Install Bind before Kyverno because it does not meet the Pod security policy

Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2021-05-20 15:56:32 +01:00 · 2021-05-20 15:56:32 +01:00 · 1f16fcc72b
commit 1f16fcc72b
parent 6ad0ef19e0
4 changed files with 37 additions and 10 deletions
--- a/devel/addon/bind/manifests/deployment.yaml
+++ b/devel/addon/bind/manifests/deployment.yaml
@ -18,6 +18,10 @@ spec:
      - name: bind
        image: sameersbn/bind:bazel
        imagePullPolicy: Never
+        # TODO(wallrj): I couldn't figure out how to run Bind as a non-root user, using this Docker image.
+        # I think bind expects to start as root and then chown to a non-root BIND user.
+        # securityContext:
+        #   runAsNonRoot: true
        command:
        - /bin/bash
        - -c
--- a/devel/addon/kyverno/install.sh
+++ b/devel/addon/kyverno/install.sh
@ -32,5 +32,5 @@ check_tool kustomize
 helm repo add kyverno https://kyverno.github.io/kyverno/
 helm repo update
 helm upgrade --install --wait kyverno kyverno/kyverno --namespace kyverno --create-namespace
-# Install all Pod security policies
-kustomize build https://github.com/kyverno/policies/pod-security | kubectl apply -f -
+# Install policies using local kustomization.yaml
+kustomize build ${SCRIPT_ROOT} | kubectl apply -f -
--- a/devel/addon/kyverno/kustomization.yaml
+++ b/devel/addon/kyverno/kustomization.yaml
@ -0,0 +1,24 @@
+bases:
+  - https://github.com/kyverno/policies/pod-security
+
+# Patch the pod security policy to exclude our E2E Bind deployment which is too
+# difficult to run as non-root
+# TODO(wallrj): This doesn't work because kustomize doesn't properly to
+# strategigMergePatch on custom resources.
+# See https://github.com/kubernetes-sigs/kustomize/issues/1510
+# And https://github.com/kubernetes-sigs/kustomize/issues/2339
+# patches:
+# - target:
+#     kind: ClusterPolicy
+#     name: require-run-as-non-root
+#   patch: |-
+#     apiVersion: kyverno.io/v1
+#     kind: ClusterPolicy
+#     metadata:
+#       name: require-run-as-non-root
+#     spec:
+#       rules:
+#       - name: check-containers
+#         exclude:
+#           resources:
+#             namespaces: ["bind"]
--- a/devel/setup-e2e-deps.sh
+++ b/devel/setup-e2e-deps.sh
@ -32,7 +32,7 @@ source "${SCRIPT_ROOT}/lib/lib.sh"
 setup_tools

 echo "Installing kyverno into cluster..."
-"${SCRIPT_ROOT}/addon/kyverno/install.sh" 
+"${SCRIPT_ROOT}/addon/kyverno/install.sh"

 echo "Installing cert-manager into the cluster..."
 "${SCRIPT_ROOT}/addon/certmanager/install.sh"
@ -41,20 +41,19 @@ check_bazel
 bazel build --platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //devel/addon/...

 echo "Installing sample-webhook into the cluster..."
-"${SCRIPT_ROOT}/addon/samplewebhook/install.sh" 
+"${SCRIPT_ROOT}/addon/samplewebhook/install.sh"

 echo "Installing bind into the cluster..."
-"${SCRIPT_ROOT}/addon/bind/install.sh" 
+"${SCRIPT_ROOT}/addon/bind/install.sh"

 echo "Installing pebble into the cluster..."
-"${SCRIPT_ROOT}/addon/pebble/install.sh" 
+"${SCRIPT_ROOT}/addon/pebble/install.sh"

 echo "Installing ingress-nginx into the cluster..."
-"${SCRIPT_ROOT}/addon/ingressnginx/install.sh" 
+"${SCRIPT_ROOT}/addon/ingressnginx/install.sh"

 echo "Loading vault into the cluster..."
-"${SCRIPT_ROOT}/addon/vault/install.sh" 
+"${SCRIPT_ROOT}/addon/vault/install.sh"

 echo "Installing sample-external-issuer into the cluster..."
-"${SCRIPT_ROOT}/addon/sample-external-issuer/install.sh" 
-
+"${SCRIPT_ROOT}/addon/sample-external-issuer/install.sh"