
[stable/spinnaker] Add psp option
Signed-off-by: Fabrice Rabaute <fabrice@arista.com>
jfrabaute committed Jun 16, 2020
1 parent a81d25f commit 2a3ec63
Showing 5 changed files with 71 additions and 0 deletions.
8 changes: 8 additions & 0 deletions stable/spinnaker/templates/hooks/install-using-hal.yaml
Expand Up @@ -19,6 +19,14 @@ spec:
labels:
{{ include "spinnaker.standard-labels" . | indent 8 }}
spec:
{{- if .Values.serviceAccount.halyardName }}
serviceAccountName: {{ .Values.serviceAccount.halyardName }}
{{- else }}
serviceAccountName: {{ template "spinnaker.fullname" . }}-halyard
{{- end }}
securityContext:
runAsUser: {{ .Values.securityContext.runAsUser }}
fsGroup: {{ .Values.securityContext.fsGroup }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
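Review bot: The pod securityContext takes `runAsUser` and `fsGroup` verbatim from `.Values.securityContext`, so an unset value renders as an empty (null) field and a value of `0` is rejected by the `MustRunAsNonRoot` policy this commit introduces; in both cases the failure only surfaces when the halyard hook pod is refused at admission. Adding `runAsNonRoot: true` next to `runAsUser:` makes the non-root requirement enforced by the kubelet even on clusters where the PodSecurityPolicy admission controller is not enabled, and the expected defaults for these two values should be stated in values.yaml. Which of the shown lines are new cannot be told apart in the rendered view, and the Job spec they belong to starts and ends outside the hunk.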
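--- a/stable/spinnaker/templates/rbac/psp-halyard-role.yaml
+++ b/stable/spinnaker/templates/rbac/psp-halyard-role.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.rbac.pspEnabled }}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: {{ template "spinnaker.fullname" . }}-halyard
+labels:
+{{ include "spinnaker.standard-labels" . | indent 4 }}
+rules:
+- apiGroups: ['extensions']
+resources: ['podsecuritypolicies']
+verbs: ['use']
+resourceNames:
+- {{ template "spinnaker.fullname" . }}-halyard
+{{- end }}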
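Review bot: The Role grants `use` on `podsecuritypolicies` in the `extensions` API group, while the policy it names is created under `apiVersion: policy/v1beta1` in psp-halyard.yaml; `policy` is the group the PSP resource actually lives in and the `extensions` form is the legacy spelling, so the rule should read `apiGroups: ['policy']` (list both groups if very old clusters must keep working). The template is also gated only on `rbac.pspEnabled`, not on `rbac.create`, so the Role and its RoleBinding are emitted even when a user has opted out of chart-managed RBAC; if the other templates under rbac/ check `create` (not visible here), `{{- if and .Values.rbac.create .Values.rbac.pspEnabled }}` would keep the new files consistent with them. The same gating point applies to psp-halyard-rolebinding.yaml.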
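--- a/stable/spinnaker/templates/rbac/psp-halyard-rolebinding.yaml
+++ b/stable/spinnaker/templates/rbac/psp-halyard-rolebinding.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.rbac.pspEnabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: {{ template "spinnaker.fullname" . }}-halyard
+labels:
+{{ include "spinnaker.standard-labels" . | indent 4 }}
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: Role
+name: {{ template "spinnaker.fullname" . }}-halyard
+subjects:
+- kind: ServiceAccount
+{{- if .Values.serviceAccount.halyardName }}
+name: {{ .Values.serviceAccount.halyardName }}
+{{- else }}
+name: {{ template "spinnaker.fullname" . }}-halyard
+{{- end }}
+namespace: {{ .Release.Namespace }}
+{{- end }}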
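--- a/stable/spinnaker/templates/rbac/psp-halyard.yaml
+++ b/stable/spinnaker/templates/rbac/psp-halyard.yaml
@@ -0,0 +1,27 @@
+{{- if .Values.rbac.pspEnabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+name: {{ template "spinnaker.fullname" . }}-halyard
+labels:
+{{ include "spinnaker.standard-labels" . | indent 4 }}
+spec:
+privileged: false
+allowPrivilegeEscalation: false
+volumes:
+- 'configMap'
+- 'emptyDir'
+- 'persistentVolumeClaim'
+- 'secret'
+hostNetwork: false
+hostIPC: false
+hostPID: false
+runAsUser:
+rule: 'MustRunAsNonRoot'
+seLinux:
+rule: 'RunAsAny'
+supplementalGroups:
+rule: 'RunAsAny'
+fsGroup:
+rule: 'RunAsAny'
+{{- end }}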
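Review bot: The policy neither drops Linux capabilities nor restricts the root filesystem, so a pod admitted under it keeps the container runtime's default capability set; `requiredDropCapabilities: ['ALL']` is the usual hardening for a hook pod that only runs halyard commands, and `readOnlyRootFilesystem: true` is worth testing if halyard writes only to mounted volumes (not verifiable from this change). The `seLinux`, `supplementalGroups` and `fsGroup` strategies are all `RunAsAny`; since the hook pod template pins `fsGroup` from values, a `MustRunAs` range with an explicit `min`/`max` would match the intent expressed by `MustRunAsNonRoot`. The `policy/v1beta1` PodSecurityPolicy API is deprecated upstream and removed in Kubernetes 1.25, so the option should be documented as usable only on clusters that still serve it.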
2 changes: 2 additions & 0 deletions stable/spinnaker/values.yaml
Expand Up @@ -306,6 +306,8 @@ azs:
rbac:
# Specifies whether RBAC resources should be created
create: true
# Specifies whether PSP resources should be created
pspEnabled: false

serviceAccount:
# Specifies whether a ServiceAccount should be created
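Review bot: The comment on `pspEnabled` says PSP resources are created but not for which workload: from the templates in this commit the policy, Role and RoleBinding cover only the halyard hook pod's service account, so workloads halyard itself deploys are presumably not covered (their manifests are outside this change). Suggest `# Specifies whether a PodSecurityPolicy (with Role/RoleBinding) for the halyard hook pod should be created; needs the PodSecurityPolicy admission controller and the policy/v1beta1 API on the cluster`. It is also worth noting there that enabling it requires `securityContext.runAsUser` to be non-zero, since the policy uses `MustRunAsNonRoot`.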
