Added podsecuritypolicy for serviceaccounts

Added capability in the podsecuritypolicy template to bind individual serviceaccounts to clusterroles to enable enforcing psp at serviceaccount level. The idea is that the default psp can be tuned to be restrictive for all serviceaccounts; and new psp, clusterroles, and clusterrolebindings are defined to bind specific serviceaccounts or namespaces to permissive podsecuritypolicies, based on the security requirements of a deployment. Change-Id: I1b13c0e324b9a756a07d36b6e53786303f4a9f89
2020-05-12 20:50:13 +00:00 · 2020-05-12 20:50:13 +00:00 · 798303eb88
commit 798303eb88
parent f8c5d06769
2 changed files with 50 additions and 6 deletions
--- a/podsecuritypolicy/templates/podsecuritypolicy.yaml
+++ b/podsecuritypolicy/templates/podsecuritypolicy.yaml
@ -1,4 +1,4 @@
-{{/*
+{{- /*
 Copyright 2018, AT&T Intellectual Property

 Licensed under the Apache License, Version 2.0 (the "License");
@ -17,8 +17,9 @@ limitations under the License.
 {{- if .Values.manifests.podsecuritypolicy }}
 {{- $envAll := . }}

-{{/* Create one ClusterRole and PSP per PSP definition in values */}}
+{{- /* Create one ClusterRole and PSP per PSP definition in values */}}
 {{- range $pspName, $pspDetails := .Values.data }}
+{{- if and $pspName $pspDetails }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
@ -46,19 +47,21 @@ rules:
  resourceNames:
  - {{ $pspName }}
 {{- end }}
+{{- end }}

-{{/* Configure ClusterRoles to bind to different subjects as defaults */}}
+{{- /* Configure ClusterRoles to bind to different subjects as defaults */}}
+{{- if .Values.conf.defaults }}
 {{- range $rbacSubject, $defaultRole := .Values.conf.defaults }}
-{{ if and $defaultRole (not (eq "nil" $defaultRole)) }}
+{{- if and $defaultRole (not (eq "nil" $defaultRole)) }}
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-{{/* NOTE: the role name is included in the name of the binding below
+{{- /* NOTE: the role name is included in the name of the binding below
     for the sake of chart upgrades.  The roleRef for a binding is immutable,
     so if the the defaultRole changes, we need a different binding to
     reflect that. This issue was only sporadic! */}}
-  name: psp-binding-for-{{- $rbacSubject -}}-{{- $defaultRole }}
+  name: psp-binding-for-{{- $rbacSubject | replace ":" "-" -}}-{{- $defaultRole }}
  labels:
 {{ tuple $envAll "podsecuritypolicy" "policy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
 roleRef:
@ -72,3 +75,32 @@ subjects:
 {{- end }}
 {{- end }}
 {{- end }}
+{{- /* Configure ClusterRoles to bind to non-default subjects */}}
+{{- if .Values.conf.serviceaccounts }}
+{{- range $rbacSubject, $rbacRole := .Values.conf.serviceaccounts }}
+{{- if and $rbacSubject (not (eq "nil" $rbacRole)) }}
+{{- $subjectName := ( $rbacSubject | split ":" )._1 | default "default" }}
+{{- $subjectNamespace := ($rbacSubject | split ":" )._0 }}
+---
+apiVersion: "rbac.authorization.k8s.io/v1"
+kind: "ClusterRoleBinding"
+metadata:
+{{- /* NOTE: the role name is included in the name of the binding below
+     for the sake of chart upgrades.  The roleRef for a binding is immutable,
+     so if the the defaultRole changes, we need a different binding to
+     reflect that. This issue was only sporadic! */}}
+  name: psp-binding-for-{{- $subjectNamespace -}}-{{- $subjectName -}}-{{- $rbacRole }}
+  labels:
+{{ tuple $envAll "podsecuritypolicy" "policy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+roleRef:
+  kind: "ClusterRole"
+  name: {{ $rbacRole | quote }}
+  apiGroup: "rbac.authorization.k8s.io"
+subjects:
+- kind: "ServiceAccount"
+  name: {{ $subjectName | quote }}
+  namespace: {{ $subjectNamespace| quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
--- a/podsecuritypolicy/values.yaml
+++ b/podsecuritypolicy/values.yaml
@ -13,6 +13,18 @@
 # limitations under the License.

 conf:
+  # The keys under serviceaccounts define specific serviceaccounts, for
+  # which this tempalte creates clusterRoleBindigs to bind the serviceaccounts
+  # to the clusterRole. The cluserRole names are defined by the value for
+  # each each key.
+  # Each clusterRoles uses a podSecurityPolicy with the same name, defined
+  # in the data section below.
+  # Kubernetes controllers use the podSecurityPolicy, bound to the serviceaccount,
+  # assigned to a pod, to assess if it is allowed to create the pod and its
+  # listed containers with the securityContexts defined in thier specs.
+  serviceaccounts: {}
+  #  namespace-1:service-account-1: psp-all-permissive
+
  # This defines creation of ClusterRoleBindings that configure
  # default PodSecurityPolicies for the subjects below.
  # `nil` avoids creation of a default binding for the subject.