From a7b5af6eb4f0b37f3e214a2e050ead0ff85a7971 Mon Sep 17 00:00:00 2001
From: Bastian Hofmann
Date: Fri, 8 Jan 2021 17:41:33 +0100
Subject: [PATCH] Add PodSecurityPolicies for rancher-istio,rancher-tracing and rancher-kiali-server
Signed-off-by: Bastian Hofmann
---
 packages/rancher-istio/charts/Chart.yaml | 2 +-
 .../charts/templates/clusterrole.yaml | 8 ++
 .../charts/templates/istio-cni-psp.yaml | 47 +++++++++++
 .../charts/templates/istio-install-job.yaml | 3 +
 .../charts/templates/istio-install-psp.yaml | 28 +++++++
 .../charts/templates/istio-psp.yaml | 79 +++++++++++++++
 .../charts/templates/istio-uninstall-job.yaml | 3 +
 packages/rancher-istio/package.yaml | 2 +-
 .../overlay/templates/psp.yaml | 65 ++++++++++++++
 packages/rancher-kiali-server/package.yaml | 2 +-
 .../charts/templates/deployment.yaml | 4 +
 .../rancher-tracing/charts/templates/psp.yaml | 84 +++++++++++++++++++
 packages/rancher-tracing/package.yaml | 2 +-
 13 files changed, 325 insertions(+), 4 deletions(-)
 create mode 100644 packages/rancher-istio/charts/templates/istio-cni-psp.yaml
 create mode 100644 packages/rancher-istio/charts/templates/istio-install-psp.yaml
 create mode 100644 packages/rancher-istio/charts/templates/istio-psp.yaml
 create mode 100644 packages/rancher-kiali-server/generated-changes/overlay/templates/psp.yaml
 create mode 100644 packages/rancher-tracing/charts/templates/psp.yaml
diff --git a/packages/rancher-istio/charts/Chart.yaml b/packages/rancher-istio/charts/Chart.yaml
index d64c2d08083..a0a2c4e5717 100644
--- a/packages/rancher-istio/charts/Chart.yaml
+++ b/packages/rancher-istio/charts/Chart.yaml
@@ -13,7 +13,7 @@ annotations:
 catalog.cattle.io/release-name: rancher-istio
 catalog.cattle.io/ui-component: istio
 catalog.cattle.io/provides-gvr: networking.istio.io.virtualservice/v1beta1
- catalog.cattle.io/auto-install: rancher-kiali-server-crd=1.29.000-rc00
+ catalog.cattle.io/auto-install: rancher-kiali-server-crd=1.29.000-rc01
 catalog.cattle.io/display-name: "Istio"
 catalog.cattle.io/os: linux
 catalog.cattle.io/requests-cpu: "710m"
diff --git a/packages/rancher-istio/charts/templates/clusterrole.yaml b/packages/rancher-istio/charts/templates/clusterrole.yaml
index 3e621d8974e..a93b3df95d0 100644
--- a/packages/rancher-istio/charts/templates/clusterrole.yaml
+++ b/packages/rancher-istio/charts/templates/clusterrole.yaml
@@ -110,3 +110,11 @@ rules:
 - serviceaccounts
 verbs:
 - '*'
+- apiGroups:
+ - policy
+ resourceNames:
+ - istio-installer
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
diff --git a/packages/rancher-istio/charts/templates/istio-cni-psp.yaml b/packages/rancher-istio/charts/templates/istio-cni-psp.yaml
new file mode 100644
index 00000000000..69f94abfe0c
--- /dev/null
+++ b/packages/rancher-istio/charts/templates/istio-cni-psp.yaml
@@ -0,0 +1,47 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: psp-istio-cni
+ namespace: istio-system
+spec:
+ allowPrivilegeEscalation: true
+ fsGroup:
+ rule: RunAsAny
+ hostNetwork: true
+ runAsUser:
+ rule: RunAsAny
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ volumes:
+ - secret
+ - configMap
+ - emptyDir
+ - hostPath
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: psp-istio-cni
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: psp-istio-cni
+subjects:
+ - kind: ServiceAccount
+ name: istio-cni
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: psp-istio-cni
+rules:
+- apiGroups:
+ - policy
+ resourceNames:
+ - psp-istio-cni
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
diff --git a/packages/rancher-istio/charts/templates/istio-install-job.yaml b/packages/rancher-istio/charts/templates/istio-install-job.yaml
index 0e9c732e17c..6186dafd55f 100644
--- a/packages/rancher-istio/charts/templates/istio-install-job.yaml
+++ b/packages/rancher-istio/charts/templates/istio-install-job.yaml
@@ -42,4 +42,7 @@ spec:
 name: istio-installer-overlay
 {{- end }}
 serviceAccountName: istio-installer
+ securityContext:
+ runAsUser: 101
+ runAsGroup: 101
 restartPolicy: Never
diff --git a/packages/rancher-istio/charts/templates/istio-install-psp.yaml b/packages/rancher-istio/charts/templates/istio-install-psp.yaml
new file mode 100644
index 00000000000..ee5b270e4f3
--- /dev/null
+++ b/packages/rancher-istio/charts/templates/istio-install-psp.yaml
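Review bot: psp-istio-cni permits `hostPath` volumes with no `allowedHostPaths`, so a pod running as the `istio-cni` service account can mount any host directory, and together with `hostNetwork: true` and `allowPrivilegeEscalation: true` the policy is close to unrestricted. Narrow it to what the CNI DaemonSet actually mounts, e.g. `allowedHostPaths:` / `- pathPrefix: <host cni dir — placeholder, take from the DaemonSet volumes>`, and add `requiredDropCapabilities` if the container needs no extra capabilities. The RoleBinding and Role in this file carry no `namespace`, so they are created in the release namespace, while the PSP metadata hardcodes `namespace: istio-system`; that field is meaningless on a cluster-scoped PodSecurityPolicy and the same field appears in istio-install-psp.yaml, istio-psp.yaml, the kiali psp.yaml and the tracing psp.yaml, where it can be dropped as well.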
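Review bot: The added pod `securityContext` sets `runAsUser`/`runAsGroup` but neither `runAsNonRoot` nor `fsGroup`, so the non-root guarantee holds only while the PodSecurityPolicy admission controller is enabled, and under the istio-installer PSP's `fsGroup: MustRunAs` rule admission defaults `fsGroup` to the first range minimum (1) rather than 101. Add `runAsNonRoot: true` and `fsGroup: 101` next to the two existing lines so the job's identity is stated in the manifest itself; the identical hunk in istio-uninstall-job.yaml needs the same. The enclosing pod spec starts outside the hunk.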
@@ -0,0 +1,28 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: istio-installer
+ namespace: istio-system
+spec:
+ privileged: false
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'MustRunAsNonRoot'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ readOnlyRootFilesystem: false
+ volumes:
+ - 'configMap'
+ - 'secret'
diff --git a/packages/rancher-istio/charts/templates/istio-psp.yaml b/packages/rancher-istio/charts/templates/istio-psp.yaml
new file mode 100644
index 00000000000..2c29b6d7b13
--- /dev/null
+++ b/packages/rancher-istio/charts/templates/istio-psp.yaml
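Review bot: The `istio-installer` PSP leaves `allowPrivilegeEscalation` unset (which defaults to true) and declares no `requiredDropCapabilities` and no `runAsGroup` rule, so it is noticeably looser than the istio-psp policy added in the same commit for the other Istio components. Unless the install job needs setuid binaries or extra capabilities, add `allowPrivilegeEscalation: false`, `requiredDropCapabilities: [ALL]` and a `runAsGroup` rule mirroring the `fsGroup` one, matching the sibling policy. The quoted values here (`'MustRunAsNonRoot'`, `'configMap'`) also differ from the unquoted style of the other new PSP files; both parse the same, but one convention per chart reads better.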
@@ -0,0 +1,79 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: istio-psp
+ namespace: istio-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: istio-psp
+subjects:
+ - kind: ServiceAccount
+ name: istio-egressgateway-service-account
+ - kind: ServiceAccount
+ name: istio-ingressgateway-service-account
+ - kind: ServiceAccount
+ name: istio-mixer-service-account
+ - kind: ServiceAccount
+ name: istio-operator-authproxy
+ - kind: ServiceAccount
+ name: istiod-service-account
+ - kind: ServiceAccount
+ name: istio-sidecar-injector-service-account
+ - kind: ServiceAccount
+ name: istiocoredns-service-account
+ - kind: ServiceAccount
+ name: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: istio-psp
+ namespace: istio-system
+rules:
+- apiGroups:
+ - policy
+ resourceNames:
+ - istio-psp
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: istio-psp
+ namespace: istio-system
+spec:
+ allowPrivilegeEscalation: false
+ forbiddenSysctls:
+ - '*'
+ fsGroup:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ requiredDropCapabilities:
+ - ALL
+ runAsUser:
+ rule: MustRunAsNonRoot
+ runAsGroup:
+ rule: MustRunAs
+ ranges:
+ - min: 1
+ max: 65535
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ volumes:
+ - configMap
+ - emptyDir
+ - projected
+ - secret
+ - downwardAPI
+ - persistentVolumeClaim
diff --git a/packages/rancher-istio/charts/templates/istio-uninstall-job.yaml b/packages/rancher-istio/charts/templates/istio-uninstall-job.yaml
index b5946e55f5f..a7f15632579 100644
--- a/packages/rancher-istio/charts/templates/istio-uninstall-job.yaml
+++ b/packages/rancher-istio/charts/templates/istio-uninstall-job.yaml
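Review bot: The RoleBinding's subject list ends with the `default` ServiceAccount of istio-system, so every pod in that namespace that does not name a service account is granted `use` on `istio-psp`, not only the Istio components listed above it. That looks intended as a catch-all, but it deserves a comment in the template, e.g. `# default SA: covers pods in istio-system that set no serviceAccountName`, and the list should be checked against the service accounts the shipped Istio version actually creates (for instance `istio-mixer-service-account`, `istiocoredns-service-account`), since stale subjects are noise in RBAC audits. The policy itself (`forbiddenSysctls: ['*']`, `requiredDropCapabilities: [ALL]`, `MustRunAsNonRoot`) is a sound baseline.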
@@ -39,4 +39,7 @@ spec:
 name: istio-installer-overlay
 {{ end }}
 serviceAccountName: istio-installer
+ securityContext:
+ runAsUser: 101
+ runAsGroup: 101
 restartPolicy: OnFailure
diff --git a/packages/rancher-istio/package.yaml b/packages/rancher-istio/package.yaml
index 69ee3e9d1c4..d1f9aeec4d3 100644
--- a/packages/rancher-istio/package.yaml
+++ b/packages/rancher-istio/package.yaml
@@ -1,3 +1,3 @@
 url: local
 packageVersion: 00
-releaseCandidateVersion: 01
+releaseCandidateVersion: 02
diff --git a/packages/rancher-kiali-server/generated-changes/overlay/templates/psp.yaml b/packages/rancher-kiali-server/generated-changes/overlay/templates/psp.yaml
new file mode 100644
index 00000000000..1673d616fec
--- /dev/null
+++ b/packages/rancher-kiali-server/generated-changes/overlay/templates/psp.yaml
@@ -0,0 +1,65 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: kiali-psp
+ namespace: istio-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: kiali-psp
+subjects:
+ - kind: ServiceAccount
+ name: kiali
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: kiali-psp
+ namespace: istio-system
+rules:
+- apiGroups:
+ - policy
+ resourceNames:
+ - kiali-psp
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: kiali-psp
+ namespace: istio-system
+spec:
+ allowPrivilegeEscalation: false
+ forbiddenSysctls:
+ - '*'
+ fsGroup:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ requiredDropCapabilities:
+ - ALL
+ runAsUser:
+ rule: MustRunAsNonRoot
+ runAsGroup:
+ rule: MustRunAs
+ ranges:
+ - min: 1
+ max: 65535
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ volumes:
+ - configMap
+ - emptyDir
+ - projected
+ - secret
+ - downwardAPI
+ - persistentVolumeClaim
\ No newline at end of file
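Review bot: The kiali RoleBinding and Role hardcode `namespace: istio-system`, whereas the tracing psp.yaml in the same commit uses `{{ .Release.Namespace }}`; if the kiali chart is ever released into another namespace, the binding will not cover the `kiali` service account there and its pods will be refused by PSP admission. Use `namespace: {{ .Release.Namespace }}` on the RoleBinding and Role, and drop the field from the cluster-scoped PodSecurityPolicy. The file also lacks a trailing newline.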
diff --git a/packages/rancher-kiali-server/package.yaml b/packages/rancher-kiali-server/package.yaml
index 072abd3d3bf..d000cca1400 100644
--- a/packages/rancher-kiali-server/package.yaml
+++ b/packages/rancher-kiali-server/package.yaml
@@ -1,6 +1,6 @@
 url: https://kiali.org/helm-charts/kiali-server-1.29.0.tgz
 packageVersion: 00
-releaseCandidateVersion: 00
+releaseCandidateVersion: 01
 additionalCharts:
 - workingDir: charts-crd
 crdOptions:
diff --git a/packages/rancher-tracing/charts/templates/deployment.yaml b/packages/rancher-tracing/charts/templates/deployment.yaml
index e7ecfadd88d..a56308b3ba4 100644
--- a/packages/rancher-tracing/charts/templates/deployment.yaml
+++ b/packages/rancher-tracing/charts/templates/deployment.yaml
@@ -68,6 +68,10 @@ spec:
 affinity:
 {{- include "nodeAffinity" . | indent 6 }}
 {{- include "podAntiAffinity" . | indent 6 }}
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ serviceAccountName: {{ include "tracing.fullname" . }}
 {{- if eq .Values.jaeger.spanStorageType "badger" }}
 volumes:
 - name: data
diff --git a/packages/rancher-tracing/charts/templates/psp.yaml b/packages/rancher-tracing/charts/templates/psp.yaml
new file mode 100644
index 00000000000..4e761fc5b98
--- /dev/null
+++ b/packages/rancher-tracing/charts/templates/psp.yaml
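Review bot: The new pod `securityContext` sets `runAsNonRoot: true` and `runAsUser: 1000` but no `runAsGroup` or `fsGroup`, while the tracing PSP added in this commit uses `MustRunAs` ranges starting at 1 for both, so under PSP admission the pod's group ids default to 1 rather than anything chosen here. Add `runAsGroup: 1000` and `fsGroup: 1000` beside the two existing lines so the identity is explicit and the data volume declared below gets a group the process actually belongs to. That PSP's `volumes` list allows only `emptyDir`, `secret` and `persistentVolumeClaim`; if this Deployment mounts any other volume type outside the hunk, its pods will be rejected.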
@@ -0,0 +1,84 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "tracing.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "tracing.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "tracing.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "tracing.fullname" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "tracing.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups:
+ - policy
+ resourceNames:
+ - {{ include "tracing.fullname" . }}
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ include "tracing.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ allowPrivilegeEscalation: false
+ forbiddenSysctls:
+ - '*'
+ fsGroup:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ requiredDropCapabilities:
+ - ALL
+ runAsUser:
+ rule: MustRunAsNonRoot
+ runAsGroup:
+ rule: MustRunAs
+ ranges:
+ - min: 1
+ max: 65535
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ volumes:
+ - emptyDir
+ - secret
+ - persistentVolumeClaim
diff --git a/packages/rancher-tracing/package.yaml b/packages/rancher-tracing/package.yaml
index 0774348790b..5605d61096e 100644
--- a/packages/rancher-tracing/package.yaml
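Review bot: The ServiceAccount declared at the top of this file exists only so the tracing pod has a subject for the PSP RoleBinding, yet every jaeger pod will still get an API token mounted; add `automountServiceAccountToken: false` at the ServiceAccount's top level (beside `metadata`) unless the deployment actually calls the API server. A ServiceAccount inside a file named psp.yaml is also easy to overlook, so either move it to its own template or precede it with a comment such as `# ServiceAccount lives here because its only purpose is to receive the PSP RoleBinding below`. The `namespace: {{ .Release.Namespace }}` on the PodSecurityPolicy has no effect on a cluster-scoped object and can be dropped.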
+++ b/packages/rancher-tracing/package.yaml
@@ -1,3 +1,3 @@
 url: local
-packageVersion: 01
+packageVersion: 02
 releaseCandidateVersion: 00