-standard", "", "sets default pod security standard for clusters >= v1.23.x, defaults to restricted on clusters >= v1.25 (valid values: empty string, privileged, baseline, restricted)")
 	clusterCreateCmd.Flags().String("audit", "on", "audit logging of cluster API access; can be off, on (default) or splunk (logging to a predefined or custom splunk endpoint). [optional]")
 	clusterCreateCmd.Flags().Duration("healthtimeout", 0, "period (e.g. \"24h\") after which an unhealthy node is declared failed and will be replaced. [optional]")
 	clusterCreateCmd.Flags().Duration("draintimeout", 0, "period (e.g. \"3h\") after which a draining node will be forcefully deleted. [optional]")
@@ -380,8 +380,8 @@ func newClusterCmd(c *config) *cobra.Command {
 	clusterUpdateCmd.Flags().String("machineimage", "", "machine image to use for the nodes, must be in the form of <name>-<version> ")
 	clusterUpdateCmd.Flags().StringSlice("addlabels", []string{}, "labels to add to the cluster")
 	clusterUpdateCmd.Flags().StringSlice("removelabels", []string{}, "labels to remove from the cluster")
-	clusterUpdateCmd.Flags().BoolP("allowprivileged", "", false, "allow privileged containers the cluster, please add --yes-i-really-mean-it")
-	clusterUpdateCmd.Flags().String("default-pod-security-standard", "", "set default pod security standard for cluster =>1.23.x (valid values: privileged, baseline, restricted, \"\")")
+	clusterUpdateCmd.Flags().BoolP("allowprivileged", "", false, "allow privileged containers the cluster (this is achieved through pod security policies and has no effect anymore on clusters >=v1.25")
+	clusterUpdateCmd.Flags().String("default-pod-security-standard", "", "set default pod security standard for cluster >=v 1.23.x, send empty string explicitly to disable pod security standards (valid values: empty string, privileged, baseline, restricted)")
 	clusterUpdateCmd.Flags().String("audit", "on", "audit logging of cluster API access; can be off, on or splunk (logging to a predefined or custom splunk endpoint).")
 	clusterUpdateCmd.Flags().String("purpose", "", fmt.Sprintf("purpose of the cluster, can be one of %s. SLA is only given on production clusters.", strings.Join(completion.ClusterPurposes, "|")))
 	clusterUpdateCmd.Flags().StringSlice("egress", []string{}, "static egress ips per network, must be in the form <networkid>:<semicolon-separated ips>; e.g.: --egress internet:1.2.3.4;1.2.3.5 --egress extnet:123.1.1.1 [optional]. Use --egress none to remove all egress rules.")
@@ -533,8 +533,14 @@ func (c *config) clusterCreate() error {
 	healthtimeout := viper.GetDuration("healthtimeout")
 	draintimeout := viper.GetDuration("draintimeout")
 
-	allowprivileged := viper.GetBool("allowprivileged")
-	defaultPodSecurityStandard := viper.GetString("default-pod-security-standard")
+	var allowprivileged *bool
+	if viper.IsSet("allowprivileged") {
+		allowprivileged = pointer.Pointer(viper.GetBool("allowprivileged"))
+	}
+	var defaultPodSecurityStandard *string
+	if viper.IsSet("default-pod-security-standard") {
+		defaultPodSecurityStandard = pointer.Pointer(viper.GetString("default-pod-security-standard"))
+	}
 
 	audit := viper.GetString("audit")
 
@@ -636,9 +642,9 @@ func (c *config) clusterCreate() error {
 		FirewallImage:             &firewallImage,
 		FirewallControllerVersion: &firewallController,
 		Kubernetes: &models.V1Kubernetes{
-			AllowPrivilegedContainers:  &allowprivileged,
+			AllowPrivilegedContainers:  allowprivileged,
 			Version:                    &version,
-			DefaultPodSecurityStandard: &defaultPodSecurityStandard,
+			DefaultPodSecurityStandard: defaultPodSecurityStandard,
 		},
 		Audit: auditConfig.Config,
 		Maintenance: &models.V1Maintenance{
@@ -1206,15 +1212,15 @@ func (c *config) updateCluster(args []string) error {
 	}
 	if viper.IsSet("allowprivileged") {
 		if !viper.GetBool("yes-i-really-mean-it") {
-			return fmt.Errorf("allowprivileged is set but you forgot to add --yes-i-really-mean-it")
+			return fmt.Errorf("--allowprivileged is set but you forgot to add --yes-i-really-mean-it")
 		}
 		k8s.AllowPrivilegedContainers = pointer.Pointer(viper.GetBool("allowprivileged"))
 	}
 	if viper.IsSet("default-pod-security-standard") {
-		k8s.DefaultPodSecurityStandard = pointer.Pointer(viper.GetString("default-pod-security-standard"))
 		if !viper.GetBool("yes-i-really-mean-it") {
 			return fmt.Errorf("--default-pod-security-standard is set but you forgot to add --yes-i-really-mean-it")
 		}
+		k8s.DefaultPodSecurityStandard = pointer.Pointer(viper.GetString("default-pod-security-standard"))
 	}
 
 	cur.Kubernetes = k8s

cmd/completion/completion.go

@@ -18,7 +18,12 @@ import (
 
 var (
 	ClusterPurposes     = []string{"production", "development", "evaluation", "infrastructure"}
-	PodSecurityDefaults = []string{"restricted", "privileged", "baseline"}
+	PodSecurityDefaults = []string{
+		models.V1KubernetesDefaultPodSecurityStandardRestricted,
+		models.V1KubernetesDefaultPodSecurityStandardBaseline,
+		models.V1KubernetesDefaultPodSecurityStandardPrivileged,
+		models.V1KubernetesDefaultPodSecurityStandardEmpty,
+	}
 )
 
 type Completion struct {