Merge "Add PodSecurityPolicy chart"

2019-01-10 07:24:16 +00:00 · 2019-01-10 07:24:16 +00:00 · 730e7811c2
commit 730e7811c2
parent 8662018a4d eda4b31502
5 changed files with 188 additions and 0 deletions
--- a/podsecuritypolicy/.helmignore
+++ b/podsecuritypolicy/.helmignore
@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.pyc
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
--- a/podsecuritypolicy/Chart.yaml
+++ b/podsecuritypolicy/Chart.yaml
@ -0,0 +1,21 @@
+# Copyright 2018, AT&T Intellectual Property
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+description: OpenStack-Helm PodSecurityPolicy Chart
+name: podsecuritypolicy
+version: 0.1.0
+home: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+maintainers:
+  - name: OpenStack-Helm Authors
--- a/podsecuritypolicy/requirements.yaml
+++ b/podsecuritypolicy/requirements.yaml
@ -0,0 +1,18 @@
+# Copyright 2018, AT&T Intellectual Property
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+  - name: helm-toolkit
+    repository: http://localhost:8879/charts
+    version: 0.1.0
--- a/podsecuritypolicy/templates/podsecuritypolicy.yaml
+++ b/podsecuritypolicy/templates/podsecuritypolicy.yaml
@ -0,0 +1,70 @@
+{{/*
+Copyright 2018, AT&T Intellectual Property
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.podsecuritypolicy }}
+{{- $envAll := . }}
+
+{{/* Create one ClusterRole and PSP per PSP definition in values */}}
+{{- range $pspName, $pspDetails := .Values.data }}
+---
+apiVersion: extensions/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ $pspName }}
+  labels:
+{{ tuple $envAll "podsecuritypolicy" "policy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+{{ toYaml $pspDetails | indent 2 }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ $pspName }}
+  labels:
+{{ tuple $envAll "podsecuritypolicy" "policy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+rules:
+- apiGroups: ['policy']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames:
+  - {{ $pspName }}
+{{- end }}
+
+{{/* Configure ClusterRoles to bind to different subjects as defaults */}}
+{{- range $rbacSubject, $defaultRole := .Values.conf.defaults }}
+{{ if and $defaultRole (not (eq "nil" $defaultRole)) }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+{{/* NOTE: the role name is included in the name of the binding below
+     for the sake of chart upgrades.  The roleRef for a binding is immutable,
+     so if the the defaultRole changes, we need a different binding to
+     reflect that. This issue was only sporadic! */}}
+  name: psp-binding-for-{{- $rbacSubject -}}-{{- $defaultRole }}
+  labels:
+{{ tuple $envAll "podsecuritypolicy" "policy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+roleRef:
+  kind: ClusterRole
+  name: {{ $defaultRole }}
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: Group
+  name: system:{{- $rbacSubject }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end }}
+{{- end }}
--- a/podsecuritypolicy/values.yaml
+++ b/podsecuritypolicy/values.yaml
@ -0,0 +1,57 @@
+# Copyright 2018, AT&T Intellectual Property
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+conf:
+  # This defines creation of ClusterRoleBindings that configure
+  # default PodSecurityPolicies for the subjects below.
+  # `nil` avoids creation of a default binding for the subject.
+  #
+  defaults:
+    serviceaccounts: psp-default
+    authenticated: psp-default
+    unauthenticated: nil
+
+data:
+  # Each of these corresponds to the `spec` of a PodSecurityPolicy object.
+  # Note that this default PodSecurityPolicy is incredibly permissive.  It is
+  # intended to be tuned over time as a default, and to be overridden by
+  # operators as appropriate.
+  #
+  # A ClusterRole will be created for the PSP, with the same `metadata.name`.
+  #
+  # Note: you can define as many PSPs here as you need.
+  #
+  psp-default:  # This will be the `metadata.name` of the PodSecurityPolicy
+    privileged: true
+    allowPrivilegeEscalation: true
+    hostNetwork: true
+    hostPID: true
+    hostIPC: true
+    seLinux:
+      rule: RunAsAny
+    supplementalGroups:
+      rule: RunAsAny
+    runAsUser:
+      rule: RunAsAny
+    fsGroup:
+      rule: RunAsAny
+    volumes:
+    - '*'
+    allowedCapabilities:
+    - '*'
+    hostPorts:
+    - min: 1
+      max: 65536
+manifests:
+  podsecuritypolicy: true