Add PodSecurityPolicy for consul-telemetry-collector

charts/consul/templates/telemetry-collector-podsecuritypolicy.yaml

@@ -0,0 +1,40 @@
+{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "consul.fullname" . }}-telemetry-collector
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "consul.name" . }}
+    chart: {{ template "consul.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+    component: telemetry-collector
+spec:
+  privileged: false
+  # Required to prevent escalations to root.
+  allowPrivilegeEscalation: false
+  # This is redundant with non-root + disallow privilege escalation,
+  # but we can provide it for defense in depth.
+  requiredDropCapabilities:
+    - ALL
+  # Allow core volume types.
+  volumes:
+    - 'configMap'
+    - 'emptyDir'
+    - 'projected'
+    - 'secret'
+    - 'downwardAPI'
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+  readOnlyRootFilesystem: false
+{{- end }}

charts/consul/templates/telemetry-collector-role.yaml

@@ -0,0 +1,21 @@
+{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "consul.fullname" . }}-telemetry-collector
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "consul.name" . }}
+    chart: {{ template "consul.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+    component: consul-telemetry-collector
+rules:
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    resourceNames:
+      - {{ template "consul.fullname" . }}-telemetry-collector
+    verbs:
+      - use
+{{- end }}
+

charts/consul/templates/telemetry-collector-rolebinding.yaml

@@ -0,0 +1,21 @@
+{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "consul.fullname" . }}-telemetry-collector
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "consul.name" . }}
+    chart: {{ template "consul.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+    component: consul-telemetry-collector
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "consul.fullname" . }}-telemetry-collector
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "consul.fullname" . }}-telemetry-collector
+{{- end }}
+

charts/consul/test/unit/telemetry-collector-podsecuritypolicy.bats

@@ -0,0 +1,21 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "telemetryCollector/PodSecurityPolicy: disabled by default" {
+  cd `chart_dir`
+  assert_empty helm template \
+      -s templates/telemetry-collector-podsecuritypolicy.yaml  \
+      .
+}
+
+@test "telemetryCollector/PodSecurityPolicy: enabled with telemetryCollector and global.enablePodSecurityPolicies=true" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -s templates/telemetry-collector-podsecuritypolicy.yaml  \
+      --set 'telemetryCollector.enabled=true' \
+      --set 'global.enablePodSecurityPolicies=true' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}

charts/consul/test/unit/telemetry-collector-role.bats

@@ -0,0 +1,21 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "telemetryCollector/Role: disabled by default" {
+  cd `chart_dir`
+  assert_empty helm template \
+      -s templates/telemetry-collector-role.yaml  \
+      .
+}
+
+@test "telemetryCollector/Role: enabled with telemetryCollector and global.enablePodSecurityPolicies=true" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -s templates/telemetry-collector-role.yaml  \
+      --set 'telemetryCollector.enabled=true' \
+      --set 'global.enablePodSecurityPolicies=true' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}

charts/consul/test/unit/telemetry-collector-rolebinding.bats

@@ -0,0 +1,21 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "telemetryCollector/RoleBinding: disabled by default" {
+  cd `chart_dir`
+  assert_empty helm template \
+      -s templates/telemetry-collector-rolebinding.yaml  \
+      .
+}
+
+@test "telemetryCollector/RoleBinding: enabled with telemetryCollector and global.enablePodSecurityPolicies=true" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -s templates/telemetry-collector-rolebinding.yaml  \
+      --set 'telemetryCollector.enabled=true' \
+      --set 'global.enablePodSecurityPolicies=true' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}