diff --git a/podsecuritypolicy/.helmignore b/podsecuritypolicy/.helmignore
new file mode 100644
index 000000000..8fdbe6895
--- /dev/null
+++ b/podsecuritypolicy/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.pyc
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/podsecuritypolicy/Chart.yaml b/podsecuritypolicy/Chart.yaml
new file mode 100644
index 000000000..ecf2c3715
--- /dev/null
+++ b/podsecuritypolicy/Chart.yaml
@@ -0,0 +1,21 @@
+# Copyright 2018, AT&T Intellectual Property
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+description: OpenStack-Helm PodSecurityPolicy Chart
+name: podsecuritypolicy
+version: 0.1.0
+home: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+maintainers:
+ - name: OpenStack-Helm Authors
diff --git a/podsecuritypolicy/requirements.yaml b/podsecuritypolicy/requirements.yaml
new file mode 100644
index 000000000..443fcd66c
--- /dev/null
+++ b/podsecuritypolicy/requirements.yaml
@@ -0,0 +1,18 @@
+# Copyright 2018, AT&T Intellectual Property
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+ - name: helm-toolkit
+ repository: http://localhost:8879/charts
+ version: 0.1.0
diff --git a/podsecuritypolicy/templates/podsecuritypolicy.yaml b/podsecuritypolicy/templates/podsecuritypolicy.yaml
new file mode 100644
index 000000000..46d1cd24f
--- /dev/null
+++ b/podsecuritypolicy/templates/podsecuritypolicy.yaml
@@ -0,0 +1,70 @@
+{{/*
+Copyright 2018, AT&T Intellectual Property
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.podsecuritypolicy }}
+{{- $envAll := . }}
+
+{{/* Create one ClusterRole and PSP per PSP definition in values */}}
+{{- range $pspName, $pspDetails := .Values.data }}
+---
+apiVersion: extensions/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ $pspName }}
+ labels:
+{{ tuple $envAll "podsecuritypolicy" "policy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+{{ toYaml $pspDetails | indent 2 }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ $pspName }}
+ labels:
+{{ tuple $envAll "podsecuritypolicy" "policy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+rules:
+- apiGroups: ['policy']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames:
+ - {{ $pspName }}
+{{- end }}
+
+{{/* Configure ClusterRoles to bind to different subjects as defaults */}}
+{{- range $rbacSubject, $defaultRole := .Values.conf.defaults }}
+{{ if and $defaultRole (not (eq "nil" $defaultRole)) }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+{{/* NOTE: the role name is included in the name of the binding below
+ for the sake of chart upgrades. The roleRef for a binding is immutable,
+ so if the the defaultRole changes, we need a different binding to
+ reflect that. This issue was only sporadic! 
*/}}
+ name: psp-binding-for-{{- $rbacSubject -}}-{{- $defaultRole }}
+ labels:
+{{ tuple $envAll "podsecuritypolicy" "policy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+roleRef:
+ kind: ClusterRole
+ name: {{ $defaultRole }}
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: Group
+ name: system:{{- $rbacSubject }}
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/podsecuritypolicy/values.yaml b/podsecuritypolicy/values.yaml
new file mode 100644
index 000000000..355000f5f
--- /dev/null
+++ b/podsecuritypolicy/values.yaml
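Review bot: `apiVersion: extensions/v1beta1` on the PodSecurityPolicy does not match the ClusterRole a few lines below it, which grants `use` under `apiGroups: ['policy']`, so the same resource is addressed through two API groups inside one template. The PSP admission plugin checks `use` against the `policy` group (and, in releases of that era, also `extensions`), so the rule should still authorize correctly, but `extensions/v1beta1` is the deprecated location for PSPs; `apiVersion: policy/v1beta1` keeps the object and the rule on the same group. The opt-out test `{{ if and $defaultRole (not (eq "nil" $defaultRole)) }}` depends on `nil` arriving as a plain string from values (YAML only treats `null`/`~` as null, which would instead fall to the leading `$defaultRole` truth test); a comment above it such as `{{/* "nil" is the documented opt-out sentinel in conf.defaults; keep it a string */}}` would stop a later cleanup from turning it into a YAML null. Note also that this `{{ if` is not whitespace-trimmed like the surrounding `{{-` directives, which leaves a stray blank line per binding in the rendered output.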
@@ -0,0 +1,57 @@
+# Copyright 2018, AT&T Intellectual Property
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+conf:
+ # This defines creation of ClusterRoleBindings that configure
+ # default PodSecurityPolicies for the subjects below.
+ # `nil` avoids creation of a default binding for the subject.
+ #
+ defaults:
+ serviceaccounts: psp-default
+ authenticated: psp-default
+ unauthenticated: nil
+
+data:
+ # Each of these corresponds to the `spec` of a PodSecurityPolicy object.
+ # Note that this default PodSecurityPolicy is incredibly permissive. It is
+ # intended to be tuned over time as a default, and to be overridden by
+ # operators as appropriate.
+ #
+ # A ClusterRole will be created for the PSP, with the same `metadata.name`.
+ #
+ # Note: you can define as many PSPs here as you need.
+ #
+ psp-default: # This will be the `metadata.name` of the PodSecurityPolicy
+ privileged: true
+ allowPrivilegeEscalation: true
+ hostNetwork: true
+ hostPID: true
+ hostIPC: true
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ runAsUser:
+ rule: RunAsAny
+ fsGroup:
+ rule: RunAsAny
+ volumes:
+ - '*'
+ allowedCapabilities:
+ - '*'
+ hostPorts:
+ - min: 1
+ max: 65536
+manifests:
+ podsecuritypolicy: true
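Review bot: The comment above `defaults:` explains the `nil` opt-out but not how the keys and values are consumed: the template turns each key into the group `system:<key>` as the binding subject, and each value must be a key under `data`, because the ClusterRole it references gets that name. Suggest adding, next to the existing `nil` line, `# Keys are group names without the "system:" prefix (serviceaccounts -> system:serviceaccounts); values must name a PSP defined under data.` Separately, `hostPorts` ends at `max: 65536`, one past the highest port number; if the apiserver accepts it nothing breaks, but `max: 65535` states the intended bound. With `privileged`, `hostPID`, `hostIPC`, `hostNetwork` and `allowedCapabilities: ['*']` all granted to `system:authenticated` and `system:serviceaccounts` by default, the "incredibly permissive" comment could say outright that this default makes PSP admission a no-op until `data` is overridden, so that installing the chart is not mistaken for hardening.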