add support of pod security standards

cmd/cluster.go

@@ -300,7 +300,8 @@ func newClusterCmd(c *config) *cobra.Command {
 	clusterCreateCmd.Flags().StringSlice("labels", []string{}, "labels of the cluster")
 	clusterCreateCmd.Flags().StringSlice("external-networks", []string{}, "external networks of the cluster")
 	clusterCreateCmd.Flags().StringSlice("egress", []string{}, "static egress ips per network, must be in the form <network>:<ip>; e.g.: --egress internet:1.2.3.4,extnet:123.1.1.1 --egress internet:1.2.3.5 [optional]")
-	clusterCreateCmd.Flags().BoolP("allowprivileged", "", false, "allow privileged containers the cluster.")
+	clusterCreateCmd.Flags().BoolP("allowprivileged", "", false, "allow privileged containers the cluster (this is achieved through pod security policies and has no effect anymore on clusters >= v1.25")
+	clusterCreateCmd.Flags().String("default-pod-security-standard", "", "sets default pod security standard for clusters >= v1.23.x, defaults to restricted on clusters >= v1.25 (valid values: empty string, privileged, baseline, restricted)")
 	clusterCreateCmd.Flags().String("audit", "on", "audit logging of cluster API access; can be off, on (default) or splunk (logging to a predefined or custom splunk endpoint). [optional]")
 	clusterCreateCmd.Flags().Duration("healthtimeout", 0, "period (e.g. \"24h\") after which an unhealthy node is declared failed and will be replaced. [optional]")
 	clusterCreateCmd.Flags().Duration("draintimeout", 0, "period (e.g. \"3h\") after which a draining node will be forcefully deleted. [optional]")
@@ -326,6 +327,7 @@ func newClusterCmd(c *config) *cobra.Command {
 	must(clusterCreateCmd.RegisterFlagCompletionFunc("firewallimage", c.comp.FirewallImageListCompletion))
 	must(clusterCreateCmd.RegisterFlagCompletionFunc("firewallcontroller", c.comp.FirewallControllerVersionListCompletion))
 	must(clusterCreateCmd.RegisterFlagCompletionFunc("purpose", c.comp.ClusterPurposeListCompletion))
+	must(clusterCreateCmd.RegisterFlagCompletionFunc("default-pod-security-standard", c.comp.PodSecurityListCompletion))
 	must(clusterCreateCmd.RegisterFlagCompletionFunc("cri", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 		return []string{"docker", "containerd"}, cobra.ShellCompDirectiveNoFileComp
 	}))
@@ -378,7 +380,8 @@ func newClusterCmd(c *config) *cobra.Command {
 	clusterUpdateCmd.Flags().String("machineimage", "", "machine image to use for the nodes, must be in the form of <name>-<version> ")
 	clusterUpdateCmd.Flags().StringSlice("addlabels", []string{}, "labels to add to the cluster")
 	clusterUpdateCmd.Flags().StringSlice("removelabels", []string{}, "labels to remove from the cluster")
-	clusterUpdateCmd.Flags().BoolP("allowprivileged", "", false, "allow privileged containers the cluster, please add --yes-i-really-mean-it")
+	clusterUpdateCmd.Flags().BoolP("allowprivileged", "", false, "allow privileged containers the cluster (this is achieved through pod security policies and has no effect anymore on clusters >=v1.25")
+	clusterUpdateCmd.Flags().String("default-pod-security-standard", "", "set default pod security standard for cluster >=v 1.23.x, send empty string explicitly to disable pod security standards (valid values: empty string, privileged, baseline, restricted)")
 	clusterUpdateCmd.Flags().String("audit", "on", "audit logging of cluster API access; can be off, on or splunk (logging to a predefined or custom splunk endpoint).")
 	clusterUpdateCmd.Flags().String("purpose", "", fmt.Sprintf("purpose of the cluster, can be one of %s. SLA is only given on production clusters.", strings.Join(completion.ClusterPurposes, "|")))
 	clusterUpdateCmd.Flags().StringSlice("egress", []string{}, "static egress ips per network, must be in the form <networkid>:<semicolon-separated ips>; e.g.: --egress internet:1.2.3.4;1.2.3.5 --egress extnet:123.1.1.1 [optional]. Use --egress none to remove all egress rules.")
@@ -403,6 +406,7 @@ func newClusterCmd(c *config) *cobra.Command {
 	must(clusterUpdateCmd.RegisterFlagCompletionFunc("machinetype", c.comp.MachineTypeListCompletion))
 	must(clusterUpdateCmd.RegisterFlagCompletionFunc("machineimage", c.comp.MachineImageListCompletion))
 	must(clusterUpdateCmd.RegisterFlagCompletionFunc("purpose", c.comp.ClusterPurposeListCompletion))
+	must(clusterUpdateCmd.RegisterFlagCompletionFunc("default-pod-security-standard", c.comp.PodSecurityListCompletion))
 	must(clusterUpdateCmd.RegisterFlagCompletionFunc("audit", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 		return auditConfigOptions.Names(true),
 			cobra.ShellCompDirectiveNoFileComp
@@ -529,7 +533,15 @@ func (c *config) clusterCreate() error {
 	healthtimeout := viper.GetDuration("healthtimeout")
 	draintimeout := viper.GetDuration("draintimeout")
 
