From 3c441b116f82e8a05e3850c406db57c280af2c84 Mon Sep 17 00:00:00 2001
From: Daniel Lohse
Date: Mon, 11 Jan 2021 09:07:05 +0100
Subject: [PATCH 1/2] Increase version to v0.2.0
---
README.md | 2 +-
config/release/kustomization.yaml | 2 +-
deploy/operator.yaml | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index e231ee2..c4468ac 100644
--- a/README.md
+++ b/README.md
@@ -33,7 +33,7 @@ That Kubernetes operator doesn't exist. At least, it didn't until now. 🤠
## Installation
```sh
- kubectl apply -f https://raw.githubusercontent.com/annismckenzie/k3os-config-operator/v0.1.2/deploy/operator.yaml
+ kubectl apply -f https://raw.githubusercontent.com/annismckenzie/k3os-config-operator/v0.2.0/deploy/operator.yaml
```
diff --git a/config/release/kustomization.yaml b/config/release/kustomization.yaml
index f28e8e6..875a2ec 100644
--- a/config/release/kustomization.yaml
+++ b/config/release/kustomization.yaml
@@ -6,4 +6,4 @@ bases:
images:
- name: ghcr.io/annismckenzie/k3os-config-operator
- newTag: v0.1.2
+ newTag: v0.2.0
diff --git a/deploy/operator.yaml b/deploy/operator.yaml
index e05a3c3..95cc70b 100644
--- a/deploy/operator.yaml
+++ b/deploy/operator.yaml
@@ -397,7 +397,7 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- image: ghcr.io/annismckenzie/k3os-config-operator:v0.1.2
+ image: ghcr.io/annismckenzie/k3os-config-operator:v0.2.0
name: manager
resources:
limits:
From bea9a3fb8813231cf6ebd8ba58e3faec77f85a52 Mon Sep 17 00:00:00 2001
From: Daniel Lohse
Date: Mon, 11 Jan 2021 09:09:31 +0100
Subject: [PATCH 2/2] Update static deployment manifest
---
deploy/operator.yaml | 55 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 55 insertions(+)
diff --git a/deploy/operator.yaml b/deploy/operator.yaml
index 95cc70b..793f285 100644
--- a/deploy/operator.yaml
+++ b/deploy/operator.yaml
@@ -149,6 +149,43 @@ status:
conditions: []
storedVersions: []
---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default
+ seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
+ labels:
+ app: k3os-config-operator
+ app.kubernetes.io/name: k3os-config-operator
+ name: k3os-config-operator-manager
+spec:
+ allowPrivilegeEscalation: false
+ allowedHostPaths:
+ - pathPrefix: /var/lib/rancher/k3os
+ readOnly: false
+ forbiddenSysctls:
+ - '*'
+ fsGroup:
+ rule: RunAsAny
+ hostIPC: false
+ hostNetwork: false
+ hostPID: false
+ privileged: false
+ readOnlyRootFilesystem: false
+ requiredDropCapabilities:
+ - ALL
+ runAsUser:
+ rule: RunAsAny
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ volumes:
+ - hostPath
+ - secret
+ - downwardAPI
+---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
@@ -210,6 +247,14 @@ rules:
- get
- list
- watch
+- apiGroups:
+ - policy
+ resourceNames:
+ - k3os-config-operator-manager
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
@@ -389,6 +434,8 @@ spec:
command:
- /manager
env:
+ - name: ENABLE_NODECONFIG_FILE_MANAGEMENT
+ value: "true"
- name: NODE_NAME
valueFrom:
fieldRef:
@@ -406,4 +453,12 @@ spec:
requests:
cpu: 100m
memory: 20Mi
+ volumeMounts:
+ - mountPath: /etc/k3osconfig.yaml
+ name: varlibrancherk3osconfigyaml
terminationGracePeriodSeconds: 10
+ volumes:
+ - hostPath:
+ path: /var/lib/rancher/k3os/config.yaml
+ type: FileOrCreate
+ name: varlibrancherk3osconfigyaml
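Review bot: The `allowedHostPaths` entry in the new PodSecurityPolicy is broader than the pod needs: it admits all of `/var/lib/rancher/k3os` read-write, while the Deployment later in this patch mounts only `/var/lib/rancher/k3os/config.yaml`, and since `pathPrefix` is matched per path component, `- pathPrefix: /var/lib/rancher/k3os/config.yaml` would confine the write allowance to that one file. `runAsUser: RunAsAny` and `readOnlyRootFilesystem: false` are likewise wider than the mounts shown here call for; if the manager genuinely has to run as root to write the node file, a `MustRunAs` rule with the intended range would record that instead of permitting any UID. The `volumes` allow-list also omits `projected`, so on clusters that mount the service-account token as a projected volume (bound service account tokens) admission under this PSP would reject the manager pod — worth checking against the k3s versions k3OS ships. If `deploy/operator.yaml` is rendered from `config/`, these changes belong in the source there rather than in this static manifest.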
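Review bot: The new `use` rule on `podsecuritypolicies` turns this namespaced Role into the gate for the writable hostPath allowance that the `k3os-config-operator-manager` PSP grants, but the RoleBinding that attaches it to a subject is not in the hunk. Confirm it binds only the manager's ServiceAccount and not a broader group, because any subject bound to this Role can then schedule pods under the same PSP in that namespace. The Role's earlier rules begin above this hunk.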
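Review bot: The new hostPath volume uses `type: FileOrCreate`, so on a node where `/var/lib/rancher/k3os/config.yaml` does not yet exist the kubelet creates an empty file (mode 0644, owned like the kubelet) before the manager starts, and the manager then sees an empty config rather than a missing one. If the operator is meant to bootstrap that file this is intended; if it should only manage an existing k3OS config, `type: File` would fail the mount visibly instead, and either way the behaviour deserves a README sentence since `ENABLE_NODECONFIG_FILE_MANAGEMENT` is hard-wired to `"true"` by the env hunk above. The volumeMount carries no `readOnly`, which is consistent with the PSP's `readOnly: false` earlier in this patch. The Deployment's container spec begins outside the hunk.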