From 7c469a5355253089cf2c0e4a3e1f240d59d66359 Mon Sep 17 00:00:00 2001 From: prateekpandey14 Date: Mon, 15 Feb 2021 13:36:37 +0530 Subject: [PATCH 1/2] refact(charts): add pod security policy for cstor charts Signed-off-by: prateekpandey14 --- .github/workflows/pull_request.yml | 2 ++ deploy/helm/charts/Chart.yaml | 2 +- deploy/helm/charts/templates/csi-node.yaml | 2 -- deploy/helm/charts/templates/psp.yaml | 27 ++++++++++++++++++++++ 4 files changed, 30 insertions(+), 3 deletions(-) create mode 100644 deploy/helm/charts/templates/psp.yaml diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 8b0a218b..42990d96 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -16,6 +16,8 @@ name: ci on: pull_request: + paths-ignore: + - 'deploy/helm/**' branches: # on pull requests to master and release branches - master diff --git a/deploy/helm/charts/Chart.yaml b/deploy/helm/charts/Chart.yaml index 0459bc46..7f5b30a6 100644 --- a/deploy/helm/charts/Chart.yaml +++ b/deploy/helm/charts/Chart.yaml @@ -4,7 +4,7 @@ description: CStor-Operator helm chart for Kubernetes type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 2.5.2 +version: 2.5.3 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. appVersion: 2.5.0 diff --git a/deploy/helm/charts/templates/csi-node.yaml b/deploy/helm/charts/templates/csi-node.yaml index 3acb8c1f..c30f9d38 100644 --- a/deploy/helm/charts/templates/csi-node.yaml +++ b/deploy/helm/charts/templates/csi-node.yaml 
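Review bot: Adding `paths-ignore: 'deploy/helm/**'` to `pull_request` means the chart templates changed in this same series — including the PodSecurityPolicy and the RBAC that grants `use` on it — no longer get a pull-request run from this workflow. Unless another workflow lints and renders the chart (not visible here), a broken or over-permissive template will only surface at install time; consider dropping the ignore or adding a `helm lint` / `helm template` job scoped to `deploy/helm/**`. The `on:` block continues outside the hunk.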
@@ -55,8 +55,6 @@ spec:
 - name: {{ .Values.cstorCSIPlugin.name }}
 securityContext:
 privileged: true
- capabilities:
- add: ["CAP_MKNOD", "CAP_SYS_ADMIN", "SYS_ADMIN"]
 allowPrivilegeEscalation: true
 image: "{{ .Values.cstorCSIPlugin.image.registry }}{{ .Values.cstorCSIPlugin.image.repository }}:{{ .Values.cstorCSIPlugin.image.tag }}"
 imagePullPolicy: {{ .Values.cstorCSIPlugin.image.pullPolicy }}
diff --git a/deploy/helm/charts/templates/psp.yaml b/deploy/helm/charts/templates/psp.yaml
new file mode 100644
index 00000000..f3ff690d
--- /dev/null
+++ b/deploy/helm/charts/templates/psp.yaml
@@ -0,0 +1,27 @@
+{{- if .Values.rbac.pspEnabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ template "cstor.fullname" . }}-psp
+ {{- with .Values.csiNode.annotations }}
+ annotations: {{ toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ {{- include "cstor.csiNode.labels" . | nindent 4 }}
+spec:
+ privileged: true
+ allowPrivilegeEscalation: true
+ allowedCapabilities: ['*']
+ volumes: ['*']
+ hostNetwork: true
+ hostIPC: true
+ hostPID: true
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'RunAsAny'
+ fsGroup:
+ rule: 'RunAsAny'
+{{- end }}
From 7db3df71ad16ad9c945a18464dc2b624a867f52c Mon Sep 17 00:00:00 2001
From: prateekpandey14
Date: Mon, 15 Feb 2021 15:43:36 +0530
Subject: [PATCH 2/2] add missing psp rbac files
Signed-off-by: prateekpandey14
---
 .../helm/charts/templates/csi-node-rbac.yaml | 30 +++++++++++++++++++
 deploy/helm/charts/templates/psp.yaml | 5 +---
 2 files changed, 31 insertions(+), 4 deletions(-)
diff --git a/deploy/helm/charts/templates/csi-node-rbac.yaml b/deploy/helm/charts/templates/csi-node-rbac.yaml
index 08f852bf..4af703b2 100644
--- a/deploy/helm/charts/templates/csi-node-rbac.yaml
+++ b/deploy/helm/charts/templates/csi-node-rbac.yaml
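Review bot: Dropping the capability list leaves the container's effective permissions unchanged, because `privileged: true` and `allowPrivilegeEscalation: true` stay on the lines around the removal and privileged mode already implies every capability. A short comment recording why the CSI node plugin has to run privileged would help the next reader, e.g. `# privileged: required for host mount/device access by the CSI node plugin — confirm`. The container entry begins, and the pod spec continues, outside the hunk.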
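Review bot: The new `spec` allows everything a PodSecurityPolicy can allow — `privileged: true`, `allowedCapabilities: ['*']`, `volumes: ['*']` and all three host namespaces (`hostNetwork`, `hostIPC`, `hostPID`) — so for any ServiceAccount granted `use` on it the policy is equivalent to having no policy. Only `privileged` and `allowPrivilegeEscalation` are visible as needed by the csi-node container elsewhere in this series; `hostIPC: true` and `hostPID: true` in particular look unnecessary unless the DaemonSet sets them, and `volumes` can be limited to the types that template actually mounts (not visible here). A comment per field naming the csi-node setting that requires it would document the intent, e.g. `hostNetwork: true  # csi-node DaemonSet runs with hostNetwork — confirm`. Note that `policy/v1beta1` PodSecurityPolicy has since been deprecated in Kubernetes 1.21 and removed in 1.25, so this template will need a `.Capabilities.APIVersions.Has` guard or a replacement on newer clusters.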
@@ -40,4 +40,34 @@ roleRef:
 kind: ClusterRole
 name: openebs-cstor-csi-registrar-role
 apiGroup: rbac.authorization.k8s.io
+{{- if .Values.rbac.pspEnabled }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: openebs-cstor-csi-node-role
+ labels:
+ {{- include "cstor.csiNode.labels" . | nindent 4 }}
+rules:
+- apiGroups: ['policy']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames:
+ - openebs-cstor-csi-node-psp
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: openebs-cstor-csi-node-binding
+ labels:
+ {{- include "cstor.csiNode.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: openebs-cstor-csi-node-role
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Values.serviceAccount.csiNode.name }}
+ namespace: {{ $.Release.Namespace }}
+{{- end }}
 {{- end }}
diff --git a/deploy/helm/charts/templates/psp.yaml b/deploy/helm/charts/templates/psp.yaml
index f3ff690d..138b52e0 100644
--- a/deploy/helm/charts/templates/psp.yaml
+++ b/deploy/helm/charts/templates/psp.yaml
@@ -2,10 +2,7 @@
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
- name: {{ template "cstor.fullname" . }}-psp
- {{- with .Values.csiNode.annotations }}
- annotations: {{ toYaml . | nindent 4 }}
- {{- end }}
+ name: openebs-cstor-csi-node-psp
 labels:
 {{- include "cstor.csiNode.labels" . | nindent 4 }}
 spec:
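Review bot: The PSP name `openebs-cstor-csi-node-psp` is now a bare literal in two templates — `resourceNames` in this hunk and `metadata.name` in the psp.yaml hunk that follows — with nothing tying them together, so a later edit to either silently turns the `use` grant into a no-op and the csi-node pods fail admission. Define it once as a named template next to `cstor.fullname` and reference it from both places. Two points of style in this hunk: the `rules:` list is written flush (`- apiGroups`) while `subjects:` is indented (`  - kind`), and the ClusterRole/ClusterRoleBinding names are hard-coded like the surrounding `openebs-cstor-csi-registrar-role` rather than derived from `cstor.fullname`, so two releases of the chart in one cluster would collide on these cluster-scoped objects. The new block is nested inside an outer conditional whose `{{- if` opens outside the hunk.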