Merge pull request #294 from kinvolk/surajssd/add-seccomp-to-prom-op

prometheus operator: Add seccomp annotations to PSP
kinvolk · Apr 15, 2020 · 6ebc13a · 6ebc13a
2 parents ac214cf + 37534f2
commit 6ebc13a
Show file tree

Hide file tree

Showing 7 changed files with 41 additions and 10 deletions.
diff --git a/assets/components/prometheus-operator/manifests/templates/alertmanager/psp.yaml b/assets/components/prometheus-operator/manifests/templates/alertmanager/psp.yaml
@@ -6,6 +6,10 @@ metadata:
   namespace: {{ $.Release.Namespace }}
   labels:
     app: {{ template "prometheus-operator.name" . }}-alertmanager
+{{- if .Values.global.rbac.pspAnnotations }}
+  annotations:
+{{ toYaml .Values.global.rbac.pspAnnotations | indent 4 }}
+{{- end }}
 {{ include "prometheus-operator.labels" . | indent 4 }}
 spec:
   privileged: false

diff --git a/...us-operator/manifests/templates/prometheus-operator/admission-webhooks/job-patch/psp.yaml b/...us-operator/manifests/templates/prometheus-operator/admission-webhooks/job-patch/psp.yaml
@@ -9,6 +9,10 @@ metadata:
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
   labels:
     app: {{ template "prometheus-operator.name" . }}-admission
+{{- if .Values.global.rbac.pspAnnotations }}
+  annotations:
+{{ toYaml .Values.global.rbac.pspAnnotations | indent 4 }}
+{{- end }}
 {{ include "prometheus-operator.labels" . | indent 4 }}
 spec:
   privileged: false

diff --git a/assets/components/prometheus-operator/manifests/templates/prometheus-operator/psp.yaml b/assets/components/prometheus-operator/manifests/templates/prometheus-operator/psp.yaml
@@ -6,6 +6,10 @@ metadata:
   namespace: {{ $.Release.Namespace }}
   labels:
     app: {{ template "prometheus-operator.name" . }}-operator
+{{- if .Values.global.rbac.pspAnnotations }}
+  annotations:
+{{ toYaml .Values.global.rbac.pspAnnotations | indent 4 }}
+{{- end }}
 {{ include "prometheus-operator.labels" . | indent 4 }}
 spec:
   privileged: false

diff --git a/assets/components/prometheus-operator/manifests/templates/prometheus/psp.yaml b/assets/components/prometheus-operator/manifests/templates/prometheus/psp.yaml
@@ -6,6 +6,10 @@ metadata:
   namespace: {{ $.Release.Namespace }}
   labels:
     app: {{ template "prometheus-operator.name" . }}-prometheus
+{{- if .Values.global.rbac.pspAnnotations }}
+  annotations:
+{{ toYaml .Values.global.rbac.pspAnnotations | indent 4 }}
+{{- end }}
 {{ include "prometheus-operator.labels" . | indent 4 }}
 spec:
   privileged: false

diff --git a/assets/components/prometheus-operator/manifests/values.yaml b/assets/components/prometheus-operator/manifests/values.yaml
@@ -60,6 +60,15 @@ global:
   rbac:
     create: true
     pspEnabled: true
+    pspAnnotations: {}
+      ## Specify pod annotations
+      ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor
+      ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
+      ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl
+      ##
+      # seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+      # seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
+      # apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
 
   ## Reference to one or more secrets to be used when pulling images
   ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

diff --git a/pkg/assets/generated_assets.go b/pkg/assets/generated_assets.go
diff --git a/pkg/components/prometheus-operator/template.go b/pkg/components/prometheus-operator/template.go
@@ -15,6 +15,12 @@
 package prometheus
 
 const chartValuesTmpl = `
+global:
+  rbac:
+    pspAnnotations:
+      seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+      seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
+
 alertmanager:
 {{.AlertManagerConfig}}
   alertmanagerSpec: