PSP for kubedb operator

chart/kubedb-catalog/templates/elasticsearch-psp.yaml

@@ -8,21 +8,21 @@ spec:
   privileged: true  #Allowing privileged pods is necessary for ES db only!
   allowPrivilegeEscalation: true #Allowing privilege escalation is necessary for ES db only!
   volumes:
-    - '*'
+  - "*"
   hostNetwork: false
   hostIPC: false
   hostPID: false
   runAsUser:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   seLinux:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   supplementalGroups:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   fsGroup:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   allowedCapabilities:
-    - IPC_LOCK
-    - SYS_RESOURCE
+  - IPC_LOCK
+  - SYS_RESOURCE
 
 ---
 apiVersion: policy/v1beta1
@@ -35,15 +35,15 @@ spec:
   privileged: false
   allowPrivilegeEscalation: false
   volumes:
-    - '*'
+  - "*"
   hostNetwork: false
   hostIPC: false
   hostPID: false
   runAsUser:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   seLinux:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   supplementalGroups:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   fsGroup:
-    rule: 'RunAsAny'
+    rule: RunAsAny

chart/kubedb-catalog/templates/memcached-psp.yaml

@@ -8,15 +8,15 @@ spec:
   privileged: false
   allowPrivilegeEscalation: false
   volumes:
-    - '*'
+  - "*"
   hostNetwork: false
   hostIPC: false
   hostPID: false
   runAsUser:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   seLinux:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   supplementalGroups:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   fsGroup:
-    rule: 'RunAsAny'
+    rule: RunAsAny

chart/kubedb-catalog/templates/mongodb-psp.yaml

@@ -8,18 +8,18 @@ spec:
   privileged: false
   allowPrivilegeEscalation: false
   volumes:
-    - '*'
+  - "*"
   hostNetwork: false
   hostIPC: false
   hostPID: false
   runAsUser:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   seLinux:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   supplementalGroups:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   fsGroup:
-    rule: 'RunAsAny'
+    rule: RunAsAny
 
 ---
 apiVersion: policy/v1beta1
@@ -32,15 +32,15 @@ spec: #same spec as db
   privileged: false
   allowPrivilegeEscalation: false
   volumes:
-    - '*'
+  - "*"
   hostNetwork: false
   hostIPC: false
   hostPID: false
   runAsUser:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   seLinux:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   supplementalGroups:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   fsGroup:
-    rule: 'RunAsAny'
+    rule: RunAsAny

chart/kubedb-catalog/templates/mysql-psp.yaml

@@ -8,18 +8,18 @@ spec:
   privileged: false
   allowPrivilegeEscalation: false
   volumes:
-    - '*'
+  - "*"
   hostNetwork: false
   hostIPC: false
   hostPID: false
   runAsUser:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   seLinux:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   supplementalGroups:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   fsGroup:
-    rule: 'RunAsAny'
+    rule: RunAsAny
 
 ---
 apiVersion: policy/v1beta1
@@ -32,15 +32,15 @@ spec: #same spec as db
   privileged: false
   allowPrivilegeEscalation: false
   volumes:
-    - '*'
+  - "*"
   hostNetwork: false
   hostIPC: false
   hostPID: false
   runAsUser:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   seLinux:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   supplementalGroups:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   fsGroup:
-    rule: 'RunAsAny'
+    rule: RunAsAny

chart/kubedb-catalog/templates/postgres-psp.yaml

@@ -8,21 +8,21 @@ spec:
   privileged: false
   allowPrivilegeEscalation: false
   volumes:
-    - '*'
+  - "*"
   hostNetwork: false
   hostIPC: false
   hostPID: false
   runAsUser:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   seLinux:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   supplementalGroups:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   fsGroup:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   allowedCapabilities:
-    - IPC_LOCK
-    - SYS_RESOURCE
+  - IPC_LOCK
+  - SYS_RESOURCE
 
 ---
 apiVersion: policy/v1beta1
@@ -35,15 +35,15 @@ spec:
   privileged: false
   allowPrivilegeEscalation: false
   volumes:
-    - '*'
+  - "*"
   hostNetwork: false
   hostIPC: false
   hostPID: false
   runAsUser:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   seLinux:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   supplementalGroups:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   fsGroup:
-    rule: 'RunAsAny'
+    rule: RunAsAny

chart/kubedb-catalog/templates/redis-psp.yaml

@@ -8,15 +8,15 @@ spec:
   privileged: false
   allowPrivilegeEscalation: false
   volumes:
-    - '*'
+  - "*"
   hostNetwork: false
   hostIPC: false
   hostPID: false
   runAsUser:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   seLinux:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   supplementalGroups:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   fsGroup:
-    rule: 'RunAsAny'
+    rule: RunAsAny

