From 94fc2b0845b51540905231855e2de47f39b151c8 Mon Sep 17 00:00:00 2001 From: Sam Cogan Date: Tue, 15 Oct 2019 22:27:06 +0100 Subject: [PATCH] Fixes for PSP Issues Adding missing "-psp" to cert-manager psp cluster role binding Create PSP, ClusterRole and ClusterRole binding for webhook service account Signed-off-by: Sam Cogan --- .../templates/psp-clusterrolebinding.yaml | 2 +- .../templates/webhook-psp-clusterrole.yaml | 17 +++++++ .../webhook-psp-clusterrolebinding.yaml | 19 ++++++++ .../cert-manager/templates/webhook-psp.yaml | 46 +++++++++++++++++++ 4 files changed, 83 insertions(+), 1 deletion(-) create mode 100644 deploy/charts/cert-manager/templates/webhook-psp-clusterrole.yaml create mode 100644 deploy/charts/cert-manager/templates/webhook-psp-clusterrolebinding.yaml create mode 100644 deploy/charts/cert-manager/templates/webhook-psp.yaml
diff --git a/deploy/charts/cert-manager/templates/psp-clusterrolebinding.yaml b/deploy/charts/cert-manager/templates/psp-clusterrolebinding.yaml
index 41bebf032..4690e24af 100644
--- a/deploy/charts/cert-manager/templates/psp-clusterrolebinding.yaml
+++ b/deploy/charts/cert-manager/templates/psp-clusterrolebinding.yaml
@@ -11,7 +11,7 @@ metadata:
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: {{ template "cert-manager.fullname" . }}
+ name: {{ template "cert-manager.fullname" . }}-psp
 subjects:
 - kind: ServiceAccount
 name: {{ include "cert-manager.fullname" . }}
diff --git a/deploy/charts/cert-manager/templates/webhook-psp-clusterrole.yaml b/deploy/charts/cert-manager/templates/webhook-psp-clusterrole.yaml
new file mode 100644
index 000000000..9a6acefc2
--- /dev/null
+++ b/deploy/charts/cert-manager/templates/webhook-psp-clusterrole.yaml
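Review bot: The corrected roleRef `name: {{ template "cert-manager.fullname" . }}-psp` only takes effect if the ClusterRole in psp-clusterrole.yaml is named with the same `-psp` suffix, and that template is not part of this patch. RBAC does not validate that a roleRef target exists, so a mismatched name is accepted silently and the controller pods would still be rejected by PSP admission with no error at install time. Worth confirming the name against that template and adding a chart render test that compares the ClusterRole and ClusterRoleBinding names. As a small style point, the new line uses `template` while the subject on the context line below uses `include`; `name: {{ include "cert-manager.fullname" . }}-psp` would keep the file uniform.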
@@ -0,0 +1,17 @@
+{{- if .Values.global.podSecurityPolicy.enabled }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ template "webhook.fullname" . }}-psp
+ labels:
+ app: {{ include "webhook.name" . }}
+ chart: {{ include "webhook.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+- apiGroups: ['policy']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames:
+ - {{ template "webhook.fullname" . }}
+{{- end }}
diff --git a/deploy/charts/cert-manager/templates/webhook-psp-clusterrolebinding.yaml b/deploy/charts/cert-manager/templates/webhook-psp-clusterrolebinding.yaml
new file mode 100644
index 000000000..4faa37f08
--- /dev/null
+++ b/deploy/charts/cert-manager/templates/webhook-psp-clusterrolebinding.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.global.podSecurityPolicy.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "webhook.fullname" . }}-psp
+ labels:
+ app: {{ include "webhook.name" . }}
+ chart: {{ include "webhook.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "webhook.fullname" . }}-psp
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "webhook.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/deploy/charts/cert-manager/templates/webhook-psp.yaml b/deploy/charts/cert-manager/templates/webhook-psp.yaml
new file mode 100644
index 000000000..59bec14ec
--- /dev/null
+++ b/deploy/charts/cert-manager/templates/webhook-psp.yaml
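Review bot: This new ClusterRole puts `kind: ClusterRole` before `apiVersion`, while the other two new templates in this patch (webhook-psp-clusterrolebinding.yaml and webhook-psp.yaml) and the existing psp-clusterrolebinding.yaml start with `apiVersion`; swapping the two lines keeps the chart's manifests uniform. The same three files also alternate between `{{ template "webhook.fullname" . }}` for names and `{{ include ... }}` for labels and subjects; picking `include` throughout (it is the pipeline-friendly form) would remove the mix. The `resourceNames` entry `{{ template "webhook.fullname" . }}` does match the PSP's `metadata.name` in webhook-psp.yaml, so the `use` grant targets the right policy; a short comment above `rules:` such as `# Grants "use" on the webhook PSP only; the cert-manager PSP is bound separately in psp-clusterrolebinding.yaml` would record that pairing for the next maintainer.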
@@ -0,0 +1,46 @@
+{{- if .Values.global.podSecurityPolicy.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ template "webhook.fullname" . }}
+ labels:
+ app: {{ include "webhook.name" . }}
+ chart: {{ include "webhook.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ annotation:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+ apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+ seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
+ apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
+spec:
+ privileged: false
+ allowPrivilegeEscalation: false
+ allowedCapabilities: [] # default set of capabilities are implicitly allowed
+ volumes:
+ - 'configMap'
+ - 'emptyDir'
+ - 'projected'
+ - 'secret'
+ - 'downwardAPI'
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1000
+ max: 1000
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1000
+ max: 1000
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1000
+ max: 1000
+{{- end }}
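Review bot: The key under `metadata` is `annotation:` but the ObjectMeta field is `annotations:`, so the four seccomp and AppArmor profile annotations never land on the created PodSecurityPolicy; the policy still admits the webhook pods but enforces no seccomp or AppArmor profile at all, and kubectl client-side validation may reject the manifest outright as an unknown field. The fix is the key name alone: `annotations:`. The `MustRunAs` 1000–1000 ranges on `runAsUser`, `supplementalGroups` and `fsGroup` assume the webhook Deployment sets matching securityContext values, which is not visible in this patch; if it does not, the webhook pods are rejected as soon as `podSecurityPolicy.enabled` is set, so that pairing should be checked and noted in a comment above `runAsUser:`. Because `allowedCapabilities: []` still leaves the runtime's default capability set (as the inline comment says), adding `requiredDropCapabilities: ['ALL']` would close that gap if the webhook needs no capabilities.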