

Add PodSecurityPolicies for rancher-istio,rancher-tracing and rancher…
…-kiali-server

Signed-off-by: Bastian Hofmann <[email protected]>
bashofmann committed Mar 1, 2021
1 parent c84854f commit aed1108
Showing 12 changed files with 326 additions and 5 deletions.
2 changes: 1 addition & 1 deletion packages/rancher-istio/charts/Chart.yaml
Expand Up @@ -13,7 +13,7 @@ annotations:
catalog.cattle.io/release-name: rancher-istio
catalog.cattle.io/ui-component: istio
catalog.cattle.io/provides-gvr: networking.istio.io.virtualservice/v1beta1
catalog.cattle.io/auto-install: rancher-kiali-server-crd=1.29.000-rc00
catalog.cattle.io/auto-install: rancher-kiali-server-crd=1.29.001-rc00
catalog.cattle.io/display-name: "Istio"
catalog.cattle.io/os: linux
catalog.cattle.io/requests-cpu: "710m"
8 changes: 8 additions & 0 deletions packages/rancher-istio/charts/templates/clusterrole.yaml
Expand Up @@ -110,3 +110,11 @@ rules:
- serviceaccounts
verbs:
- '*'
- apiGroups:
- policy
resourceNames:
- istio-installer
resources:
- podsecuritypolicies
verbs:
- use
47 changes: 47 additions & 0 deletions packages/rancher-istio/charts/templates/istio-cni-psp.yaml
@@ -0,0 +1,47 @@
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: psp-istio-cni
namespace: istio-system
spec:
allowPrivilegeEscalation: true
fsGroup:
rule: RunAsAny
hostNetwork: true
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- secret
- configMap
- emptyDir
- hostPath
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: psp-istio-cni
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: psp-istio-cni
subjects:
- kind: ServiceAccount
name: istio-cni
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: psp-istio-cni
rules:
- apiGroups:
- policy
resourceNames:
- psp-istio-cni
resources:
- podsecuritypolicies
verbs:
- use
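Review bot: The `psp-istio-cni` policy permits `hostPath` volumes (L66) with no `allowedHostPaths` list, and combines that with `hostNetwork: true`, `allowPrivilegeEscalation: true` and `runAsUser: RunAsAny`, so any pod bound to it can mount arbitrary node paths, potentially as root. Restrict it with an `allowedHostPaths` entry per directory the istio-cni DaemonSet actually mounts, marking `readOnly: true` where the pod only reads, and add `requiredDropCapabilities` for whatever the CNI installer does not need. `metadata.namespace: istio-system` (L50) is meaningless on a cluster-scoped PodSecurityPolicy and should be dropped; the same field appears on every other new PSP in this commit.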
Expand Up @@ -42,4 +42,7 @@ spec:
name: istio-installer-overlay
{{- end }}
serviceAccountName: istio-installer
securityContext:
runAsUser: 101
runAsGroup: 101
restartPolicy: Never
28 changes: 28 additions & 0 deletions packages/rancher-istio/charts/templates/istio-install-psp.yaml
@@ -0,0 +1,28 @@
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: istio-installer
namespace: istio-system
spec:
privileged: false
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: false
volumes:
- 'configMap'
- 'secret'
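Review bot: The `istio-installer` policy leaves `allowPrivilegeEscalation` and `requiredDropCapabilities` unset (L111-129), making it looser than the `istio-psp` and `kiali-psp` policies added in the same commit even though it only governs a one-shot install job; add `allowPrivilegeEscalation: false` and `requiredDropCapabilities:` / `  - ALL` next to `privileged: false`. `metadata.namespace: istio-system` (L109) has no effect on a cluster-scoped PodSecurityPolicy and should be dropped. The quoting style here (`'MustRunAsNonRoot'`, `'configMap'`) also differs from the other PSP files in this commit, which leave the same values plain; both parse identically, but one convention should be used across the chart.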
79 changes: 79 additions & 0 deletions packages/rancher-istio/charts/templates/istio-psp.yaml
@@ -0,0 +1,79 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: istio-psp
namespace: istio-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: istio-psp
subjects:
- kind: ServiceAccount
name: istio-egressgateway-service-account
- kind: ServiceAccount
name: istio-ingressgateway-service-account
- kind: ServiceAccount
name: istio-mixer-service-account
- kind: ServiceAccount
name: istio-operator-authproxy
- kind: ServiceAccount
name: istiod-service-account
- kind: ServiceAccount
name: istio-sidecar-injector-service-account
- kind: ServiceAccount
name: istiocoredns-service-account
- kind: ServiceAccount
name: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: istio-psp
namespace: istio-system
rules:
- apiGroups:
- policy
resourceNames:
- istio-psp
resources:
- podsecuritypolicies
verbs:
- use
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: istio-psp
namespace: istio-system
spec:
allowPrivilegeEscalation: false
forbiddenSysctls:
- '*'
fsGroup:
ranges:
- max: 65535
min: 1
rule: MustRunAs
requiredDropCapabilities:
- ALL
runAsUser:
rule: MustRunAsNonRoot
runAsGroup:
rule: MustRunAs
ranges:
- min: 1
max: 65535
seLinux:
rule: RunAsAny
supplementalGroups:
ranges:
- max: 65535
min: 1
rule: MustRunAs
volumes:
- configMap
- emptyDir
- projected
- secret
- downwardAPI
- persistentVolumeClaim
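Review bot: The `istio-psp` RoleBinding lists the `default` ServiceAccount as a subject (L160-161), which lets every pod in `istio-system` that does not set `serviceAccountName` use this policy rather than only the control-plane accounts it is meant for; remove that subject, or add a comment naming the workload that runs under `default` and needs it. Several other subjects (`istio-mixer-service-account`, `istio-sidecar-injector-service-account`, `istiocoredns-service-account`) appear to belong to components this chart may no longer deploy; if so, each is a dormant grant that should be pruned. `metadata.namespace: istio-system` on the PodSecurityPolicy (L182) is ignored for a cluster-scoped resource and should be dropped, as should the same field on the `kiali-psp` policy later in this commit.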
Expand Up @@ -39,4 +39,7 @@ spec:
name: istio-installer-overlay
{{ end }}
serviceAccountName: istio-installer
securityContext:
runAsUser: 101
runAsGroup: 101
restartPolicy: OnFailure
4 changes: 2 additions & 2 deletions packages/rancher-istio/package.yaml
@@ -1,3 +1,3 @@
url: local
packageVersion: 00
releaseCandidateVersion: 01
packageVersion: 01
releaseCandidateVersion: 00
@@ -0,0 +1,65 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kiali-psp
namespace: istio-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kiali-psp
subjects:
- kind: ServiceAccount
name: kiali
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: kiali-psp
namespace: istio-system
rules:
- apiGroups:
- policy
resourceNames:
- kiali-psp
resources:
- podsecuritypolicies
verbs:
- use
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: kiali-psp
namespace: istio-system
spec:
allowPrivilegeEscalation: false
forbiddenSysctls:
- '*'
fsGroup:
ranges:
- max: 65535
min: 1
rule: MustRunAs
requiredDropCapabilities:
- ALL
runAsUser:
rule: MustRunAsNonRoot
runAsGroup:
rule: MustRunAs
ranges:
- min: 1
max: 65535
seLinux:
rule: RunAsAny
supplementalGroups:
ranges:
- max: 65535
min: 1
rule: MustRunAs
volumes:
- configMap
- emptyDir
- projected
- secret
- downwardAPI
- persistentVolumeClaim
4 changes: 2 additions & 2 deletions packages/rancher-kiali-server/package.yaml
@@ -1,6 +1,6 @@
url: https://kiali.org/helm-charts/kiali-server-1.29.0.tgz
packageVersion: 00
releaseCandidateVersion: 01
packageVersion: 01
releaseCandidateVersion: 00
additionalCharts:
- workingDir: charts-crd
crdOptions:
4 changes: 4 additions & 0 deletions packages/rancher-tracing/charts/templates/deployment.yaml
Expand Up @@ -68,6 +68,10 @@ spec:
affinity:
{{- include "nodeAffinity" . | indent 6 }}
{{- include "podAntiAffinity" . | indent 6 }}
securityContext:
runAsNonRoot: true
runAsUser: 1000
serviceAccountName: {{ include "tracing.fullname" . }}
{{- if eq .Values.jaeger.spanStorageType "badger" }}
volumes:
- name: data
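Review bot: The new pod-level `securityContext` sets `runAsNonRoot: true` and `runAsUser: 1000` (L317-319) but no `fsGroup`, while the deployment mounts a data volume when `spanStorageType` is `badger` (L321-323); on a persistent volume that directory may not be writable by uid 1000 unless `fsGroup` is set, and the accompanying PodSecurityPolicy is expected to default it to the bottom of its `MustRunAs` range instead. Add `fsGroup: 1000` beside `runAsUser`, and consider sourcing the uid/gid from values rather than hard-coding them so operators can match their image. The enclosing pod template starts outside the hunk.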
84 changes: 84 additions & 0 deletions packages/rancher-tracing/charts/templates/psp.yaml
@@ -0,0 +1,84 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "tracing.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Values.provider }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "tracing.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Values.provider }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "tracing.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "tracing.fullname" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "tracing.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Values.provider }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups:
- policy
resourceNames:
- {{ include "tracing.fullname" . }}
resources:
- podsecuritypolicies
verbs:
- use
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ include "tracing.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Values.provider }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
allowPrivilegeEscalation: false
forbiddenSysctls:
- '*'
fsGroup:
ranges:
- max: 65535
min: 1
rule: MustRunAs
requiredDropCapabilities:
- ALL
runAsUser:
rule: MustRunAsNonRoot
runAsGroup:
rule: MustRunAs
ranges:
- min: 1
max: 65535
seLinux:
rule: RunAsAny
supplementalGroups:
ranges:
- max: 65535
min: 1
rule: MustRunAs
volumes:
- emptyDir
- secret
- persistentVolumeClaim
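Review bot: The PodSecurityPolicy named `{{ include "tracing.fullname" . }}` (L377) is cluster-scoped, so two releases of this chart in different namespaces would contend for the same policy object unless `tracing.fullname` already embeds the namespace; either prefix the PSP name with `{{ .Release.Namespace }}` or document that one release per cluster is supported. `metadata.namespace: {{ .Release.Namespace }}` on the PSP (L378) has no effect for the same reason and should be dropped. The templated label values (`app: {{ .Values.provider }}`, `release: {{ .Release.Name }}`) are unquoted; write them as `app: "{{ .Values.provider }}"` so a value that renders empty or number-like is still a string label. The policy also omits `hostNetwork`, `hostPID` and `hostIPC`; they default to false, but spelling them out as `false` matches `istio-install-psp.yaml` and makes the intent visible.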
