From 798303eb881f6ae087feda1e4bf4e2672bb3dd5a Mon Sep 17 00:00:00 2001 From: Ahmad Mahmoudi Date: Tue, 12 May 2020 20:50:13 +0000 Subject: [PATCH] Added podsecuritypolicy for serviceaccounts Added capability in the podsecuritypolicy template to bind individual serviceaccounts to clusterroles to enable enforcing psp at serviceaccount level. The idea is that the default psp can be tuned to be restrictive for all serviceaccounts; and new psp, clusterroles, and clusterrolebindings are defined to bind specific serviceaccounts or namespaces to permissive podsecuritypolicies, based on the security requirements of a deployment. Change-Id: I1b13c0e324b9a756a07d36b6e53786303f4a9f89 --- .../templates/podsecuritypolicy.yaml | 44 ++++++++++++++++--- podsecuritypolicy/values.yaml | 12 +++++ 2 files changed, 50 insertions(+), 6 deletions(-) diff --git a/podsecuritypolicy/templates/podsecuritypolicy.yaml b/podsecuritypolicy/templates/podsecuritypolicy.yaml index 9e22c6eef..38b0ac87f 100644 --- a/podsecuritypolicy/templates/podsecuritypolicy.yaml +++ b/podsecuritypolicy/templates/podsecuritypolicy.yaml @@ -1,4 +1,4 @@ -{{/* +{{- /* Copyright 2018, AT&T Intellectual Property Licensed under the Apache License, Version 2.0 (the "License"); @@ -17,8 +17,9 @@ limitations under the License. {{- if .Values.manifests.podsecuritypolicy }} {{- $envAll := . }} -{{/* Create one ClusterRole and PSP per PSP definition in values */}} +{{- /* Create one ClusterRole and PSP per PSP definition in values */}} {{- range $pspName, $pspDetails := .Values.data }} +{{- if and $pspName $pspDetails }} --- apiVersion: policy/v1beta1 kind: PodSecurityPolicy @@ -46,19 +47,21 @@ rules: resourceNames: - {{ $pspName }} {{- end }} +{{- end }} -{{/* Configure ClusterRoles to bind to different subjects as defaults */}} +{{- /* Configure ClusterRoles to bind to different subjects as defaults */}} +{{- if .Values.conf.defaults }} {{- range $rbacSubject, $defaultRole := .Values.conf.defaults }} -{{ if and $defaultRole (not (eq "nil" $defaultRole)) }} +{{- if and $defaultRole (not (eq "nil" $defaultRole)) }} --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: -{{/* NOTE: the role name is included in the name of the binding below +{{- /* NOTE: the role name is included in the name of the binding below for the sake of chart upgrades. The roleRef for a binding is immutable, so if the the defaultRole changes, we need a different binding to reflect that. This issue was only sporadic! */}} - name: psp-binding-for-{{- $rbacSubject -}}-{{- $defaultRole }} + name: psp-binding-for-{{- $rbacSubject | replace ":" "-" -}}-{{- $defaultRole }} labels: {{ tuple $envAll "podsecuritypolicy" "policy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} roleRef: @@ -72,3 +75,32 @@ subjects: {{- end }} {{- end }} {{- end }} +{{- /* Configure ClusterRoles to bind to non-default subjects */}} +{{- if .Values.conf.serviceaccounts }} +{{- range $rbacSubject, $rbacRole := .Values.conf.serviceaccounts }} +{{- if and $rbacSubject (not (eq "nil" $rbacRole)) }} +{{- $subjectName := ( $rbacSubject | split ":" )._1 | default "default" }} +{{- $subjectNamespace := ($rbacSubject | split ":" )._0 }} +--- +apiVersion: "rbac.authorization.k8s.io/v1" +kind: "ClusterRoleBinding" +metadata: +{{- /* NOTE: the role name is included in the name of the binding below + for the sake of chart upgrades. The roleRef for a binding is immutable, + so if the the defaultRole changes, we need a different binding to + reflect that. This issue was only sporadic! */}} + name: psp-binding-for-{{- $subjectNamespace -}}-{{- $subjectName -}}-{{- $rbacRole }} + labels: +{{ tuple $envAll "podsecuritypolicy" "policy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +roleRef: + kind: "ClusterRole" + name: {{ $rbacRole | quote }} + apiGroup: "rbac.authorization.k8s.io" +subjects: +- kind: "ServiceAccount" + name: {{ $subjectName | quote }} + namespace: {{ $subjectNamespace| quote }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/podsecuritypolicy/values.yaml b/podsecuritypolicy/values.yaml index 814f3a934..fdb22dd5b 100644 --- a/podsecuritypolicy/values.yaml +++ b/podsecuritypolicy/values.yaml @@ -13,6 +13,18 @@ # limitations under the License. conf: + # The keys under serviceaccounts define specific serviceaccounts, for + # which this tempalte creates clusterRoleBindigs to bind the serviceaccounts + # to the clusterRole. The cluserRole names are defined by the value for + # each each key. + # Each clusterRoles uses a podSecurityPolicy with the same name, defined + # in the data section below. + # Kubernetes controllers use the podSecurityPolicy, bound to the serviceaccount, + # assigned to a pod, to assess if it is allowed to create the pod and its + # listed containers with the securityContexts defined in thier specs. + serviceaccounts: {} + # namespace-1:service-account-1: psp-all-permissive + # This defines creation of ClusterRoleBindings that configure # default PodSecurityPolicies for the subjects below. # `nil` avoids creation of a default binding for the subject.