Add annotations to podsecuritypolicy

Provide support to add annotations to the podsecuritypolicy. This will allow to add annotations related to seccomp and apparmor in psp. Change-Id: I78718ae1f60e8ebee8ac8ba86145bb9ae26491d5
2019-03-04 10:28:09 +05:30 · 2019-03-04 10:28:09 +05:30 · 154f1700b1
commit 154f1700b1
parent 469b31356d
3 changed files with 31 additions and 23 deletions
--- a/podsecuritypolicy/templates/podsecuritypolicy.yaml
+++ b/podsecuritypolicy/templates/podsecuritypolicy.yaml
@ -26,8 +26,12 @@ metadata:
  name: {{ $pspName }}
  labels:
 {{ tuple $envAll "podsecuritypolicy" "policy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $pspDetails.annotations }}
+  annotations:
+{{ toYaml $pspDetails.annotations | indent 4 }}
+{{- end }}
 spec:
-{{ toYaml $pspDetails | indent 2 }}
+{{ toYaml $pspDetails.spec | indent 2 }}
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
--- a/podsecuritypolicy/values.yaml
+++ b/podsecuritypolicy/values.yaml
@ -33,25 +33,27 @@ data:
  # Note: you can define as many PSPs here as you need.
  #
  psp-default:  # This will be the `metadata.name` of the PodSecurityPolicy
-    privileged: true
-    allowPrivilegeEscalation: true
-    hostNetwork: true
-    hostPID: true
-    hostIPC: true
-    seLinux:
-      rule: RunAsAny
-    supplementalGroups:
-      rule: RunAsAny
-    runAsUser:
-      rule: RunAsAny
-    fsGroup:
-      rule: RunAsAny
-    volumes:
-    - '*'
-    allowedCapabilities:
-    - '*'
-    hostPorts:
-    - min: 1
-      max: 65536
+    annotations: {} # Placeholder to add seccomp/apparmor default annotations
+    spec:
+      privileged: true
+      allowPrivilegeEscalation: true
+      hostNetwork: true
+      hostPID: true
+      hostIPC: true
+      seLinux:
+        rule: RunAsAny
+      supplementalGroups:
+        rule: RunAsAny
+      runAsUser:
+        rule: RunAsAny
+      fsGroup:
+        rule: RunAsAny
+      volumes:
+      - '*'
+      allowedCapabilities:
+      - '*'
+      hostPorts:
+      - min: 1
+        max: 65536
 manifests:
  podsecuritypolicy: true
--- a/tools/deployment/podsecuritypolicy/007-podsecuritypolicy.sh
+++ b/tools/deployment/podsecuritypolicy/007-podsecuritypolicy.sh
@ -35,7 +35,7 @@ EOF
 #NOTE: Deploy with host networking off, and test for failure
 helm upgrade --install podsecuritypolicy ./podsecuritypolicy \
  --namespace=kube-system \
-  --set data.psp-default.hostNetwork=false \
+  --set data.psp-default.spec.hostNetwork=false \
  ${OSH_INFRA_EXTRA_HELM_ARGS} \
  ${OSH_INFRA_EXTRA_HELM_ARGS_PODSECURITYPOLICY}

@ -50,12 +50,14 @@ if kubectl apply -f /tmp/psp-test-pod.yaml; then
  echo "ERROR: podsecuritypolicy incorrectly admitted a privileged pod"
  kubectl delete pod psp-test
  exit 1
+else
+  echo "Failure above is expected. Continuing."
 fi

 #NOTE: Deploy with host networking on, and test for success
 helm upgrade --install podsecuritypolicy ./podsecuritypolicy \
  --namespace=kube-system \
-  --set data.psp-default.hostNetwork=true \
+  --set data.psp-default.spec.hostNetwork=true \
  ${OSH_INFRA_EXTRA_HELM_ARGS} \
  ${OSH_INFRA_EXTRA_HELM_ARGS_PODSECURITYPOLICY}