Fix for issue where you can't deploy via Helm to a cluster with PSP enabled

deploy/kubernetes/console/README.md

@@ -124,6 +124,10 @@ The following table lists the configurable parameters of the Stratos Helm chart
 |console.nodeSelector|Node selectors to use for the console Pod||
 |mariadb.nodeSelector|Node selectors to use for the database Pod||
 |configInit.nodeSelector|Node selectors to use for the configuration Pod||
+|console.pspEnabled|Enable Pod Security Policies. Set this to true if you cluster is configured with PSPs enabled|false|
+|console.pspName|Name of an existing Pod Security Policy to use instead of the one created by the chart when PSPs are enabled||
+|console.pspAnnotations|Annotations to be added to all pod security policy resources||
+|console.pspExtraLabels|Additional labels to be added to all pod security policy resources||
 
 ## Accessing the Console
 

deploy/kubernetes/console/templates/analyzers.yaml

@@ -63,6 +63,9 @@ spec:
       imagePullSecrets:
       - name: {{.Values.dockerRegistrySecret}}
       {{- end }}
+      {{- if and (eq (printf "%s" .Values.kube.auth) "rbac") (.Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1") }}
+      serviceAccountName: "stratos"
+      {{- end }}
       {{- if not .Values.console.reportsVolumeDisabled }}
       volumes:
       - name: data

deploy/kubernetes/console/templates/config-init.yaml

@@ -26,6 +26,16 @@ metadata:
     app.kubernetes.io/version: "{{ .Chart.AppVersion }}"
     helm.sh/chart:  "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
 rules:
+{{- if .Values.console.pspEnabled }}
+- apiGroups:
+  - extensions
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+  resourceNames:
+  - {{ default (printf "%s-psp" .Release.Name) .Values.console.pspName }}
+{{- end }}  
 - apiGroups:
   - ""
   resources:

deploy/kubernetes/console/templates/database.yaml

@@ -1,5 +1,63 @@
 {{- if not .Values.mariadb.external }}
 ---
+# Service account "stratos-db" for the database, if needed
+{{- if and (eq (printf "%s" .Values.kube.auth) "rbac") (.Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1") (.Values.console.pspEnabled) }}
+apiVersion: "v1"
+kind: "ServiceAccount"
+metadata:
+  name: "stratos-db"
+  labels:
+    app.kubernetes.io/component: "stratos-db"
+    app.kubernetes.io/instance: "{{ .Release.Name }}"
+    app.kubernetes.io/name: "stratos"
+    app.kubernetes.io/version: "{{ .Chart.AppVersion }}"
+    helm.sh/chart:  "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+{{- end }}
+---
+# Role "stratos-db-role" only used by account "[- stratos-db]"
+{{- if and (eq (printf "%s" .Values.kube.auth) "rbac") (.Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1") (.Values.console.pspEnabled) }}
+apiVersion: "rbac.authorization.k8s.io/v1"
+kind: "Role"
+metadata:
+  name: "stratos-db-role"
+  labels:
+    app.kubernetes.io/component: "stratos-db-role"
+    app.kubernetes.io/instance: "{{ .Release.Name }}"
+    app.kubernetes.io/name: "stratos"
+    app.kubernetes.io/version: "{{ .Chart.AppVersion }}"
+    helm.sh/chart:  "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+rules:
+- apiGroups:
+  - extensions
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+  resourceNames:
+  - {{ default (printf "%s-psp" .Release.Name) .Values.console.pspName }}
+{{- end }}
+---
+# Role binding for service account "stratos-db" and role "stratos-db-role"
+{{- if and (eq (printf "%s" .Values.kube.auth) "rbac") (.Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1") (.Values.console.pspEnabled) }}
+apiVersion: "rbac.authorization.k8s.io/v1"
+kind: "RoleBinding"
+metadata:
+  name: "stratos-db-role-binding"
+  labels:
+    app.kubernetes.io/component: "stratos-db-role-binding"
+    app.kubernetes.io/instance: "{{ .Release.Name }}"
+    app.kubernetes.io/name: "stratos"
+    app.kubernetes.io/version: "{{ .Chart.AppVersion }}"
+    helm.sh/chart:  "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+subjects:
+- kind: "ServiceAccount"
+  name: "stratos-db"
+roleRef:
+  apiGroup: "rbac.authorization.k8s.io"
+  kind: "Role"
+  name: "stratos-db-role"
+{{- end }}
+---
 {{- if semverCompare ">=1.16" (printf "%s.%s" .Capabilities.KubeVersion.Major (trimSuffix "+" .Capabilities.KubeVersion.Minor) )}}
 apiVersion: apps/v1
 {{- else }}
@@ -107,6 +165,9 @@ spec:
       imagePullSecrets:
       - name: {{.Values.dockerRegistrySecret}}
       {{- end }}
+      {{- if and (eq (printf "%s" .Values.kube.auth) "rbac") (.Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1") (.Values.console.pspEnabled) }}
+      serviceAccountName: "stratos-db"
+      {{- end }}
       volumes:
       - name: data
       {{- if .Values.mariadb.persistence.enabled }}

deploy/kubernetes/console/templates/psp.yaml

@@ -0,0 +1,45 @@
+{{- if and .Values.console.pspEnabled (not .Values.console.pspName) }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ .Release.Name }}-psp
+{{- if .Values.console.pspAnnotations }}
+  annotations:
+{{ toYaml .Values.console.pspAnnotations | indent 4 }}
+{{- end }}
+  labels:
+    app.kubernetes.io/name: "stratos"
+    app.kubernetes.io/instance: "{{ .Release.Name }}"
+    app.kubernetes.io/version: "{{ .Chart.AppVersion }}"
+    app.kubernetes.io/component: "console-psp"
+    helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+{{- if .Values.console.pspExtraLabels }}
+{{ toYaml .Values.console.pspExtraLabels | indent 4 }}
+{{- end }}
+spec:
+  privileged: false
+  allowPrivilegeEscalation: false
+  allowedCapabilities:
+    - '*'
+  volumes:
+    - 'configMap'
+    - 'downwardAPI'
+    - 'emptyDir'
+    - 'persistentVolumeClaim'
+    - 'secret'
+    - 'projected'
+  hostNetwork: false
+  hostPID: false
+  hostIPC: false
+  runAsUser:
+    rule: 'RunAsAny'
+  runAsGroup:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+  readOnlyRootFilesystem: false
+{{- end }}

deploy/kubernetes/console/templates/service-account.yaml

@@ -25,6 +25,16 @@ metadata:
     app.kubernetes.io/version: "{{ .Chart.AppVersion }}"
     helm.sh/chart:  "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
 rules:
+{{- if .Values.console.pspEnabled }}
+- apiGroups:
+  - extensions
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+  resourceNames:
+  - {{ default (printf "%s-psp" .Release.Name) .Values.console.pspName }}
+{{- end }}  
 - apiGroups:
   - ""
   resources:

deploy/kubernetes/console/values.yaml

@@ -110,6 +110,18 @@ console:
   # Extra labels to apply to Pods
   podExtraLabels: {}
 
+  # Whether PodSecurityPolicy is enabled
+  pspEnabled: false
+
+  # Optional name of a PodSecurityPolicy to use - if not specified, a default will be created
+  pspName:  
+
+  # Custom annotations to apply to Pod Security Policies
+  pspAnnotations: {}  
+
+  # Extra labels to apply to Pod Security Policies
+  pspExtraLabels: {}  
+
   # Node Selector for console Pod
   nodeSelector: {}