
api-gateway: allow controller to bind PodSecurityPolicy to ServiceAcc…
…ounts that it creates (#1672)

* Add PodSecurityPolicy for all Gateway Deployments

* Allow API gateway controller to manage roles + bindings

* Add entry to CHANGELOG

* Consolidate controller ClusterRole mods for enablePodSecurityPolicies

* Update/add unit test coverage for controller ClusterRole

* Check for additional verbs on cluster role
nathancoleman authored Nov 4, 2022
1 parent 4caac01 commit c7d9462
Showing 5 changed files with 78 additions and 8 deletions.
2 changes: 1 addition & 1 deletion CHANGELOG.md
Expand Up @@ -33,7 +33,7 @@ IMPROVEMENTS:
* Add `tolerations` and `nodeSelector` to Server ACL init jobs and `nodeSelector` to Webhook cert manager. [[GH-1581](https://github.com/hashicorp/consul-k8s/pull/1581)]
* API Gateway: Add `tolerations` to `apiGateway.managedGatewayClass` and `apiGateway.controller` [[GH-1650](https://github.com/hashicorp/consul-k8s/pull/1650)]
* API Gateway: Create PodSecurityPolicy for controller when `global.enablePodSecurityPolicies=true`. [[GH-1656](https://github.com/hashicorp/consul-k8s/pull/1656)]

* API Gateway: Create PodSecurityPolicy and allow controller to bind it to ServiceAccounts that it creates for Gateway Deployments when `global.enablePodSecurityPolicies=true`. [[GH-1672](https://github.com/hashicorp/consul-k8s/pull/1672)]

## 1.0.0-beta4 (October 28, 2022)

20 changes: 15 additions & 5 deletions charts/consul/templates/api-gateway-controller-clusterrole.yaml
Expand Up @@ -245,11 +245,21 @@ rules:
- patch
- update
{{- if .Values.global.enablePodSecurityPolicies }}
- apiGroups: ["policy"]
resources: ["podsecuritypolicies"]
resourceNames:
- {{ template "consul.fullname" . }}-api-gateway-controller
- apiGroups:
- policy
resources:
- podsecuritypolicies
verbs:
- use
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
- rolebindings
verbs:
- use
- create
- get
- list
- watch
{{- end }}
{{- end }}
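Review bot: Dropping `resourceNames` from the podsecuritypolicies rule widens the controller's `use` grant from one named PSP to every PSP in the cluster, which is broader than binding the two chart-managed policies needs; the rule can keep `resourceNames:` listing both `{{ template "consul.fullname" . }}-api-gateway-controller` and `{{ template "consul.fullname" . }}-api-gateway`, and RBAC escalation checks will still let the controller create Roles that reference a PSP named there. The `use` verb in the roles/rolebindings rule is not a verb the RBAC API applies to those resources and can be removed (the new bats test only checks `create,get,list,watch`). If the controller also updates or removes the Roles and RoleBindings it creates during reconcile, `update`/`delete` are missing here — worth confirming against the controller code. The enclosing `rules:` list starts before the hunk.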
3 changes: 3 additions & 0 deletions charts/consul/templates/api-gateway-gatewayclassconfig.yaml
Expand Up @@ -15,6 +15,9 @@ spec:
{{- if .Values.global.acls.manageSystemACLs }}
managed: true
method: {{ template "consul.fullname" . }}-k8s-auth-method
{{- if .Values.global.enablePodSecurityPolicies }}
podSecurityPolicy: {{ template "consul.fullname" . }}-api-gateway
{{- end }}
{{- end }}
{{- if .Values.global.tls.enabled }}
scheme: https
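Review bot: The new `podSecurityPolicy:` field is nested under the `global.acls.manageSystemACLs` condition, so with `global.enablePodSecurityPolicies=true` and managed ACLs off the chart still creates the `-api-gateway` PSP but nothing references it; if that is intentional because the controller only creates ServiceAccounts when `managed: true`, a one-line template comment such as `{{- /* PSP is bound to the ServiceAccounts the controller creates, which only happens with managed auth */ -}}` would save the next reader the question. There is also no unit test covering this field in the bats changes, while the ClusterRole change got two.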
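--- /dev/null
+++ b/charts/consul/templates/api-gateway-podsecuritypolicy.yaml
@@ -0,0 +1,45 @@
+{{- if and .Values.apiGateway.enabled .Values.global.enablePodSecurityPolicies }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "consul.fullname" . }}-api-gateway
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "consul.name" . }}
+    chart: {{ template "consul.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+    component: api-gateway-controller
+spec:
+  privileged: false
+  # Required to prevent escalations to root.
+  allowPrivilegeEscalation: false
+  # This is redundant with non-root + disallow privilege escalation,
+  # but we can provide it for defense in depth.
+  requiredDropCapabilities:
+    - ALL
+  # Allow core volume types.
+  volumes:
+    - 'configMap'
+    - 'emptyDir'
+    - 'projected'
+    - 'secret'
+    - 'downwardAPI'
+  allowedCapabilities:
+    - NET_BIND_SERVICE
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  hostPorts:
+    - max: 65535
+      min: 1025
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+  readOnlyRootFilesystem: true
+{{- end }}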
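Review bot: The comment above `requiredDropCapabilities` says dropping capabilities is "redundant with non-root", but this policy sets `runAsUser: rule: 'RunAsAny'`, so root is not excluded and the comment no longer describes the policy; either reword it to `# Dropping all capabilities is defense in depth alongside allowPrivilegeEscalation: false` or, if the gateway image runs as non-root (NET_BIND_SERVICE is allowed, which is what lets a non-root process bind low ports), use `rule: 'MustRunAsNonRoot'` so the comment becomes true — worth confirming against the gateway image. The label `component: api-gateway-controller` is applied to a policy whose stated purpose is the Gateway Deployments, not the controller, so `component: api-gateway` would match the resource name. `metadata.namespace` on a PodSecurityPolicy is a cluster-scoped resource's metadata and is presumably ignored by the API server; if the other chart PSPs carry it for consistency that is fine, otherwise it can be dropped.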
16 changes: 14 additions & 2 deletions charts/consul/test/unit/api-gateway-controller-clusterrole.bats
Expand Up @@ -20,14 +20,26 @@ load _helpers
[ "${actual}" = "true" ]
}

@test "apiGateway/ClusterRole: uses PodSecurityPolicy with apiGateway.enabled=true and global.enablePodSecurityPolicies=true" {
@test "apiGateway/ClusterRole: can use podsecuritypolicies with apiGateway.enabled=true and global.enablePodSecurityPolicies=true" {
cd `chart_dir`
local actual=$(helm template \
-s templates/api-gateway-controller-clusterrole.yaml \
--set 'global.enablePodSecurityPolicies=true' \
--set 'apiGateway.enabled=true' \
--set 'apiGateway.image=foo' \
. | tee /dev/stderr |
yq '.rules[] | select((.resourceNames[0] == "release-name-consul-api-gateway-controller") and (.resources[0] == "podsecuritypolicies")) | length > 0' | tee /dev/stderr)
yq '.rules[] | select((.resources[0] == "podsecuritypolicies") and (.verbs[0] == "use")) | length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

@test "apiGateway/ClusterRole: can create roles and rolebindings with apiGateway.enabled=true and global.enablePodSecurityPolicies=true" {
cd `chart_dir`
local actual=$(helm template \
-s templates/api-gateway-controller-clusterrole.yaml \
--set 'global.enablePodSecurityPolicies=true' \
--set 'apiGateway.enabled=true' \
--set 'apiGateway.image=foo' \
. | tee /dev/stderr |
yq '.rules[] | select((.resources[0] == "roles") and (.resources[1] == "rolebindings") and (.verbs | contains(["create","get","list","watch"]))) | length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
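Review bot: The reworked first test now matches any rule with `resources[0] == "podsecuritypolicies"` and `verbs[0] == "use"`, so it no longer pins which PSPs the controller may use; if the ClusterRole keeps a `resourceNames` list, the selector should assert it, e.g. `select(.resources[0] == "podsecuritypolicies" and (.resourceNames | contains(["release-name-consul-api-gateway"])))`. The new test's `.resources[0] == "roles" and .resources[1] == "rolebindings"` depends on list order; `(.resources | contains(["roles","rolebindings"]))` states the intent without that coupling. In the new test, `cd \`chart_dir\`` and `local actual=$(helm template ...)` copy the file's existing style, but `cd "$(chart_dir)"` is the quoted, nestable form ShellCheck expects — a consistency point for the file rather than a correctness problem here.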
