
PSP for kubedb operator (#411)
iamrz1 authored and tamalsaha committed Mar 18, 2019
1 parent 83f9556 commit 02828a9
Showing 19 changed files with 208 additions and 108 deletions.
24 changes: 12 additions & 12 deletions chart/kubedb-catalog/templates/elasticsearch-psp.yaml
Expand Up @@ -8,21 +8,21 @@ spec:
privileged: true #Allowing privileged pods is necessary for ES db only!
allowPrivilegeEscalation: true #Allowing privilege escalation is necessary for ES db only!
volumes:
- '*'
- "*"
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'RunAsAny'
rule: RunAsAny
seLinux:
rule: 'RunAsAny'
rule: RunAsAny
supplementalGroups:
rule: 'RunAsAny'
rule: RunAsAny
fsGroup:
rule: 'RunAsAny'
rule: RunAsAny
allowedCapabilities:
- IPC_LOCK
- SYS_RESOURCE
- IPC_LOCK
- SYS_RESOURCE

---
apiVersion: policy/v1beta1
Expand All @@ -35,15 +35,15 @@ spec:
privileged: false
allowPrivilegeEscalation: false
volumes:
- '*'
- "*"
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'RunAsAny'
rule: RunAsAny
seLinux:
rule: 'RunAsAny'
rule: RunAsAny
supplementalGroups:
rule: 'RunAsAny'
rule: RunAsAny
fsGroup:
rule: 'RunAsAny'
rule: RunAsAny
10 changes: 5 additions & 5 deletions chart/kubedb-catalog/templates/memcached-psp.yaml
Expand Up @@ -8,15 +8,15 @@ spec:
privileged: false
allowPrivilegeEscalation: false
volumes:
- '*'
- "*"
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'RunAsAny'
rule: RunAsAny
seLinux:
rule: 'RunAsAny'
rule: RunAsAny
supplementalGroups:
rule: 'RunAsAny'
rule: RunAsAny
fsGroup:
rule: 'RunAsAny'
rule: RunAsAny
20 changes: 10 additions & 10 deletions chart/kubedb-catalog/templates/mongodb-psp.yaml
Expand Up @@ -8,18 +8,18 @@ spec:
privileged: false
allowPrivilegeEscalation: false
volumes:
- '*'
- "*"
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'RunAsAny'
rule: RunAsAny
seLinux:
rule: 'RunAsAny'
rule: RunAsAny
supplementalGroups:
rule: 'RunAsAny'
rule: RunAsAny
fsGroup:
rule: 'RunAsAny'
rule: RunAsAny

---
apiVersion: policy/v1beta1
Expand All @@ -32,15 +32,15 @@ spec: #same spec as db
privileged: false
allowPrivilegeEscalation: false
volumes:
- '*'
- "*"
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'RunAsAny'
rule: RunAsAny
seLinux:
rule: 'RunAsAny'
rule: RunAsAny
supplementalGroups:
rule: 'RunAsAny'
rule: RunAsAny
fsGroup:
rule: 'RunAsAny'
rule: RunAsAny
20 changes: 10 additions & 10 deletions chart/kubedb-catalog/templates/mysql-psp.yaml
Expand Up @@ -8,18 +8,18 @@ spec:
privileged: false
allowPrivilegeEscalation: false
volumes:
- '*'
- "*"
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'RunAsAny'
rule: RunAsAny
seLinux:
rule: 'RunAsAny'
rule: RunAsAny
supplementalGroups:
rule: 'RunAsAny'
rule: RunAsAny
fsGroup:
rule: 'RunAsAny'
rule: RunAsAny

---
apiVersion: policy/v1beta1
Expand All @@ -32,15 +32,15 @@ spec: #same spec as db
privileged: false
allowPrivilegeEscalation: false
volumes:
- '*'
- "*"
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'RunAsAny'
rule: RunAsAny
seLinux:
rule: 'RunAsAny'
rule: RunAsAny
supplementalGroups:
rule: 'RunAsAny'
rule: RunAsAny
fsGroup:
rule: 'RunAsAny'
rule: RunAsAny
24 changes: 12 additions & 12 deletions chart/kubedb-catalog/templates/postgres-psp.yaml
Expand Up @@ -8,21 +8,21 @@ spec:
privileged: false
allowPrivilegeEscalation: false
volumes:
- '*'
- "*"
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'RunAsAny'
rule: RunAsAny
seLinux:
rule: 'RunAsAny'
rule: RunAsAny
supplementalGroups:
rule: 'RunAsAny'
rule: RunAsAny
fsGroup:
rule: 'RunAsAny'
rule: RunAsAny
allowedCapabilities:
- IPC_LOCK
- SYS_RESOURCE
- IPC_LOCK
- SYS_RESOURCE

---
apiVersion: policy/v1beta1
Expand All @@ -35,15 +35,15 @@ spec:
privileged: false
allowPrivilegeEscalation: false
volumes:
- '*'
- "*"
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'RunAsAny'
rule: RunAsAny
seLinux:
rule: 'RunAsAny'
rule: RunAsAny
supplementalGroups:
rule: 'RunAsAny'
rule: RunAsAny
fsGroup:
rule: 'RunAsAny'
rule: RunAsAny
10 changes: 5 additions & 5 deletions chart/kubedb-catalog/templates/redis-psp.yaml
Expand Up @@ -8,15 +8,15 @@ spec:
privileged: false
allowPrivilegeEscalation: false
volumes:
- '*'
- "*"
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'RunAsAny'
rule: RunAsAny
seLinux:
rule: 'RunAsAny'
rule: RunAsAny
supplementalGroups:
rule: 'RunAsAny'
rule: RunAsAny
fsGroup:
rule: 'RunAsAny'
rule: RunAsAny
1 change: 1 addition & 0 deletions chart/kubedb/README.md
Expand Up @@ -76,6 +76,7 @@ The following table lists the configurable parameters of the KubeDB chart and th
| `monitoring.agent` | Specify which monitoring agent to use for monitoring KubeDB operator. It accepts either `prometheus.io/builtin` or `prometheus.io/coreos-operator`. | `none` |
| `monitoring.prometheus.namespace` | Specify the namespace where Prometheus server is running or will be deployed. | Release namespace |
| `monitoring.serviceMonitor.labels` | Specify the labels for ServiceMonitor. Prometheus crd will select ServiceMonitor using these labels. Only usable when monitoring agent is `prometheus.io/coreos-operator`. | `app: <generated app name>` and `release: <release name>` |
| `additionalPodSecurityPolicies` | Additional psp names passed to operator | `[]` |

Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example:

21 changes: 21 additions & 0 deletions chart/kubedb/templates/cluster-role.yaml
Expand Up @@ -107,4 +107,25 @@ rules:
resources:
- "pods/exec"
verbs: ["create"]
- apiGroups:
- policy
resources:
- podsecuritypolicies
verbs: ["use"]
resourceNames:
- {{ template "kubedb.fullname" . }}
- elasticsearch-db
- etcd-db
- memcached-db
- mongodb-db
- mysql-db
- postgres-db
- redis-db
- elasticsearch-snapshot
- mongodb-snapshot
- mysql-snapshot
- postgres-snapshot
{{- range $x := .Values.additionalPodSecurityPolicies }}
- {{ $x }}
{{- end }}
{{ end }}
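Review bot: The additional policy names are spliced in unquoted at `- {{ $x }}`, so a value that YAML types implicitly (all digits, `yes`/`no`, or a name starting with `*` or `&`) renders as a non-string or fails to parse; emit them as `- {{ $x | quote }}`. The `{{ end }}` on the hunk's last line closes a template block that begins above the hunk. The built-in list also names `etcd-db`, for which no PSP appears in this commit; an unmatched `resourceNames` entry is harmless to RBAC, but confirm the policy exists or drop the entry so the grant documents what is actually deployed.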
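--- /dev/null
+++ b/chart/kubedb/templates/operator-psp.yaml
@@ -0,0 +1,25 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+name: {{ template "kubedb.fullname" . }}
+labels:
+{{- include "kubedb.labels" . | nindent 4 }}
+spec:
+privileged: true #Allowing privileged pods is necessary for ES db
+allowPrivilegeEscalation: true #Allowing privilege escalation is necessary for ES db
+volumes:
+- "*"
+hostNetwork: false
+hostIPC: false
+hostPID: false
+runAsUser:
+rule: RunAsAny
+seLinux:
+rule: RunAsAny
+supplementalGroups:
+rule: RunAsAny
+fsGroup:
+rule: RunAsAny
+allowedCapabilities:
+- IPC_LOCK
+- SYS_RESOURCE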
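Review bot: The new operator PSP is as permissive as the Elasticsearch policy (`privileged: true`, `allowPrivilegeEscalation: true`, `volumes: ["*"]`, `IPC_LOCK`/`SYS_RESOURCE`) while its own comments justify this only for the ES database, which already has the separate `elasticsearch-db` policy granted in cluster-role.yaml. If the operator pod itself does not require these (the policy is named after the release, so it appears to be the one the operator's own pod falls under), it should be tightened to `privileged: false` and `allowPrivilegeEscalation: false`, with the `allowedCapabilities` stanza removed and `volumes` narrowed to the types the operator actually mounts. In any case the two comments should state what the operator needs rather than repeating the ES justification. A PSP that allows `privileged` together with `"*"` volumes gives any subject that can `use` it full access to the node, so the `resourceNames` grant in cluster-role.yaml should be reviewed alongside this file.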
6 changes: 6 additions & 0 deletions chart/kubedb/values.yaml
Expand Up @@ -100,3 +100,9 @@ monitoring:
namespace: ""
serviceMonitor:
labels: {}

# Additional psp names passed to operator
# example: helm template ./chart/kubedb \
# --set additionalPodSecurityPolicies[0]=abc \
# --set additionalPodSecurityPolicies[1]=xyz
additionalPodSecurityPolicies: []
1 change: 1 addition & 0 deletions hack/deploy/kubedb.sh
Expand Up @@ -469,6 +469,7 @@ if [ "$KUBEDB_ENABLE_RBAC" = true ]; then
fi

echo "Applying Pod Sucurity Policies"
${SCRIPT_LOCATION}hack/deploy/psp/operator.yaml | $ONESSL envsubst | kubectl apply -f -
${SCRIPT_LOCATION}hack/deploy/psp/elasticsearch.yaml | $ONESSL envsubst | kubectl apply -f -
${SCRIPT_LOCATION}hack/deploy/psp/memcached.yaml | $ONESSL envsubst | kubectl apply -f -
${SCRIPT_LOCATION}hack/deploy/psp/mongodb.yaml | $ONESSL envsubst | kubectl apply -f -
24 changes: 12 additions & 12 deletions hack/deploy/psp/elasticsearch.yaml
Expand Up @@ -8,21 +8,21 @@ spec:
privileged: true #Allowing privileged pods is necessary for ES db only!
allowPrivilegeEscalation: true #Allowing privilege escalation is necessary for ES db only!
volumes:
- '*'
- "*"
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'RunAsAny'
rule: RunAsAny
seLinux:
rule: 'RunAsAny'
rule: RunAsAny
supplementalGroups:
rule: 'RunAsAny'
rule: RunAsAny
fsGroup:
rule: 'RunAsAny'
rule: RunAsAny
allowedCapabilities:
- IPC_LOCK
- SYS_RESOURCE
- IPC_LOCK
- SYS_RESOURCE

---
# Snapshot YAMls
Expand All @@ -36,15 +36,15 @@ spec:
privileged: false
allowPrivilegeEscalation: false
volumes:
- '*'
- "*"
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'RunAsAny'
rule: RunAsAny
seLinux:
rule: 'RunAsAny'
rule: RunAsAny
supplementalGroups:
rule: 'RunAsAny'
rule: RunAsAny
fsGroup:
rule: 'RunAsAny'
rule: RunAsAny
10 changes: 5 additions & 5 deletions hack/deploy/psp/memcached.yaml
Expand Up @@ -8,15 +8,15 @@ spec:
privileged: false
allowPrivilegeEscalation: false
volumes:
- '*'
- "*"
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'RunAsAny'
rule: RunAsAny
seLinux:
rule: 'RunAsAny'
rule: RunAsAny
supplementalGroups:
rule: 'RunAsAny'
rule: RunAsAny
fsGroup:
rule: 'RunAsAny'
rule: RunAsAny
