openstack/openstack-helm-infra
Code Issues Proposed changes

Added podsecuritypolicy for serviceaccounts

Browse Source 
Added capability in the podsecuritypolicy template to bind individual
serviceaccounts to clusterroles to enable enforcing psp at
serviceaccount level.

The idea is that the default psp can be tuned to be restrictive for all
serviceaccounts; and new psp, clusterroles, and clusterrolebindings are
defined to bind specific serviceaccounts or namespaces to permissive
podsecuritypolicies, based on the security requirements of a deployment.

Change-Id: I1b13c0e324b9a756a07d36b6e53786303f4a9f89
This commit is contained in:
Ahmad Mahmoudi 2020-05-12 20:50:13 +00:00
parent f8c5d06769
commit 798303eb88
2 changed files with 50 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
podsecuritypolicy/templates/podsecuritypolicy.yaml
View File

@ -1,4 +1,4 @@
{{/* {{- /*
Copyright 2018, AT&T Intellectual Property Copyright 2018, AT&T Intellectual Property
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
@ -17,8 +17,9 @@ limitations under the License.
{{- if .Values.manifests.podsecuritypolicy }} {{- if .Values.manifests.podsecuritypolicy }}
{{- $envAll := . }} {{- $envAll := . }}
{{/* Create one ClusterRole and PSP per PSP definition in values */}} {{- /* Create one ClusterRole and PSP per PSP definition in values */}}
{{- range $pspName, $pspDetails := .Values.data }} {{- range $pspName, $pspDetails := .Values.data }}
{{- if and $pspName $pspDetails }}
--- ---
apiVersion: policy/v1beta1 apiVersion: policy/v1beta1
kind: PodSecurityPolicy kind: PodSecurityPolicy
@ -46,19 +47,21 @@ rules:
resourceNames: resourceNames:
- {{ $pspName }} - {{ $pspName }}
{{- end }} {{- end }}
{{- end }}
{{/* Configure ClusterRoles to bind to different subjects as defaults */}} {{- /* Configure ClusterRoles to bind to different subjects as defaults */}}
{{- if .Values.conf.defaults }}
{{- range $rbacSubject, $defaultRole := .Values.conf.defaults }} {{- range $rbacSubject, $defaultRole := .Values.conf.defaults }}
{{ if and $defaultRole (not (eq "nil" $defaultRole)) }} {{- if and $defaultRole (not (eq "nil" $defaultRole)) }}
--- ---
kind: ClusterRoleBinding kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
metadata: metadata:
{{/* NOTE: the role name is included in the name of the binding below {{- /* NOTE: the role name is included in the name of the binding below
for the sake of chart upgrades. The roleRef for a binding is immutable, for the sake of chart upgrades. The roleRef for a binding is immutable,
so if the the defaultRole changes, we need a different binding to so if the the defaultRole changes, we need a different binding to
reflect that. This issue was only sporadic! */}} reflect that. This issue was only sporadic! */}}
name: psp-binding-for-{{- $rbacSubject -}}-{{- $defaultRole }} name: psp-binding-for-{{- $rbacSubject | replace ":" "-" -}}-{{- $defaultRole }}
labels: labels:
{{ tuple $envAll "podsecuritypolicy" "policy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} {{ tuple $envAll "podsecuritypolicy" "policy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
roleRef: roleRef:
@ -72,3 +75,32 @@ subjects:
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- /* Configure ClusterRoles to bind to non-default subjects */}}
{{- if .Values.conf.serviceaccounts }}
{{- range $rbacSubject, $rbacRole := .Values.conf.serviceaccounts }}
{{- if and $rbacSubject (not (eq "nil" $rbacRole)) }}
{{- $subjectName := ( $rbacSubject | split ":" )._1 | default "default" }}
{{- $subjectNamespace := ($rbacSubject | split ":" )._0 }}
---
apiVersion: "rbac.authorization.k8s.io/v1"
kind: "ClusterRoleBinding"
metadata:
{{- /* NOTE: the role name is included in the name of the binding below
for the sake of chart upgrades. The roleRef for a binding is immutable,
so if the the defaultRole changes, we need a different binding to
reflect that. This issue was only sporadic! */}}
name: psp-binding-for-{{- $subjectNamespace -}}-{{- $subjectName -}}-{{- $rbacRole }}
labels:
{{ tuple $envAll "podsecuritypolicy" "policy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
roleRef:
kind: "ClusterRole"
name: {{ $rbacRole | quote }}
apiGroup: "rbac.authorization.k8s.io"
subjects:
- kind: "ServiceAccount"
name: {{ $subjectName | quote }}
namespace: {{ $subjectNamespace| quote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

12
podsecuritypolicy/values.yaml
View File

@ -13,6 +13,18 @@
# limitations under the License. # limitations under the License.
conf: conf:
# The keys under serviceaccounts define specific serviceaccounts, for
# which this tempalte creates clusterRoleBindigs to bind the serviceaccounts
# to the clusterRole. The cluserRole names are defined by the value for
# each each key.
# Each clusterRoles uses a podSecurityPolicy with the same name, defined
# in the data section below.
# Kubernetes controllers use the podSecurityPolicy, bound to the serviceaccount,
# assigned to a pod, to assess if it is allowed to create the pod and its
# listed containers with the securityContexts defined in thier specs.
serviceaccounts: {}
# namespace-1:service-account-1: psp-all-permissive
# This defines creation of ClusterRoleBindings that configure # This defines creation of ClusterRoleBindings that configure
# default PodSecurityPolicies for the subjects below. # default PodSecurityPolicies for the subjects below.
# `nil` avoids creation of a default binding for the subject. # `nil` avoids creation of a default binding for the subject.