
Update Helm chart RBAC and security context #5

Merged
merged 6 commits into from
Oct 3, 2023
Merged
1 change: 1 addition & 0 deletions Dockerfile
Expand Up @@ -13,6 +13,7 @@ RUN go mod download

# Copy the go source
COPY main.go main.go
COPY api/ api/
COPY internal/controller/ internal/controller/

# Build
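--- a/helm/kyverno-policy-operator/crd/policyexceptions.yaml
+++ b/helm/kyverno-policy-operator/crd/policyexceptions.yaml
@@ -0,0 +1,75 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+annotations:
+controller-gen.kubebuilder.io/version: v0.12.0
+name: policyexceptions.policy.giantswarm.io
+spec:
+group: policy.giantswarm.io
+names:
+kind: PolicyException
+listKind: PolicyExceptionList
+plural: policyexceptions
+shortNames:
+- gspolex
+singular: policyexception
+scope: Namespaced
+versions:
+- name: v1alpha1
+schema:
+openAPIV3Schema:
+description: PolicyException is the Schema for the policyexceptions API
+properties:
+apiVersion:
+description: 'APIVersion defines the versioned schema of this representation
+of an object. Servers should convert recognized schemas to the latest
+internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+type: string
+kind:
+description: 'Kind is a string value representing the REST resource this
+object represents. Servers may infer this from the endpoint the client
+submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+type: string
+metadata:
+type: object
+spec:
+description: PolicyExceptionSpec defines the desired state of PolicyException
+properties:
+policies:
+description: Policies defines the list of policies to be excluded
+items:
+type: string
+type: array
+targets:
+description: Targes defines the list of target workloads where the
+exceptions will be applied
+items:
+description: Target defines a resource to which a PolicyException
+applies
+properties:
+kind:
+type: string
+names:
+items:
+type: string
+type: array
+namespaces:
+items:
+type: string
+type: array
+required:
+- kind
+- names
+- namespaces
+type: object
+type: array
+required:
+- policies
+- targets
+type: object
+type: object
+served: true
+storage: true
+subresources:
+status: {}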
16 changes: 14 additions & 2 deletions helm/kyverno-policy-operator/templates/_helpers.tpl
Expand Up @@ -19,12 +19,24 @@ Common labels
*/}}
{{- define "labels.common" -}}
{{ include "labels.selector" . }}
app.giantswarm.io/branch: {{ .Chart.Annotations.branch | replace "#" "-" | replace "/" "-" | replace "." "-" | trunc 63 | trimSuffix "-" | quote }}
application.giantswarm.io/commit: {{ .Chart.Annotations.commit | quote }}
application.kubernetes.io/managed-by: {{ .Release.Service | quote }}
application.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
application.giantswarm.io/team: {{ index .Chart.Annotations "application.giantswarm.io/team" | quote }}
giantswarm.io/managed-by: {{ .Release.Name | quote }}
giantswarm.io/service-type: {{ .Values.serviceType }}
helm.sh/chart: {{ include "chart" . | quote }}
{{- end -}}

{{- define "kyverno-policy-operator.crdInstall" -}}
{{- printf "%s-%s" ( include "resource.default.name" . ) "crd-install" | replace "+" "_" | trimSuffix "-" -}}
{{- end -}}

{{- define "kyverno-policy-operator.CRDInstallAnnotations" -}}
"helm.sh/hook": "pre-install,pre-upgrade"
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
{{- end -}}

{{/* Create a label which can be used to select any orphaned crd-install hook resources */}}
{{- define "kyverno-policy-operator.CRDInstallSelector" -}}
{{- printf "%s" "crd-install-hook" -}}
{{- end -}}
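Review bot: `kyverno-policy-operator.crdInstall` is rendered as a label value (`app.kubernetes.io/component`) by every crd-install template in this PR, yet unlike the `app.giantswarm.io/branch` label above it the pipeline never truncates; if `resource.default.name` (defined outside this hunk) can be long, the resulting label value exceeds the 63-character limit and the API server rejects the hook resources. Inserting `| trunc 63` before the final `trimSuffix "-"` in the printf pipeline, mirroring the branch label, avoids that. Separately, `application.kubernetes.io/managed-by` and `application.kubernetes.io/version` do not use the `app.kubernetes.io/` prefix the selector labels use; if those two lines are on the new side rather than the lines this commit removes, they read like a typo worth fixing.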
@@ -0,0 +1,28 @@
{{/*
We have to create individual configmaps for each CRD - they exceed the total
allowed length for a configmap if they are combined.
*/}}
{{ $currentScope := . }}
{{- if .Values.crds.install }}
{{- range $path, $_ := .Files.Glob "crd/**" }}
{{- with $currentScope }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "kyverno-policy-operator.crdInstall" . }}-{{ $path | base | trimSuffix ".yaml" }}
namespace: {{ .Release.Namespace | quote }}
annotations:
# create hook dependencies in the right order
"helm.sh/hook-weight": "-5"
{{- include "kyverno-policy-operator.CRDInstallAnnotations" . | nindent 4 }}
labels:
app.kubernetes.io/component: {{ include "kyverno-policy-operator.crdInstall" . | quote }}
{{- include "labels.selector" . | nindent 4 }}
role: {{ include "kyverno-policy-operator.CRDInstallSelector" . | quote }}
data:
content: |
{{ .Files.Get $path | indent 4 }}
{{- end }}
{{- end }}
{{- end }}
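--- a/helm/kyverno-policy-operator/templates/crd-install/crd-job.yaml
+++ b/helm/kyverno-policy-operator/templates/crd-install/crd-job.yaml
@@ -0,0 +1,70 @@
+{{- if .Values.crds.install }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+name: {{ include "kyverno-policy-operator.crdInstall" . }}
+namespace: {{ .Release.Namespace | quote }}
+annotations:
+# create hook dependencies in the right order
+"helm.sh/hook-weight": "-1"
+{{- include "kyverno-policy-operator.CRDInstallAnnotations" . | nindent 4 }}
+labels:
+app.kubernetes.io/component: {{ include "kyverno-policy-operator.crdInstall" . | quote }}
+{{- include "labels.selector" . | nindent 4 }}
+role: {{ include "kyverno-policy-operator.CRDInstallSelector" . | quote }}
+spec:
+template:
+metadata:
+labels:
+app.kubernetes.io/component: {{ include "kyverno-policy-operator.crdInstall" . | quote }}
+{{- include "labels.selector" . | nindent 8 }}
+spec:
+serviceAccountName: {{ include "kyverno-policy-operator.crdInstall" . }}
+securityContext:
+seccompProfile:
+type: RuntimeDefault
+runAsUser: 65534
+runAsGroup: 65534
+tolerations:
+- key: node-role.kubernetes.io/control-plane
+effect: NoSchedule
+containers:
+- name: kubectl
+image: "{{ .Values.image.registry }}/giantswarm/docker-kubectl:{{ .Values.crds.image.tag }}"
+command:
+- sh
+- -c
+- |
+set -o errexit ; set -o xtrace ; set -o nounset
+
+# piping stderr to stdout means kubectl's errors are surfaced
+# in the pod's logs.
+kubectl apply --server-side -f /data/ 2>&1
+securityContext:
+seccompProfile:
+type: RuntimeDefault
+readOnlyRootFilesystem: true
+runAsUser: 65534
+runAsGroup: 65534
+volumeMounts:
+{{- range $path, $_ := .Files.Glob "crd/**" }}
+- name: {{ $path | base | trimSuffix ".yaml" }}
+mountPath: /data/{{ $path | base }}
+subPath: {{ $path | base }}
+{{- end }}
+resources: {{- toYaml .Values.crds.resources | nindent 10 }}
+volumes:
+{{ $currentScope := . }}
+{{- range $path, $_ := .Files.Glob "crd/**" }}
+{{- with $currentScope }}
+- name: {{ $path | base | trimSuffix ".yaml" }}
+configMap:
+name: {{ include "kyverno-policy-operator.crdInstall" . }}-{{ $path | base | trimSuffix ".yaml" }}
+items:
+- key: content
+path: {{ $path | base }}
+{{- end }}
+{{- end }}
+restartPolicy: Never
+backoffLimit: 4
+{{- end }}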
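Review bot: The container securityContext, and the pod-level one above it, stop short of the restricted Pod Security Standard: `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]` and `runAsNonRoot: true` are all missing, so a namespace enforcing `restricted` would reject the hook pod even though it already runs as 65534 with a read-only root filesystem and RuntimeDefault seccomp. The kubectl image is also referenced by a tag (`.Values.crds.image.tag`) rather than a digest; an optional digest value would let operators pin it. Proposed additions below, with the rest of the Job unchanged.
```yaml
      securityContext:
        runAsNonRoot: true
        # … unchanged: seccompProfile, runAsUser, runAsGroup …
      # … unchanged: tolerations, container name, image, command …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
          # … unchanged: seccompProfile, readOnlyRootFilesystem, runAsUser, runAsGroup …
```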
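--- a/helm/kyverno-policy-operator/templates/crd-install/crd-np.yaml
+++ b/helm/kyverno-policy-operator/templates/crd-install/crd-np.yaml
@@ -0,0 +1,67 @@
+{{- if .Values.crds.install }}
+{{- if .Capabilities.APIVersions.Has "cilium.io/v2" }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+name: {{ include "kyverno-policy-operator.crdInstall" . }}
+namespace: {{ .Release.Namespace | quote }}
+annotations:
+# create hook dependencies in the right order
+"helm.sh/hook-weight": "-7"
+{{- include "kyverno-policy-operator.CRDInstallAnnotations" . | nindent 4 }}
+labels:
+app.kubernetes.io/component: {{ include "kyverno-policy-operator.crdInstall" . | quote }}
+{{- include "labels.selector" . | nindent 4 }}
+role: {{ include "kyverno-policy-operator.CRDInstallSelector" . | quote }}
+spec:
+endpointSelector:
+matchLabels:
+app.kubernetes.io/component: {{ include "kyverno-policy-operator.crdInstall" . | quote }}
+{{- include "labels.selector" . | nindent 6 }}
+egress:
+- toEntities:
+- kube-apiserver
+toPorts:
+- ports:
+- port: "443"
+- ports:
+- port: "6443"
+{{- else}}
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+name: {{ include "kyverno-policy-operator.crdInstall" . }}
+namespace: {{ .Release.Namespace | quote }}
+annotations:
+# create hook dependencies in the right order
+"helm.sh/hook-weight": "-7"
+{{- include "kyverno-policy-operator.CRDInstallAnnotations" . | nindent 4 }}
+labels:
+app.kubernetes.io/component: {{ include "kyverno-policy-operator.crdInstall" . | quote }}
+{{- include "labels.selector" . | nindent 4 }}
+role: {{ include "kyverno-policy-operator.CRDInstallSelector" . | quote }}
+spec:
+podSelector:
+matchLabels:
+app.kubernetes.io/component: {{ include "kyverno-policy-operator.crdInstall" . | quote }}
+{{- include "labels.selector" . | nindent 6 }}
+# allow egress traffic to the Kubernetes API
+egress:
+- ports:
+- port: 443
+protocol: TCP
+# legacy port kept for compatibility
+- port: 6443
+protocol: TCP
+to:
+{{- range tuple "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" "100.64.0.0/10" }}
+- ipBlock:
+cidr: {{ . }}
+{{- end }}
+# deny ingress traffic
+ingress: []
+policyTypes:
+- Egress
+- Ingress
+{{- end }}
+{{- end }}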
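Review bot: The CiliumNetworkPolicy branch declares only `egress`, so unlike the NetworkPolicy fallback below it (which pairs `ingress: []` with `policyTypes: [Egress, Ingress]`) it does not deny ingress to the hook pod; as far as I know Cilium only enforces the directions a policy declares, so a default-deny for ingress needs an explicit empty rule, `ingress:` followed by `  - {}`, to match the fallback's intent. The fallback allows 443/6443 to every RFC 1918 range plus the CGNAT range rather than to the API server specifically, which is roughly as tight as a plain NetworkPolicy can be without knowing the endpoint address, but that reasoning deserves a comment, e.g. `# NetworkPolicy cannot name the kube-apiserver entity, so allow the private ranges where it may live`. Style nit: `{{- else}}` lacks the space before `}}` that every other action in the file has.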
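--- a/helm/kyverno-policy-operator/templates/crd-install/crd-psp.yaml
+++ b/helm/kyverno-policy-operator/templates/crd-install/crd-psp.yaml
@@ -0,0 +1,38 @@
+{{- if .Values.crds.install }}
+{{- if not .Values.global.podSecurityStandards.enforced }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+name: {{ include "kyverno-policy-operator.crdInstall" . }}
+annotations:
+# create hook dependencies in the right order
+"helm.sh/hook-weight": "-6"
+{{- include "kyverno-policy-operator.CRDInstallAnnotations" . | nindent 4 }}
+labels:
+app.kubernetes.io/component: {{ include "kyverno-policy-operator.crdInstall" . | quote }}
+{{- include "labels.selector" . | nindent 4 }}
+role: {{ include "kyverno-policy-operator.CRDInstallSelector" . | quote }}
+spec:
+privileged: false
+runAsUser:
+rule: MustRunAsNonRoot
+seLinux:
+rule: RunAsAny
+supplementalGroups:
+rule: 'MustRunAs'
+ranges:
+- min: 1
+max: 65535
+volumes:
+- 'configMap'
+hostPID: false
+hostIPC: false
+hostNetwork: false
+fsGroup:
+rule: 'MustRunAs'
+ranges:
+- min: 1
+max: 65535
+readOnlyRootFilesystem: false
+{{- end }}
+{{- end }}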
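Review bot: `readOnlyRootFilesystem: false` is looser than the workload this policy exists for, since the crd-install Job container sets `readOnlyRootFilesystem: true`, and the policy also omits `allowPrivilegeEscalation: false` and `requiredDropCapabilities: [ALL]`, so it permits more than the hook needs. Setting `readOnlyRootFilesystem: true` and adding those two fields keeps the PSP in step with the Job's own securityContext. The template is gated only on `.Values.global.podSecurityStandards.enforced`; on clusters where `policy/v1beta1` PodSecurityPolicy no longer exists (removed in Kubernetes 1.25) a false value would render a resource the API server cannot accept, so an additional `.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy"` guard would be safer.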
@@ -0,0 +1,63 @@
{{- if .Values.crds.install }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "kyverno-policy-operator.crdInstall" . }}
namespace: {{ .Release.Namespace | quote }}
annotations:
# create hook dependencies in the right order
"helm.sh/hook-weight": "-3"
{{- include "kyverno-policy-operator.CRDInstallAnnotations" . | nindent 4 }}
labels:
app.kubernetes.io/component: {{ include "kyverno-policy-operator.crdInstall" . | quote }}
{{- include "labels.selector" . | nindent 4 }}
role: {{ include "kyverno-policy-operator.CRDInstallSelector" . | quote }}
rules:
- apiGroups:
- ""
resources:
- jobs
verbs:
- create
- delete
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- create
- delete
- get
- patch
- update
- apiGroups:
- policy
resources:
- podsecuritypolicies
resourceNames:
- {{ include "kyverno-policy-operator.crdInstall" . }}
verbs:
- use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "kyverno-policy-operator.crdInstall" . }}
namespace: {{ .Release.Namespace | quote }}
annotations:
# create hook dependencies in the right order
"helm.sh/hook-weight": "-2"
{{- include "kyverno-policy-operator.CRDInstallAnnotations" . | nindent 4 }}
labels:
app.kubernetes.io/component: {{ include "kyverno-policy-operator.crdInstall" . | quote }}
{{- include "labels.common" . | nindent 4 }}
role: {{ include "kyverno-policy-operator.CRDInstallSelector" . | quote }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "kyverno-policy-operator.crdInstall" . }}
subjects:
- kind: ServiceAccount
name: {{ include "kyverno-policy-operator.crdInstall" . }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}
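Review bot: The first rule grants `create`/`delete` on `jobs` in the core API group (`""`), but Jobs live in `batch`, so as written the rule grants nothing; the hook script only runs `kubectl apply` against CRDs and never touches Jobs, so dropping the rule is simpler than fixing its group. On the CRD rule, `delete` and `update` are not exercised by `kubectl apply --server-side`, which creates or patches, so least privilege would keep `create`, `get`, `patch` only, worth confirming against the kubectl version in use. `namespace:` on a ClusterRole and a ClusterRoleBinding is ignored for cluster-scoped resources and can be removed, and the binding uses `labels.common` where every other hook resource in this PR uses `labels.selector`.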
@@ -0,0 +1,15 @@
{{- if .Values.crds.install }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "kyverno-policy-operator.crdInstall" . }}
namespace: {{ .Release.Namespace }}
annotations:
# create hook dependencies in the right order
"helm.sh/hook-weight": "-4"
{{- include "kyverno-policy-operator.CRDInstallAnnotations" . | nindent 4 }}
labels:
app.kubernetes.io/component: {{ include "kyverno-policy-operator.crdInstall" . | quote }}
{{- include "labels.selector" . | nindent 4 }}
role: {{ include "kyverno-policy-operator.CRDInstallSelector" . | quote }}
{{- end }}
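Review bot: `namespace: {{ .Release.Namespace }}` is the one place in this PR that renders the release namespace unquoted; the other hook templates use `{{ .Release.Namespace | quote }}`. Using the same form here keeps the templates consistent and protects against a namespace name YAML would otherwise retype, such as an all-digit one.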