Merge pull request #325 from hashicorp/psps

Enterprise License Job PodSecurityPolicy
hashicorp · Jan 10, 2020 · 1e9f22f · 1e9f22f
2 parents 895f0a9 + 13030c4
commit 1e9f22f
Show file tree

Hide file tree

Showing 15 changed files with 156 additions and 118 deletions.
diff --git a/templates/client-podsecuritypolicy.yaml b/templates/client-podsecuritypolicy.yaml
@@ -41,7 +41,6 @@ spec:
   hostIPC: false
   hostPID: false
   runAsUser:
-    # Require the container to run without root privileges.
     rule: 'RunAsAny'
   seLinux:
     rule: 'RunAsAny'

diff --git a/templates/client-snapshot-agent-podsecuritypolicy.yaml b/templates/client-snapshot-agent-podsecuritypolicy.yaml
@@ -28,7 +28,6 @@ spec:
   hostIPC: false
   hostPID: false
   runAsUser:
-    # Require the container to run without root privileges.
     rule: 'RunAsAny'
   seLinux:
     rule: 'RunAsAny'

diff --git a/templates/connect-inject-podsecuritypolicy.yaml b/templates/connect-inject-podsecuritypolicy.yaml
@@ -27,7 +27,6 @@ spec:
   hostIPC: false
   hostPID: false
   runAsUser:
-    # Require the container to run without root privileges.
     rule: 'RunAsAny'
   seLinux:
     rule: 'RunAsAny'

diff --git a/templates/enterprise-license-clusterrole.yaml b/templates/enterprise-license-clusterrole.yaml
@@ -1,6 +1,4 @@
 {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
-{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}
-{{- if .Values.global.bootstrapACLs }}
 {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -11,7 +9,9 @@ metadata:
     chart: {{ template "consul.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
+{{- if or .Values.global.bootstrapACLs .Values.global.enablePodSecurityPolicies }}
 rules:
+{{- if .Values.global.bootstrapACLs }}
   - apiGroups: [""]
     resources:
       - secrets
@@ -20,6 +20,16 @@ rules:
     verbs:
       - get
 {{- end }}
+{{- if .Values.global.enablePodSecurityPolicies }}
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    resourceNames:
+      - {{ template "consul.fullname" . }}-enterprise-license
+    verbs:
+      - use
+{{- end }}
+{{- else }}
+rules: []
 {{- end }}
 {{- end }}
 {{- end }}
diff --git a/templates/enterprise-license-clusterrolebinding.yaml b/templates/enterprise-license-clusterrolebinding.yaml
@@ -1,6 +1,4 @@
 {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
-{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}
-{{- if .Values.global.bootstrapACLs }}
 {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -21,5 +19,3 @@ subjects:
     namespace: {{ .Release.Namespace }}
 {{- end }}
 {{- end }}
-{{- end }}
-{{- end }}
diff --git a/templates/enterprise-license-job.yaml b/templates/enterprise-license-job.yaml
@@ -30,9 +30,7 @@ spec:
         component: license
     spec:
       restartPolicy: Never
-      {{- if .Values.global.bootstrapACLs }}
       serviceAccountName: {{ template "consul.fullname" . }}-enterprise-license
-      {{- end }}
       containers:
         - name: apply-enterprise-license
           image: "{{ default .Values.global.image .Values.server.image }}"

diff --git a/templates/enterprise-license-podsecuritypolicy.yaml b/templates/enterprise-license-podsecuritypolicy.yaml
@@ -0,0 +1,37 @@
+{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
+{{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }}
+{{- if .Values.global.enablePodSecurityPolicies }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "consul.fullname" . }}-enterprise-license
+  labels:
+    app: {{ template "consul.name" . }}
+    chart: {{ template "consul.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+spec:
+  privileged: false
+  # Allow core volume types.
+  volumes:
+    - 'secret'
+  allowPrivilegeEscalation: false
+  # This is redundant with non-root + disallow privilege escalation,
+  # but we can provide it for defense in depth.
+  requiredDropCapabilities:
+    - ALL
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+  readOnlyRootFilesystem: false
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/templates/enterprise-license-serviceaccount.yaml b/templates/enterprise-license-serviceaccount.yaml
@@ -1,6 +1,4 @@
 {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
-{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}
-{{- if .Values.global.bootstrapACLs }}
 {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }}
 apiVersion: v1
 kind: ServiceAccount
@@ -14,5 +12,3 @@ metadata:
     release: {{ .Release.Name }}
 {{- end }}
 {{- end }}
-{{- end }}
-{{- end }}
diff --git a/templates/mesh-gateway-podsecuritypolicy.yaml b/templates/mesh-gateway-podsecuritypolicy.yaml
@@ -28,7 +28,6 @@ spec:
   hostIPC: false
   hostPID: false
   runAsUser:
-    # Require the container to run without root privileges.
     rule: 'RunAsAny'
   seLinux:
     rule: 'RunAsAny'

diff --git a/templates/sync-catalog-podsecuritypolicy.yaml b/templates/sync-catalog-podsecuritypolicy.yaml
@@ -27,7 +27,6 @@ spec:
   hostIPC: false
   hostPID: false
   runAsUser:
-    # Require the container to run without root privileges.
     rule: 'RunAsAny'
   seLinux:
     rule: 'RunAsAny'

diff --git a/test/unit/enterprise-license-clusterrole.bats b/test/unit/enterprise-license-clusterrole.bats
@@ -11,72 +11,87 @@ load _helpers
   [ "${actual}" = "false" ]
 }
 
