From 62e5b57d906746029c7b7510528f10356d3dd376 Mon Sep 17 00:00:00 2001
From: Prateek Pandey
Date: Mon, 15 Feb 2021 15:03:40 +0530
Subject: [PATCH] refact(charts): add pod security policy for zfslocalpv charts (#290)

Signed-off-by: prateekpandey14
---
 deploy/helm/charts/Chart.yaml | 2 +-
 deploy/helm/charts/README.md | 1 +
 deploy/helm/charts/templates/psp.yaml | 27 +++++++++++++++++++++++++++
 deploy/helm/charts/values.yaml | 5 +++++
 4 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 deploy/helm/charts/templates/psp.yaml

diff --git a/deploy/helm/charts/Chart.yaml b/deploy/helm/charts/Chart.yaml
index 347c3f8..ff4a39f 100644
--- a/deploy/helm/charts/Chart.yaml
+++ b/deploy/helm/charts/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: zfs-localpv
 description: CSI Driver for dynamic provisioning of ZFS Persistent Local Volumes.
-version: 1.3.0
+version: 1.3.1
 appVersion: 1.3.0
 icon: https://raw.githubusercontent.com/cncf/artwork/master/projects/openebs/icon/color/openebs-icon-color.png
 home: http://www.openebs.io/
diff --git a/deploy/helm/charts/README.md b/deploy/helm/charts/README.md
index e8492b4..37c37a9 100644
--- a/deploy/helm/charts/README.md
+++ b/deploy/helm/charts/README.md
@@ -118,6 +118,7 @@ The following table lists the configurable parameters of the OpenEBS ZFS Localpv
 | `zfsController.nodeSelector`| Nodeselector for zfs localpv controller statefulset pods| `""`|
 | `zfsController.tolerations` | zfs localpv controller statefulset's pod toleration values | `""`|
 | `zfsController.securityContext` | Seurity context for zfs localpv controller statefulset container | `""`|
+| `rbac.pspEnabled` | Enable PodSecurityPolicy | `false` |
 | `serviceAccount.zfsNode.create` | Create a service account for zfsnode or not| `true`|
 | `serviceAccount.zfsNode.name` | Name for the zfsnode service account| `openebs-zfs-node-sa`|
 | `serviceAccount.zfsController.create` | Create a service account for zfs localpv controller or not| `true`|
diff --git a/deploy/helm/charts/templates/psp.yaml b/deploy/helm/charts/templates/psp.yaml new file mode 100644 index 0000000..90313b5 --- /dev/null +++ b/deploy/helm/charts/templates/psp.yaml @@ -0,0 +1,27 @@ +{{- if .Values.rbac.pspEnabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "zfslocalpv.fullname" . }}-psp + {{- with .Values.zfsNode.annotations }} + annotations: {{ toYaml . | nindent 4 }} + {{- end }} + labels: + {{- include "zfslocalpv.zfsNode.labels" . | nindent 4 }} +spec: + privileged: true + allowPrivilegeEscalation: true + allowedCapabilities: ['*'] + volumes: ['*'] + hostNetwork: true + hostIPC: true + hostPID: true + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' +{{- end }} diff --git a/deploy/helm/charts/values.yaml b/deploy/helm/charts/values.yaml index bc77ff2..c123554 100644 --- a/deploy/helm/charts/values.yaml +++ b/deploy/helm/charts/values.yaml @@ -7,6 +7,11 @@ release: imagePullSecrets: # - name: "image-pull-secret" + +rbac: + # rbac.pspEnabled: `true` if PodSecurityPolicy resources should be created + pspEnabled: false + # zfsNode contains the configurables for # the zfs node daemonset zfsNode:
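Review bot: The PodSecurityPolicy added in psp.yaml is never granted to anyone — the diffstat shows only Chart.yaml, README.md, psp.yaml and values.yaml changing, with no ClusterRole/ClusterRoleBinding giving the node or controller service accounts `use` on it, so on a cluster that enforces PSP admission, setting `rbac.pspEnabled: true` leaves the driver pods rejected unless some pre-existing policy already admits them. The binding below, gated on the same flag and appended to this template, closes that gap; the controller service-account name is left as a placeholder because only `serviceAccount.zfsNode.name` is visible in this patch. The policy is also as permissive as a PSP can be (privileged, all capabilities and volume types, host PID/IPC/network, RunAsAny for every rule), which the node DaemonSet plausibly needs for ZFS but the controller StatefulSet does not, so a header comment such as `# Deliberately unrestricted: the node plugin needs privileged access and host namespaces; give the controller a tighter policy if it is ever separated` would record the intent, and its labels/annotations come from `.Values.zfsNode.*` even though the object is shared. Separately, `policy/v1beta1` PodSecurityPolicy is deprecated from Kubernetes 1.21 and removed in 1.25, so the README row for `rbac.pspEnabled` (previous hunk) should state the supported version range.
```yaml
# … unchanged: PodSecurityPolicy document above …
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "zfslocalpv.fullname" . }}-psp
  labels:
    {{- include "zfslocalpv.zfsNode.labels" . | nindent 4 }}
rules:
  - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames:
      - {{ template "zfslocalpv.fullname" . }}-psp
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ template "zfslocalpv.fullname" . }}-psp
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "zfslocalpv.fullname" . }}-psp
subjects:
  - kind: ServiceAccount
    name: {{ .Values.serviceAccount.zfsNode.name }}
    namespace: {{ .Release.Namespace }}
  - kind: ServiceAccount
    name: <CONTROLLER_SERVICE_ACCOUNT_NAME>  # placeholder: the chart's controller SA value, not visible in this patch
    namespace: {{ .Release.Namespace }}
{{- end }}
```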