From e9474dfe8f6cd3dbb71ec8b8ddd8de1a540cd24c Mon Sep 17 00:00:00 2001 From: Fabrice Date: Wed, 17 Jun 2020 07:43:41 -0700 Subject: [PATCH] [stable/spinnaker] Add psp option (#22743) Signed-off-by: Fabrice Rabaute Signed-off-by: camelusluo --- stable/spinnaker/Chart.yaml | 2 +- .../templates/hooks/install-using-hal.yaml | 8 ++++++ .../templates/rbac/psp-halyard-role.yaml | 14 ++++++++++ .../rbac/psp-halyard-rolebinding.yaml | 20 ++++++++++++++ .../spinnaker/templates/rbac/psp-halyard.yaml | 27 +++++++++++++++++++ stable/spinnaker/values.yaml | 2 ++ 6 files changed, 72 insertions(+), 1 deletion(-) create mode 100644 stable/spinnaker/templates/rbac/psp-halyard-role.yaml create mode 100644 stable/spinnaker/templates/rbac/psp-halyard-rolebinding.yaml create mode 100644 stable/spinnaker/templates/rbac/psp-halyard.yaml diff --git a/stable/spinnaker/Chart.yaml b/stable/spinnaker/Chart.yaml index 175dddb2d9ba..f66f288adba0 100644 --- a/stable/spinnaker/Chart.yaml +++ b/stable/spinnaker/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 description: Open source, multi-cloud continuous delivery platform for releasing software changes with high velocity and confidence. name: spinnaker -version: 2.0.0-rc5 +version: 2.0.0-rc6 appVersion: 1.16.2 home: http://spinnaker.io/ sources: diff --git a/stable/spinnaker/templates/hooks/install-using-hal.yaml b/stable/spinnaker/templates/hooks/install-using-hal.yaml index 44b46c6ab162..c2c8f63957a7 100644 --- a/stable/spinnaker/templates/hooks/install-using-hal.yaml +++ b/stable/spinnaker/templates/hooks/install-using-hal.yaml 
@@ -19,6 +19,14 @@ spec: labels: {{ include "spinnaker.standard-labels" . | indent 8 }} spec: + {{- if .Values.serviceAccount.halyardName }} + serviceAccountName: {{ .Values.serviceAccount.halyardName }} + {{- else }} + serviceAccountName: {{ template "spinnaker.fullname" . }}-halyard + {{- end }} + securityContext: + runAsUser: {{ .Values.securityContext.runAsUser }} + fsGroup: {{ .Values.securityContext.fsGroup }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 8 }} diff --git a/stable/spinnaker/templates/rbac/psp-halyard-role.yaml b/stable/spinnaker/templates/rbac/psp-halyard-role.yaml new file mode 100644 index 000000000000..aed57d83c56c --- /dev/null +++ b/stable/spinnaker/templates/rbac/psp-halyard-role.yaml @@ -0,0 +1,14 @@ +{{- if .Values.rbac.pspEnabled }} +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "spinnaker.fullname" . }}-halyard-psp + labels: +{{ include "spinnaker.standard-labels" . | indent 4 }} +rules: +- apiGroups: ['extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - {{ template "spinnaker.fullname" . }}-halyard +{{- end }} diff --git a/stable/spinnaker/templates/rbac/psp-halyard-rolebinding.yaml b/stable/spinnaker/templates/rbac/psp-halyard-rolebinding.yaml new file mode 100644 index 000000000000..37b1ed84eb9e --- /dev/null +++ b/stable/spinnaker/templates/rbac/psp-halyard-rolebinding.yaml 
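Review bot: The pod-level `securityContext` added after `serviceAccountName` sets `runAsUser` and `fsGroup` but not `runAsNonRoot`, so with `rbac.pspEnabled` defaulting to false nothing rejects a root UID if someone overrides `securityContext.runAsUser: 0`; add `runAsNonRoot: true` beside `runAsUser` so the kubelet enforces the same invariant the PSP's `MustRunAsNonRoot` expresses. This patch's values.yaml hunk does not add `securityContext.runAsUser`/`fsGroup`; if those keys are not already defined in values.yaml the hook renders `runAsUser:` as null and, once the PSP is enabled, the job is admitted only if the image itself declares a non-root USER — worth confirming against the existing values. The Job's `helm.sh/hook` annotation sits above the hunk, so I cannot tell whether this pod is created before or after the Role/RoleBinding templates; if it is a pre-install hook, the PSP `use` grant does not exist yet and PSP admission will deny the pod. The enclosing Job spec starts before and continues after this hunk.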
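Review bot: The Role's `use` rule is granted in `apiGroups: ['extensions']`, while the PodSecurityPolicy it names is created under `policy/v1beta1`; the `extensions` group stopped serving PodSecurityPolicy in Kubernetes 1.16, and the grant the PSP admission plugin primarily checks is in the `policy` group. As far as I recall the admission plugin kept a backward-compatibility check on `extensions`, so this may still authorize today, but the rule should match the object's own API group: `- apiGroups: ['policy']`, or `- apiGroups: ['policy', 'extensions']` if clusters older than 1.16 are still targeted. A one-line comment above the rule stating which Kubernetes versions the group list is meant for would stop the next maintainer from "simplifying" it the wrong way.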
@@ -0,0 +1,20 @@ +{{- if .Values.rbac.pspEnabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "spinnaker.fullname" . }}-halyard-psp + labels: +{{ include "spinnaker.standard-labels" . | indent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "spinnaker.fullname" . }}-halyard-psp +subjects: +- kind: ServiceAccount + {{- if .Values.serviceAccount.halyardName }} + name: {{ .Values.serviceAccount.halyardName }} + {{- else }} + name: {{ template "spinnaker.fullname" . }}-halyard + {{- end }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/stable/spinnaker/templates/rbac/psp-halyard.yaml b/stable/spinnaker/templates/rbac/psp-halyard.yaml new file mode 100644 index 000000000000..d6910e0326c7 --- /dev/null +++ b/stable/spinnaker/templates/rbac/psp-halyard.yaml @@ -0,0 +1,27 @@ +{{- if .Values.rbac.pspEnabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "spinnaker.fullname" . }}-halyard + labels: +{{ include "spinnaker.standard-labels" . | indent 4 }} +spec: + privileged: false + allowPrivilegeEscalation: false + volumes: + - 'configMap' + - 'emptyDir' + - 'persistentVolumeClaim' + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAsNonRoot' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' +{{- end }} diff --git a/stable/spinnaker/values.yaml b/stable/spinnaker/values.yaml index 7d205260ccd1..79d43f6e9918 100644 --- a/stable/spinnaker/values.yaml +++ b/stable/spinnaker/values.yaml @@ -306,6 +306,8 @@ azs: rbac: # Specifies whether RBAC resources should be created create: true + # Specifies whether PSP resources should be created + pspEnabled: false serviceAccount: # Specifies whether a ServiceAccount should be created
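Review bot: The subject's `name` repeats the `serviceAccount.halyardName`-else-`<fullname>-halyard` selection that the install hook also inlines; if the two ever diverge, the halyard job runs under a service account with no PSP `use` grant and fails only at admission time, with no hint at render time. A named template, e.g. `{{- define "spinnaker.halyardServiceAccountName" -}}{{ default (printf "%s-halyard" (include "spinnaker.fullname" .)) .Values.serviceAccount.halyardName }}{{- end -}}` (presumably in the chart's helpers file alongside `spinnaker.fullname`), used from both this binding and the hook, removes the drift. The binding also applies only when `rbac.pspEnabled` is true, independent of `rbac.create`; a comment on `pspEnabled` in values.yaml noting that it creates its own Role/RoleBinding would make that coupling explicit for users who manage RBAC out of band.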
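Review bot: The PSP leaves `requiredDropCapabilities` unset, so the halyard job keeps the runtime's default capability set even though the policy is otherwise non-root, non-privileged and denies host namespaces; add `requiredDropCapabilities: ['ALL']` under `spec`, since nothing visible in the hook suggests halyard needs any capability. `readOnlyRootFilesystem: true` would be the next tightening, but only if the halyard image does not write to its root filesystem during the install — TODO confirm against the hook's command before adding it. No seccomp restriction is expressed either; on `policy/v1beta1` that is done with the `seccomp.security.alpha.kubernetes.io/allowedProfileNames` and `.../defaultProfileName` annotations on the PSP's metadata. Finally, `policy/v1beta1` PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25, so on current clusters `rbac.pspEnabled: true` renders a resource the API server no longer serves; a comment on the `pspEnabled` value saying so, and pointing to Pod Security Admission as the replacement, would save users a failed install.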