Merge "Added podsecuritypolicy for serviceaccounts"
commit
b19c7f21c9
@ -1,4 +1,4 @@
|
|||||||
{{/*
|
{{- /*
|
||||||
Copyright 2018, AT&T Intellectual Property
|
Copyright 2018, AT&T Intellectual Property
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
@ -17,8 +17,9 @@ limitations under the License.
|
|||||||
{{- if .Values.manifests.podsecuritypolicy }}
|
{{- if .Values.manifests.podsecuritypolicy }}
|
||||||
{{- $envAll := . }}
|
{{- $envAll := . }}
|
||||||
|
|
||||||
{{/* Create one ClusterRole and PSP per PSP definition in values */}}
|
{{- /* Create one ClusterRole and PSP per PSP definition in values */}}
|
||||||
{{- range $pspName, $pspDetails := .Values.data }}
|
{{- range $pspName, $pspDetails := .Values.data }}
|
||||||
|
{{- if and $pspName $pspDetails }}
|
||||||
---
|
---
|
||||||
apiVersion: policy/v1beta1
|
apiVersion: policy/v1beta1
|
||||||
kind: PodSecurityPolicy
|
kind: PodSecurityPolicy
|
||||||
@ -46,19 +47,21 @@ rules:
|
|||||||
resourceNames:
|
resourceNames:
|
||||||
- {{ $pspName }}
|
- {{ $pspName }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
{{/* Configure ClusterRoles to bind to different subjects as defaults */}}
|
{{- /* Configure ClusterRoles to bind to different subjects as defaults */}}
|
||||||
|
{{- if .Values.conf.defaults }}
|
||||||
{{- range $rbacSubject, $defaultRole := .Values.conf.defaults }}
|
{{- range $rbacSubject, $defaultRole := .Values.conf.defaults }}
|
||||||
{{ if and $defaultRole (not (eq "nil" $defaultRole)) }}
|
{{- if and $defaultRole (not (eq "nil" $defaultRole)) }}
|
||||||
---
|
---
|
||||||
kind: ClusterRoleBinding
|
kind: ClusterRoleBinding
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
metadata:
|
metadata:
|
||||||
{{/* NOTE: the role name is included in the name of the binding below
|
{{- /* NOTE: the role name is included in the name of the binding below
|
||||||
for the sake of chart upgrades. The roleRef for a binding is immutable,
|
for the sake of chart upgrades. The roleRef for a binding is immutable,
|
||||||
so if the the defaultRole changes, we need a different binding to
|
so if the the defaultRole changes, we need a different binding to
|
||||||
reflect that. This issue was only sporadic! */}}
|
reflect that. This issue was only sporadic! */}}
|
||||||
name: psp-binding-for-{{- $rbacSubject -}}-{{- $defaultRole }}
|
name: psp-binding-for-{{- $rbacSubject | replace ":" "-" -}}-{{- $defaultRole }}
|
||||||
labels:
|
labels:
|
||||||
{{ tuple $envAll "podsecuritypolicy" "policy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
{{ tuple $envAll "podsecuritypolicy" "policy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||||
roleRef:
|
roleRef:
|
||||||
@ -72,3 +75,32 @@ subjects:
|
|||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- /* Configure ClusterRoles to bind to non-default subjects */}}
|
||||||
|
{{- if .Values.conf.serviceaccounts }}
|
||||||
|
{{- range $rbacSubject, $rbacRole := .Values.conf.serviceaccounts }}
|
||||||
|
{{- if and $rbacSubject (not (eq "nil" $rbacRole)) }}
|
||||||
|
{{- $subjectName := ( $rbacSubject | split ":" )._1 | default "default" }}
|
||||||
|
{{- $subjectNamespace := ($rbacSubject | split ":" )._0 }}
|
||||||
|
---
|
||||||
|
apiVersion: "rbac.authorization.k8s.io/v1"
|
||||||
|
kind: "ClusterRoleBinding"
|
||||||
|
metadata:
|
||||||
|
{{- /* NOTE: the role name is included in the name of the binding below
|
||||||
|
for the sake of chart upgrades. The roleRef for a binding is immutable,
|
||||||
|
so if the the defaultRole changes, we need a different binding to
|
||||||
|
reflect that. This issue was only sporadic! */}}
|
||||||
|
name: psp-binding-for-{{- $subjectNamespace -}}-{{- $subjectName -}}-{{- $rbacRole }}
|
||||||
|
labels:
|
||||||
|
{{ tuple $envAll "podsecuritypolicy" "policy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||||
|
roleRef:
|
||||||
|
kind: "ClusterRole"
|
||||||
|
name: {{ $rbacRole | quote }}
|
||||||
|
apiGroup: "rbac.authorization.k8s.io"
|
||||||
|
subjects:
|
||||||
|
- kind: "ServiceAccount"
|
||||||
|
name: {{ $subjectName | quote }}
|
||||||
|
namespace: {{ $subjectNamespace| quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
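Review bot: The guard `{{- if and $rbacSubject (not (eq "nil" $rbacRole)) }}` in the new serviceaccounts loop never checks that `$rbacRole` itself is set, unlike the defaults loop's `{{- if and $defaultRole (not (eq "nil" $defaultRole)) }}` just above it; an entry such as `ns:sa:` with an empty value either fails the `eq` comparison at render time or emits a ClusterRoleBinding whose `roleRef.name` is empty. Mirror the defaults check: `{{- if and $rbacSubject $rbacRole (not (eq "nil" $rbacRole)) }}`. Separately, `( $rbacSubject | split ":" )._1 | default "default"` means a key with no colon silently binds the namespace's `default` ServiceAccount, which every pod without an explicit serviceAccountName runs as, so a typo in the key widens the grant to the whole namespace, and a key with more than one colon is truncated to its first two fields. Consider requiring the `namespace:name` form, e.g. `{{- if not (hasKey ($rbacSubject | split ":") "_1") }}{{ fail (printf "conf.serviceaccounts key %q must be namespace:name" $rbacSubject) }}{{- end }}`, and stating in the header comment that each entry produces a cluster-scoped binding to the named ClusterRole rather than a namespaced one.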
@ -13,6 +13,18 @@
|
|||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
conf:
|
conf:
|
||||||
|
# The keys under serviceaccounts define specific serviceaccounts, for
|
||||||
|
# which this tempalte creates clusterRoleBindigs to bind the serviceaccounts
|
||||||
|
# to the clusterRole. The cluserRole names are defined by the value for
|
||||||
|
# each each key.
|
||||||
|
# Each clusterRoles uses a podSecurityPolicy with the same name, defined
|
||||||
|
# in the data section below.
|
||||||
|
# Kubernetes controllers use the podSecurityPolicy, bound to the serviceaccount,
|
||||||
|
# assigned to a pod, to assess if it is allowed to create the pod and its
|
||||||
|
# listed containers with the securityContexts defined in thier specs.
|
||||||
|
serviceaccounts: {}
|
||||||
|
# namespace-1:service-account-1: psp-all-permissive
|
||||||
|
|
||||||
# This defines creation of ClusterRoleBindings that configure
|
# This defines creation of ClusterRoleBindings that configure
|
||||||
# default PodSecurityPolicies for the subjects below.
|
# default PodSecurityPolicies for the subjects below.
|
||||||
# `nil` avoids creation of a default binding for the subject.
|
# `nil` avoids creation of a default binding for the subject.
|
||||||
|
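Review bot: The new comment block above `serviceaccounts: {}` carries several typos that will be copied into every deployment's values file — `tempalte`, `clusterRoleBindigs`, `cluserRole`, `each each key`, `thier` — and `Kubernetes controllers use the podSecurityPolicy` is imprecise, since it is the PodSecurityPolicy admission controller that checks which policies the pod's ServiceAccount (or the requesting user) is allowed to use. Suggested rewrite of the opening sentences: `# Each key under serviceaccounts names a ServiceAccount as namespace:name; this template creates a ClusterRoleBinding from that ServiceAccount to the ClusterRole named by the value, which in turn allows use of the PodSecurityPolicy of the same name from the data section below.` The example `# namespace-1:service-account-1: psp-all-permissive` appears, judging by the policy name, to bind a ServiceAccount to the least restrictive policy; a caveat next to it that such a binding lets any pod running as that ServiceAccount (and anyone permitted to create pods with it) bypass whatever default policy the conf.defaults bindings grant would help operators treat these entries as privilege grants.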