From 036213e5badd2184e20fad8d280f08f5e24355ab Mon Sep 17 00:00:00 2001
From: Jiaqi Luo <6218999+jiaqiluo@users.noreply.github.com>
Date: Mon, 9 Aug 2021 15:26:28 -0700
Subject: [PATCH 1/3] backport of https://github.com/rancher/webhook/pull/45

add a pre-delete-hook to clean up mutatingwebhookconfigurations
---
 charts/rancher-webhook/templates/_helpers.tpl | 6 ++++-
 .../pre-delete-hook-cluster-role-binding.yaml | 19 ++++++++++++++
 .../pre-delete-hook-cluster-role.yaml | 16 ++++++++++++
 .../templates/pre-delete-hook-job.yaml | 26 +++++++++++++++++++
 .../pre-delete-hook-service-account.yaml | 12 +++++++++
 charts/rancher-webhook/values.yaml | 8 +++++-
 6 files changed, 85 insertions(+), 2 deletions(-)
 create mode 100644 charts/rancher-webhook/templates/pre-delete-hook-cluster-role-binding.yaml
 create mode 100644 charts/rancher-webhook/templates/pre-delete-hook-cluster-role.yaml
 create mode 100644 charts/rancher-webhook/templates/pre-delete-hook-job.yaml
 create mode 100644 charts/rancher-webhook/templates/pre-delete-hook-service-account.yaml

diff --git a/charts/rancher-webhook/templates/_helpers.tpl b/charts/rancher-webhook/templates/_helpers.tpl
index f652b5643..45f62d0b8 100644
--- a/charts/rancher-webhook/templates/_helpers.tpl
+++ b/charts/rancher-webhook/templates/_helpers.tpl
@@ -4,4 +4,8 @@
 {{- else -}}
 {{- "" -}}
 {{- end -}}
-{{- end -}}
\ No newline at end of file
+{{- end -}}
+
+{{- define "rancher-webhook.labels" -}}
+app: rancher-webhook
+{{- end }}
diff --git a/charts/rancher-webhook/templates/pre-delete-hook-cluster-role-binding.yaml b/charts/rancher-webhook/templates/pre-delete-hook-cluster-role-binding.yaml
new file mode 100644
index 000000000..ca439ff48
--- /dev/null
+++ b/charts/rancher-webhook/templates/pre-delete-hook-cluster-role-binding.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.preDelete.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: rancher-webhook-pre-delete
+  labels: {{ include "rancher-webhook.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "2"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: rancher-webhook-pre-delete
+subjects:
+  - kind: ServiceAccount
+    name: rancher-webhook-pre-delete
+    namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/charts/rancher-webhook/templates/pre-delete-hook-cluster-role.yaml b/charts/rancher-webhook/templates/pre-delete-hook-cluster-role.yaml
new file mode 100644
index 000000000..c7047cfcc
--- /dev/null
+++ b/charts/rancher-webhook/templates/pre-delete-hook-cluster-role.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.preDelete.enabled }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: rancher-webhook-pre-delete
+  labels: {{ include "rancher-webhook.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "1"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+rules:
+  - apiGroups: [ "admissionregistration.k8s.io" ]
+    resources: [ "mutatingwebhookconfigurations" ]
+    verbs: [ "delete" ]
+    resourceNames: [ "rancher.cattle.io"]
+{{- end }}
diff --git a/charts/rancher-webhook/templates/pre-delete-hook-job.yaml b/charts/rancher-webhook/templates/pre-delete-hook-job.yaml
new file mode 100644
index 000000000..75d3070a9
--- /dev/null
+++ b/charts/rancher-webhook/templates/pre-delete-hook-job.yaml
@@ -0,0 +1,26 @@
+{{- if .Values.preDelete.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: rancher-webhook-pre-delete
+  namespace: {{ .Release.Namespace }}
+  labels: {{ include "rancher-webhook.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "3"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  backoffLimit: 3
+  template:
+    metadata:
+      name: rancher-webhook-pre-delete
+      labels: {{ include "rancher-webhook.labels" . | nindent 8 }}
+    spec:
+      serviceAccountName: rancher-webhook-pre-delete
+      restartPolicy: OnFailure
+      containers:
+        - name: rancher-webhook-pre-delete
+          image: "{{ include "system_default_registry" . }}{{ .Values.preDelete.image.repository }}:{{ .Values.preDelete.image.tag }}"
+          imagePullPolicy: IfNotPresent
+          command: ["kubectl", "delete", "mutatingwebhookconfigurations.admissionregistration.k8s.io", "rancher.cattle.io" ]
+{{- end }}
diff --git a/charts/rancher-webhook/templates/pre-delete-hook-service-account.yaml b/charts/rancher-webhook/templates/pre-delete-hook-service-account.yaml
new file mode 100644
index 000000000..93e215394
--- /dev/null
+++ b/charts/rancher-webhook/templates/pre-delete-hook-service-account.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.preDelete.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: rancher-webhook-pre-delete
+  namespace: {{ .Release.Namespace }}
+  labels: {{ include "rancher-webhook.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "1"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+{{- end }}
diff --git a/charts/rancher-webhook/values.yaml b/charts/rancher-webhook/values.yaml
index d4b53df95..49402b3d8 100644
--- a/charts/rancher-webhook/values.yaml
+++ b/charts/rancher-webhook/values.yaml
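Review bot: The hook pod's spec sets no securityContext, so a pod whose service-account token can delete the cluster's mutating webhook configuration runs as whatever user the kubectl image defaults to, with privilege escalation allowed and no capabilities dropped. The pod template also takes `app: rancher-webhook` from the labels helper; if the webhook's Service selects on that label (its selector is not in this diff), the hook pod would be added to the webhook's endpoints while it runs, so the pod template should carry a distinct label. Both are small additions to the template below; `runAsNonRoot` presumes the `rancher/kubectl` image runs unprivileged, so set `runAsUser` explicitly if it does not.
```yaml
  template:
    metadata:
      name: rancher-webhook-pre-delete
      labels:
        app: rancher-webhook-pre-delete
    spec:
      serviceAccountName: rancher-webhook-pre-delete
      restartPolicy: OnFailure
      securityContext:
        runAsNonRoot: true
      containers:
        - name: rancher-webhook-pre-delete
          # … unchanged: image, imagePullPolicy, command …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: [ "ALL" ]
```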
@@ -5,4 +5,10 @@ image:
 
 global:
   cattle:
-    systemDefaultRegistry: ""
\ No newline at end of file
+    systemDefaultRegistry: ""
+
+preDelete:
+  enabled: true
+  image:
+    repository: rancher/kubectl
+    tag: v1.20.2
From 7efd8b0167086404b04949bc55a77e9dbbf64b76 Mon Sep 17 00:00:00 2001
From: Jiaqi Luo <6218999+jiaqiluo@users.noreply.github.com>
Date: Wed, 18 Aug 2021 11:10:08 -0700
Subject: [PATCH 2/3] backport of https://github.com/rancher/webhook/pull/47

Issue: The package-helm script replaces all tag values in the values.yaml
Fix: Update the regex to match "tag: latest" only
---
 scripts/package-helm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/package-helm b/scripts/package-helm
index 20a2c262f..04a32088e 100755
--- a/scripts/package-helm
+++ b/scripts/package-helm
@@ -18,7 +18,7 @@ sed -i \
     build/charts/rancher-webhook/Chart.yaml
 
 sed -i \
-    -e 's/tag:.*/tag: '${HELM_TAG}'/' \
+    -e 's/tag: latest/tag: '${HELM_TAG}'/' \
     build/charts/rancher-webhook/values.yaml
 
 helm package -d ./dist/artifacts ./build/charts/rancher-webhook
From 241c4dbd9e72c5306b392d9926304472d36e3c26 Mon Sep 17 00:00:00 2001
From: Jiaqi Luo <6218999+jiaqiluo@users.noreply.github.com>
Date: Mon, 16 Aug 2021 13:52:08 -0700
Subject: [PATCH 3/3] backport of https://github.com/rancher/webhook/pull/46 and https://github.com/rancher/webhook/pull/51

add support for running in the hardened cluster
---
 .../pre-delete-hook-cluster-role.yaml | 9 ++++-
 .../templates/pre-delete-hook-job.yaml | 4 +--
 .../templates/pre-delete-hook-psp.yaml | 33 +++++++++++++++++++
 3 files changed, 43 insertions(+), 3 deletions(-)
 create mode 100644 charts/rancher-webhook/templates/pre-delete-hook-psp.yaml

diff --git a/charts/rancher-webhook/templates/pre-delete-hook-cluster-role.yaml b/charts/rancher-webhook/templates/pre-delete-hook-cluster-role.yaml
index c7047cfcc..36a1c7fef 100644
--- a/charts/rancher-webhook/templates/pre-delete-hook-cluster-role.yaml
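Review bot: The new pattern `tag: latest` is still unanchored and `${HELM_TAG}` is still expanded outside the single quotes, so the substitution also rewrites lines such as `tag: latest-debug` or a commented `# tag: latest`, and a HELM_TAG containing `/` or whitespace breaks the sed expression or splits into extra arguments. Anchoring the match to a whole `tag:` line, switching the delimiter and quoting the expansion is a one-line change: `-e 's|^\([[:space:]]*tag:\) latest$|\1 '"${HELM_TAG}"'|' \`. If HELM_TAG is always a validated git tag the quoting is defensive only, but the anchoring is what makes "match `tag: latest` only" true. The enclosing `sed -i` invocation is fully inside the hunk.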
+++ b/charts/rancher-webhook/templates/pre-delete-hook-cluster-role.yaml
@@ -12,5 +12,12 @@ rules:
   - apiGroups: [ "admissionregistration.k8s.io" ]
     resources: [ "mutatingwebhookconfigurations" ]
     verbs: [ "delete" ]
-    resourceNames: [ "rancher.cattle.io"]
+    resourceNames: [ "rancher.cattle.io" ]
+  - apiGroups: [ "" ]
+    resources: [ "serviceaccounts" ]
+    verbs: [ "get" ]
+  - apiGroups: [ "policy" ]
+    resources: [ "podsecuritypolicies" ]
+    verbs: [ "use" ]
+    resourceNames: [ "rancher-webhook-pre-delete" ]
 {{- end }}
diff --git a/charts/rancher-webhook/templates/pre-delete-hook-job.yaml b/charts/rancher-webhook/templates/pre-delete-hook-job.yaml
index 75d3070a9..de1233b57 100644
--- a/charts/rancher-webhook/templates/pre-delete-hook-job.yaml
+++ b/charts/rancher-webhook/templates/pre-delete-hook-job.yaml
@@ -19,8 +19,8 @@ spec:
       serviceAccountName: rancher-webhook-pre-delete
       restartPolicy: OnFailure
       containers:
-        - name: rancher-webhook-pre-delete
+        - name: rancher-webhook-pre-delete
          image: "{{ include "system_default_registry" . }}{{ .Values.preDelete.image.repository }}:{{ .Values.preDelete.image.tag }}"
          imagePullPolicy: IfNotPresent
-          command: ["kubectl", "delete", "mutatingwebhookconfigurations.admissionregistration.k8s.io", "rancher.cattle.io" ]
+          command: [ "kubectl", "delete", "--ignore-not-found=true", "mutatingwebhookconfigurations", "rancher.cattle.io" ]
 {{- end }}
diff --git a/charts/rancher-webhook/templates/pre-delete-hook-psp.yaml b/charts/rancher-webhook/templates/pre-delete-hook-psp.yaml
new file mode 100644
index 000000000..8acf758d0
--- /dev/null
+++ b/charts/rancher-webhook/templates/pre-delete-hook-psp.yaml
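Review bot: The new `serviceaccounts` rule grants `get` on every ServiceAccount in every namespace with no `resourceNames`, while the two rules beside it are each pinned to a single named object; this is the only cluster-wide read the hook's token carries. Nothing in the diff shows why the hook needs to read ServiceAccounts at all — PSP admission is satisfied by the `use` rule on the named policy — so if the grant is required it should be scoped the same way, `resourceNames: [ "rancher-webhook-pre-delete" ]`, or moved to a Role/RoleBinding in `{{ .Release.Namespace }}` so it does not span the cluster. A one-line comment above the rule naming the admission check that needs it would also stop the next reviewer asking the same question. The `rules:` key itself sits above this hunk.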
@@ -0,0 +1,33 @@
+{{- if .Values.preDelete.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: rancher-webhook-pre-delete
+  labels: {{ include "rancher-webhook.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "1"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+spec:
+  privileged: false
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+  volumes:
+    - 'secret'
+{{- end }}
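Review bot: The policy leaves `allowPrivilegeEscalation` at its PSP default of true, sets no `requiredDropCapabilities`, and uses `runAsUser: RunAsAny`, so on the hardened cluster it is written for it still admits the hook pod as root with setuid escalation and the full default capability set; for a one-shot `kubectl delete` the tighter rules cost nothing. Separately, the template is gated only on `.Values.preDelete.enabled` while `policy/v1beta1` PodSecurityPolicy is deprecated in 1.21 and removed in 1.25, so a release installed on a newer cluster fails its pre-delete hook — and therefore the uninstall — on a missing API; a `.Capabilities.APIVersions.Has` guard avoids that for fresh installs, though since Helm replays hooks from the stored release manifest it will not help a cluster upgraded after install. `MustRunAsNonRoot` presumes the `rancher/kubectl` image runs unprivileged; if it does not, keep `RunAsAny` here and set `runAsUser` in the Job instead.
```yaml
{{- if and .Values.preDelete.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
# … unchanged: apiVersion, kind, metadata …
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  # … unchanged: hostNetwork, hostIPC, hostPID …
  runAsUser:
    rule: 'MustRunAsNonRoot'
  # … unchanged: seLinux, supplementalGroups, fsGroup, readOnlyRootFilesystem, volumes …
```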