-@test "enterpriseLicense/ClusterRole: disabled with global.bootstrapACLs=true" {
+@test "enterpriseLicense/ClusterRole: disabled with server=false, ent secret defined" {
   cd `chart_dir`
   local actual=$(helm template \
       -x templates/enterprise-license-clusterrole.yaml  \
-      --set 'global.bootstrapACLs=true' \
+      --set 'server.enabled=false' \
+      --set 'server.enterpriseLicense.secretName=foo' \
+      --set 'server.enterpriseLicense.secretKey=bar' \
       . | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 }
 
-@test "enterpriseLicense/ClusterRole: disabled with server=false, global.bootstrapACLs=true, ent secret defined" {
+@test "enterpriseLicense/ClusterRole: disabled when ent secretName missing" {
   cd `chart_dir`
   local actual=$(helm template \
       -x templates/enterprise-license-clusterrole.yaml  \
-      --set 'global.bootstrapACLs=true' \
-      --set 'server.enabled=false' \
-      --set 'server.enterpriseLicense.secretName=foo' \
       --set 'server.enterpriseLicense.secretKey=bar' \
       . | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 }
 
-@test "enterpriseLicense/ClusterRole: disabled with client=false, global.bootstrapACLs=true, ent secret defined" {
+@test "enterpriseLicense/ClusterRole: disabled when ent secretKey missing" {
   cd `chart_dir`
   local actual=$(helm template \
       -x templates/enterprise-license-clusterrole.yaml  \
-      --set 'global.bootstrapACLs=true' \
-      --set 'client.enabled=false' \
       --set 'server.enterpriseLicense.secretName=foo' \
-      --set 'server.enterpriseLicense.secretKey=bar' \
       . | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 }
 
-@test "enterpriseLicense/ClusterRole: disabled when ent secretName missing" {
+@test "enterpriseLicense/ClusterRole: enabled when ent license defined" {
   cd `chart_dir`
   local actual=$(helm template \
       -x templates/enterprise-license-clusterrole.yaml  \
-      --set 'global.bootstrapACLs=true' \
+      --set 'server.enterpriseLicense.secretName=foo' \
       --set 'server.enterpriseLicense.secretKey=bar' \
       . | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
-  [ "${actual}" = "false" ]
+  [ "${actual}" = "true" ]
 }
 
-@test "enterpriseLicense/ClusterRole: disabled when ent secretKey missing" {
+@test "enterpriseLicense/ClusterRole: rules are empty if global.bootstrapACLs and global.enablePodSecurityPolicies are false" {
   cd `chart_dir`
   local actual=$(helm template \
       -x templates/enterprise-license-clusterrole.yaml  \
-      --set 'global.bootstrapACLs=true' \
       --set 'server.enterpriseLicense.secretName=foo' \
+      --set 'server.enterpriseLicense.secretKey=bar' \
       . | tee /dev/stderr |
-      yq 'length > 0' | tee /dev/stderr)
-  [ "${actual}" = "false" ]
+      yq '.rules | length' | tee /dev/stderr)
+  [ "${actual}" = "0" ]
 }
 
-@test "enterpriseLicense/ClusterRole: can be enabled" {
+#--------------------------------------------------------------------
+# global.bootstrapACLs
+
+@test "enterpriseLicense/ClusterRole: allows acl token when global.bootstrapACLs is true" {
   cd `chart_dir`
   local actual=$(helm template \
       -x templates/enterprise-license-clusterrole.yaml  \
+      --set 'server.enterpriseLicense.secretName=foo' \
+      --set 'server.enterpriseLicense.secretKey=bar' \
       --set 'global.bootstrapACLs=true' \
+      . | tee /dev/stderr |
+      yq -r '.rules | map(select(.resourceNames[0] == "release-name-consul-enterprise-license-acl-token")) | length' | tee /dev/stderr)
+  [ "${actual}" = "1" ]
+}
+
+
+#--------------------------------------------------------------------
+# global.enablePodSecurityPolicies
+
+@test "enterpriseLicense/ClusterRole: allows podsecuritypolicies access with global.enablePodSecurityPolicies=true" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/enterprise-license-clusterrole.yaml  \
       --set 'server.enterpriseLicense.secretName=foo' \
       --set 'server.enterpriseLicense.secretKey=bar' \
+      --set 'global.enablePodSecurityPolicies=true' \
       . | tee /dev/stderr |
-      yq 'length > 0' | tee /dev/stderr)
-  [ "${actual}" = "true" ]
+      yq -r '.rules | map(select(.resources[0] == "podsecuritypolicies")) | length' | tee /dev/stderr)
+  [ "${actual}" = "1" ]
 }
diff --git a/test/unit/enterprise-license-clusterrolebinding.bats b/test/unit/enterprise-license-clusterrolebinding.bats
@@ -11,21 +11,10 @@ load _helpers
   [ "${actual}" = "false" ]
 }
 
