From 9833901278d958a761fc56068c2a59751a992e10 Mon Sep 17 00:00:00 2001
From: Youssef Bel Mekki <38552193+ybelMekk@users.noreply.github.com>
Date: Fri, 30 Aug 2024 14:46:22 +0200
Subject: [PATCH 1/2] feat(charts): securityContect to cleanup-leases job
* In a cluster with https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/ does not clean up
Signed-off-by: Youssef Bel Mekki <38552193+ybelMekk@users.noreply.github.com>
---
 charts/policy-controller/README.md | 8 ++++++++
 .../templates/webhook/cleanup-leases.yaml | 12 ++++++++++++
 charts/policy-controller/values.yaml | 12 ++++++++++++
 3 files changed, 32 insertions(+)
diff --git a/charts/policy-controller/README.md b/charts/policy-controller/README.md
index c64cb857..c1925ae1 100644
--- a/charts/policy-controller/README.md
+++ b/charts/policy-controller/README.md
@@ -159,6 +159,14 @@ helm uninstall [RELEASE_NAME]
 | leasescleanup.image.pullPolicy | string | `"IfNotPresent"` | |
 | leasescleanup.image.repository | string | `"cgr.dev/chainguard/kubectl"` | |
 | leasescleanup.image.version | string | `"latest-dev"` | |
+| leasescleanup.podSecurityContext.allowPrivilegeEscalation | bool | `false` | |
+| leasescleanup.podSecurityContext.capabilities.drop[0] | string | `"ALL"` | |
+| leasescleanup.podSecurityContext.enabled | bool | `true` | |
+| leasescleanup.podSecurityContext.readOnlyRootFilesystem | bool | `true` | |
+| leasescleanup.podSecurityContext.runAsUser | int | `1000` | |
+| leasescleanup.securityContext.enabled | bool | `false` | |
+| leasescleanup.securityContext.runAsNonRoot | bool | `true` | |
+| leasescleanup.securityContext.runAsUser | int | `1000` | |
 | loglevel | string | `"info"` | |
 | serviceMonitor.enabled | bool | `false` | |
 | webhook.configData | object | `{}` | |
diff --git a/charts/policy-controller/templates/webhook/cleanup-leases.yaml b/charts/policy-controller/templates/webhook/cleanup-leases.yaml
index 0cccbb16..c05d8d1c 100644
--- a/charts/policy-controller/templates/webhook/cleanup-leases.yaml
+++ b/charts/policy-controller/templates/webhook/cleanup-leases.yaml
@@ -24,6 +24,18 @@ spec:
 - /bin/sh
 - -c
 - kubectl delete leases --all --ignore-not-found -n {{ .Release.Namespace }}
+ {{- if .Values.leasescleanup.podSecurityContext.enabled }}
+ securityContext:
+ {{- with .Values.leasescleanup.podSecurityContext }}
+ {{- omit . "enabled" | toYaml | nindent 10}}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.leasescleanup.securityContext.enabled }}
+ securityContext:
+ {{- with .Values.leasescleanup.securityContext }}
+ {{- omit . "enabled" | toYaml | nindent 8}}
+ {{- end }}
+ {{- end }}
 restartPolicy: OnFailure
 ---
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/charts/policy-controller/values.yaml b/charts/policy-controller/values.yaml
index c9627e3a..1855a5e7 100644
--- a/charts/policy-controller/values.yaml
+++ b/charts/policy-controller/values.yaml
@@ -72,6 +72,18 @@ leasescleanup:
 repository: cgr.dev/chainguard/kubectl
 version: latest-dev
 pullPolicy: IfNotPresent
+ securityContext:
+ enabled: false
+ runAsUser: 1000
+ runAsNonRoot: true
+ podSecurityContext:
+ enabled: true
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: 1000
+ capabilities:
+ drop:
+ - ALL
 ## common node selector for all the pods
 commonNodeSelector: {}
From 2ae8f657678806abb21b95abb903e897de82f11f Mon Sep 17 00:00:00 2001
From: Youssef Bel Mekki <38552193+ybelMekk@users.noreply.github.com>
Date: Fri, 30 Aug 2024 14:54:12 +0200
Subject: [PATCH 2/2] feat(charts): securityContect to cleanup-leases job
* In a cluster with https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/ does not clean up
Signed-off-by: Youssef Bel Mekki <38552193+ybelMekk@users.noreply.github.com>
---
 charts/policy-controller/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
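Review bot: With the shipped defaults the rendered Job still lacks the two settings a Restricted Pod Security Standard admission check requires — `runAsNonRoot: true` lives only in the `securityContext` block, which defaults to `enabled: false`, and neither block sets `seccompProfile` — so a cluster enforcing that profile can still refuse the job the commit message says is not being run. In values.yaml, adding `runAsNonRoot: true` and `seccompProfile: {type: RuntimeDefault}` to the default-enabled `podSecurityContext` block (and updating the README table) closes that gap without touching the template. The naming is also reversed relative to the usual Helm convention: judging by `nindent 10` and the container-only fields it carries (`allowPrivilegeEscalation`, `readOnlyRootFilesystem`, `capabilities`), `podSecurityContext` is rendered into the container's securityContext while `securityContext` lands at pod level, which will mislead anyone reading the README; swapping the value names before this ships, or a comment in values.yaml stating which level each block targets, would avoid that. The same point applies to the values.yaml hunk that follows. The Job's container and pod spec begin outside this hunk, so the final indentation of both blocks could not be confirmed from here.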
diff --git a/charts/policy-controller/Chart.yaml b/charts/policy-controller/Chart.yaml
index 58a96f79..3fb5ca8b 100644
--- a/charts/policy-controller/Chart.yaml
+++ b/charts/policy-controller/Chart.yaml
@@ -8,7 +8,7 @@ sources:
 type: application
 name: policy-controller
-version: 0.6.9
+version: 0.6.10
 appVersion: 0.8.2
 maintainers: