Add annotations to podsecuritypolicy

Provide support for adding annotations to the podsecuritypolicy. This
allows annotations related to seccomp and apparmor to be added to the PSP.

Change-Id: I78718ae1f60e8ebee8ac8ba86145bb9ae26491d5
This commit is contained in:
Hemanth Nakkina 2019-03-04 10:28:09 +05:30 committed by Tin Lam
parent 469b31356d
commit 154f1700b1
3 changed files with 31 additions and 23 deletions


@ -26,8 +26,12 @@ metadata:
name: {{ $pspName }} name: {{ $pspName }}
labels: labels:
{{ tuple $envAll "podsecuritypolicy" "policy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} {{ tuple $envAll "podsecuritypolicy" "policy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
{{- if $pspDetails.annotations }}
annotations:
{{ toYaml $pspDetails.annotations | indent 4 }}
{{- end }}
spec: spec:
{{ toYaml $pspDetails | indent 2 }} {{ toYaml $pspDetails.spec | indent 2 }}
--- ---
kind: ClusterRole kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
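Review bot: The switch from `toYaml $pspDetails` to `toYaml $pspDetails.spec` on the `spec:` line has no guard for values that still use the old flat layout, so a user override without a `spec` key renders `spec: null` and the failure only surfaces at apply time rather than at template time; consider `{{ required "psp-default.spec must be set" $pspDetails.spec | toYaml | indent 2 }}` so the template fails fast with a clear message. The new `{{- if $pspDetails.annotations }}` block is fine as written, since an empty map is falsy and the placeholder `{}` in values produces no `annotations:` key. The loop that defines `$pspName` and `$pspDetails` starts outside this hunk, so the note assumes `$pspDetails` is the per-PSP mapping from values.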


@ -33,25 +33,27 @@ data:
# Note: you can define as many PSPs here as you need. # Note: you can define as many PSPs here as you need.
# #
psp-default: # This will be the `metadata.name` of the PodSecurityPolicy psp-default: # This will be the `metadata.name` of the PodSecurityPolicy
privileged: true annotations: {} # Placeholder to add seccomp/apparmor default annotations
allowPrivilegeEscalation: true spec:
hostNetwork: true privileged: true
hostPID: true allowPrivilegeEscalation: true
hostIPC: true hostNetwork: true
seLinux: hostPID: true
rule: RunAsAny hostIPC: true
supplementalGroups: seLinux:
rule: RunAsAny rule: RunAsAny
runAsUser: supplementalGroups:
rule: RunAsAny rule: RunAsAny
fsGroup: runAsUser:
rule: RunAsAny rule: RunAsAny
volumes: fsGroup:
- '*' rule: RunAsAny
allowedCapabilities: volumes:
- '*' - '*'
hostPorts: allowedCapabilities:
- min: 1 - '*'
max: 65536 hostPorts:
- min: 1
max: 65536
manifests: manifests:
podsecuritypolicy: true podsecuritypolicy: true
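Review bot: Moving every field under `psp-default.spec` is a breaking change to the values layout that the file does not document; overrides written against the previous flat layout (for example `data.psp-default.hostNetwork`) are now silently ignored rather than rejected, which for a security policy means a hardening override can stop taking effect without any error. Add a comment above `spec:` such as `# NOTE: the PSP spec now lives under .spec; flat keys at this level are no longer read.` The `annotations: {}` placeholder is also worth a comment stating that with no annotations present the policy places no restriction on seccomp or AppArmor profiles, so operators know the default is not hardened in that respect.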


@ -35,7 +35,7 @@ EOF
#NOTE: Deploy with host networking off, and test for failure #NOTE: Deploy with host networking off, and test for failure
helm upgrade --install podsecuritypolicy ./podsecuritypolicy \ helm upgrade --install podsecuritypolicy ./podsecuritypolicy \
--namespace=kube-system \ --namespace=kube-system \
--set data.psp-default.hostNetwork=false \ --set data.psp-default.spec.hostNetwork=false \
${OSH_INFRA_EXTRA_HELM_ARGS} \ ${OSH_INFRA_EXTRA_HELM_ARGS} \
${OSH_INFRA_EXTRA_HELM_ARGS_PODSECURITYPOLICY} ${OSH_INFRA_EXTRA_HELM_ARGS_PODSECURITYPOLICY}
@ -50,12 +50,14 @@ if kubectl apply -f /tmp/psp-test-pod.yaml; then
echo "ERROR: podsecuritypolicy incorrectly admitted a privileged pod" echo "ERROR: podsecuritypolicy incorrectly admitted a privileged pod"
kubectl delete pod psp-test kubectl delete pod psp-test
exit 1 exit 1
else
echo "Failure above is expected. Continuing."
fi fi
#NOTE: Deploy with host networking on, and test for success #NOTE: Deploy with host networking on, and test for success
helm upgrade --install podsecuritypolicy ./podsecuritypolicy \ helm upgrade --install podsecuritypolicy ./podsecuritypolicy \
--namespace=kube-system \ --namespace=kube-system \
--set data.psp-default.hostNetwork=true \ --set data.psp-default.spec.hostNetwork=true \
${OSH_INFRA_EXTRA_HELM_ARGS} \ ${OSH_INFRA_EXTRA_HELM_ARGS} \
${OSH_INFRA_EXTRA_HELM_ARGS_PODSECURITYPOLICY} ${OSH_INFRA_EXTRA_HELM_ARGS_PODSECURITYPOLICY}
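Review bot: The new `else` branch in the second hunk treats any non-zero exit from `kubectl apply` as the expected PSP denial, so a malformed manifest, an unreachable API server, or a namespace error would also print "Failure above is expected" and let the test pass without the policy having been exercised. Capturing the output and checking that the failure is actually an admission rejection would make the negative test meaningful, e.g. `if ! out=$(kubectl apply -f /tmp/psp-test-pod.yaml 2>&1); then echo "$out" | grep -q "pod security policy" || exit 1; fi`, with the message pattern confirmed against the cluster version in use. The `if` statement itself begins outside this hunk, as the `@ -50` header shows.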