From 7f5ac29d2f2755ec9634518bc0d424912e15f0cf Mon Sep 17 00:00:00 2001
From: Christian Zunker
Date: Fri, 27 Dec 2019 14:59:28 +0100
Subject: [PATCH] Add configuration switch for use of apparmor in PSP
Fixes #2293
Signed-off-by: Christian Zunker
---
 deploy/charts/cert-manager/README.md | 1 +
 deploy/charts/cert-manager/templates/cainjector-psp.yaml | 4 +++-
 deploy/charts/cert-manager/templates/psp.yaml | 4 +++-
 deploy/charts/cert-manager/templates/webhook-psp.yaml | 4 +++-
 deploy/charts/cert-manager/values.yaml | 1 +
 5 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/deploy/charts/cert-manager/README.md b/deploy/charts/cert-manager/README.md
index 7d949a560..a2b13ac14 100644
--- a/deploy/charts/cert-manager/README.md
+++ b/deploy/charts/cert-manager/README.md
@@ -77,6 +77,7 @@ The following table lists the configurable parameters of the cert-manager chart
 | `global.rbac.create` | If `true`, create and use RBAC resources (includes sub-charts) | `true` |
 | `global.priorityClassName`| Priority class name for cert-manager and webhook pods | `""` |
 | `global.podSecurityPolicy.enabled` | If `true`, create and use PodSecurityPolicy (includes sub-charts) | `false` |
+| `global.podSecurityPolicy.useAppArmor` | If `true`, use Apparmor seccomp profile in PSP | `true` |
 | `global.leaderElection.namespace` | Override the namespace used to store the ConfigMap for leader election | `kube-system` |
 | `image.repository` | Image repository | `quay.io/jetstack/cert-manager-controller` |
 | `image.tag` | Image tag | `v0.13.0-alpha.0` |
diff --git a/deploy/charts/cert-manager/templates/cainjector-psp.yaml b/deploy/charts/cert-manager/templates/cainjector-psp.yaml
index 55ea2d3b5..ebc465318 100644
--- a/deploy/charts/cert-manager/templates/cainjector-psp.yaml
+++ b/deploy/charts/cert-manager/templates/cainjector-psp.yaml
@@ -10,9 +10,11 @@ metadata:
 heritage: {{ .Release.Service }}
 annotations:
 seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
- apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
 seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
+ {{- if .Values.global.podSecurityPolicy.useAppArmor }}
+ apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
 apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
+ {{- end }}
 spec:
 privileged: false
 allowPrivilegeEscalation: false
diff --git a/deploy/charts/cert-manager/templates/psp.yaml b/deploy/charts/cert-manager/templates/psp.yaml
index c4941c3d9..61cd86e8f 100644
--- a/deploy/charts/cert-manager/templates/psp.yaml
+++ b/deploy/charts/cert-manager/templates/psp.yaml
@@ -10,9 +10,11 @@ metadata:
 heritage: {{ .Release.Service }}
 annotations:
 seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
- apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
 seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
+ {{- if .Values.global.podSecurityPolicy.useAppArmor }}
+ apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
 apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
+ {{- end }}
 spec:
 privileged: false
 allowPrivilegeEscalation: false
diff --git a/deploy/charts/cert-manager/templates/webhook-psp.yaml b/deploy/charts/cert-manager/templates/webhook-psp.yaml
index 64808905b..a21b6d5b7 100644
--- a/deploy/charts/cert-manager/templates/webhook-psp.yaml
+++ b/deploy/charts/cert-manager/templates/webhook-psp.yaml
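Review bot: Setting `useAppArmor` to false removes the `apparmor.security.beta.kubernetes.io/allowedProfileNames` annotation together with the default-profile one, so — if I recall PSP semantics correctly, an absent allowedProfileNames means no restriction — the policy then stops constraining which AppArmor profile a pod may request rather than merely not applying one, which is a wider relaxation than the flag name suggests. If the intent is only to cope with nodes lacking AppArmor, that should be stated next to the conditional, e.g. `# useAppArmor=false omits both AppArmor annotations; the PSP then places no AppArmor restriction on pods`. The identical block is added in the psp.yaml and webhook-psp.yaml hunks, and the enclosing `metadata:` mapping starts before the hunk. The seccomp annotations stay unconditional, which looks intended since they are independent of AppArmor.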
@@ -10,9 +10,11 @@ metadata:
 heritage: {{ .Release.Service }}
 annotations:
 seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
- apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
 seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
+ {{- if .Values.global.podSecurityPolicy.useAppArmor }}
+ apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
 apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
+ {{- end }}
 spec:
 privileged: false
 allowPrivilegeEscalation: false
diff --git a/deploy/charts/cert-manager/values.yaml b/deploy/charts/cert-manager/values.yaml
index 278673936..b153f031b 100644
--- a/deploy/charts/cert-manager/values.yaml
+++ b/deploy/charts/cert-manager/values.yaml
@@ -16,6 +16,7 @@ global:
 podSecurityPolicy:
 enabled: false
+ useAppArmor: true
 # Set the verbosity of cert-manager. Range of 0 - 6 with 6 being the most verbose.
 logLevel: 2
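Review bot: The new `useAppArmor: true` value carries no comment, unlike the neighbouring `logLevel` setting, so a reader of values.yaml cannot tell when it should be turned off; a line above it such as `# Set to false on clusters whose nodes do not support AppArmor; the AppArmor annotations are then left out of the PodSecurityPolicies` would close that gap. The README row added in the first hunk describes the flag as an "Apparmor seccomp profile", but AppArmor and seccomp are distinct mechanisms and the templates toggle only the AppArmor annotations, so that cell should read "use AppArmor profile in PSP". The enclosing `global:` mapping starts before the hunk.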