From c20a415fffda622d07261c2bb76b37450e8dd779 Mon Sep 17 00:00:00 2001
From: Matteo Ruina
Date: Tue, 30 Jun 2020 16:43:39 +0200
Subject: [PATCH] Add argocd-redis psp
---
charts/argo-cd/templates/_helpers.tpl | 11 ++++
.../argo-cd/templates/redis/deployment.yaml | 1 +
charts/argo-cd/templates/redis/psp.yaml | 66 +++++++++++++++++++
.../templates/redis/serviceaccount.yaml | 13 ++++
4 files changed, 91 insertions(+)
create mode 100644 charts/argo-cd/templates/redis/psp.yaml
create mode 100644 charts/argo-cd/templates/redis/serviceaccount.yaml
diff --git a/charts/argo-cd/templates/_helpers.tpl b/charts/argo-cd/templates/_helpers.tpl
index 8edaf216..62cf99fd 100644
--- a/charts/argo-cd/templates/_helpers.tpl
+++ b/charts/argo-cd/templates/_helpers.tpl
@@ -52,6 +52,17 @@ Create redis name and version as used by the chart label.
 {{- end -}}
 {{- end -}}
 
+{{/*
+Create the name of the redis service account to use
+*/}}
+{{- define "argo-cd.redisServiceAccountName" -}}
+{{- if .Values.redis.serviceAccount.create -}}
 {{ default (include "argo-cd.fullname" .) .Values.redis.serviceAccount.name }}
+{{- else -}}
 {{ default "default" .Values.redis.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Create argocd server name and version as used by the chart label.
 */}}
diff --git a/charts/argo-cd/templates/redis/deployment.yaml b/charts/argo-cd/templates/redis/deployment.yaml
index e5c673de..9600db04 100755
--- a/charts/argo-cd/templates/redis/deployment.yaml
+++ b/charts/argo-cd/templates/redis/deployment.yaml
@@ -81,6 +81,7 @@ spec:
 affinity:
 {{- toYaml .Values.redis.affinity | nindent 8 }}
 {{- end }}
+ serviceAccountName: {{ template "argo-cd.redisServiceAccountName" . }}
 {{- if .Values.redis.volumes }}
 volumes:
 {{- toYaml .Values.redis.volumes | nindent 8}}
diff --git a/charts/argo-cd/templates/redis/psp.yaml b/charts/argo-cd/templates/redis/psp.yaml
new file mode 100644
index 00000000..95c2d2f4
--- /dev/null
+++ b/charts/argo-cd/templates/redis/psp.yaml
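Review bot: The `create` branch of `argo-cd.redisServiceAccountName` defaults the account name to `include "argo-cd.fullname" .`, while every other redis resource in this commit (the PodSecurityPolicy, ClusterRole and RoleBinding in psp.yaml) is named from `argo-cd.redis.fullname`; if any other component's service-account helper also falls back to the chart fullname, two templates would render the same ServiceAccount name in one namespace and the redis pod would silently share that identity and whatever RBAC is bound to it. Suggest `{{ default (include "argo-cd.redis.fullname" .) .Values.redis.serviceAccount.name }}` so the default is redis-specific. The diffstat touches no values.yaml, so unless `redis.serviceAccount` and `redis.pspEnabled` already exist there, the `.Values.redis.serviceAccount.create` lookup presumably fails at render time with a nil-pointer error; the defaults (and README rows) should land in the same change. The helper comment could also state the fallback, e.g. `Returns the configured redis service account name, or "default" when creation is disabled`.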
@@ -0,0 +1,66 @@
+{{- if .Values.redis.pspEnabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ template "argo-cd.redis.fullname" . }}
+ labels:
+ helm.sh/chart: {{ include "argo-cd.chart" . }}
+ app.kubernetes.io/name: {{ include "argo-cd.name" . }}-{{ .Values.redis.name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+spec:
+ privileged: false
+ hostIPC: false
+ hostNetwork: false
+ hostPID: false
+ readOnlyRootFilesystem: false
+ allowPrivilegeEscalation: false
+ allowedCapabilities:
+ - '*'
+ fsGroup:
+ rule: RunAsAny
+ runAsUser:
+ rule: RunAsAny
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ volumes:
+ - '*'
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ template "argo-cd.redis.fullname" . }}-psp
+ labels:
+ helm.sh/chart: {{ include "argo-cd.chart" . }}
+ app.kubernetes.io/name: {{ include "argo-cd.name" . }}-{{ .Values.redis.name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+rules:
+ - apiGroups: ['policy']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames:
+ - {{ template "argo-cd.redis.fullname" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "argo-cd.redis.fullname" . }}-psp
+ labels:
+ helm.sh/chart: {{ include "argo-cd.chart" . }}
+ app.kubernetes.io/name: {{ include "argo-cd.name" . }}-{{ .Values.redis.name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "argo-cd.redis.fullname" . }}-psp
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "argo-cd.redisServiceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
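Review bot: The PodSecurityPolicy's `allowedCapabilities: ['*']`, `volumes: ['*']` and `seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'` leave it permitting nearly everything a non-privileged policy can, so binding it gives little assurance over having no policy; a redis pod needs no added Linux capabilities, and host-backed volume types should not be reachable through the redis account. Suggest dropping `allowedCapabilities`, adding `requiredDropCapabilities: [ALL]`, enumerating the volume types the deployment actually uses (it mounts `.Values.redis.volumes`, so the list may need to be values-driven), and pinning seccomp to `runtime/default`. Separately, the RoleBinding's subject is `argo-cd.redisServiceAccountName`, which the helper resolves to `default` when `serviceAccount.create` is false and no name is set; in that configuration the `use` grant extends to every pod in the release namespace running under the default account, not just redis, which is worth a comment or a values-level guard. A header comment naming the intent, e.g. `{{/* Least-privilege PSP for the redis deployment, bound only to its service account */}}`, would help the next reader judge changes to these fields.
```yaml
metadata:
  # … unchanged: name and labels …
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
  # … unchanged: privileged, host*, readOnlyRootFilesystem, allowPrivilegeEscalation …
  requiredDropCapabilities:
    - ALL
  # … unchanged: fsGroup, runAsUser, seLinux, supplementalGroups …
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - persistentVolumeClaim
```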
diff --git a/charts/argo-cd/templates/redis/serviceaccount.yaml b/charts/argo-cd/templates/redis/serviceaccount.yaml
new file mode 100644
index 00000000..a65b3c2c
--- /dev/null
+++ b/charts/argo-cd/templates/redis/serviceaccount.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.redis.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "argo-cd.redisServiceAccountName" . }}
+ labels:
+ app.kubernetes.io/name: {{ include "argo-cd.name" . }}-{{ .Values.redis.name }}
+ helm.sh/chart: {{ include "argo-cd.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/part-of: argocd
+ app.kubernetes.io/component: {{ .Values.redis.name }}
+{{- end }}
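Review bot: The ServiceAccount is created without `automountServiceAccountToken`, so every redis pod receives an API token by default; nothing in this commit shows redis using the API server (the account appears to exist only so the PSP RoleBinding has a subject), so `automountServiceAccountToken: false` on the account, or on the pod spec in deployment.yaml, would keep the redis container from holding a credential it does not need — confirm no sidecar or init container relies on it. Style: the labels here add `app.kubernetes.io/part-of: argocd` and `app.kubernetes.io/component`, which the PodSecurityPolicy, ClusterRole and RoleBinding in psp.yaml omit; one label set across the redis resources keeps selectors and dashboards consistent. A short header comment would also help, e.g. `{{/* Service account for the redis deployment; bound to the redis PSP in psp.yaml when pspEnabled is set */}}`.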