diff --git a/podsecuritypolicy/templates/podsecuritypolicy.yaml b/podsecuritypolicy/templates/podsecuritypolicy.yaml index 9e22c6eef..38b0ac87f 100644 --- a/podsecuritypolicy/templates/podsecuritypolicy.yaml +++ b/podsecuritypolicy/templates/podsecuritypolicy.yaml @@ -1,4 +1,4 @@ -{{/* +{{- /* Copyright 2018, AT&T Intellectual Property Licensed under the Apache License, Version 2.0 (the "License"); @@ -17,8 +17,9 @@ limitations under the License. {{- if .Values.manifests.podsecuritypolicy }} {{- $envAll := . }} -{{/* Create one ClusterRole and PSP per PSP definition in values */}} +{{- /* Create one ClusterRole and PSP per PSP definition in values */}} {{- range $pspName, $pspDetails := .Values.data }} +{{- if and $pspName $pspDetails }} --- apiVersion: policy/v1beta1 kind: PodSecurityPolicy @@ -46,19 +47,21 @@ rules: resourceNames: - {{ $pspName }} {{- end }} +{{- end }} -{{/* Configure ClusterRoles to bind to different subjects as defaults */}} +{{- /* Configure ClusterRoles to bind to different subjects as defaults */}} +{{- if .Values.conf.defaults }} {{- range $rbacSubject, $defaultRole := .Values.conf.defaults }} -{{ if and $defaultRole (not (eq "nil" $defaultRole)) }} +{{- if and $defaultRole (not (eq "nil" $defaultRole)) }} --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: -{{/* NOTE: the role name is included in the name of the binding below +{{- /* NOTE: the role name is included in the name of the binding below for the sake of chart upgrades. The roleRef for a binding is immutable, so if the the defaultRole changes, we need a different binding to reflect that. This issue was only sporadic! */}} - name: psp-binding-for-{{- $rbacSubject -}}-{{- $defaultRole }} + name: psp-binding-for-{{- $rbacSubject | replace ":" "-" -}}-{{- $defaultRole }} labels: {{ tuple $envAll "podsecuritypolicy" "policy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} roleRef: 
@@ -72,3 +75,32 @@ subjects:
 {{- end }}
 {{- end }}
 {{- end }}
+{{- /* Configure ClusterRoles to bind to non-default subjects */}}
+{{- if .Values.conf.serviceaccounts }}
+{{- range $rbacSubject, $rbacRole := .Values.conf.serviceaccounts }}
+{{- if and $rbacSubject (not (eq "nil" $rbacRole)) }}
+{{- $subjectName := ( $rbacSubject | split ":" )._1 | default "default" }}
+{{- $subjectNamespace := ($rbacSubject | split ":" )._0 }}
+---
+apiVersion: "rbac.authorization.k8s.io/v1"
+kind: "ClusterRoleBinding"
+metadata:
+{{- /* NOTE: the role name is included in the name of the binding below
+ for the sake of chart upgrades. The roleRef for a binding is immutable,
+ so if the the defaultRole changes, we need a different binding to
+ reflect that. This issue was only sporadic! */}}
+ name: psp-binding-for-{{- $subjectNamespace -}}-{{- $subjectName -}}-{{- $rbacRole }}
+ labels:
+{{ tuple $envAll "podsecuritypolicy" "policy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+roleRef:
+ kind: "ClusterRole"
+ name: {{ $rbacRole | quote }}
+ apiGroup: "rbac.authorization.k8s.io"
+subjects:
+- kind: "ServiceAccount"
+ name: {{ $subjectName | quote }}
+ namespace: {{ $subjectNamespace| quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/podsecuritypolicy/values.yaml b/podsecuritypolicy/values.yaml
index 814f3a934..fdb22dd5b 100644
--- a/podsecuritypolicy/values.yaml
+++ b/podsecuritypolicy/values.yaml
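Review bot: The guard `{{- if and $rbacSubject (not (eq "nil" $rbacRole)) }}` tests the map key rather than the value, so a `serviceaccounts` entry whose role is empty or null still renders a ClusterRoleBinding with `roleRef.name: ""`, whereas the defaults block earlier in this file checks the role itself with `and $defaultRole (not (eq "nil" $defaultRole))`; this block should match it: `{{- if and $rbacRole (not (eq "nil" $rbacRole)) }}`. The NOTE comment copied from the defaults block still refers to `defaultRole`, which does not exist here; it should name `$rbacRole` (and drop the doubled "the the"). A key without a colon makes `_0` the namespace and falls back to the ServiceAccount named `default`, which nothing in the template states; a one-line template comment above the `$subjectName` assignment, such as `{{- /* key format "<namespace>:<serviceaccount>"; no colon binds the "default" SA of that namespace */}}`, would make the contract explicit. Because `:` is dropped from the binding name, distinct keys such as `a:b-c` and `a-b:c` appear to collide on `metadata.name`; a comment or a check may be worth adding if such keys are plausible. Minor style: `$subjectNamespace| quote` lacks the space before the pipe used on the neighbouring lines.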
@@ -13,6 +13,18 @@ # limitations under the License. conf: + # The keys under serviceaccounts define specific serviceaccounts, for + # which this tempalte creates clusterRoleBindigs to bind the serviceaccounts + # to the clusterRole. The cluserRole names are defined by the value for + # each each key. + # Each clusterRoles uses a podSecurityPolicy with the same name, defined + # in the data section below. + # Kubernetes controllers use the podSecurityPolicy, bound to the serviceaccount, + # assigned to a pod, to assess if it is allowed to create the pod and its + # listed containers with the securityContexts defined in thier specs. + serviceaccounts: {} + # namespace-1:service-account-1: psp-all-permissive + # This defines creation of ClusterRoleBindings that configure # default PodSecurityPolicies for the subjects below. # `nil` avoids creation of a default binding for the subject.
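Review bot: The new comment block carries several typos that every chart user will read: `tempalte`, `clusterRoleBindigs`, `cluserRole`, `each each` and `thier`. It also never states the key format; a line such as `# Keys are "<namespace>:<serviceaccount>"; a key with no ":" is treated as a namespace and binds its "default" ServiceAccount` would document the behaviour the template in this change implements when it splits the key on `:`. The example `# namespace-1:service-account-1: psp-all-permissive` sits next to `serviceaccounts: {}`, so a user uncommenting it has to remove the `{}` and re-indent; showing the example as a full commented-out mapping (commented `serviceaccounts:` plus an indented entry) would avoid that.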