
helm: Added Pod Security Policy #443

Merged
merged 2 commits into from
Apr 15, 2021

Conversation

pierluigilenoci
Contributor

Reason for Change:
We want to deploy secrets-store-csi-driver-provider-azure successfully in a k8s cluster with a restricted pod security policy enabled.

Requirements

  • squashed commits
  • included documentation
  • added unit tests and e2e tests (if applicable).

Issue Fixed:
Fixes #404

Does this change contain code from or inspired by another project?

  • Yes
  • No

Special Notes for Reviewers:

This is inspired by @mo-saeed code from #404

@pierluigilenoci pierluigilenoci marked this pull request as ready for review March 15, 2021 14:24
@codecov-io

Codecov Report

Merging #443 (ed0e949) into master (e1071ff) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master     #443   +/-   ##
=======================================
  Coverage   64.03%   64.03%           
=======================================
  Files           7        7           
  Lines         506      506           
=======================================
  Hits          324      324           
  Misses        148      148           
  Partials       34       34           

@pierluigilenoci
Contributor Author

@aramase @sozercan can we push this forward? What is needed to do that?

@@ -0,0 +1,23 @@
{{- if .Values.rbac.pspEnabled }}
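Review bot: everything this template renders hangs on `.Values.rbac.pspEnabled`, so `values.yaml` should carry that key with an explicit default and the chart README should document it, which the PR checklist (included documentation) asks for. The Role and RoleBinding that grant `use` on this policy belong under the same `{{- if .Values.rbac.pspEnabled }}` guard, otherwise a chart installed with the flag off renders RBAC for a policy that does not exist. One style point: the key lives under `rbac` while the object is a `policy/v1beta1` PodSecurityPolicy; a name such as `podSecurityPolicy.enabled` would say what it toggles.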
Member

```yaml
{{- if .Values.rbac.pspEnabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: {{ template "sscdpa.psp.fullname" . }}
spec:
  hostNetwork: true
  seLinux:
    rule: RunAsAny
  privileged: {{ .Values.linux.privileged }}
  volumes:
    - hostPath
    - secret
  hostPorts:
    - min: 0
      max: 65535
  fsGroup:
    ranges:
    - max: 65535
      min: 1
    rule: MustRunAs
  runAsUser:
    rule: RunAsAny
  supplementalGroups:
    ranges:
    - max: 65535
      min: 1
    rule: MustRunAs
{{- end }}
```

Member

Also, please include the default labels in the PodSecurityPolicy, Role and RoleBinding

Member

@sozercan Apart from the allowedHostPaths, the rest of the spec is very similar here. Imposing the different host paths can get tedious if users want to mount a custom env file or more. WDYT?

Also, that file seems to be a little outdated. We should update it in a follow up PR.
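The quoted policy and the allowedHostPaths exchange above make it worth checking what the policy actually admits. The Go program below is an added example written for this page, not code from this PR or from the secrets-store-csi-driver-provider-azure project: it models the constraining fields of the quoted PodSecurityPolicy, applies the MustRunAs defaulting that PSP admission performs, and evaluates a constructed pod shaped like a provider DaemonSet pod against it, then against the same policy tightened with `allowedHostPaths`. `ChartPSP`, `ProviderPod`, `Admit`, the socket-directory path and the env-file path are all assumptions made here, and `.Values.linux.privileged` is taken as true.

```go
package main

import (
	"fmt"
	"strings"
)

// IDRange is one min/max pair from a PSP fsGroup rule.
type IDRange struct{ Min, Max int64 }

// PSP keeps the fields of the quoted policy that constrain a pod, plus allowedHostPaths from the
// review discussion. runAsUser RunAsAny and hostPorts 0-65535 constrain nothing and are omitted;
// supplementalGroups follows exactly the fsGroup logic below and is omitted for brevity.
type PSP struct {
	HostNetwork, Privileged bool
	Volumes                 []string  // allowed volume plugin names
	FSGroup                 []IDRange // rule MustRunAs: at least one range
	AllowedHostPaths        []string  // pathPrefix list; empty means any host path
}

// Pod is the subset of a pod spec the policy inspects; Privileged is true if any container asks for it.
type Volume struct{ Name, Type, HostPath string }
type Pod struct {
	HostNetwork, Privileged bool
	FSGroup                 *int64
	Volumes                 []Volume
}

func inRanges(id int64, rs []IDRange) bool {
	for _, r := range rs {
		if id >= r.Min && id <= r.Max {
			return true
		}
	}
	return false
}

// underPrefix follows PSP pathPrefix matching: "/foo" admits "/foo" and "/foo/bar", not "/food".
func underPrefix(path string, prefixes []string) bool {
	for _, p := range prefixes {
		p = strings.TrimSuffix(p, "/")
		if path == p || strings.HasPrefix(path, p+"/") {
			return true
		}
	}
	return false
}

// Admit applies the MustRunAs default the way PSP admission does (an unset fsGroup becomes
// the first range's min), validates the pod and returns the mutated pod with all violations.
func Admit(p PSP, pod Pod) (Pod, []string) {
	var v []string
	if pod.HostNetwork && !p.HostNetwork {
		v = append(v, "hostNetwork is not allowed")
	}
	if pod.Privileged && !p.Privileged {
		v = append(v, "privileged containers are not allowed")
	}
	allowed := map[string]bool{}
	for _, t := range p.Volumes {
		allowed[t] = true
	}
	for _, vol := range pod.Volumes {
		switch {
		case !allowed[vol.Type]:
			v = append(v, fmt.Sprintf("volume %q: type %s not in psp.volumes", vol.Name, vol.Type))
		case vol.Type == "hostPath" && len(p.AllowedHostPaths) > 0 && !underPrefix(vol.HostPath, p.AllowedHostPaths):
			v = append(v, fmt.Sprintf("volume %q: %s not under allowedHostPaths", vol.Name, vol.HostPath))
		}
	}
	if pod.FSGroup == nil {
		pod.FSGroup = &p.FSGroup[0].Min
	}
	if !inRanges(*pod.FSGroup, p.FSGroup) {
		v = append(v, fmt.Sprintf("fsGroup %d outside MustRunAs ranges", *pod.FSGroup))
	}
	return pod, v
}

// ChartPSP mirrors the quoted policy with .Values.linux.privileged taken as true (an assumption).
func ChartPSP() PSP {
	return PSP{HostNetwork: true, Privileged: true, Volumes: []string{"hostPath", "secret"}, FSGroup: []IDRange{{1, 65535}}}
}

// ProviderPod is a constructed pod shaped like a provider DaemonSet pod (host network, privileged,
// hostPath socket dir with an illustrative path, secret volume) that does not set fsGroup.
func ProviderPod() Pod {
	return Pod{HostNetwork: true, Privileged: true, Volumes: []Volume{
		{Name: "providers-dir", Type: "hostPath", HostPath: "/etc/kubernetes/secrets-store-csi-providers"},
		{Name: "tls", Type: "secret"}}}
}

func main() {
	pod, v := Admit(ChartPSP(), ProviderPod())
	fmt.Println("chart PSP:", v, "fsGroup defaulted to", *pod.FSGroup)
	// allowedHostPaths rejects a hostPath a user adds, e.g. a custom env file, unless that prefix is listed too.
	strict := ChartPSP()
	strict.AllowedHostPaths = []string{"/etc/kubernetes/secrets-store-csi-providers"}
	custom := ProviderPod()
	custom.Volumes = append(custom.Volumes, Volume{Name: "env", Type: "hostPath", HostPath: "/etc/custom/provider.env"})
	_, v = Admit(strict, custom)
	fmt.Println("strict PSP:", v)
}
```

Two things fall out that the chart YAML alone does not show: with `MustRunAs` and a range starting at 1, a pod that sets no `fsGroup` is admitted with `fsGroup: 1` while `fsGroup: 0` is rejected, and once `allowedHostPaths` is introduced every host path a user adds, such as a custom env file, must be listed in the policy as well, which is the tedium raised in the review.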

Member

Sounds good. We can have a follow-up to address that.

Member

Opened #479 to track the change.

Member

@aramase aramase left a comment

@pierluigilenoci Added comments. PTAL and also rebase the PR when you get a chance.

@pierluigilenoci
Contributor Author

@aramase sorry it took me a while but last week I just couldn't. 👍🏻

@aramase aramase added this to the 0.0.15 milestone Apr 12, 2021
@aramase aramase changed the title Added Pod Security Policy helm: Added Pod Security Policy Apr 12, 2021
@aramase aramase merged commit 5fed2b9 into Azure:master Apr 15, 2021
@pierluigilenoci pierluigilenoci deleted the podsecuritypolicy branch April 16, 2021 07:00

Successfully merging this pull request may close these issues.

Add pod security policy to the helm chart