Add annotations to podsecuritypolicy

Provide support for adding annotations to the podsecuritypolicy. This will
allow adding annotations related to seccomp and apparmor to the PSP.

Change-Id: I78718ae1f60e8ebee8ac8ba86145bb9ae26491d5
Hemanth Nakkina 2019-03-04 10:28:09 +05:30 committed by Tin Lam
parent 469b31356d
commit 154f1700b1
3 changed files with 31 additions and 23 deletions


@ -26,8 +26,12 @@ metadata:
name: {{ $pspName }}
labels:
{{ tuple $envAll "podsecuritypolicy" "policy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
{{- if $pspDetails.annotations }}
annotations:
{{ toYaml $pspDetails.annotations | indent 4 }}
{{- end }}
spec:
{{ toYaml $pspDetails | indent 2 }}
{{ toYaml $pspDetails.spec | indent 2 }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
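Review bot: `{{ toYaml $pspDetails.spec | indent 2 }}` on the new side renders `spec: null` whenever an override still uses the previous flat layout (`data.psp-default.hostNetwork` rather than `data.psp-default.spec.hostNetwork`), because `$pspDetails.spec` is then absent; the API server will most likely reject the object for missing rule fields, but the error points at the rendered manifest rather than at the values key that moved. A `required` guard fails the render with a readable message instead: `{{ toYaml (required "data.<psp>.spec must be set (PSP fields moved under spec)" $pspDetails.spec) | indent 2 }}`. The commit message should also say that the values layout changed and that existing overrides must be moved under `spec`, since nothing in the chart warns about it. The enclosing PodSecurityPolicy resource and the definitions of `$pspDetails` and `$pspName` start before this hunk.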


@ -33,25 +33,27 @@ data:
# Note: you can define as many PSPs here as you need.
#
psp-default: # This will be the `metadata.name` of the PodSecurityPolicy
privileged: true
allowPrivilegeEscalation: true
hostNetwork: true
hostPID: true
hostIPC: true
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: RunAsAny
fsGroup:
rule: RunAsAny
volumes:
- '*'
allowedCapabilities:
- '*'
hostPorts:
- min: 1
max: 65536
annotations: {} # Placeholder to add seccomp/apparmor default annotations
spec:
privileged: true
allowPrivilegeEscalation: true
hostNetwork: true
hostPID: true
hostIPC: true
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: RunAsAny
fsGroup:
rule: RunAsAny
volumes:
- '*'
allowedCapabilities:
- '*'
hostPorts:
- min: 1
max: 65536
manifests:
podsecuritypolicy: true
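Review bot: The `annotations: {}` placeholder added to `psp-default` says that seccomp/apparmor annotations belong here but not which keys the PSP admission controller reads, so an operator wanting to restrict profiles has to look that up elsewhere. I would extend the comment to name them: `# e.g. seccomp.security.alpha.kubernetes.io/allowedProfileNames, seccomp.security.alpha.kubernetes.io/defaultProfileName, apparmor.security.beta.kubernetes.io/allowedProfileNames, apparmor.security.beta.kubernetes.io/defaultProfileName`. Since the template guards the block with `{{- if $pspDetails.annotations }}`, the empty default renders no annotations at all, which is worth stating in the same comment so nobody assumes a default profile is enforced out of the box.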


@ -35,7 +35,7 @@ EOF
#NOTE: Deploy with host networking off, and test for failure
helm upgrade --install podsecuritypolicy ./podsecuritypolicy \
--namespace=kube-system \
--set data.psp-default.hostNetwork=false \
--set data.psp-default.spec.hostNetwork=false \
${OSH_INFRA_EXTRA_HELM_ARGS} \
${OSH_INFRA_EXTRA_HELM_ARGS_PODSECURITYPOLICY}
@ -50,12 +50,14 @@ if kubectl apply -f /tmp/psp-test-pod.yaml; then
echo "ERROR: podsecuritypolicy incorrectly admitted a privileged pod"
kubectl delete pod psp-test
exit 1
else
echo "Failure above is expected. Continuing."
fi
#NOTE: Deploy with host networking on, and test for success
helm upgrade --install podsecuritypolicy ./podsecuritypolicy \
--namespace=kube-system \
--set data.psp-default.hostNetwork=true \
--set data.psp-default.spec.hostNetwork=true \
${OSH_INFRA_EXTRA_HELM_ARGS} \
${OSH_INFRA_EXTRA_HELM_ARGS_PODSECURITYPOLICY}