refact(charts): add pod security policy for cstor charts (#249)

Signed-off-by: prateekpandey14 <[email protected]>
openebs-archive · Feb 15, 2021 · 509823f · 509823f
1 parent 1e03600
commit 509823f
Show file tree

Hide file tree

Showing 5 changed files with 57 additions and 3 deletions.
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -16,6 +16,8 @@ name: ci
 
 on:
   pull_request:
+    paths-ignore:
+      - 'deploy/helm/**'
     branches:
       # on pull requests to master and release branches
       - master

diff --git a/deploy/helm/charts/Chart.yaml b/deploy/helm/charts/Chart.yaml
@@ -4,7 +4,7 @@ description: CStor-Operator helm chart for Kubernetes
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 2.5.2
+version: 2.5.3
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
 appVersion: 2.5.0

diff --git a/deploy/helm/charts/templates/csi-node-rbac.yaml b/deploy/helm/charts/templates/csi-node-rbac.yaml
@@ -40,4 +40,34 @@ roleRef:
   kind: ClusterRole
   name: openebs-cstor-csi-registrar-role
   apiGroup: rbac.authorization.k8s.io
+{{- if .Values.rbac.pspEnabled }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: openebs-cstor-csi-node-role
+  labels:
+    {{- include "cstor.csiNode.labels" . | nindent 4 }}
+rules:
+- apiGroups: ['policy']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames:
+  - openebs-cstor-csi-node-psp
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: openebs-cstor-csi-node-binding
+  labels:
+    {{- include "cstor.csiNode.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: openebs-cstor-csi-node-role
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.serviceAccount.csiNode.name }}
+    namespace: {{ $.Release.Namespace }}
+{{- end }}
 {{- end }}
diff --git a/deploy/helm/charts/templates/csi-node.yaml b/deploy/helm/charts/templates/csi-node.yaml
@@ -55,8 +55,6 @@ spec:
         - name: {{ .Values.cstorCSIPlugin.name }}
           securityContext:
             privileged: true
-            capabilities:
-              add: ["CAP_MKNOD", "CAP_SYS_ADMIN", "SYS_ADMIN"]
             allowPrivilegeEscalation: true
           image: "{{ .Values.cstorCSIPlugin.image.registry }}{{ .Values.cstorCSIPlugin.image.repository }}:{{ .Values.cstorCSIPlugin.image.tag }}"
           imagePullPolicy: {{ .Values.cstorCSIPlugin.image.pullPolicy }}

diff --git a/deploy/helm/charts/templates/psp.yaml b/deploy/helm/charts/templates/psp.yaml
@@ -0,0 +1,24 @@
+{{- if .Values.rbac.pspEnabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: openebs-cstor-csi-node-psp
+  labels:
+    {{- include "cstor.csiNode.labels" . | nindent 4 }}
+spec:
+  privileged: true
+  allowPrivilegeEscalation: true
+  allowedCapabilities: ['*']
+  volumes: ['*']
+  hostNetwork: true
+  hostIPC: true
+  hostPID: true
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+{{- end }}