Merge pull request #1331 from jordimassaguerpla/fix_psp_backport

jordimassaguerpla · web-flow · commit c52bf86670ce · 2020-08-18T17:29:11.000+02:00
Fix kucero PSP (bsc#1175352)
diff --git a/internal/pkg/skuba/addons/kucero.go b/internal/pkg/skuba/addons/kucero.go
@@ -49,30 +49,6 @@ metadata:
   name: kucero
   namespace: kube-system
 ---
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: kucero
-spec:
-  allowedHostPaths:
-  - pathPrefix: /etc/kubernetes/pki
-    readOnly: true
-  - pathPrefix: /var/lib/kubelet/pki
-    readOnly: true
-  fsGroup:
-    rule: RunAsAny
-  hostPID: true
-  privileged: true
-  runAsUser:
-    rule: RunAsAny
-  seLinux:
-    rule: RunAsAny
-  supplementalGroups:
-    rule: RunAsAny
-  volumes:
-  - secret
-  - hostPath
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -146,14 +122,6 @@ rules:
   - pods/eviction
   verbs:
   - create
-- apiGroups:
-  - extensions
-  resourceNames:
-  - kucero
-  resources:
-  - podsecuritypolicies
-  verbs:
-  - use
 - apiGroups:
   - certificates.k8s.io
   resourceNames:
@@ -225,6 +193,19 @@ subjects:
   name: kucero
   namespace: kube-system
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: suse:caasp:psp:kucero
+roleRef:
+  kind: ClusterRole
+  name: suse:caasp:psp:privileged
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+  name: kucero
+  namespace: kube-system
+---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
diff --git a/internal/pkg/skuba/kubernetes/versions.go b/internal/pkg/skuba/kubernetes/versions.go
@@ -107,7 +107,7 @@ var (
 				Dex:           &AddonVersion{"2.23.0", 7},
 				Gangway:       &AddonVersion{"3.1.0-rev5", 5},
 				MetricsServer: &AddonVersion{"0.3.6", 0},
-				Kucero:        &AddonVersion{"1.1.1", 0},
+				Kucero:        &AddonVersion{"1.1.1", 1},
 				PSP:           &AddonVersion{"", 2},
 			},
 		},
