diff --git a/cmd/cluster.go b/cmd/cluster.go index 86b62ac1..6b30ef82 100644 --- a/cmd/cluster.go +++ b/cmd/cluster.go @@ -300,8 +300,8 @@ func newClusterCmd(c *config) *cobra.Command { clusterCreateCmd.Flags().StringSlice("labels", []string{}, "labels of the cluster") clusterCreateCmd.Flags().StringSlice("external-networks", []string{}, "external networks of the cluster") clusterCreateCmd.Flags().StringSlice("egress", []string{}, "static egress ips per network, must be in the form :; e.g.: --egress internet:1.2.3.4,extnet:123.1.1.1 --egress internet:1.2.3.5 [optional]") - clusterCreateCmd.Flags().BoolP("allowprivileged", "", false, "allow privileged containers the cluster.") - clusterCreateCmd.Flags().String("default-pod-security-standard", "", "set default pod security standard for cluster =>1.23.x (valid values: privileged, baseline, restricted, \"\")") + clusterCreateCmd.Flags().BoolP("allowprivileged", "", false, "allow privileged containers the cluster (this is achieved through pod security policies and has no effect anymore on clusters >= v1.25") + clusterCreateCmd.Flags().String("default-pod-security-standard", "", "sets default pod security standard for clusters >= v1.23.x, defaults to restricted on clusters >= v1.25 (valid values: empty string, privileged, baseline, restricted)") clusterCreateCmd.Flags().String("audit", "on", "audit logging of cluster API access; can be off, on (default) or splunk (logging to a predefined or custom splunk endpoint). [optional]") clusterCreateCmd.Flags().Duration("healthtimeout", 0, "period (e.g. \"24h\") after which an unhealthy node is declared failed and will be replaced. [optional]") clusterCreateCmd.Flags().Duration("draintimeout", 0, "period (e.g. \"3h\") after which a draining node will be forcefully deleted. [optional]") @@ -380,8 +380,8 @@ func newClusterCmd(c *config) *cobra.Command { clusterUpdateCmd.Flags().String("machineimage", "", "machine image to use for the nodes, must be in the form of - ") clusterUpdateCmd.Flags().StringSlice("addlabels", []string{}, "labels to add to the cluster") clusterUpdateCmd.Flags().StringSlice("removelabels", []string{}, "labels to remove from the cluster") - clusterUpdateCmd.Flags().BoolP("allowprivileged", "", false, "allow privileged containers the cluster, please add --yes-i-really-mean-it") - clusterUpdateCmd.Flags().String("default-pod-security-standard", "", "set default pod security standard for cluster =>1.23.x (valid values: privileged, baseline, restricted, \"\")") + clusterUpdateCmd.Flags().BoolP("allowprivileged", "", false, "allow privileged containers the cluster (this is achieved through pod security policies and has no effect anymore on clusters >=v1.25") + clusterUpdateCmd.Flags().String("default-pod-security-standard", "", "set default pod security standard for cluster >=v 1.23.x, send empty string explicitly to disable pod security standards (valid values: empty string, privileged, baseline, restricted)") clusterUpdateCmd.Flags().String("audit", "on", "audit logging of cluster API access; can be off, on or splunk (logging to a predefined or custom splunk endpoint).") clusterUpdateCmd.Flags().String("purpose", "", fmt.Sprintf("purpose of the cluster, can be one of %s. SLA is only given on production clusters.", strings.Join(completion.ClusterPurposes, "|"))) clusterUpdateCmd.Flags().StringSlice("egress", []string{}, "static egress ips per network, must be in the form :; e.g.: --egress internet:1.2.3.4;1.2.3.5 --egress extnet:123.1.1.1 [optional]. Use --egress none to remove all egress rules.") @@ -533,8 +533,14 @@ func (c *config) clusterCreate() error { healthtimeout := viper.GetDuration("healthtimeout") draintimeout := viper.GetDuration("draintimeout") - allowprivileged := viper.GetBool("allowprivileged") - defaultPodSecurityStandard := viper.GetString("default-pod-security-standard") + var allowprivileged *bool + if viper.IsSet("allowprivileged") { + allowprivileged = pointer.Pointer(viper.GetBool("allowprivileged")) + } + var defaultPodSecurityStandard *string + if viper.IsSet("default-pod-security-standard") { + defaultPodSecurityStandard = pointer.Pointer(viper.GetString("default-pod-security-standard")) + } audit := viper.GetString("audit") @@ -636,9 +642,9 @@ func (c *config) clusterCreate() error { FirewallImage: &firewallImage, FirewallControllerVersion: &firewallController, Kubernetes: &models.V1Kubernetes{ - AllowPrivilegedContainers: &allowprivileged, + AllowPrivilegedContainers: allowprivileged, Version: &version, - DefaultPodSecurityStandard: &defaultPodSecurityStandard, + DefaultPodSecurityStandard: defaultPodSecurityStandard, }, Audit: auditConfig.Config, Maintenance: &models.V1Maintenance{ @@ -1206,15 +1212,15 @@ func (c *config) updateCluster(args []string) error { } if viper.IsSet("allowprivileged") { if !viper.GetBool("yes-i-really-mean-it") { - return fmt.Errorf("allowprivileged is set but you forgot to add --yes-i-really-mean-it") + return fmt.Errorf("--allowprivileged is set but you forgot to add --yes-i-really-mean-it") } k8s.AllowPrivilegedContainers = pointer.Pointer(viper.GetBool("allowprivileged")) } if viper.IsSet("default-pod-security-standard") { - k8s.DefaultPodSecurityStandard = pointer.Pointer(viper.GetString("default-pod-security-standard")) if !viper.GetBool("yes-i-really-mean-it") { return fmt.Errorf("--default-pod-security-standard is set but you forgot to add --yes-i-really-mean-it") } + k8s.DefaultPodSecurityStandard = pointer.Pointer(viper.GetString("default-pod-security-standard")) } cur.Kubernetes = k8s diff --git a/cmd/completion/completion.go b/cmd/completion/completion.go index f6fb55f6..f4c38fa7 100644 --- a/cmd/completion/completion.go +++ b/cmd/completion/completion.go @@ -18,7 +18,12 @@ import ( var ( ClusterPurposes = []string{"production", "development", "evaluation", "infrastructure"} - PodSecurityDefaults = []string{"restricted", "privileged", "baseline"} + PodSecurityDefaults = []string{ + models.V1KubernetesDefaultPodSecurityStandardRestricted, + models.V1KubernetesDefaultPodSecurityStandardBaseline, + models.V1KubernetesDefaultPodSecurityStandardPrivileged, + models.V1KubernetesDefaultPodSecurityStandardEmpty, + } ) type Completion struct {