[stable/jaeger-operator] Add PodSecurityPolicy and SecurityContext (#…

…13964) Signed-off-by: mwieczorek <wieczorek-michal@wp.pl>
helm · May 31, 2019 · 0007ebb · 0007ebb
1 parent 7fcc169
commit 0007ebb
Show file tree

Hide file tree

Showing 7 changed files with 61 additions and 1 deletion.
diff --git a/stable/jaeger-operator/Chart.yaml b/stable/jaeger-operator/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 description: jaeger-operator Helm chart for Kubernetes
 name: jaeger-operator
-version: 2.5.0
+version: 2.6.0
 appVersion: 1.12.0
 home: https://www.jaegertracing.io/
 icon: https://www.jaegertracing.io/img/jaeger-icon-reverse-color.svg

diff --git a/stable/jaeger-operator/README.md b/stable/jaeger-operator/README.md
@@ -48,11 +48,13 @@ The following table lists the configurable parameters of the jaeger-operator cha
 | `image.pullPolicy`      | Controller container image pull policy                                                                      | `IfNotPresent`                  |
 | `rbac.create`           | All required roles and rolebindings will be created                                                         | `true`                          |
 | `serviceAccount.create` | Service account to use                                                                                      | `true`                          |
+| `rbac.pspEnabled`       | Pod security policy for pod will be created and included in rbac role                                       | `false`                         |
 | `serviceAccount.name`   | Service account name to use. If not set and create is true, a name is generated using the fullname template | ``                              |
 | `resources`             | K8s pod resorces                                                                                            | `None`                          |
 | `nodeSelector`          | Node labels for pod assignment                                                                              | `{}`                            |
 | `tolerations`           | Toleration labels for pod assignment                                                                        | `[]`                            |
 | `affinity`              | Affinity settings for pod assignment                                                                        | `{}`                            |
+| `securityContext`       | Security context for pod                                                                                    | `{}`                            |
 
 Specify each parameter you'd like to override using a YAML file as described above in the [installation](#installing-the-chart) section.
 

diff --git a/stable/jaeger-operator/templates/_helpers.tpl b/stable/jaeger-operator/templates/_helpers.tpl
@@ -41,3 +41,11 @@ Create chart name and version as used by the chart label.
 {{- define "jaeger-operator.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
+
+{{/* Generate basic labels */}}
+{{- define "jaeger-operator.labels" }}
+app.kubernetes.io/name: {{ include "jaeger-operator.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+helm.sh/chart: {{ include "jaeger-operator.chart" . }}
+{{- end }}
diff --git a/stable/jaeger-operator/templates/deployment.yaml b/stable/jaeger-operator/templates/deployment.yaml
@@ -24,6 +24,10 @@ spec:
     spec:
       {{- if .Values.serviceAccount.create }}
       serviceAccountName: {{ include "jaeger-operator.serviceAccountName" . }}
+      {{- end }}
+      {{- with .Values.securityContext }}
+      securityContext:
+{{ toYaml . | indent 8 }}
       {{- end }}
       containers:
         - name: {{ include "jaeger-operator.fullname" . }}

diff --git a/stable/jaeger-operator/templates/psp.yaml b/stable/jaeger-operator/templates/psp.yaml
@@ -0,0 +1,36 @@
+{{- if and .Values.rbac.create .Values.rbac.pspEnabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ include "jaeger-operator.fullname" . }}-operator-psp
+  labels:
+{{ include "jaeger-operator.labels" . | indent 4 }}
+spec:
+  privileged: false
+  allowPrivilegeEscalation: false
+  volumes:
+    - 'configMap'
+    - 'emptyDir'
+    - 'projected'
+    - 'secret'
+    - 'downwardAPI'
+    - 'persistentVolumeClaim'
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'MustRunAsNonRoot'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+{{- end }}
diff --git a/stable/jaeger-operator/templates/role.yaml b/stable/jaeger-operator/templates/role.yaml
@@ -76,4 +76,11 @@ rules:
   - '*'
   verbs:
   - '*'
+{{- if .Values.rbac.pspEnabled }}
+- apiGroups: ['policy']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames:
+  - {{ include "jaeger-operator.fullname" . }}-operator-psp
+{{- end }}
 {{- end }}
diff --git a/stable/jaeger-operator/values.yaml b/stable/jaeger-operator/values.yaml
@@ -9,6 +9,7 @@ image:
 rbac:
   # Specifies whether RBAC resources should be created
   create: true
+  pspEnabled: false
 
 serviceAccount:
   # Specifies whether a ServiceAccount should be created
@@ -30,3 +31,5 @@ nodeSelector: {}
 tolerations: []
 
 affinity: {}
+
+securityContext: {}