Merge pull request #478 from pierluigilenoci/podsecuritypolicy

k8s-ci-robot · web-flow · commit 9673abd1db85 · 2021-04-23T12:59:40.000-07:00
Added Pod Security Policy to the chart
diff --git a/manifest_staging/charts/secrets-store-csi-driver/README.md b/manifest_staging/charts/secrets-store-csi-driver/README.md
@@ -80,6 +80,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p
 | `livenessProbe.port`                    | Liveness probe port                                                                                                               | `9808`                                              |
 | `livenessProbe.logLevel`                | Liveness probe container logging verbosity level                                                                                  | `2`                                                 |
 | `rbac.install`                          | Install default rbac roles and bindings                                                                                           | true                                                |
+| `rbac.pspEnabled`                       | If `true`, create and use a restricted pod security policy for Secrets Store CSI Driver pod(s)                                    | `false`                                                                                             |
 | `syncSecret.enabled`                    | Enable rbac roles and bindings required for syncing to Kubernetes native secrets (the default will change to false after v0.0.14) | true                                                |
 | `minimumProviderVersions`               | [**DEPRECATED**] A comma delimited list of key-value pairs of minimum provider versions with driver                               | `""`                                                |
 | `enableSecretRotation`                  | Enable secret rotation feature [alpha]                                                                                            | `false`                                             |
diff --git a/manifest_staging/charts/secrets-store-csi-driver/templates/_helpers.tpl b/manifest_staging/charts/secrets-store-csi-driver/templates/_helpers.tpl
@@ -33,6 +33,10 @@ labels:
   helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
 {{- end -}}
 
+{{- define "sscd-psp.fullname" -}}
+{{- printf "%s-psp" (include "sscd.name" .) -}}
+{{- end }}
+
 {{/*
 Return the appropriate apiVersion for CSIDriver.
 */}}
diff --git a/manifest_staging/charts/secrets-store-csi-driver/templates/podsecuritypolicy.yaml b/manifest_staging/charts/secrets-store-csi-driver/templates/podsecuritypolicy.yaml
@@ -0,0 +1,30 @@
+{{- if .Values.rbac.pspEnabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "sscd-psp.fullname" . }}
+{{ include "sscd.labels" . | indent 2 }}
+spec:
+  seLinux:
+    rule: RunAsAny
+  privileged: true
+  volumes:
+    - hostPath
+    - secret
+  hostNetwork: false
+  hostPorts:
+    - min: 0
+      max: 65535
+  fsGroup:
+    ranges:
+      - max: 65535
+        min: 1
+    rule: MustRunAs
+  runAsUser:
+    rule: RunAsAny
+  supplementalGroups:
+    ranges:
+      - max: 65535
+        min: 1
+    rule: MustRunAs
+{{- end }}
diff --git a/manifest_staging/charts/secrets-store-csi-driver/templates/role.yaml b/manifest_staging/charts/secrets-store-csi-driver/templates/role.yaml
@@ -50,4 +50,14 @@ rules:
   - get
   - patch
   - update
+{{- if .Values.rbac.pspEnabled }}
+- apiGroups:
+  - policy
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+  resourceNames:
+  - {{ template "sscd-psp.fullname" . }}
+{{- end }}
 {{ end }}
diff --git a/manifest_staging/charts/secrets-store-csi-driver/values.yaml b/manifest_staging/charts/secrets-store-csi-driver/values.yaml
@@ -156,6 +156,7 @@ livenessProbe:
 ## Install Default RBAC roles and bindings
 rbac:
   install: true
+  pspEnabled: false
 
 ## Install RBAC roles and bindings required for K8S Secrets syncing. Change this
 ## to false after v0.0.14
