diff --git a/.nancy-ignore b/.nancy-ignore
index 249fed690..aeebc1296 100644
--- a/.nancy-ignore
+++ b/.nancy-ignore
@@ -26,6 +26,7 @@ CVE-2023-25809 until=2024-01-31
 # pkg:golang/golang.org/x/net@v0.7.0
 CVE-2023-3978 until=2024-01-31
+CVE-2023-39325 until=2023-11-30
 # pkg:golang/helm.sh/helm/v3@v3.10.3
 CVE-2023-25165 until=2024-01-31
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ffca6bc22..b1dd87cfd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project's packages adheres to [Semantic Versioning](http://semver.org/s
 ## [Unreleased]
+### Changed
+
+- Add a switch for PSP CR installation.
+
 ## [6.8.1] - 2023-09-14
 ### Fixed
diff --git a/helm/app-operator/templates/psp.yaml b/helm/app-operator/templates/psp.yaml
index 6759499bd..96aba2ea9 100644
--- a/helm/app-operator/templates/psp.yaml
+++ b/helm/app-operator/templates/psp.yaml
@@ -1,4 +1,4 @@
-{{- if .Capabilities.APIVersions.Has "policy/v1beta1" }}
+{{- if not .Values.podSecurityStandards.enforced }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
diff --git a/helm/app-operator/templates/rbac.yaml b/helm/app-operator/templates/rbac.yaml
index 2b0d472b8..d6341572d 100644
--- a/helm/app-operator/templates/rbac.yaml
+++ b/helm/app-operator/templates/rbac.yaml
@@ -224,6 +224,7 @@ roleRef:
 name: {{ include "resource.default.name" . }}-catalog
 apiGroup: rbac.authorization.k8s.io
 ---
+{{- if not .Values.podSecurityStandards.enforced }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -254,3 +255,4 @@ roleRef:
 kind: ClusterRole
 name: {{ include "resource.psp.name" . }}
 apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/helm/app-operator/values.schema.json b/helm/app-operator/values.schema.json
index fa677061e..746e99f7a 100644
--- a/helm/app-operator/values.schema.json
+++ b/helm/app-operator/values.schema.json
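Review bot: The new `CVE-2023-39325 until=2023-11-30` line suppresses the finding instead of resolving it, and like the rest of this file it records no rationale, so nothing in the repository says what is expected to happen when the date passes. CVE-2023-39325 is the Go HTTP/2 rapid-reset advisory, which is addressed by bumping golang.org/x/net (the section this entry sits under) rather than by any code in this project; a comment in the file's existing style above the entry, e.g. `# CVE-2023-39325: HTTP/2 rapid reset; x/net bump tracked in <ISSUE-REF>`, makes the deferral auditable. Whether the operator serves HTTP/2 at all is not visible here, so the entry should be read as a short-term deferral only.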
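Review bot: Dropping the `.Capabilities.APIVersions.Has "policy/v1beta1"` guard in favour of the values flag means that with the shipped default `podSecurityStandards.enforced: false` the PodSecurityPolicy is rendered regardless of what the API server supports, so an install on a cluster that no longer serves `policy/v1beta1` now fails unless the user remembers to set the flag. Combining the two keeps the old auto-detection and adds the explicit opt-out: `{{- if and (not .Values.podSecurityStandards.enforced) (.Capabilities.APIVersions.Has "policy/v1beta1") }}`. The same guard is opened in the rbac.yaml hunk at -224,6 around the PSP ClusterRole and closed by the `{{- end }}` in the -254,3 hunk, so it should carry the same combined condition; the `{{- end }}` matching this psp.yaml `if` lies outside the hunk.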
@@ -1,227 +1,235 @@ { - "$schema": "http://json-schema.org/schema#", - "type": "object", - "properties": { - "app": { - "type": "object", - "properties": { - "dependencyWaitTimeoutMinutes": { - "type": "integer" - }, - "watchNamespace": { - "type": "string" - }, - "workloadClusterID": { - "type": "string" - } - } - }, - "bootstrapMode": { - "type": "object", - "properties": { - "apiServerPodPort": { - "type": "integer" + "$schema": "http://json-schema.org/schema#", + "type": "object", + "properties": { + "app": { + "type": "object", + "properties": { + "dependencyWaitTimeoutMinutes": { + "type": "integer" + }, + "watchNamespace": { + "type": "string" + }, + "workloadClusterID": { + "type": "string" + } + } + }, + "bootstrapMode": { + "type": "object", + "properties": { + "apiServerPodPort": { + "type": "integer" + }, + "enabled": { + "type": "boolean" + } + } + }, + "deployment": { + "type": "object", + "properties": { + "management": { + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "cpu": { + "type": "string" }, - "enabled": { - "type": "boolean" + "memory": { + "type": "string" } - } - }, - "deployment": { - "type": "object", - "properties": { - "management": { - "type": "object", - "properties": { - "limits": { - "type": "object", - "properties": { - "cpu": { - "type": "string" - }, - "memory": { - "type": "string" - } - } - }, - "requests": { - "type": "object", - "properties": { - "cpu": { - "type": "string" - }, - "memory": { - "type": "string" - } - } - } - } + } + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": "string" }, - "workload": { - "type": "object", - "properties": { - "limits": { - "type": "object", - "properties": { - "cpu": { - "type": "string" - }, - "memory": { - "type": "string" - } - } - }, - "requests": { - "type": "object", - "properties": { - "cpu": { - "type": "string" - }, - "memory": { - "type": "string" - } - } - } - } - } - } - }, - "groupID": { - "type": 
"integer" - }, - "helm": { - "type": "object", - "properties": { - "http": { - "type": "object", - "properties": { - "clientTimeout": { - "type": "string" - } - } + "memory": { + "type": "string" } + } } - }, - "image": { - "type": "object", - "properties": { - "repository": { - "type": "string" + } + }, + "workload": { + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "cpu": { + "type": "string" }, - "tag": { - "type": "string" - } - } - }, - "name": { - "type": "string" - }, - "namespace": { - "type": "string" - }, - "operatorkit": { - "type": "object", - "properties": { - "resyncPeriod": { - "type": "string" + "memory": { + "type": "string" } - } - }, - "podSecurityContext": { - "type": "object", - "properties": { - "runAsNonRoot": { - "type": "boolean" + } + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": "string" }, - "seccompProfile": { - "type": "object", - "properties": { - "type": { - "type": "string" - } - } + "memory": { + "type": "string" } + } } - }, - "port": { - "type": "integer" - }, - "project": { - "type": "object", - "properties": { - "branch": { - "type": "string" - }, - "commit": { - "type": "string" - } + } + } + } + }, + "groupID": { + "type": "integer" + }, + "helm": { + "type": "object", + "properties": { + "http": { + "type": "object", + "properties": { + "clientTimeout": { + "type": "string" } - }, - "protocol": { - "type": "string" - }, - "provider": { - "type": "object", - "properties": { - "kind": { - "type": "string" - } + } + } + } + }, + "image": { + "type": "object", + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + }, + "operatorkit": { + "type": "object", + "properties": { + "resyncPeriod": { + "type": "string" + } + } + }, + "podSecurityContext": { + "type": "object", + "properties": { + "runAsNonRoot": { + "type": "boolean" + }, + 
"seccompProfile": { + "type": "object", + "properties": { + "type": { + "type": "string" } - }, - "registry": { - "type": "object", - "properties": { - "domain": { - "type": "string" - } + } + } + } + }, + "port": { + "type": "integer" + }, + "project": { + "type": "object", + "properties": { + "branch": { + "type": "string" + }, + "commit": { + "type": "string" + } + } + }, + "protocol": { + "type": "string" + }, + "provider": { + "type": "object", + "properties": { + "kind": { + "type": "string" + } + } + }, + "registry": { + "type": "object", + "properties": { + "domain": { + "type": "string" + } + } + }, + "replicas": { + "type": "integer" + }, + "securityContext": { + "type": "object", + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "capabilities": { + "type": "object", + "properties": { + "drop": { + "type": "array", + "items": { + "type": "string" + } } + } }, - "replicas": { - "type": "integer" - }, - "securityContext": { - "type": "object", - "properties": { - "allowPrivilegeEscalation": { - "type": "boolean" - }, - "capabilities": { - "type": "object", - "properties": { - "drop": { - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "privileged": { - "type": "boolean" - }, - "runAsNonRoot": { - "type": "boolean" - }, - "seccompProfile": { - "type": "object", - "properties": { - "type": { - "type": "string" - } - } - } - } + "privileged": { + "type": "boolean" }, - "userID": { - "type": "integer" + "runAsNonRoot": { + "type": "boolean" }, - "verticalPodAutoscaler": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - } + "seccompProfile": { + "type": "object", + "properties": { + "type": { + "type": "string" } + } + } + } + }, + "userID": { + "type": "integer" + }, + "verticalPodAutoscaler": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "podSecurityStandards": { + "type": "object", + "properties": { + "enforced": { + "type": "boolean" } + } } 
+ } } diff --git a/helm/app-operator/values.yaml b/helm/app-operator/values.yaml index 409d2169a..fcff27818 100644 --- a/helm/app-operator/values.yaml +++ b/helm/app-operator/values.yaml @@ -93,3 +93,6 @@ serviceMonitor: interval: "60s" # -- (duration) Prometheus scrape timeout. scrapeTimeout: "45s" + +podSecurityStandards: + enforced: false
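Review bot: The functional change in this hunk, the `podSecurityStandards` object with its `enforced` boolean appended to `properties`, is buried in a whole-file reindentation — every other removed/added pair differs only in leading whitespace — so a reviewer cannot see at a glance what was added, and any concurrent edit to this schema will conflict with it. Keeping the original indentation, or landing the reformat as a separate commit, would shrink this hunk to the few added lines. Placing the new block after `podSecurityContext` rather than after `verticalPodAutoscaler` would also keep the properties in the alphabetical order the existing entries follow.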
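Review bot: The new `podSecurityStandards.enforced` key has no helm-docs comment, while the neighbouring `scrapeTimeout` carries `# -- (duration) Prometheus scrape timeout.`, so the generated values reference will not say what the switch controls. A comment in the same style above `enforced: false`, e.g. `# -- (bool) Set to true on clusters that enforce Pod Security Standards; skips installing the PodSecurityPolicy and its RBAC (templates/psp.yaml, templates/rbac.yaml).`, closes that gap. It is also worth stating in the comment that the default `false` keeps the PSP resources in the release.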