PSP Toggle and PSS compliant (#15)

CHANGELOG.md

@@ -9,6 +9,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Changed
+- Update deployment to be PSS compliant and PSP toggle.
+
 ## [0.2.1] - 2023-09-21
 
 ### Added

helm/teleport-operator/templates/deployment.yaml

@@ -34,6 +34,11 @@ spec:
         args:
         - "--namespace={{ include "resource.default.namespace"  . }}"
         securityContext:
+          allowPrivilegeEscalation: false
+          runAsNonRoot: true
+          capabilities:
+            drop:
+              - ALL
           {{- with .Values.securityContext }}
             {{- . | toYaml | nindent 10 }}
           {{- end }}

helm/teleport-operator/templates/psp.yaml

@@ -1,3 +1,4 @@
+{{- if not .Values.global.podSecurityStandards.enforced }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
@@ -31,3 +32,4 @@ spec:
   volumes:
     - 'projected'
     - 'secret'
+{{- end }}

helm/teleport-operator/values.schema.json

@@ -2,6 +2,19 @@
     "$schema": "http://json-schema.org/schema#",
     "type": "object",
     "properties": {
+        "global": {
+            "type": "object",
+            "properties": {
+                "podSecurityStandards": {
+                    "type": "object",
+                    "properties": {
+                        "enforced": {
+                            "type": "boolean"
+                        }
+                    }
+                }
+            }
+        },
         "image": {
             "type": "object",
             "properties": {

helm/teleport-operator/values.yaml

@@ -1,3 +1,7 @@
+global:
+  podSecurityStandards:
+    enforced: false
+
 image:
   name: "giantswarm/teleport-operator"
 registry: