Comments (4)
vito-laurenza-zocdoc
commented on August 23, 2024
I've tried adding a PSP similar to the one the csi driver optionally installs, but that doesn't help either.
from secrets-store-csi-driver-provider-aws.
vito-laurenza-zocdoc
commented on August 23, 2024
$ diff -u <(curl -sL https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/r1/deployment/aws-provider-installer.yaml) ./aws-provider-installer.yaml
--- /dev/fd/63 2021-05-21 15:33:29.000000000 -0400
+++ ./aws-provider-installer.yaml 2021-05-21 15:33:21.000000000 -0400
@@ -1,3 +1,4 @@
+# source: https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/r1/deployment/aws-provider-installer.yaml
# https://kubernetes.io/docs/reference/access-authn-authz/rbac
apiVersion: v1
kind: ServiceAccount
@@ -22,6 +23,11 @@
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get"]
+- apiGroups: ['policy']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames:
+ - csi-secrets-store-provider-aws-psp
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
@@ -36,6 +42,36 @@
name: csi-secrets-store-provider-aws
namespace: kube-system
---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ labels:
+ app: csi-secrets-store-provider-aws
+ name: csi-secrets-store-provider-aws-psp
+ namespace: kube-system
+spec:
+ allowPrivilegeEscalation: true
+ fsGroup:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ hostPorts:
+ - max: 65535
+ min: 0
+ privileged: true
+ runAsUser:
+ rule: RunAsAny
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ volumes:
+ - hostPath
+---
apiVersion: apps/v1
kind: DaemonSet
metadata:
@@ -77,6 +113,7 @@
- name: providervol
hostPath:
path: "/etc/kubernetes/secrets-store-csi-providers"
+ type: DirectoryOrCreate
- name: mountpoint-dir
hostPath:
path: /var/lib/kubelet/pods
from secrets-store-csi-driver-provider-aws.
vito-laurenza-zocdoc
commented on August 23, 2024
I was able to make this work (selinux was denying access to create the socket).
I think having issue #15 solved will provide a simpler way for folks to get this working in their various environments.
--- /dev/fd/63 2021-05-24 15:36:18.000000000 -0400
+++ ./aws-provider-installer.yaml 2021-05-24 15:36:16.000000000 -0400
@@ -1,3 +1,4 @@
+# source: https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/r1/deployment/aws-provider-installer.yaml
# https://kubernetes.io/docs/reference/access-authn-authz/rbac
apiVersion: v1
kind: ServiceAccount
@@ -22,6 +23,11 @@
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get"]
+- apiGroups: ['policy']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames:
+ - csi-secrets-store-provider-aws-psp
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
@@ -36,6 +42,36 @@
name: csi-secrets-store-provider-aws
namespace: kube-system
---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ labels:
+ app: csi-secrets-store-provider-aws
+ name: csi-secrets-store-provider-aws-psp
+ namespace: kube-system
+spec:
+ allowPrivilegeEscalation: true
+ fsGroup:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ hostPorts:
+ - max: 65535
+ min: 0
+ privileged: true
+ runAsUser:
+ rule: RunAsAny
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ volumes:
+ - hostPath
+---
apiVersion: apps/v1
kind: DaemonSet
metadata:
@@ -54,6 +90,7 @@
labels:
app: csi-secrets-store-provider-aws
spec:
+ priorityClassName: system-node-critical
serviceAccountName: csi-secrets-store-provider-aws
hostNetwork: true
containers:
@@ -73,10 +110,13 @@
- name: mountpoint-dir
mountPath: /var/lib/kubelet/pods
mountPropagation: HostToContainer
+ securityContext:
+ privileged: true
volumes:
- name: providervol
hostPath:
path: "/etc/kubernetes/secrets-store-csi-providers"
+ type: DirectoryOrCreate
- name: mountpoint-dir
hostPath:
path: /var/lib/kubelet/podsfrom secrets-store-csi-driver-provider-aws.
pierluigilenoci
commented on August 23, 2024
@vito-laurenza-zocdoc why did you close the ticket? For me, it was still a meaningful report.
from secrets-store-csi-driver-provider-aws.
Related Issues (20)
- Link for the Chart to download as dependency in Helm / ArgoCD HOT 2
- Documentation on how to use a secret as an env var HOT 2
- CSI secret store driver fails to create secret
- Env in pod is not loading as expected HOT 1
- Add high priority to DaemonSet HOT 2
- When adding nodeSelector and tolerations to schedule onto a specific node, secrets can no longer be fetched. HOT 3
- Pod Identity Association not recognised by secrets store CSI driver HOT 21
- [Question] Inside .yaml, there is a way to retrieve all aws secrets without pass keys? HOT 1
- Unable to mount secret, "Failed fetching secret <secretName>: RequestCanceled: request context canceled" HOT 1
- Expose Additional Security Context Settings in Helm Chart HOT 1
- Is it possible to use this outside of EKS? HOT 3
- Allow setting `driver-writes-secrets` argument via Helm values HOT 1
- Please consider changing the object parameter format. HOT 2
- AWS provider pod failing with "panic: runtime error: invalid memory address or nil pointer dereference" HOT 2
- Provider socket does not exist if provider pod starts before driver pod HOT 2
- Wait(n=1) would exceed context deadline HOT 1
- Secret access cross account without resource based policy HOT 1
- Cross account secret access HOT 1
- Request support for adding custom CA certs to helm chart HOT 1
- Error with affinity HOT 7
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from secrets-store-csi-driver-provider-aws.