namespace-config: Grant access to existing PSP
This change updates the namespace-config chart to (optionally) create
RBAC rules allowing service accounts in the namespace 'use' access to an
existing Pod Security Policy in the cluster. The policy is specified as:
podSecurityPolicy:
existingPsp: name-of-existing-psp
This aligns with the PSP deprecation guidance provided to date [0],
which suggests easing the transition to the "PSP Replacement Policy" by
establishing the standard PSPs (Restricted, Baseline, and Privileged),
assigning a cluster-wide default, and binding more-permissive policies
as needed in certain namespaces.
[0] https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/
Change-Id: I46da230abf822e0cc3553561fd779444439c34a7
This commit is contained in:
Phil Sphicas
parent
9797d1b034
commit
3c4ebf0172
@ -15,6 +15,6 @@ apiVersion: v1
|
|||||||
appVersion: v1.0.0
|
appVersion: v1.0.0
|
||||||
description: OpenStack-Helm Namespace Config
|
description: OpenStack-Helm Namespace Config
|
||||||
name: namespace-config
|
name: namespace-config
|
||||||
version: 0.1.0
|
version: 0.1.1
|
||||||
home: https://kubernetes.io/docs/concepts/policy/limit-range/
|
home: https://kubernetes.io/docs/concepts/policy/limit-range/
|
||||||
...
|
...
|
||||||
|
|||||||
29
namespace-config/templates/psp-rbac.yaml
Normal file
29
namespace-config/templates/psp-rbac.yaml
Normal file
@ -0,0 +1,29 @@
|
|||||||
|
{{- if (not (empty .Values.podSecurityPolicy.existingPsp)) -}}
|
||||||
|
{{- $name := printf "psp:%s:%s" .Release.Name .Values.podSecurityPolicy.existingPsp -}}
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: {{ $name }}
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: Role
|
||||||
|
name: {{ $name }}
|
||||||
|
subjects:
|
||||||
|
- kind: Group
|
||||||
|
name: system:serviceaccounts:{{ .Release.Namespace }}
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: Role
|
||||||
|
metadata:
|
||||||
|
name: {{ $name }}
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- policy
|
||||||
|
resources:
|
||||||
|
- podsecuritypolicies
|
||||||
|
verbs:
|
||||||
|
- use
|
||||||
|
resourceNames:
|
||||||
|
- {{ .Values.podSecurityPolicy.existingPsp }}
|
||||||
|
{{- end -}}
|
||||||
@ -24,4 +24,10 @@ limits:
|
|||||||
defaultRequest:
|
defaultRequest:
|
||||||
cpu: 0.1
|
cpu: 0.1
|
||||||
memory: 64Mi
|
memory: 64Mi
|
||||||
|
|
||||||
|
podSecurityPolicy:
|
||||||
|
# Optionally specify the name of an existing pod security policy.
|
||||||
|
# If specified, a role and rolebinding will be created granting access for
|
||||||
|
# service accounts in this namespace to use existingPsp.
|
||||||
|
existingPsp: ""
|
||||||
...
|
...
|
||||||
|
|||||||
@ -1,4 +1,5 @@
|
|||||||
---
|
---
|
||||||
namespace-config:
|
namespace-config:
|
||||||
- 0.1.0 Initial Chart
|
- 0.1.0 Initial Chart
|
||||||
|
- 0.1.1 Grant access to existing PodSecurityPolicy
|
||||||
...
|
...
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user