diff --git a/deploy/kubernetes/console/README.md b/deploy/kubernetes/console/README.md index 01aaa8df64..ad042ec99f 100644 --- a/deploy/kubernetes/console/README.md +++ b/deploy/kubernetes/console/README.md @@ -124,6 +124,10 @@ The following table lists the configurable parameters of the Stratos Helm chart |console.nodeSelector|Node selectors to use for the console Pod|| |mariadb.nodeSelector|Node selectors to use for the database Pod|| |configInit.nodeSelector|Node selectors to use for the configuration Pod|| +|console.pspEnabled|Enable Pod Security Policies. Set this to true if you cluster is configured with PSPs enabled|false| +|console.pspName|Name of an existing Pod Security Policy to use instead of the one created by the chart when PSPs are enabled|| +|console.pspAnnotations|Annotations to be added to all pod security policy resources|| +|console.pspExtraLabels|Additional labels to be added to all pod security policy resources|| ## Accessing the Console diff --git a/deploy/kubernetes/console/templates/analyzers.yaml b/deploy/kubernetes/console/templates/analyzers.yaml index 963f0dbc42..2f722d4083 100644 --- a/deploy/kubernetes/console/templates/analyzers.yaml +++ b/deploy/kubernetes/console/templates/analyzers.yaml @@ -63,6 +63,9 @@ spec: imagePullSecrets: - name: {{.Values.dockerRegistrySecret}} {{- end }} + {{- if and (eq (printf "%s" .Values.kube.auth) "rbac") (.Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1") }} + serviceAccountName: "stratos" + {{- end }} {{- if not .Values.console.reportsVolumeDisabled }} volumes: - name: data diff --git a/deploy/kubernetes/console/templates/config-init.yaml b/deploy/kubernetes/console/templates/config-init.yaml index 6ed17f1e88..3a0f788d7d 100644 --- a/deploy/kubernetes/console/templates/config-init.yaml +++ b/deploy/kubernetes/console/templates/config-init.yaml 
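Review bot: The new `serviceAccountName: "stratos"` in analyzers.yaml is gated only on `kube.auth` being rbac, whereas the equivalent line added to database.yaml is additionally gated on `.Values.console.pspEnabled`; if that asymmetry is deliberate it deserves a comment, because it moves the analyzers pod onto the `stratos` account (and every rule bound to it, not only the new PSP `use` rule) even on deployments that never enable PSPs. If the account is only needed to satisfy PSP admission, aligning the condition with database.yaml, `{{- if and (eq (printf "%s" .Values.kube.auth) "rbac") (.Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1") (.Values.console.pspEnabled) }}`, keeps the analyzers pod on the default account otherwise. The enclosing pod spec continues past the end of the hunk.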
@@ -26,6 +26,16 @@ metadata: app.kubernetes.io/version: "{{ .Chart.AppVersion }}" helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" rules: +{{- if .Values.console.pspEnabled }} +- apiGroups: + - extensions + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ default (printf "%s-psp" .Release.Name) .Values.console.pspName }} +{{- end }} - apiGroups: - "" resources: diff --git a/deploy/kubernetes/console/templates/database.yaml b/deploy/kubernetes/console/templates/database.yaml index 5f64b162a7..c62f5466e1 100644 --- a/deploy/kubernetes/console/templates/database.yaml +++ b/deploy/kubernetes/console/templates/database.yaml 
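Review bot: The `use` rule added to the config-init Role names only the `extensions` API group, but the PodSecurityPolicy this chart creates in psp.yaml is declared as `policy/v1beta1`; on clusters that no longer serve PSPs from `extensions`, the admission check is made against the `policy` group and this rule will not match, so the pod is rejected. Granting on both groups covers old and new clusters: `- apiGroups:` / `  - extensions` / `  - policy`. The identical rule is added to the new `stratos-db-role` in database.yaml and to the Role in service-account.yaml and needs the same change in all three places. The `rules:` list of this Role continues outside the hunk.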
@@ -1,5 +1,63 @@ {{- if not .Values.mariadb.external }} --- +# Service account "stratos-db" for the database, if needed +{{- if and (eq (printf "%s" .Values.kube.auth) "rbac") (.Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1") (.Values.console.pspEnabled) }} +apiVersion: "v1" +kind: "ServiceAccount" +metadata: + name: "stratos-db" + labels: + app.kubernetes.io/component: "stratos-db" + app.kubernetes.io/instance: "{{ .Release.Name }}" + app.kubernetes.io/name: "stratos" + app.kubernetes.io/version: "{{ .Chart.AppVersion }}" + helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" +{{- end }} +--- +# Role "stratos-db-role" only used by account "[- stratos-db]" +{{- if and (eq (printf "%s" .Values.kube.auth) "rbac") (.Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1") (.Values.console.pspEnabled) }} +apiVersion: "rbac.authorization.k8s.io/v1" +kind: "Role" +metadata: + name: "stratos-db-role" + labels: + app.kubernetes.io/component: "stratos-db-role" + app.kubernetes.io/instance: "{{ .Release.Name }}" + app.kubernetes.io/name: "stratos" + app.kubernetes.io/version: "{{ .Chart.AppVersion }}" + helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" +rules: +- apiGroups: + - extensions + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ default (printf "%s-psp" .Release.Name) .Values.console.pspName }} +{{- end }} +--- +# Role binding for service account "stratos-db" and role "stratos-db-role" +{{- if and (eq (printf "%s" .Values.kube.auth) "rbac") (.Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1") (.Values.console.pspEnabled) }} +apiVersion: "rbac.authorization.k8s.io/v1" +kind: "RoleBinding" +metadata: + name: "stratos-db-role-binding" + labels: + app.kubernetes.io/component: "stratos-db-role-binding" + app.kubernetes.io/instance: "{{ .Release.Name }}" + app.kubernetes.io/name: "stratos" + app.kubernetes.io/version: "{{ .Chart.AppVersion }}" + helm.sh/chart: "{{ 
.Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" +subjects: +- kind: "ServiceAccount" + name: "stratos-db" +roleRef: + apiGroup: "rbac.authorization.k8s.io" + kind: "Role" + name: "stratos-db-role" +{{- end }} +--- {{- if semverCompare ">=1.16" (printf "%s.%s" .Capabilities.KubeVersion.Major (trimSuffix "+" .Capabilities.KubeVersion.Minor) )}} apiVersion: apps/v1 {{- else }} @@ -107,6 +165,9 @@ spec: imagePullSecrets: - name: {{.Values.dockerRegistrySecret}} {{- end }} + {{- if and (eq (printf "%s" .Values.kube.auth) "rbac") (.Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1") (.Values.console.pspEnabled) }} + serviceAccountName: "stratos-db" + {{- end }} volumes: - name: data {{- if .Values.mariadb.persistence.enabled }} diff --git a/deploy/kubernetes/console/templates/psp.yaml b/deploy/kubernetes/console/templates/psp.yaml new file mode 100644 index 0000000000..2910521ba0 --- /dev/null +++ b/deploy/kubernetes/console/templates/psp.yaml 
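Review bot: The `RoleBinding` subject `- kind: "ServiceAccount"` / `  name: "stratos-db"` carries no `namespace:`; as far as I recall API validation requires a namespace on ServiceAccount subjects, so adding `  namespace: {{ .Release.Namespace }}` (or matching whatever the existing `stratos` binding does) avoids a rejected manifest — worth confirming against the chart's current RoleBinding. The Role's header comment, `Role "stratos-db-role" only used by account "[- stratos-db]"`, looks like a copy-paste artifact and reads better as `# Role "stratos-db-role", only used by service account "stratos-db"`. The same three-term condition is repeated verbatim on each of the three new documents; a single `{{- if }}` around all three, or a named template, would remove the duplication.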
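Review bot: When `console.pspEnabled` is true but `kube.auth` is not `rbac`, the new `serviceAccountName: "stratos-db"` is omitted and no account, Role or binding is rendered, so the database pod stays on the namespace's default service account and PSP admission will refuse it unless that account has been granted `use` out of band. Either fail at render time, e.g. `{{- if and .Values.console.pspEnabled (ne (printf "%s" .Values.kube.auth) "rbac") }}{{ fail "console.pspEnabled requires kube.auth=rbac" }}{{- end }}`, or document the dependency next to the value. The workload spec this hunk sits in starts and ends outside the hunk.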
@@ -0,0 +1,45 @@ +{{- if and .Values.console.pspEnabled (not .Values.console.pspName) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ .Release.Name }}-psp +{{- if .Values.console.pspAnnotations }} + annotations: +{{ toYaml .Values.console.pspAnnotations | indent 4 }} +{{- end }} + labels: + app.kubernetes.io/name: "stratos" + app.kubernetes.io/instance: "{{ .Release.Name }}" + app.kubernetes.io/version: "{{ .Chart.AppVersion }}" + app.kubernetes.io/component: "console-psp" + helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" +{{- if .Values.console.pspExtraLabels }} +{{ toYaml .Values.console.pspExtraLabels | indent 4 }} +{{- end }} +spec: + privileged: false + allowPrivilegeEscalation: false + allowedCapabilities: + - '*' + volumes: + - 'configMap' + - 'downwardAPI' + - 'emptyDir' + - 'persistentVolumeClaim' + - 'secret' + - 'projected' + hostNetwork: false + hostPID: false + hostIPC: false + runAsUser: + rule: 'RunAsAny' + runAsGroup: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} \ No newline at end of file diff --git a/deploy/kubernetes/console/templates/service-account.yaml b/deploy/kubernetes/console/templates/service-account.yaml index d8ef0e07d7..bdf6565de2 100644 --- a/deploy/kubernetes/console/templates/service-account.yaml +++ b/deploy/kubernetes/console/templates/service-account.yaml @@ -25,6 +25,16 @@ metadata: app.kubernetes.io/version: "{{ .Chart.AppVersion }}" helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" rules: +{{- if .Values.console.pspEnabled }} +- apiGroups: + - extensions + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ default (printf "%s-psp" .Release.Name) .Values.console.pspName }} +{{- end }} - apiGroups: - "" resources: 
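Review bot: `allowedCapabilities:` / `- '*'` lets any pod admitted under this policy request every Linux capability via `securityContext.capabilities.add`, including ones that undo most of what `privileged: false` buys; together with `runAsUser: RunAsAny` the policy then constrains little beyond host namespaces and volume types. If the console, config-init and database images do not actually need added capabilities (I cannot tell from this hunk), replace the wildcard with the specific capabilities required, or drop `allowedCapabilities` and add `requiredDropCapabilities:` / `- ALL`. Separately, the file lacks a trailing newline (`\ No newline at end of file`), and a one-line comment above `apiVersion: policy/v1beta1` noting that PodSecurityPolicy is deprecated and removed from Kubernetes 1.25 would warn maintainers that this template has a limited shelf life.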
diff --git a/deploy/kubernetes/console/values.yaml b/deploy/kubernetes/console/values.yaml index 3a9f647bff..5c7b537ede 100644 --- a/deploy/kubernetes/console/values.yaml +++ b/deploy/kubernetes/console/values.yaml @@ -110,6 +110,18 @@ console: # Extra labels to apply to Pods podExtraLabels: {} + # Whether PodSecurityPolicy is enabled + pspEnabled: false + + # Optional name of a PodSecurityPolicy to use - if not specified, a default will be created + pspName: + + # Custom annotations to apply to Pod Security Policies + pspAnnotations: {} + + # Extra labels to apply to Pod Security Policies + pspExtraLabels: {} + # Node Selector for console Pod nodeSelector: {}
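Review bot: The comment on `pspEnabled` should state the prerequisites the templates enforce: the accounts and `use` rules are only rendered when `kube.auth` is `rbac` and the API reports `rbac.authorization.k8s.io/v1`, and the chart-managed policy is created only when `pspName` is empty. Suggested wording: `# Whether PodSecurityPolicy support is enabled. Requires kube.auth=rbac; a chart-managed PSP is created unless pspName is set`. `pspName:` with no value renders as null, which `default` handles, but `pspName: ""` makes the intent explicit to readers of the file.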