Merge pull request #5 from surajssd/surajd/add-psp-configs

Add PodSecurityPolicy related configs
presslabs · May 13, 2019 · 35e70b4 · 35e70b4
2 parents 52ff505 + 38d526c
commit 35e70b4
Show file tree

Hide file tree

Showing 6 changed files with 80 additions and 0 deletions.
diff --git a/charts/orchestrator/templates/podsecuritypolicy.yaml b/charts/orchestrator/templates/podsecuritypolicy.yaml
@@ -0,0 +1,44 @@
+{{- if .Values.podSecurityPolicy }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "orchestrator.fullname" . }}
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
+spec:
+  privileged: false
+  # Required to prevent escalations to root.
+  allowPrivilegeEscalation: false
+  requiredDropCapabilities:
+  - KILL
+  - MKNOD
+  - SETGID
+  volumes:
+  - 'configMap'
+  - 'emptyDir'
+  - 'projected'
+  - 'secret'
+  - 'downwardAPI'
+  - 'persistentVolumeClaim'
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+    # Forbid adding the root group.
+    - min: 1
+      max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+    # Forbid adding the root group.
+    - min: 1
+      max: 65535
+  readOnlyRootFilesystem: false
+{{- end }}
diff --git a/charts/orchestrator/templates/role.yaml b/charts/orchestrator/templates/role.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.podSecurityPolicy }}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "orchestrator.fullname" . }}
+rules:
+- apiGroups: ['policy']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames:
+  - {{ template "orchestrator.fullname" . }}
+{{- end }}
diff --git a/charts/orchestrator/templates/rolebinding.yaml b/charts/orchestrator/templates/rolebinding.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.podSecurityPolicy }}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "orchestrator.fullname" . }}
+roleRef:
+  kind: Role
+  name: {{ template "orchestrator.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+# Authorize specific service accounts:
+- kind: ServiceAccount
+  name: {{ template "orchestrator.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+{{- end }}
diff --git a/charts/orchestrator/templates/serviceaccount.yaml b/charts/orchestrator/templates/serviceaccount.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "orchestrator.fullname" . }}
+  labels:
+    app: {{ template "orchestrator.fullname" . }}
diff --git a/charts/orchestrator/templates/statefulset.yaml b/charts/orchestrator/templates/statefulset.yaml
@@ -22,6 +22,7 @@ spec:
         checksum/config: {{ include (print $.Template.BasePath "/config.yaml") . | sha256sum }}
         checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
     spec:
+      serviceAccountName: {{ template "orchestrator.fullname" . }}
       affinity:
         {{- if .Values.nodeAffinity }}
         nodeAffinity:

diff --git a/charts/orchestrator/values.yaml b/charts/orchestrator/values.yaml
@@ -60,3 +60,5 @@ topologyUser: orchestrator
 #   - RaftNodes The statefullset members
 orchestratorConf:
   Debug: false
+
+podSecurityPolicy: false