deploy: Add explicit PodSecurityPolicy and Role
brancz committed Oct 1, 2021
1 parent e289fa4 commit 83b1987
Showing 5 changed files with 160 additions and 2 deletions.
95 changes: 94 additions & 1 deletion deploy/lib/parca/parca.libsonnet
Expand Up @@ -80,6 +80,99 @@ function(params) {
},
},

podSecurityPolicy: {
apiVersion: 'policy/v1beta1',
kind: 'PodSecurityPolicy',
metadata: {
name: prc.config.name,
},
spec: {
allowPrivilegeEscalation: false,
fsGroup: {
ranges: [
{
max: 65535,
min: 1,
},
],
rule: 'MustRunAs',
},
requiredDropCapabilities: [
'ALL',
],
runAsUser: {
rule: 'MustRunAsNonRoot',
},
seLinux: {
rule: 'RunAsAny',
},
supplementalGroups: {
ranges: [
{
max: 65535,
min: 1,
},
],
rule: 'MustRunAs',
},
volumes: [
'configMap',
'emptyDir',
'projected',
'secret',
'downwardAPI',
'persistentVolumeClaim',
],
},
},

role: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'Role',
metadata: {
name: prc.config.name,
namespace: prc.config.namespace,
labels: prc.config.commonLabels,
},
rules: [
{
apiGroups: [
'policy',
],
resourceNames: [
prc.config.name,
],
resources: [
'podsecuritypolicies',
],
verbs: [
'use',
],
},
],
},

roleBinding: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'RoleBinding',
metadata: {
name: prc.config.name,
namespace: prc.config.namespace,
labels: prc.config.commonLabels,
},
roleRef: {
apiGroup: 'rbac.authorization.k8s.io',
kind: 'Role',
name: prc.role.metadata.name,
},
subjects: [
{
kind: 'ServiceAccount',
name: prc.serviceAccount.metadata.name,
},
],
},

configmap: {
apiVersion: 'v1',
kind: 'ConfigMap',
Expand Down Expand Up @@ -161,7 +254,7 @@ function(params) {
configMap: { name: prc.config.configmapName },
}],
nodeSelector: {
'beta.kubernetes.io/os': 'linux',
'kubernetes.io/os': 'linux',
},
},
},
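Review bot: The `subjects` entry of the new `roleBinding` object (the `kind: 'ServiceAccount'` map near the end of the first hunk) omits `namespace`; as far as I recall, RBAC validation requires it for ServiceAccount subjects and rejects the binding with `subjects[0].namespace: Required value`, so add `namespace: prc.config.namespace,` after the `name:` line. Separately, `podSecurityPolicy.metadata` carries only `name`, while `role` and `roleBinding` also set `labels: prc.config.commonLabels`; adding the same labels keeps the cluster-scoped PSP discoverable with the selectors used for everything else. Note also that the PSP is cluster-scoped yet named from `prc.config.name` alone, so two Parca instances in different namespaces would contend for one object — worth a comment such as `// PSP is cluster-scoped: one per cluster, shared by all instances using this name.` if that is intended. The `function(params)` body enclosing these objects begins before and ends after the hunk.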
2 changes: 1 addition & 1 deletion deploy/tilt/parca-server-deployment.yaml
Expand Up @@ -54,7 +54,7 @@ spec:
- mountPath: /var/parca
name: parca-config
nodeSelector:
beta.kubernetes.io/os: linux
kubernetes.io/os: linux
securityContext:
fsGroup: 65534
runAsUser: 65534
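--- /dev/null
+++ b/deploy/tilt/parca-server-podSecurityPolicy.yaml
@@ -0,0 +1,29 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+name: parca
+spec:
+allowPrivilegeEscalation: false
+fsGroup:
+ranges:
+- max: 65535
+min: 1
+rule: MustRunAs
+requiredDropCapabilities:
+- ALL
+runAsUser:
+rule: MustRunAsNonRoot
+seLinux:
+rule: RunAsAny
+supplementalGroups:
+ranges:
+- max: 65535
+min: 1
+rule: MustRunAs
+volumes:
+- configMap
+- emptyDir
+- projected
+- secret
+- downwardAPI
+- persistentVolumeClaim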
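Review bot: `runAsUser: MustRunAsNonRoot` constrains only the UID; `runAsGroup` is left unset, so a pod admitted under this policy may still run with GID 0, and no seccomp profile is required. The spec otherwise tracks the upstream "restricted" PSP example, which also pins `runAsGroup` to a non-zero range and sets the seccomp annotations on `metadata`, so I would add both as shown below. Because the policy mutates an unset group to the range minimum, the tilt deployment (which sets `runAsUser`/`fsGroup` to 65534 but no `runAsGroup`) should then also set `runAsGroup: 65534` explicitly. `policy/v1beta1` PodSecurityPolicy is deprecated since Kubernetes 1.21 and scheduled for removal in 1.25, so a header comment pointing at the Pod Security Admission equivalent (`pod-security.kubernetes.io/enforce: restricted` on the namespace) would help whoever migrates this later.

```yaml
metadata:
  name: parca
  annotations:
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
spec:
  # … unchanged: allowPrivilegeEscalation, fsGroup, requiredDropCapabilities …
  runAsUser:
    rule: MustRunAsNonRoot
  runAsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  # … unchanged: seLinux, supplementalGroups, volumes …
```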
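--- /dev/null
+++ b/deploy/tilt/parca-server-role.yaml
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+labels:
+app.kubernetes.io/component: observability
+app.kubernetes.io/instance: parca
+app.kubernetes.io/name: parca
+app.kubernetes.io/version: dev
+name: parca
+namespace: parca
+rules:
+- apiGroups:
+- policy
+resourceNames:
+- parca
+resources:
+- podsecuritypolicies
+verbs:
+- use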
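--- /dev/null
+++ b/deploy/tilt/parca-server-roleBinding.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+labels:
+app.kubernetes.io/component: observability
+app.kubernetes.io/instance: parca
+app.kubernetes.io/name: parca
+app.kubernetes.io/version: dev
+name: parca
+namespace: parca
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: Role
+name: parca
+subjects:
+- kind: ServiceAccount
+name: parca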
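Review bot: The ServiceAccount subject at the end of the file has no `namespace`; as far as I recall, RBAC validation requires it for `kind: ServiceAccount` subjects and rejects the object with `subjects[0].namespace: Required value`, so add `namespace: parca` below the final `name: parca`. Even on an API server that tolerates it, an unqualified ServiceAccount subject is ambiguous, and the sibling Role in this commit already pins `namespace: parca` explicitly, so the binding should match.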