-	allowprivileged := viper.GetBool("allowprivileged")
+	var allowprivileged *bool
+	if viper.IsSet("allowprivileged") {
+		allowprivileged = pointer.Pointer(viper.GetBool("allowprivileged"))
+	}
+	var defaultPodSecurityStandard *string
+	if viper.IsSet("default-pod-security-standard") {
+		defaultPodSecurityStandard = pointer.Pointer(viper.GetString("default-pod-security-standard"))
+	}
+
 	audit := viper.GetString("audit")
 
 	labels := viper.GetStringSlice("labels")
@@ -630,8 +642,9 @@ func (c *config) clusterCreate() error {
 		FirewallImage:             &firewallImage,
 		FirewallControllerVersion: &firewallController,
 		Kubernetes: &models.V1Kubernetes{
-			AllowPrivilegedContainers: &allowprivileged,
-			Version:                   &version,
+			AllowPrivilegedContainers:  allowprivileged,
+			Version:                    &version,
+			DefaultPodSecurityStandard: defaultPodSecurityStandard,
 		},
 		Audit: auditConfig.Config,
 		Maintenance: &models.V1Maintenance{
@@ -879,6 +892,7 @@ func (c *config) updateCluster(args []string) error {
 	if err != nil {
 		return err
 	}
+
 	workergroupname := viper.GetString("workergroup")
 	removeworkergroup := viper.GetBool("remove-workergroup")
 	workerlabelslice := viper.GetStringSlice("workerlabels")
@@ -1198,11 +1212,17 @@ func (c *config) updateCluster(args []string) error {
 	}
 	if viper.IsSet("allowprivileged") {
 		if !viper.GetBool("yes-i-really-mean-it") {
-			return fmt.Errorf("allowprivileged is set but you forgot to add --yes-i-really-mean-it")
+			return fmt.Errorf("--allowprivileged is set but you forgot to add --yes-i-really-mean-it")
 		}
-		allowPrivileged := viper.GetBool("allowprivileged")
-		k8s.AllowPrivilegedContainers = &allowPrivileged
+		k8s.AllowPrivilegedContainers = pointer.Pointer(viper.GetBool("allowprivileged"))
 	}
+	if viper.IsSet("default-pod-security-standard") {
+		if !viper.GetBool("yes-i-really-mean-it") {
+			return fmt.Errorf("--default-pod-security-standard is set but you forgot to add --yes-i-really-mean-it")
+		}
+		k8s.DefaultPodSecurityStandard = pointer.Pointer(viper.GetString("default-pod-security-standard"))
+	}
+
 	cur.Kubernetes = k8s
 
 	if viper.IsSet("audit") {

cmd/completion/completion.go

@@ -17,7 +17,13 @@ import (
 )
 
 var (
-	ClusterPurposes = []string{"production", "development", "evaluation", "infrastructure"}
+	ClusterPurposes     = []string{"production", "development", "evaluation", "infrastructure"}
+	PodSecurityDefaults = []string{
+		models.V1KubernetesDefaultPodSecurityStandardRestricted,
+		models.V1KubernetesDefaultPodSecurityStandardBaseline,
+		models.V1KubernetesDefaultPodSecurityStandardPrivileged,
+		models.V1KubernetesDefaultPodSecurityStandardEmpty,
+	}
 )
 
 type Completion struct {
@@ -83,6 +89,10 @@ func (c *Completion) ClusterPurposeListCompletion(cmd *cobra.Command, args []str
 	return ClusterPurposes, cobra.ShellCompDirectiveNoFileComp
 }
 
+func (c *Completion) PodSecurityListCompletion(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+	return PodSecurityDefaults, cobra.ShellCompDirectiveNoFileComp
+}
+
 func (c *Completion) ClusterReconcileOperationCompletion(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 	operations := []string{
 		models.V1ClusterReconcileRequestOperationReconcile + "\tdefault reconcile",

go.mod

@@ -9,11 +9,12 @@ require (
 	github.com/dcorbe/termui-dpc v0.0.0-20211125210512-9d2673a82dd6
 	github.com/dustin/go-humanize v1.0.1
 	github.com/fatih/color v1.15.0
-	github.com/fi-ts/cloud-go v0.20.18
+	github.com/fi-ts/cloud-go v0.20.20
 	github.com/gardener/gardener v1.53.0
 	github.com/gardener/machine-controller-manager v0.48.1
 	github.com/go-openapi/strfmt v0.21.7
 	github.com/go-playground/validator/v10 v10.14.1
+	github.com/google/go-cmp v0.5.9
 	github.com/google/uuid v1.3.0
 	github.com/gosimple/slug v1.13.1
 	github.com/jinzhu/now v1.1.5
@@ -93,7 +94,6 @@ require (
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/btree v1.1.2 // indirect
-	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/go-github/v53 v53.2.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect

go.sum

@@ -145,8 +145,8 @@ github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.m
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs=
 github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw=
-github.com/fi-ts/cloud-go v0.20.18 h1:J2pSBvGNBlMcrSEGBgz4J6yBVukgHD0pBbuCwgSDbfM=
-github.com/fi-ts/cloud-go v0.20.18/go.mod h1:BYrXp1jTvfxYRiL0B+LE+6ZDp3GF110y9Sr2tuRJo5c=
+github.com/fi-ts/cloud-go v0.20.20 h1:whTuCQqDz9TiYPofmdvOCRze+frwnpRq+kefSodoCoA=
+github.com/fi-ts/cloud-go v0.20.20/go.mod h1:BYrXp1jTvfxYRiL0B+LE+6ZDp3GF110y9Sr2tuRJo5c=
 github.com/frankban/quicktest v1.14.5 h1:dfYrrRyLtiqT9GyKXgdh+k4inNeTvmGbuSgZ3lx3GhA=
 github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
 github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=