From 3c4ebf017209396f85094eaeba7ec7c5fbf46a43 Mon Sep 17 00:00:00 2001
From: Phil Sphicas
Date: Sun, 1 Aug 2021 07:08:15 +0000
Subject: [PATCH] namespace-config: Grant access to existing PSP

This change updates the namespace-config chart to (optionally) create RBAC rules allowing service accounts in the namespace 'use' access to an existing Pod Security Policy in the cluster. The policy is specified as: podSecurityPolicy: existingPsp: name-of-existing-psp This aligns with the PSP deprecation guidance provided to date [0], which suggests easing the transition to the "PSP Replacement Policy" by establishing the standard PSPs (Restricted, Baseline, and Privileged), assigning a cluster-wide default, and binding more-permissive policies as needed in certain namespaces. [0] https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/ Change-Id: I46da230abf822e0cc3553561fd779444439c34a7
---
 namespace-config/Chart.yaml | 2 +-
 namespace-config/templates/psp-rbac.yaml | 29 ++++++++++++++++++++++++
 namespace-config/values.yaml | 6 +++++
 releasenotes/notes/namespace-config.yaml | 1 +
 4 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 namespace-config/templates/psp-rbac.yaml

diff --git a/namespace-config/Chart.yaml b/namespace-config/Chart.yaml
index 2e7e60b3d..f6da8d2e9 100644
--- a/namespace-config/Chart.yaml
+++ b/namespace-config/Chart.yaml
@@ -15,6 +15,6 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Namespace Config
 name: namespace-config
-version: 0.1.0
+version: 0.1.1
 home: https://kubernetes.io/docs/concepts/policy/limit-range/
 ...
diff --git a/namespace-config/templates/psp-rbac.yaml b/namespace-config/templates/psp-rbac.yaml
new file mode 100644
index 000000000..916a2c1c6
--- /dev/null
+++ b/namespace-config/templates/psp-rbac.yaml
@@ -0,0 +1,29 @@
+{{- if (not (empty .Values.podSecurityPolicy.existingPsp)) -}}
+{{- $name := printf "psp:%s:%s" .Release.Name .Values.podSecurityPolicy.existingPsp -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $name }}
+subjects:
+- kind: Group
+ name: system:serviceaccounts:{{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $name }}
+rules:
+- apiGroups:
+ - policy
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+ resourceNames:
+ - {{ .Values.podSecurityPolicy.existingPsp }}
+{{- end -}}
diff --git a/namespace-config/values.yaml b/namespace-config/values.yaml
index 1df4eb122..ae3311d81 100644
--- a/namespace-config/values.yaml
+++ b/namespace-config/values.yaml
@@ -24,4 +24,10 @@ limits:
 defaultRequest:
 cpu: 0.1
 memory: 64Mi
+
+podSecurityPolicy:
+ # Optionally specify the name of an existing pod security policy.
+ # If specified, a role and rolebinding will be created granting access for
+ # service accounts in this namespace to use existingPsp.
+ existingPsp: ""
 ...
diff --git a/releasenotes/notes/namespace-config.yaml b/releasenotes/notes/namespace-config.yaml
index deb05966e..42d525ee3 100644
--- a/releasenotes/notes/namespace-config.yaml
+++ b/releasenotes/notes/namespace-config.yaml
@@ -1,4 +1,5 @@
 ---
 namespace-config:
 - 0.1.0 Initial Chart
+ - 0.1.1 Grant access to existing PodSecurityPolicy
 ...
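Review bot: The PSP name is rendered unquoted into `resourceNames` on the last rule line of the Role, so a value that YAML types as something other than a string (an all-digit name, for instance) would render as a non-string and be rejected by the API server; render it as `- {{ .Values.podSecurityPolicy.existingPsp | quote }}`. The Group subject in the RoleBinding omits `apiGroup: rbac.authorization.k8s.io`; the API server should default it for Group subjects, but stating it explicitly matches the roleRef and does not rely on defaulting. Since the subject `system:serviceaccounts:{{ .Release.Namespace }}` covers every service account in the release namespace, including `default` and any created later, a header comment stating that scope would help reviewers of rendered manifests, e.g. `{{/* Grants every service account in the release namespace 'use' of the PSP named in .Values.podSecurityPolicy.existingPsp */}}`.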
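Review bot: The comment above `existingPsp` in values.yaml says access is granted to "service accounts in this namespace" but does not make clear that it is every service account, present and future, via the `system:serviceaccounts:<namespace>` group, which matters when the named PSP is more permissive than the cluster default. Suggest `# If specified, a Role and RoleBinding are created granting all service accounts in this namespace (the system:serviceaccounts:<namespace> group, including "default") 'use' of existingPsp.`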