From 509823f1c92e3e720c51a8badd964c851ae98af5 Mon Sep 17 00:00:00 2001
From: Prateek Pandey
Date: Mon, 15 Feb 2021 17:34:47 +0530
Subject: [PATCH] refact(charts): add pod security policy for cstor charts (#249)

Signed-off-by: prateekpandey14
---
 .github/workflows/pull_request.yml | 2 ++
 deploy/helm/charts/Chart.yaml | 2 +-
 .../helm/charts/templates/csi-node-rbac.yaml | 30 +++++++++++++++++++
 deploy/helm/charts/templates/csi-node.yaml | 2 --
 deploy/helm/charts/templates/psp.yaml | 24 +++++++++++++++
 5 files changed, 57 insertions(+), 3 deletions(-)
 create mode 100644 deploy/helm/charts/templates/psp.yaml

diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 8b0a218b..42990d96 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -16,6 +16,8 @@ name: ci
 on:
   pull_request:
+    paths-ignore:
+      - 'deploy/helm/**'
     branches:
       # on pull requests to master and release branches
       - master
diff --git a/deploy/helm/charts/Chart.yaml b/deploy/helm/charts/Chart.yaml
index 0459bc46..7f5b30a6 100644
--- a/deploy/helm/charts/Chart.yaml
+++ b/deploy/helm/charts/Chart.yaml
@@ -4,7 +4,7 @@ description: CStor-Operator helm chart for Kubernetes
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 2.5.2
+version: 2.5.3
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
 appVersion: 2.5.0
diff --git a/deploy/helm/charts/templates/csi-node-rbac.yaml b/deploy/helm/charts/templates/csi-node-rbac.yaml
index 08f852bf..4af703b2 100644
--- a/deploy/helm/charts/templates/csi-node-rbac.yaml
+++ b/deploy/helm/charts/templates/csi-node-rbac.yaml
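Review bot: `paths-ignore: - 'deploy/helm/**'` means a pull request that changes only the chart skips this workflow entirely, so the templates added in this same commit (the PSP and its RBAC) get no render or lint check from CI, and any branch protection that requires this workflow's jobs would never see a result for chart-only PRs. Unless another workflow already covers that path (not visible in this diff), a minimal job running `helm lint deploy/helm/charts` on `deploy/helm/**` changes would close that gap.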
@@ -40,4 +40,34 @@ roleRef:
   kind: ClusterRole
   name: openebs-cstor-csi-registrar-role
   apiGroup: rbac.authorization.k8s.io
+{{- if .Values.rbac.pspEnabled }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: openebs-cstor-csi-node-role
+  labels:
+    {{- include "cstor.csiNode.labels" . | nindent 4 }}
+rules:
+- apiGroups: ['policy']
+  resources: ['podsecuritypolicies']
+  verbs: ['use']
+  resourceNames:
+    - openebs-cstor-csi-node-psp
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: openebs-cstor-csi-node-binding
+  labels:
+    {{- include "cstor.csiNode.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: openebs-cstor-csi-node-role
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.serviceAccount.csiNode.name }}
+    namespace: {{ $.Release.Namespace }}
+{{- end }}
 {{- end }}
diff --git a/deploy/helm/charts/templates/csi-node.yaml b/deploy/helm/charts/templates/csi-node.yaml
index 3acb8c1f..c30f9d38 100644
--- a/deploy/helm/charts/templates/csi-node.yaml
+++ b/deploy/helm/charts/templates/csi-node.yaml
@@ -55,8 +55,6 @@ spec:
         - name: {{ .Values.cstorCSIPlugin.name }}
           securityContext:
             privileged: true
-            capabilities:
-              add: ["CAP_MKNOD", "CAP_SYS_ADMIN", "SYS_ADMIN"]
             allowPrivilegeEscalation: true
           image: "{{ .Values.cstorCSIPlugin.image.registry }}{{ .Values.cstorCSIPlugin.image.repository }}:{{ .Values.cstorCSIPlugin.image.tag }}"
           imagePullPolicy: {{ .Values.cstorCSIPlugin.image.pullPolicy }}
diff --git a/deploy/helm/charts/templates/psp.yaml b/deploy/helm/charts/templates/psp.yaml
new file mode 100644
index 00000000..138b52e0
--- /dev/null
+++ b/deploy/helm/charts/templates/psp.yaml
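Review bot: The new ClusterRoleBinding grants `use` on the PSP cluster-wide to a ServiceAccount that exists in one namespace (`namespace: {{ $.Release.Namespace }}`); a namespaced Role plus RoleBinding in the release namespace authorizes the same pods with a smaller blast radius, which matters for a `use` grant on a fully privileged PSP. `name: {{ .Values.serviceAccount.csiNode.name }}` is an unquoted templated scalar, so an empty or boolean-looking value renders as null or bool instead of a string — prefer `name: "{{ .Values.serviceAccount.csiNode.name }}"`. Sequence indentation is also mixed: the `rules` items are flush-left while the `subjects` items are indented. The trailing `{{- end }}` context line closes an `if` block that starts outside this hunk.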
@@ -0,0 +1,24 @@
+{{- if .Values.rbac.pspEnabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: openebs-cstor-csi-node-psp
+  labels:
+    {{- include "cstor.csiNode.labels" . | nindent 4 }}
+spec:
+  privileged: true
+  allowPrivilegeEscalation: true
+  allowedCapabilities: ['*']
+  volumes: ['*']
+  hostNetwork: true
+  hostIPC: true
+  hostPID: true
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+{{- end }}
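Review bot: `hostPID: true` and `hostIPC: true` (and `hostNetwork: true`) authorize host namespaces that nothing in this patch shows the csi-node DaemonSet requesting — the csi-node.yaml hunk only shows the container's `privileged: true`; unless the pod spec outside this diff sets them, `hostPID: false` and `hostIPC: false` keep the PSP to what the plugin actually uses, and the same check applies to `hostNetwork`. The `policy/v1beta1` PodSecurityPolicy API is deprecated and was removed in Kubernetes 1.25, so enabling `rbac.pspEnabled` on such a cluster fails the install; `{{- if and .Values.rbac.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}` at the top of the template renders it only where the API exists. A one-line header comment, e.g. `# Intentionally permissive: the CSI node plugin container runs privileged (see csi-node.yaml)`, would record why the policy is this wide.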