chart/kubedb/README.md

@@ -76,6 +76,7 @@ The following table lists the configurable parameters of the KubeDB chart and th
 | `monitoring.agent`                      | Specify which monitoring agent to use for monitoring KubeDB operator. It accepts either `prometheus.io/builtin` or `prometheus.io/coreos-operator`.                        | `none`                                                    |
 | `monitoring.prometheus.namespace`       | Specify the namespace where Prometheus server is running or will be deployed.                                                                                              | Release namespace                                         |
 | `monitoring.serviceMonitor.labels`      | Specify the labels for ServiceMonitor. Prometheus crd will select ServiceMonitor using these labels. Only usable when monitoring agent is `prometheus.io/coreos-operator`. | `app: <generated app name>` and `release: <release name>` |
+| `additionalPodSecurityPolicies`         | Additional psp names passed to operator                                                                                                                                    | `[]`                                                      |
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example:
 

chart/kubedb/templates/cluster-role.yaml

@@ -107,4 +107,25 @@ rules:
   resources:
   - "pods/exec"
   verbs: ["create"]
+- apiGroups:
+  - policy
+  resources:
+  - podsecuritypolicies
+  verbs: ["use"]
+  resourceNames:
+  - {{ template "kubedb.fullname" . }}
+  - elasticsearch-db
+  - etcd-db
+  - memcached-db
+  - mongodb-db
+  - mysql-db
+  - postgres-db
+  - redis-db
+  - elasticsearch-snapshot
+  - mongodb-snapshot
+  - mysql-snapshot
+  - postgres-snapshot
+  {{- range $x := .Values.additionalPodSecurityPolicies }}
+  - {{ $x }}
+  {{- end }}
 {{ end }}

chart/kubedb/templates/operator-psp.yaml

@@ -0,0 +1,25 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "kubedb.fullname" . }}
+  labels:
+    {{- include "kubedb.labels" . | nindent 4 }}
+spec:
+  privileged: true  #Allowing privileged pods is necessary for ES db
+  allowPrivilegeEscalation: true #Allowing privilege escalation is necessary for ES db
+  volumes:
+  - "*"
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  fsGroup:
+    rule: RunAsAny
+  allowedCapabilities:
+  - IPC_LOCK
+  - SYS_RESOURCE

chart/kubedb/values.yaml

@@ -100,3 +100,9 @@ monitoring:
     namespace: ""
   serviceMonitor:
     labels: {}
+
+# Additional psp names passed to operator
+# example: helm template ./chart/kubedb \
+#            --set additionalPodSecurityPolicies[0]=abc \
+#            --set additionalPodSecurityPolicies[1]=xyz
+additionalPodSecurityPolicies: []

hack/deploy/kubedb.sh

@@ -469,6 +469,7 @@ if [ "$KUBEDB_ENABLE_RBAC" = true ]; then
 fi
 
 echo "Applying Pod Sucurity Policies"
+${SCRIPT_LOCATION}hack/deploy/psp/operator.yaml | $ONESSL envsubst | kubectl apply -f -
 ${SCRIPT_LOCATION}hack/deploy/psp/elasticsearch.yaml | $ONESSL envsubst | kubectl apply -f -
 ${SCRIPT_LOCATION}hack/deploy/psp/memcached.yaml | $ONESSL envsubst | kubectl apply -f -
 ${SCRIPT_LOCATION}hack/deploy/psp/mongodb.yaml | $ONESSL envsubst | kubectl apply -f -

hack/deploy/psp/elasticsearch.yaml

@@ -8,21 +8,21 @@ spec:
   privileged: true  #Allowing privileged pods is necessary for ES db only!
   allowPrivilegeEscalation: true #Allowing privilege escalation is necessary for ES db only!
   volumes:
-    - '*'
+  - "*"
   hostNetwork: false
   hostIPC: false
   hostPID: false
   runAsUser:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   seLinux:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   supplementalGroups:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   fsGroup:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   allowedCapabilities:
-    - IPC_LOCK
-    - SYS_RESOURCE
+  - IPC_LOCK
+  - SYS_RESOURCE
 
 ---
 # Snapshot YAMls
@@ -36,15 +36,15 @@ spec:
   privileged: false
   allowPrivilegeEscalation: false
   volumes:
-    - '*'
+  - "*"
   hostNetwork: false
   hostIPC: false
   hostPID: false
   runAsUser:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   seLinux:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   supplementalGroups:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   fsGroup:
-    rule: 'RunAsAny'
+    rule: RunAsAny

hack/deploy/psp/memcached.yaml

@@ -8,15 +8,15 @@ spec:
   privileged: false
   allowPrivilegeEscalation: false
   volumes:
-    - '*'
+  - "*"
   hostNetwork: false
   hostIPC: false
   hostPID: false
   runAsUser:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   seLinux:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   supplementalGroups:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   fsGroup:
-    rule: 'RunAsAny'
+    rule: RunAsAny