
Add --disable-pod-security-policies to cluster create and update commands (#245)
mwennrich authored Jul 31, 2023
1 parent 815d27b commit b14422b
Showing 3 changed files with 16 additions and 3 deletions.
13 changes: 13 additions & 0 deletions cmd/cluster.go
Expand Up @@ -302,6 +302,7 @@ func newClusterCmd(c *config) *cobra.Command {
clusterCreateCmd.Flags().StringSlice("egress", []string{}, "static egress ips per network, must be in the form <network>:<ip>; e.g.: --egress internet:1.2.3.4,extnet:123.1.1.1 --egress internet:1.2.3.5 [optional]")
clusterCreateCmd.Flags().BoolP("allowprivileged", "", false, "allow privileged containers the cluster (this is achieved through pod security policies and has no effect anymore on clusters >= v1.25")
clusterCreateCmd.Flags().String("default-pod-security-standard", "", "sets default pod security standard for clusters >= v1.23.x, defaults to restricted on clusters >= v1.25 (valid values: empty string, privileged, baseline, restricted)")
clusterCreateCmd.Flags().BoolP("disable-pod-security-policies", "", false, "disable pod security policies")
clusterCreateCmd.Flags().String("audit", "on", "audit logging of cluster API access; can be off, on (default) or splunk (logging to a predefined or custom splunk endpoint). [optional]")
clusterCreateCmd.Flags().Duration("healthtimeout", 0, "period (e.g. \"24h\") after which an unhealthy node is declared failed and will be replaced. [optional]")
clusterCreateCmd.Flags().Duration("draintimeout", 0, "period (e.g. \"3h\") after which a draining node will be forcefully deleted. [optional]")
Expand Down Expand Up @@ -381,6 +382,7 @@ func newClusterCmd(c *config) *cobra.Command {
clusterUpdateCmd.Flags().StringSlice("removelabels", []string{}, "labels to remove from the cluster")
clusterUpdateCmd.Flags().BoolP("allowprivileged", "", false, "allow privileged containers the cluster (this is achieved through pod security policies and has no effect anymore on clusters >=v1.25")
clusterUpdateCmd.Flags().String("default-pod-security-standard", "", "set default pod security standard for cluster >=v 1.23.x, send empty string explicitly to disable pod security standards (valid values: empty string, privileged, baseline, restricted)")
clusterUpdateCmd.Flags().BoolP("disable-pod-security-policies", "", false, "disable pod security policies")
clusterUpdateCmd.Flags().String("audit", "on", "audit logging of cluster API access; can be off, on or splunk (logging to a predefined or custom splunk endpoint).")
clusterUpdateCmd.Flags().String("purpose", "", fmt.Sprintf("purpose of the cluster, can be one of %s. SLA is only given on production clusters.", strings.Join(completion.ClusterPurposes, "|")))
clusterUpdateCmd.Flags().StringSlice("egress", []string{}, "static egress ips per network, must be in the form <networkid>:<semicolon-separated ips>; e.g.: --egress internet:1.2.3.4;1.2.3.5 --egress extnet:123.1.1.1 [optional]. Use --egress none to remove all egress rules.")
Expand Down Expand Up @@ -540,6 +542,10 @@ func (c *config) clusterCreate() error {
if viper.IsSet("default-pod-security-standard") {
defaultPodSecurityStandard = pointer.Pointer(viper.GetString("default-pod-security-standard"))
}
var disablePodSecurityPolicies *bool
if viper.IsSet("disable-pod-security-policies") {
disablePodSecurityPolicies = pointer.Pointer(viper.GetBool("disable-pod-security-policies"))
}

audit := viper.GetString("audit")

Expand Down Expand Up @@ -642,6 +648,7 @@ func (c *config) clusterCreate() error {
AllowPrivilegedContainers: allowprivileged,
Version: &version,
DefaultPodSecurityStandard: defaultPodSecurityStandard,
DisablePodSecurityPolicies: disablePodSecurityPolicies,
},
Audit: auditConfig.Config,
Maintenance: &models.V1Maintenance{
Expand Down Expand Up @@ -1220,6 +1227,12 @@ func (c *config) updateCluster(args []string) error {
}
k8s.DefaultPodSecurityStandard = pointer.Pointer(viper.GetString("default-pod-security-standard"))
}
if viper.IsSet("disable-pod-security-policies") {
if !viper.GetBool("yes-i-really-mean-it") {
return fmt.Errorf("--disable-pod-security-policies set but you forgot to add --yes-i-really-mean-it")
}
k8s.DisablePodSecurityPolicies = pointer.Pointer(viper.GetBool("disable-pod-security-policies"))
}

cur.Kubernetes = k8s

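Review bot: The help text for the new flag on both commands, `"disable pod security policies"`, tells the operator neither what admission control is given up nor that the update command refuses the flag without `--yes-i-really-mean-it`, which they only discover from the error in updateCluster; the adjacent `allowprivileged` help already spells out the >= v1.25 caveat and this flag presumably has the same scope, worth confirming against cloud-go v0.20.23. Suggest `"disable pod security policies (removes PSP-based admission control; requires --yes-i-really-mean-it)"` for clusterUpdateCmd and the same text without the confirmation clause for clusterCreateCmd. Separately, the guard in updateCluster keys on `viper.IsSet` rather than the value, so `--disable-pod-security-policies=false` also demands confirmation; if re-enabling should be unguarded, test `viper.GetBool("disable-pod-security-policies")` before requiring the flag. Both newClusterCmd and updateCluster start outside the visible hunks.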
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -8,7 +8,7 @@ require (
github.com/dcorbe/termui-dpc v0.0.0-20211125210512-9d2673a82dd6
github.com/dustin/go-humanize v1.0.1
github.com/fatih/color v1.15.0
github.com/fi-ts/cloud-go v0.20.22
github.com/fi-ts/cloud-go v0.20.23
github.com/gardener/gardener v1.59.0
github.com/gardener/machine-controller-manager v0.49.3
github.com/go-openapi/strfmt v0.21.7
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -145,8 +145,8 @@ github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.m
github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs=
github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw=
github.com/fi-ts/cloud-go v0.20.22 h1:n6w8uS5qM8nFeSAFIhYIX0+bdm6Ue8gvgNhNlq4LWCk=
github.com/fi-ts/cloud-go v0.20.22/go.mod h1:BYrXp1jTvfxYRiL0B+LE+6ZDp3GF110y9Sr2tuRJo5c=
github.com/fi-ts/cloud-go v0.20.23 h1:OU7YgEbjUDa6govbdqQI5LNW3aDlvwQzwLZbtROTtzY=
github.com/fi-ts/cloud-go v0.20.23/go.mod h1:BYrXp1jTvfxYRiL0B+LE+6ZDp3GF110y9Sr2tuRJo5c=
github.com/frankban/quicktest v1.14.5 h1:dfYrrRyLtiqT9GyKXgdh+k4inNeTvmGbuSgZ3lx3GhA=
github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
