From 9fd4613e3e1b0ea60a984265af256da47a66046e Mon Sep 17 00:00:00 2001
From: Fabrice Rabaute
Date: Wed, 10 Jun 2020 12:07:45 -0700
Subject: [PATCH] [stable/spinnaker] Add psp option
---
 stable/spinnaker/Chart.yaml | 2 +-
 .../templates/hooks/install-using-hal.yaml | 8 ++++++
 .../rbac/psp-halyard-clusterrole.yaml | 14 ++++++++++
 .../rbac/psp-halyard-clusterrolebinding.yaml | 20 ++++++++++++++
 .../spinnaker/templates/rbac/psp-halyard.yaml | 27 +++++++++++++++++++
 stable/spinnaker/values.yaml | 2 ++
 6 files changed, 72 insertions(+), 1 deletion(-)
 create mode 100644 stable/spinnaker/templates/rbac/psp-halyard-clusterrole.yaml
 create mode 100644 stable/spinnaker/templates/rbac/psp-halyard-clusterrolebinding.yaml
 create mode 100644 stable/spinnaker/templates/rbac/psp-halyard.yaml
diff --git a/stable/spinnaker/Chart.yaml b/stable/spinnaker/Chart.yaml
index ade067987ce5..175dddb2d9ba 100644
--- a/stable/spinnaker/Chart.yaml
+++ b/stable/spinnaker/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 description: Open source, multi-cloud continuous delivery platform for releasing software changes with high velocity and confidence.
 name: spinnaker
-version: 2.0.0-rc4
+version: 2.0.0-rc5
 appVersion: 1.16.2
 home: http://spinnaker.io/
 sources:
diff --git a/stable/spinnaker/templates/hooks/install-using-hal.yaml b/stable/spinnaker/templates/hooks/install-using-hal.yaml
index b968dee5bb6d..25b681de48f5 100644
--- a/stable/spinnaker/templates/hooks/install-using-hal.yaml
+++ b/stable/spinnaker/templates/hooks/install-using-hal.yaml
@@ -19,6 +19,14 @@ spec:
 labels:
 {{ include "spinnaker.standard-labels" . | indent 8 }}
 spec:
+ {{- if .Values.serviceAccount.halyardName }}
+ serviceAccountName: {{ .Values.serviceAccount.halyardName }}
+ {{- else }}
+ serviceAccountName: {{ template "spinnaker.fullname" . }}-halyard
+ {{- end }}
+ securityContext:
+ runAsUser: {{ .Values.securityContext.runAsUser }}
+ fsGroup: {{ .Values.securityContext.fsGroup }}
 {{- if .Values.nodeSelector }}
 nodeSelector:
 {{ toYaml .Values.nodeSelector | indent 8 }}
diff --git a/stable/spinnaker/templates/rbac/psp-halyard-clusterrole.yaml b/stable/spinnaker/templates/rbac/psp-halyard-clusterrole.yaml
new file mode 100644
index 000000000000..dc7d7e0132a1
--- /dev/null
+++ b/stable/spinnaker/templates/rbac/psp-halyard-clusterrole.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.rbac.pspEnabled }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ template "spinnaker.fullname" . }}-halyard
+ labels:
+{{ include "spinnaker.standard-labels" . | indent 4 }}
+rules:
+- apiGroups: ['extensions']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames:
+ - {{ template "spinnaker.fullname" . }}-halyard
+{{- end }}
diff --git a/stable/spinnaker/templates/rbac/psp-halyard-clusterrolebinding.yaml b/stable/spinnaker/templates/rbac/psp-halyard-clusterrolebinding.yaml
new file mode 100644
index 000000000000..40610d676ba8
--- /dev/null
+++ b/stable/spinnaker/templates/rbac/psp-halyard-clusterrolebinding.yaml
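Review bot: The new `securityContext` block dereferences `.Values.securityContext.runAsUser` and `.Values.securityContext.fsGroup` unconditionally, yet this patch adds no `securityContext` keys to values.yaml; unless the chart already defines them elsewhere (not visible here), `.Values.securityContext` renders as nil and the hook template fails for every install, not only when `rbac.pspEnabled` is set. The Job spec this block belongs to starts and ends outside the hunk. Because the PodSecurityPolicy added by the same patch uses `MustRunAsNonRoot`, the pod should also declare its intent directly so the kubelet refuses to start the container if someone sets `runAsUser: 0`, instead of relying on admission alone: `securityContext:`, then `runAsNonRoot: true`, then the existing `runAsUser: {{ .Values.securityContext.runAsUser }}` and `fsGroup` lines. Whatever keys this block reads should be added to values.yaml with a comment stating that `runAsUser` must be non-zero for the PSP to admit the pod.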
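Review bot: The `use` rule is granted under `apiGroups: ['extensions']` while the PodSecurityPolicy created by this same patch is declared as `policy/v1beta1`; the PSP admission plugin has generally accepted either group on clusters that still served the legacy `extensions` endpoint, but `policy` is the group the object actually lives in and the only one present on 1.16+ clusters, so the rule should read `- apiGroups: ['policy']`. The file is gated only on `.Values.rbac.pspEnabled`, so a ClusterRole is still emitted when `rbac.create` is false; if the chart's other `rbac/` templates key on `rbac.create`, `{{- if and .Values.rbac.create .Values.rbac.pspEnabled }}` keeps this one consistent with them. A one-line comment above `rules:` saying that `use` on this single `resourceNames` entry is what lets the halyard hook pod be admitted would help the next reader, since the verb is unusual.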
@@ -0,0 +1,20 @@
+{{- if .Values.rbac.pspEnabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "spinnaker.fullname" . }}-halyard
+ labels:
+{{ include "spinnaker.standard-labels" . | indent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "spinnaker.fullname" . }}-halyard
+subjects:
+- kind: ServiceAccount
+ {{- if .Values.serviceAccount.halyardName }}
+ name: {{ .Values.serviceAccount.halyardName }}
+ {{- else }}
+ name: {{ template "spinnaker.fullname" . }}-halyard
+ {{- end }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/stable/spinnaker/templates/rbac/psp-halyard.yaml b/stable/spinnaker/templates/rbac/psp-halyard.yaml
new file mode 100644
index 000000000000..d6910e0326c7
--- /dev/null
+++ b/stable/spinnaker/templates/rbac/psp-halyard.yaml
@@ -0,0 +1,27 @@
+{{- if .Values.rbac.pspEnabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ template "spinnaker.fullname" . }}-halyard
+ labels:
+{{ include "spinnaker.standard-labels" . | indent 4 }}
+spec:
+ privileged: false
+ allowPrivilegeEscalation: false
+ volumes:
+ - 'configMap'
+ - 'emptyDir'
+ - 'persistentVolumeClaim'
+ - 'secret'
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'MustRunAsNonRoot'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'RunAsAny'
+ fsGroup:
+ rule: 'RunAsAny'
+{{- end }}
diff --git a/stable/spinnaker/values.yaml b/stable/spinnaker/values.yaml
index 3d67947ba387..36bdae6ef32a 100644
--- a/stable/spinnaker/values.yaml
+++ b/stable/spinnaker/values.yaml
@@ -306,6 +306,8 @@ azs:
 rbac:
 # Specifies whether RBAC resources should be created
 create: true
+ # Specifies whether PSP resources should be created
+ pspEnabled: false
 serviceAccount:
 # Specifies whether a ServiceAccount should be created
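Review bot: The binding is cluster-scoped although its only subject is the halyard ServiceAccount in `{{ .Release.Namespace }}`; a namespaced `RoleBinding` to the same ClusterRole is sufficient to grant `use` on a PodSecurityPolicy and confines the grant to the release namespace, which is the least-privilege shape for a single-namespace hook. Naming both the ClusterRole and this binding `<fullname>-halyard` also risks colliding with an existing ClusterRoleBinding of that name from the chart's other `rbac/` templates (not visible in this diff); a suffix such as `name: {{ template "spinnaker.fullname" . }}-halyard-psp` on both objects avoids that. The `halyardName` fallback in `subjects` duplicates the one the hook template carries, so a named helper for the halyard service-account name would keep the two from drifting.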
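Review bot: The policy blocks privilege escalation and host namespaces but leaves `supplementalGroups` and `fsGroup` at `RunAsAny` and drops no capabilities, so a pod that satisfies `MustRunAsNonRoot` can still run with gid 0 and the runtime's full default capability set; since the hook in this patch takes `fsGroup` from values, a `MustRunAs` range starting at 1 would make an `fsGroup: 0` value fail closed at admission instead of being silently allowed. Nothing in the halyard hook visible here suggests it needs Linux capabilities, so `requiredDropCapabilities: ['ALL']` should be safe to add, and `runAsGroup` can be constrained the same way on clusters whose PSP implementation honours that field. PodSecurityPolicy is deprecated and removed in Kubernetes 1.25, which deserves a comment above `apiVersion: policy/v1beta1` so users enabling `rbac.pspEnabled` know the option has a shelf life.
```yaml
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - 'ALL'
  # … unchanged: volumes, hostNetwork/hostIPC/hostPID, runAsUser, seLinux …
  runAsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
```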