From f6ef52da8d0945d845c7fe50cef5c32baa54213c Mon Sep 17 00:00:00 2001
From: Alona Paz
Date: Sun, 18 Dec 2022 14:25:46 +0200
Subject: [PATCH 1/5] Make secondary-dns deployment psa ready
Can be tested by
- kubectl label --dry-run=server --overwrite ns secondary pod-security.kubernetes.io/enforce=restricted
https://kubernetes.io/docs/concepts/security/pod-security-admission/
Signed-off-by: Alona Paz
---
 manifests/secondarydns.yaml | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/manifests/secondarydns.yaml b/manifests/secondarydns.yaml
index 19252d6a..0320cd7f 100644
--- a/manifests/secondarydns.yaml
+++ b/manifests/secondarydns.yaml
@@ -9,7 +9,7 @@ data:
 DOMAIN: ""
 NAME_SERVER_IP: ""
 Corefile: |
- .:53 {
+ .:5353 {
 auto {
 directory /zones db\.(.*) {1}
 reload 45s
@@ -75,6 +75,11 @@ spec:
 kubectl.kubernetes.io/default-container: status-monitor
 spec:
 serviceAccountName: secondary
+ securityContext:
+ runAsUser: 1000
+ runAsNonRoot: true
+ seccompProfile:
+ type: "RuntimeDefault"
 containers:
 - args:
 - -conf
@@ -82,8 +87,12 @@ spec:
 image: k8s.gcr.io/coredns/coredns:v1.8.6
 imagePullPolicy: IfNotPresent
 name: secondary-dns
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: [ "ALL" ]
 ports:
- - containerPort: 53
+ - containerPort: 5353
 name: dns
 protocol: UDP
 resources:
@@ -100,6 +109,10 @@ spec:
 mountPath: /zones
 readOnly: true
 - name: status-monitor
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: [ "ALL" ]
 image: registry:5000/kubevirt/kubesecondarydns:latest
 volumeMounts:
 - name: secdns-zones
From b668c8e46294348e8110e76a95f0e27835558525 Mon Sep 17 00:00:00 2001
From: Alona Paz
Date: Sun, 18 Dec 2022 14:44:21 +0200
Subject: [PATCH 2/5] Change the NodePort tragetPort to 5353
Signed-off-by: Alona Paz
---
 hack/create-nodeport.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hack/create-nodeport.sh b/hack/create-nodeport.sh
index 1997fddf..fc5a182d 100755
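Review bot: The first hunk moves the CoreDNS listener from `.:53` to `.:5353` without saying why, and the reason only becomes visible three hunks later (the pod runs as UID 1000 with every capability dropped, so a port below 1024 can no longer be bound). The same literal is also changed in `containerPort`, in hack/create-nodeport.sh and in the README by the other patches, so the next person touching it has four places to keep aligned. A YAML comment above the `Corefile: |` context line would tie them together, e.g. `# unprivileged port: the pod runs as UID 1000 with all capabilities dropped, so 53 cannot be bound; keep in sync with containerPort and hack/create-nodeport.sh`. The ConfigMap `data` block these lines belong to starts outside the hunk.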
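Review bot: The pod-level `runAsUser: 1000` added in the second hunk pins both containers to that UID regardless of the USER each image declares, and the `secdns-zones` volume that status-monitor mounts (fourth hunk) and secondary-dns reads via the read-only `/zones` mount is now accessed as UID 1000; whether that needs `fsGroup` or `runAsGroup` depends on the volume type, which is not in the hunk. If it is an emptyDir this presumably works, but the assumption deserves a comment next to `runAsUser`, e.g. `# both containers run as 1000; the shared zones volume must be writable by that UID`. Separately, `type: "RuntimeDefault"` is the only quoted scalar among the new fields while `runAsNonRoot: true` and the neighbouring values are plain; `type: RuntimeDefault` would match the rest of the manifest. The pod template `spec` continues outside the hunk.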
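Review bot: The container securityContext added for secondary-dns in the third hunk (and repeated for status-monitor in the fourth) covers what the restricted profile demands but leaves `readOnlyRootFilesystem` unset; with the Corefile in the first hunk CoreDNS only reads `/zones`, so `readOnlyRootFilesystem: true` looks like a cheap addition there, and it likely applies to status-monitor too if it writes only to its mounted volume (its image contents are not visible here, so confirm before copying). The flow sequence `drop: [ "ALL" ]` in both hunks carries inner padding that yamllint/Prettier would normalise; `drop: ["ALL"]` is the conventional form. The containers list these entries belong to runs past the end of the fourth hunk.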
--- a/hack/create-nodeport.sh
+++ b/hack/create-nodeport.sh
@@ -13,5 +13,5 @@ if [ -z $NAMESPACE ]; then
 exit 1
 fi
-${KUBECTL} expose -n ${NAMESPACE} deployment/secondary-dns --name=dns-nodeport --type=NodePort --port=31111 --target-port=53 --protocol='UDP'
+${KUBECTL} expose -n ${NAMESPACE} deployment/secondary-dns --name=dns-nodeport --type=NodePort --port=31111 --target-port=5353 --protocol='UDP'
 ${KUBECTL} patch -n ${NAMESPACE} service/dns-nodeport --type='json' --patch='[{"op": "replace", "path": "/spec/ports/0/nodePort", "value":31111}]'
From c8641f4b1db0a38541405b7f7aef8cd95aa91857 Mon Sep 17 00:00:00 2001
From: Alona Paz
Date: Sun, 18 Dec 2022 14:47:02 +0200
Subject: [PATCH 3/5] README: update the KubeSecondaryDNS port to 5353
Signed-off-by: Alona Paz
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 4017cb64..b334c2fd 100644
--- a/README.md
+++ b/README.md
@@ -2,12 +2,12 @@ DNS for KubeVirt VirtualMachines secondary interfaces
 ## Prerequisites
-1. The KubeSecondaryDNS Deployment should be reachable from outside the cluster.
+1. The KubeSecondaryDNS Deployment which listens on port 5353 should be reachable from outside the cluster.
 It can be exposed using NodePort, Load Balancer, Ingress or any other methodology. The IP to reach the KubeSecondaryDNS from outside the cluster would be called from now on "KubeSecondaryDNS public IP".
 2. The secondary interfaces IPs must appear on the VMI status.
-For this IPs should be either declared statically (i.e with CNI) or to have a guest agent installed.
+For this, IPs should be either declared statically (i.e with CNI) or to have a guest agent installed.
 3. Kubevirt must be installed, else the plugin would have an error.
 4. If necessary, establish connectivity to KubeSecondaryDNS public IP via a relevant DNS entity that is used to reach the authoritative KubeSecondaryDNS server, such as DNSResolver, TLD NameServer, etc.
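Review bot: The rewritten `expose` line still passes `-n ${NAMESPACE}` unquoted even though the value comes straight from the environment; `-n "${NAMESPACE}"` is the safer form, and the `[ -z $NAMESPACE ]` test shown in the hunk header has the same weakness but sits outside the hunk. The `--target-port=5353` literal now has to agree with the `containerPort` and Corefile values in manifests/secondarydns.yaml, and nothing in this script records that coupling; a one-line comment such as `# target port must match containerPort in manifests/secondarydns.yaml` above the line would keep the next port change from drifting.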
From ee3f65ac20a4571dec00565aea4ac904f5c08f60 Mon Sep 17 00:00:00 2001
From: Alona Paz
Date: Mon, 19 Dec 2022 10:20:05 +0200
Subject: [PATCH 4/5] bump kubevirtci to enable PSA on the provider
This PR should be included - https://github.com/kubevirt/kubevirtci/pull/915
Signed-off-by: Alona Paz
---
 cluster/cluster.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cluster/cluster.sh b/cluster/cluster.sh
index 94bb6319..8582f61a 100644
--- a/cluster/cluster.sh
+++ b/cluster/cluster.sh
@@ -14,7 +14,7 @@ export KUBEVIRT_PROVIDER=${KUBEVIRT_PROVIDER:-'k8s-1.25'}
 export KUBEVIRT_NUM_NODES=1
-export KUBEVIRTCI_TAG='2211212125-021efaa'
+export KUBEVIRTCI_TAG='2212161203-bcbedfe'
 KUBEVIRTCI_REPO='https://github.com/kubevirt/kubevirtci.git'
 # The CLUSTER_PATH var is used in cluster folder and points to the _kubevirtci where the cluster is deployed from.
From 9d8626101047a84f985a169436fa4efe322fa874 Mon Sep 17 00:00:00 2001
From: Alona Paz
Date: Mon, 19 Dec 2022 13:13:01 +0200
Subject: [PATCH 5/5] Disable `KUBEVIRT_PSA`
Disable `KUBEVIRT_PSA` until there will be kubevirt stable branch that supports PSA. Meanwhile, if there will be a PSA violatation, a warning will be recieved.
Signed-off-by: Alona Paz
---
 cluster/up.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/cluster/up.sh b/cluster/up.sh
index 1b3dbd33..7cccb5d1 100755
--- a/cluster/up.sh
+++ b/cluster/up.sh
@@ -18,6 +18,7 @@ set -ex pipefail
 export DEPLOY_CNAO=${DEPLOY_CNAO:-true}
 export DEPLOY_KUBEVIRT=${DEPLOY_KUBEVIRT:-true}
+export KUBEVIRT_PSA=${KUBEVIRT_PSA:-false}
 source ./cluster/cluster.sh
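Review bot: The new `export KUBEVIRT_PSA=${KUBEVIRT_PSA:-false}` turns the PSA readiness work of the earlier patches into a warning-only check for every CI run, and nothing in the file records that this is a temporary downgrade or what has to happen before it is flipped back; the reasoning lives only in the commit message. A comment above the line would keep that visible, e.g. `# PSA enforcement stays off until a kubevirt stable branch supports it; violations only produce warnings until then`. Since a warning in CI output is easy to miss, it is also worth pointing at the `kubectl label --dry-run=server ... pod-security.kubernetes.io/enforce=restricted` check from the first patch's message as the manual way to verify the manifest while enforcement is disabled.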