From 2d7b1efa44095d69aa34a70b059f33266cd10ff2 Mon Sep 17 00:00:00 2001
From: Anas El Barkani
Date: Sat, 22 May 2021 17:52:51 +0200
Subject: [PATCH] added SCC support
---
.../admission-webhooks/job-patch/role.yaml | 11 +++++
.../admission-webhooks/job-patch/scc.yaml | 40 +++++++++++++++++++
.../templates/controller-role.yaml | 10 +++++
.../templates/controller-scc.yaml | 39 ++++++++++++++++++
.../templates/default-backend-role.yaml | 14 ++++++-
.../templates/default-backend-scc.yaml | 39 ++++++++++++++++++
charts/ingress-nginx/values.yaml | 14 +++++++
7 files changed, 166 insertions(+), 1 deletion(-)
create mode 100644 charts/ingress-nginx/templates/admission-webhooks/job-patch/scc.yaml
create mode 100644 charts/ingress-nginx/templates/controller-scc.yaml
create mode 100644 charts/ingress-nginx/templates/default-backend-scc.yaml
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
index fe1c2ee7f..6499b5082 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
@@ -17,4 +17,15 @@ rules:
 verbs:
 - get
 - create
+{{- if .Values.securityContextConstraints.enabled }}
+ - apiGroups: ['security.openshift.io']
+ resources: ['securitycontextconstraints']
+ verbs: ['use']
+ resourceNames:
+ {{- with .Values.controller.admissionWebhooks.existingScc }}
+ - {{ . }}
+ {{- else }}
+ - {{ include "ingress-nginx.fullname" . }}-admission
+ {{- end }}
+{{- end }}
 {{- end }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/scc.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/scc.yaml
new file mode 100644
index 000000000..2cf830184
--- /dev/null
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/scc.yaml
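Review bot: The new rule's `resourceNames:` is written as a block sequence (`- {{ . }}` / `- {{ include "ingress-nginx.fullname" . }}-admission`) while the same rule added to controller-role.yaml and default-backend-role.yaml in this patch uses the flow form `resourceNames: [{{ . }}]`; one form across the three roles lets a reader compare the SCC grants side by side. Rendering is identical either way, so this is purely how the template is written, and the flow form keeps each `{{- with }}` / `{{- else }}` branch to a single line. The enclosing `if` that the final context `{{- end }}` closes starts outside this hunk.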
@@ -0,0 +1,40 @@
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.securityContextConstraints.enabled (empty .Values.controller.admissionWebhooks.existingScc) -}}
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+ name: {{ include "ingress-nginx.fullname" . }}-admission
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: admission-webhook
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: false
+allowPrivilegedContainer: false
+allowedCapabilities:
+- NET_BIND_SERVICE
+requiredDropCapabilities:
+- ALL
+fsGroup:
+ type: MustRunAs
+
+priority: null
+readOnlyRootFilesystem: false
+runAsUser:
+ type: MustRunAsNonRoot
+seLinuxContext:
+ type: MustRunAs
+supplementalGroups:
+ type: RunAsAny
+volumes:
+- configMap
+- emptyDir
+- projected
+- secret
+- downwardAPI
+{{- end }}
\ No newline at end of file
diff --git a/charts/ingress-nginx/templates/controller-role.yaml b/charts/ingress-nginx/templates/controller-role.yaml
index 52f830315..bb3e14e6a 100644
--- a/charts/ingress-nginx/templates/controller-role.yaml
+++ b/charts/ingress-nginx/templates/controller-role.yaml
@@ -88,4 +88,14 @@ rules:
 resourceNames: [{{ include "ingress-nginx.fullname" . }}]
 {{- end }}
 {{- end }}
+{{- if .Values.securityContextConstraints.enabled }}
+ - apiGroups: ['security.openshift.io']
+ resources: ['securitycontextconstraints']
+ verbs: ['use']
+ {{- with .Values.controller.existingScc }}
+ resourceNames: [{{ . }}]
+ {{- else }}
+ resourceNames: [{{ include "ingress-nginx.fullname" . }}]
+ {{- end }}
+{{- end }}
 {{- end }}
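Review bot: The admission SCC reproduces the controller's allowances verbatim, including `allowedCapabilities: - NET_BIND_SERVICE` and five volume types, for a pre/post-install hook Job whose pod spec is not part of this diff; a one-shot job that only talks to the API server has no obvious need to bind privileged ports, so unless its container actually requests that capability this file should carry `allowedCapabilities: []` and leave `requiredDropCapabilities: - ALL` as the only capability statement. Either way a one-line comment above `allowedCapabilities` saying why the job is granted it (or that the controller profile is reused on purpose) would spare the next reader from diffing the three SCC files. The file also lacks its trailing newline, as does controller-scc.yaml in the next hunk.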
diff --git a/charts/ingress-nginx/templates/controller-scc.yaml b/charts/ingress-nginx/templates/controller-scc.yaml
new file mode 100644
index 000000000..e0c4336b6
--- /dev/null
+++ b/charts/ingress-nginx/templates/controller-scc.yaml
@@ -0,0 +1,39 @@
+{{- if and .Values.securityContextConstraints.enabled (empty .Values.controller.existingScc) -}}
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+ name: {{ include "ingress-nginx.fullname" . }}
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: controller
+
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: false
+allowPrivilegedContainer: false
+allowedCapabilities:
+- NET_BIND_SERVICE
+requiredDropCapabilities:
+- ALL
+fsGroup:
+ type: MustRunAs
+
+priority: null
+readOnlyRootFilesystem: false
+runAsUser:
+ type: MustRunAsNonRoot
+seLinuxContext:
+ type: MustRunAs
+supplementalGroups:
+ type: RunAsAny
+
+volumes:
+- configMap
+- emptyDir
+- projected
+- secret
+- downwardAPI
+{{- end }}
\ No newline at end of file
diff --git a/charts/ingress-nginx/templates/default-backend-role.yaml b/charts/ingress-nginx/templates/default-backend-role.yaml
index 53b63b6bf..2b19ba53f 100644
--- a/charts/ingress-nginx/templates/default-backend-role.yaml
+++ b/charts/ingress-nginx/templates/default-backend-role.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}}
+{{- if and .Values.rbac.create (or .Values.podSecurityPolicy.enabled .Values.securityContextConstraints.enabled) .Values.defaultBackend.enabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
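Review bot: The hard-coded `allowPrivilegeEscalation: false` in this SCC is likely to reject the controller pod itself, because the chart's deployment template sets the container's allowPrivilegeEscalation from `.Values.controller.image.allowPrivilegeEscalation`, which as far as I recall defaults to true (the deployment template and that value are outside this diff, so please confirm). The chart's existing PSP template takes this and the host-network settings from values instead of fixing them, and the SCC should follow it, e.g. `allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }}` and `allowHostNetwork: {{ .Values.controller.hostNetwork }}`, with allowHostPorts tracking the controller's hostPort setting the same way. Otherwise enabling securityContextConstraints with default values produces a ReplicaSet whose pods fail SCC admission, with nothing in values.yaml pointing at the cause.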
@@ -7,6 +7,7 @@ metadata:
 app.kubernetes.io/component: default-backend
 name: {{ include "ingress-nginx.fullname" . }}-backend
 rules:
+{{- if .Values.securityContextConstraints.enabled }}
 - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}]
 resources: ['podsecuritypolicies']
 verbs: ['use']
@@ -16,3 +17,14 @@ rules:
 resourceNames: [{{ include "ingress-nginx.fullname" . }}-backend]
 {{- end }}
 {{- end }}
+{{- if .Values.securityContextConstraints.enabled }}
+ - apiGroups: ['security.openshift.io']
+ resources: ['securitycontextconstraints']
+ verbs: ['use']
+ {{- with .Values.defaultBackend.existingScc }}
+ resourceNames: [{{ . }}]
+ {{- else }}
+ resourceNames: [{{ include "ingress-nginx.fullname" . }}-backend]
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/ingress-nginx/templates/default-backend-scc.yaml b/charts/ingress-nginx/templates/default-backend-scc.yaml
new file mode 100644
index 000000000..4a02a83c5
--- /dev/null
+++ b/charts/ingress-nginx/templates/default-backend-scc.yaml
@@ -0,0 +1,39 @@
+{{- if and .Values.securityContextConstraints.enabled .Values.defaultBackend.enabled (empty .Values.defaultBackend.existingScc) -}}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ include "ingress-nginx.fullname" . }}-backend
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: default-backend
+
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: false
+allowPrivilegedContainer: false
+allowedCapabilities:
+- NET_BIND_SERVICE
+requiredDropCapabilities:
+- ALL
+fsGroup:
+ type: MustRunAs
+
+priority: null
+readOnlyRootFilesystem: false
+runAsUser:
+ type: MustRunAsNonRoot
+seLinuxContext:
+ type: MustRunAs
+supplementalGroups:
+ type: RunAsAny
+
+volumes:
+- configMap
+- emptyDir
+- projected
+- secret
+- downwardAPI
+{{- end }}
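Review bot: The `{{- if .Values.securityContextConstraints.enabled }}` inserted directly under `rules:` gates the existing PodSecurityPolicy `use` rule on the SCC flag rather than the PSP flag, since the context `{{- end }}` that used to close the file (second hunk, `@@ -16,3 +17,14 @@`) now closes this new guard. A release with podSecurityPolicy.enabled=true and securityContextConstraints.enabled=false therefore renders this Role with no rules at all and the default backend loses its PSP grant, while an SCC-only release emits a PSP rule for an object the chart never creates. The guard should read `{{- if .Values.podSecurityPolicy.enabled }}`, which is what the `or` added to the file's first hunk implies; the SCC rule added in the second hunk is fine as written.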
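Review bot: The new default-backend-scc.yaml declares `apiVersion: policy/v1beta1` / `kind: PodSecurityPolicy`, but everything below it (allowHostDirVolumePlugin, allowedCapabilities, seLinuxContext, volumes, …) is SecurityContextConstraints schema, so the rendered object is either rejected on apply or, at best, stored as a PSP that grants nothing while default-backend-role.yaml hands out `use` on a `-backend` SCC that never exists. The two lines after the template guard should be `apiVersion: security.openshift.io/v1` and `kind: SecurityContextConstraints`, matching controller-scc.yaml and the admission scc.yaml in this same patch. The backend SCC also inherits `allowedCapabilities: - NET_BIND_SERVICE` from the controller profile even though the default backend listens on an unprivileged port as far as this chart shows; dropping it here keeps that workload at the restricted baseline.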
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index cd1f90760..f7fb718fe 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -21,6 +21,9 @@ controller:
 # Use an existing PSP instead of creating one
 existingPsp: ""
+ # Use an existing SCC instead of creating one
+ existingScc: ""
+
 # Configures the controller container name
 containerName: controller
@@ -502,6 +505,9 @@ controller:
 # Use an existing PSP instead of creating one
 existingPsp: ""
+ # Use an existing SCC instead of creating one
+ existingScc: ""
+
 service:
 annotations: {}
 # clusterIP: ""
@@ -643,6 +649,9 @@ defaultBackend:
 # Use an existing PSP instead of creating one
 existingPsp: ""
+ # Use an existing SCC instead of creating one
+ existingScc: ""
+
 extraArgs: {}
 serviceAccount:
@@ -756,6 +765,11 @@ rbac:
 podSecurityPolicy:
 enabled: false
+# If true, create & use SecurityContextConstraints resources
+# https://docs.openshift.com/container-platform/4.7/authentication/managing-security-context-constraints.html
+securityContextConstraints:
+ enabled: false
+
 serviceAccount:
 create: true
 name: ""
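Review bot: The comment on the new `securityContextConstraints` key does not say that it is OpenShift-specific: `security.openshift.io/v1` is not served by upstream Kubernetes, so a user who enables it on any other distribution gets a failed install with no hint from values.yaml. Suggest `# If true, create & use SecurityContextConstraints resources (OpenShift only; requires the security.openshift.io/v1 API)` above the key, and on each of the three new `existingScc` entries a note that the value is the name of a cluster-scoped SCC the release's ServiceAccount will be granted `use` on. Documentation only; the values themselves look right.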