From 154f1700b179c50f1f9e6c2acdf2fd46f5ce1374 Mon Sep 17 00:00:00 2001 From: Hemanth Nakkina Date: Mon, 4 Mar 2019 10:28:09 +0530 Subject: [PATCH] Add annotations to podsecuritypolicy Provide support to add annotations to the podsecuritypolicy. This will allow to add annotations related to seccomp and apparmor in psp. Change-Id: I78718ae1f60e8ebee8ac8ba86145bb9ae26491d5 --- .../templates/podsecuritypolicy.yaml | 6 ++- podsecuritypolicy/values.yaml | 42 ++++++++++--------- .../007-podsecuritypolicy.sh | 6 ++- 3 files changed, 31 insertions(+), 23 deletions(-) diff --git a/podsecuritypolicy/templates/podsecuritypolicy.yaml b/podsecuritypolicy/templates/podsecuritypolicy.yaml index 46d1cd24f..741c9a8f0 100644 --- a/podsecuritypolicy/templates/podsecuritypolicy.yaml +++ b/podsecuritypolicy/templates/podsecuritypolicy.yaml @@ -26,8 +26,12 @@ metadata: name: {{ $pspName }} labels: {{ tuple $envAll "podsecuritypolicy" "policy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +{{- if $pspDetails.annotations }} + annotations: +{{ toYaml $pspDetails.annotations | indent 4 }} +{{- end }} spec: -{{ toYaml $pspDetails | indent 2 }} +{{ toYaml $pspDetails.spec | indent 2 }} --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 diff --git a/podsecuritypolicy/values.yaml b/podsecuritypolicy/values.yaml index 355000f5f..807e12893 100644 --- a/podsecuritypolicy/values.yaml +++ b/podsecuritypolicy/values.yaml 
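Review bot: The new `spec:` line renders `$pspDetails.spec` without checking it exists, so a PSP entry in values that is still written in the pre-change flat shape (or any new entry that forgets the `spec` map) renders `spec: null` and fails at the apiserver with a message that points at PodSecurityPolicy validation rather than at the values file; worse, for `psp-default` itself Helm's value merge keeps the chart's own `spec`, so stale flat overrides such as `data.psp-default.hostNetwork=false` become ignored sibling keys and the permissive default ships silently. A `required` guard makes the misconfiguration loud at render time: `{{ $spec := required (printf "PodSecurityPolicy %s: values must provide a .spec map (PSP fields moved under spec)" $pspName) $pspDetails.spec }}` followed by `{{ toYaml $spec | indent 2 }}` in place of the added `toYaml $pspDetails.spec` line. The `annotations` branch is fine as written, since an empty `{}` is falsy in Go templates and the block is skipped. The `range` that binds `$pspName` and `$pspDetails` starts above this hunk, so I am inferring their types from the values file in the same patch.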
@@ -33,25 +33,27 @@ data: # Note: you can define as many PSPs here as you need. # psp-default: # This will be the `metadata.name` of the PodSecurityPolicy - privileged: true - allowPrivilegeEscalation: true - hostNetwork: true - hostPID: true - hostIPC: true - seLinux: - rule: RunAsAny - supplementalGroups: - rule: RunAsAny - runAsUser: - rule: RunAsAny - fsGroup: - rule: RunAsAny - volumes: - - '*' - allowedCapabilities: - - '*' - hostPorts: - - min: 1 - max: 65536 + annotations: {} # Placeholder to add seccomp/apparmor default annotations + spec: + privileged: true + allowPrivilegeEscalation: true + hostNetwork: true + hostPID: true + hostIPC: true + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + runAsUser: + rule: RunAsAny + fsGroup: + rule: RunAsAny + volumes: + - '*' + allowedCapabilities: + - '*' + hostPorts: + - min: 1 + max: 65536 manifests: podsecuritypolicy: true diff --git a/tools/deployment/podsecuritypolicy/007-podsecuritypolicy.sh b/tools/deployment/podsecuritypolicy/007-podsecuritypolicy.sh index 1aed98a62..6b977e781 100755 --- a/tools/deployment/podsecuritypolicy/007-podsecuritypolicy.sh +++ b/tools/deployment/podsecuritypolicy/007-podsecuritypolicy.sh @@ -35,7 +35,7 @@ EOF #NOTE: Deploy with host networking off, and test for failure helm upgrade --install podsecuritypolicy ./podsecuritypolicy \ --namespace=kube-system \ - --set data.psp-default.hostNetwork=false \ + --set data.psp-default.spec.hostNetwork=false \ ${OSH_INFRA_EXTRA_HELM_ARGS} \ ${OSH_INFRA_EXTRA_HELM_ARGS_PODSECURITYPOLICY} 
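Review bot: Moving every PodSecurityPolicySpec field under `spec:` changes the override path for all of them, but nothing in the values file says so; an operator whose pipeline still passes `--set data.psp-default.hostNetwork=false` (the exact form the deployment script used before this patch) now gets that key merged as an unused sibling of `spec`, and the chart quietly deploys the unrestricted default (`privileged: true`, `hostNetwork`/`hostPID`/`hostIPC: true`, `allowedCapabilities: ['*']`, `volumes: ['*']`) instead of the tightened policy. I would add a comment above the new `spec:` key: `# All PodSecurityPolicySpec fields live under spec; overrides written as data.<psp>.<field> (pre-spec layout) are ignored and leave the permissive default in place.` The `annotations: {}` placeholder could also name what it is for, e.g. `# e.g. the seccomp/apparmor allowedProfileNames and defaultProfileName annotations documented for PodSecurityPolicy`, so users do not have to guess the keys; with `privileged: true` kept in the same default, restricting seccomp/apparmor profiles via annotations buys little, which is worth stating next to the placeholder.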
@@ -50,12 +50,14 @@ if kubectl apply -f /tmp/psp-test-pod.yaml; then echo "ERROR: podsecuritypolicy incorrectly admitted a privileged pod" kubectl delete pod psp-test exit 1 +else + echo "Failure above is expected. Continuing." fi #NOTE: Deploy with host networking on, and test for success helm upgrade --install podsecuritypolicy ./podsecuritypolicy \ --namespace=kube-system \ - --set data.psp-default.hostNetwork=true \ + --set data.psp-default.spec.hostNetwork=true \ ${OSH_INFRA_EXTRA_HELM_ARGS} \ ${OSH_INFRA_EXTRA_HELM_ARGS_PODSECURITYPOLICY}
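Review bot: The new `else` branch declares any failure of `kubectl apply` to be the expected PSP rejection, so a negative test that fails for an unrelated reason (unreachable apiserver, a typo in `/tmp/psp-test-pod.yaml`, RBAC denying the caller) passes and prints "Failure above is expected" while never proving the policy denied anything. Capture the output and require the PSP admission error before continuing; the message in the Kubernetes releases I know reads `unable to validate against any pod security policy` (confirm against the target version), and the check below treats any other failure as a test error. The `if` opened at the top of this hunk is the one I rewrite; the rest of the hunk (the second `helm upgrade`) is unchanged.
```shell
if out="$(kubectl apply -f /tmp/psp-test-pod.yaml 2>&1)"; then
  echo "ERROR: podsecuritypolicy incorrectly admitted a privileged pod"
  kubectl delete pod psp-test
  exit 1
elif ! grep -qi 'unable to validate against any pod security policy' <<<"${out}"; then
  echo "ERROR: test pod was rejected for a reason other than PSP admission:"
  echo "${out}"
  exit 1
else
  echo "Failure above is expected (PSP denied the pod). Continuing."
fi
# … unchanged: helm upgrade with spec.hostNetwork=true and the success test …
```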