From e39b0d382bc2dd44663bfcb877bdd3640cbffa6e Mon Sep 17 00:00:00 2001 From: Alex <39635005+alexarefev@users.noreply.github.com> Date: Tue, 22 Nov 2022 18:13:31 +0500 Subject: [PATCH] [MANOPD-81799]Deploy Kubernetes failed (#290) * psp fix * True/False --- kubemarine/plugins/calico.py | 87 +++++++++++++++++++++++++++++++++--- 1 file changed, 81 insertions(+), 6 deletions(-) diff --git a/kubemarine/plugins/calico.py b/kubemarine/plugins/calico.py index 82c1e7ad5..10f3eab03 100755 --- a/kubemarine/plugins/calico.py +++ b/kubemarine/plugins/calico.py @@ -69,7 +69,9 @@ def apply_calico_yaml(cluster, calico_original_yaml, calico_yaml): "DaemonSet_calico-node", "Deployment_calico-typha", "Service_calico-typha", - "PodDisruptionBudget_calico-typha" + "PodDisruptionBudget_calico-typha", + "ClusterRole_calico-kube-controllers", + "ClusterRole_calico-node" ] # enrich objects one by one @@ -82,14 +84,19 @@ def apply_calico_yaml(cluster, calico_original_yaml, calico_yaml): else: # enrich 'calico-typha' objects only if it's enabled in 'cluster.yaml' # in other case those objects must be excluded - if not cluster.inventory['plugins']['calico']['typha']['enabled']: + str_value = true_or_false(str(cluster.inventory['plugins']['calico']['typha']['enabled'])) + if str_value == 'false': obj_list.pop(key) excluded_list.append(key) cluster.log.verbose(f"The {key} has been excluded from result") - else: + elif str_value == 'true': patched_list.append(key) if enrich_objects_fns[key]: obj_list = enrich_objects_fns[key](cluster, obj_list) + else: + raise Exception(f"The {key} can't be patched correctly " + f"plugins.calico.typha.enabled must be set in 'True' or 'False' " + f"as string or boolean value") cluster.log.verbose(f"The total number of patched objects is {len(patched_list)} " f"the objects are the following: {patched_list}") @@ -118,10 +125,11 @@ def enrich_configmap_calico_config(cluster, obj_list): key = "ConfigMap_calico-config" val = cluster.inventory['plugins']['calico']['mtu'] obj_list[key]['data']['veth_mtu'] = str(val) - cluster.log.verbose(f"The {key} has been patched in 'data.typha_service_name' with '{val}'") - if cluster.inventory['plugins']['calico']['typha']['enabled'] == True: + cluster.log.verbose(f"The {key} has been patched in 'data.veth_mtu' with '{val}'") + str_value = true_or_false(str(cluster.inventory['plugins']['calico']['typha']['enabled'])) + if str_value == "true": val = "calico-typha" - else: + elif str_value == "false": val = "none" obj_list[key]['data']['typha_service_name'] = val cluster.log.verbose(f"The {key} has been patched in 'data.typha_service_name' with '{val}'") @@ -251,6 +259,42 @@ def enrich_deployment_calico_typha(cluster, obj_list): return obj_list +def enrich_clusterRole_calico_kube_controllers(cluster, obj_list): + """ + The method implements the enrichment procedure for Calico controller ClusterRole + :param cluster: Cluster object + :param obj_list: list of objects for enrichment + """ + + key = "ClusterRole_calico-kube-controllers" + if cluster.inventory['rbac']['admission'] == "psp" and \ + cluster.inventory['rbac']['psp']['pod-security'] == "enabled": + api_list = obj_list[key]['rules'] + api_list.append(psp_calico_kube_controllers) + obj_list[key]['rules'] = api_list + cluster.log.verbose(f"The {key} has been patched in 'rules' with '{psp_calico_kube_controllers}'") + + return obj_list + + +def enrich_clusterrole_calico_node(cluster, obj_list): + """ + The method implements the enrichment procedure for Calico node ClusterRole + :param cluster: Cluster object + :param obj_list: list of objects for enrichment + """ + + key = "ClusterRole_calico-node" + if cluster.inventory['rbac']['admission'] == "psp" and \ + cluster.inventory['rbac']['psp']['pod-security'] == "enabled": + api_list = obj_list[key]['rules'] + api_list.append(psp_calico_node) + obj_list[key]['rules'] = api_list + cluster.log.verbose(f"The {key} has been patched in 'rules' with '{psp_calico_node}'") + + return obj_list + + def validate_original(cluster, obj_list): """ The method implements some validations for Calico objects @@ -347,12 +391,43 @@ def save_multiple_yaml(filepath, multi_yaml) -> None: except Exception as exc: print(f"Failed to save {filepath}", exc) + +def true_or_false(input_string): + """ + The method check string and boolean value + :param input_string: String that should be checked + """ + if input_string in ['true', 'True', 'TRUE']: + result = "true" + elif input_string in ['false', 'False', 'FALSE']: + result = "false" + else: + result = "undefined" + + return result + # name of objects and enrichment methods mapping enrich_objects_fns = { "ConfigMap_calico-config": enrich_configmap_calico_config, "Deployment_calico-kube-controllers": enrich_deployment_calico_kube_controllers, "DaemonSet_calico-node": enrich_daemonset_calico_node, "Deployment_calico-typha": enrich_deployment_calico_typha, + "ClusterRole_calico-kube-controllers": enrich_clusterRole_calico_kube_controllers, + "ClusterRole_calico-node": enrich_clusterrole_calico_node, "Service_calico-typha": None, "PodDisruptionBudget_calico-typha": None } + +psp_calico_kube_controllers = { + "apiGroups": ["policy"], + "resources": ["podsecuritypolicies"], + "verbs": ["use"], + "resourceNames": ["oob-anyuid-psp"] +} + +psp_calico_node = { + "apiGroups": ["policy"], + "resources": ["podsecuritypolicies"], + "verbs": ["use"], + "resourceNames": ["oob-privileged-psp"] +}