-@test "enterpriseLicense/ClusterRoleBinding: disabled with global.bootstrapACLs=true" {
+@test "enterpriseLicense/ClusterRoleBinding: disabled with server=false, ent secret defined" {
   cd `chart_dir`
   local actual=$(helm template \
       -x templates/enterprise-license-clusterrolebinding.yaml  \
-      --set 'global.bootstrapACLs=true' \
-      . | tee /dev/stderr |
-      yq 'length > 0' | tee /dev/stderr)
-  [ "${actual}" = "false" ]
-}
-
-@test "enterpriseLicense/ClusterRoleBinding: disabled with server=false, global.bootstrapACLs=true, ent secret defined" {
-  cd `chart_dir`
-  local actual=$(helm template \
-      -x templates/enterprise-license-clusterrolebinding.yaml  \
-      --set 'global.bootstrapACLs=true' \
       --set 'server.enabled=false' \
       --set 'server.enterpriseLicense.secretName=foo' \
       --set 'server.enterpriseLicense.secretKey=bar' \
@@ -34,24 +23,10 @@ load _helpers
   [ "${actual}" = "false" ]
 }
 
-@test "enterpriseLicense/ClusterRoleBinding: disabled with client=false, global.bootstrapACLs=true, ent secret defined" {
-  cd `chart_dir`
-  local actual=$(helm template \
-      -x templates/enterprise-license-clusterrolebinding.yaml  \
-      --set 'global.bootstrapACLs=true' \
-      --set 'client.enabled=false' \
-      --set 'server.enterpriseLicense.secretName=foo' \
-      --set 'server.enterpriseLicense.secretKey=bar' \
-      . | tee /dev/stderr |
-      yq 'length > 0' | tee /dev/stderr)
-  [ "${actual}" = "false" ]
-}
-
 @test "enterpriseLicense/ClusterRoleBinding: disabled when ent secretName missing" {
   cd `chart_dir`
   local actual=$(helm template \
       -x templates/enterprise-license-clusterrolebinding.yaml  \
-      --set 'global.bootstrapACLs=true' \
       --set 'server.enterpriseLicense.secretKey=bar' \
       . | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
@@ -62,18 +37,16 @@ load _helpers
   cd `chart_dir`
   local actual=$(helm template \
       -x templates/enterprise-license-clusterrolebinding.yaml  \
-      --set 'global.bootstrapACLs=true' \
       --set 'server.enterpriseLicense.secretName=foo' \
       . | tee /dev/stderr |
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 }
 
-@test "enterpriseLicense/ClusterRoleBinding: can be enabled" {
+@test "enterpriseLicense/ClusterRoleBinding: enabled when ent license defined" {
   cd `chart_dir`
   local actual=$(helm template \
       -x templates/enterprise-license-clusterrolebinding.yaml  \
-      --set 'global.bootstrapACLs=true' \
       --set 'server.enterpriseLicense.secretName=foo' \
       --set 'server.enterpriseLicense.secretKey=bar' \
       . | tee /dev/stderr |

diff --git a/test/unit/enterprise-license-job.bats b/test/unit/enterprise-license-job.bats
@@ -87,26 +87,3 @@ load _helpers
       yq -r '.command | any(contains("consul-k8s acl-init"))' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 }
-
-@test "server/EnterpriseLicense: no service account specified when global.bootstrapACLS=false" {
-  cd `chart_dir`
-  local actual=$(helm template \
-      -x templates/enterprise-license-job.yaml  \
-      --set 'server.enterpriseLicense.secretName=foo' \
-      --set 'server.enterpriseLicense.secretKey=bar' \
-      . | tee /dev/stderr |
-      yq '.spec.template.spec.serviceAccountName' | tee /dev/stderr)
-  [ "${actual}" = "null" ]
-}
-
-@test "server/EnterpriseLicense: service account specified when global.bootstrapACLS=true" {
-  cd `chart_dir`
-  local actual=$(helm template \
-      -x templates/enterprise-license-job.yaml  \
-      --set 'server.enterpriseLicense.secretName=foo' \
-      --set 'server.enterpriseLicense.secretKey=bar' \
-      --set 'global.bootstrapACLs=true' \
-      . | tee /dev/stderr |
-      yq '.spec.template.spec.serviceAccountName | contains("consul-enterprise-license")' | tee /dev/stderr)
-  [ "${actual}" = "true" ]
-}