added SCC support

This commit is contained in:
Anas El Barkani 2021-05-22 17:52:51 +02:00
parent 293071ae02
commit 2d7b1efa44
7 changed files with 166 additions and 1 deletions


@ -17,4 +17,15 @@ rules:
verbs: verbs:
- get - get
- create - create
{{- if .Values.securityContextConstraints.enabled }}
- apiGroups: ['security.openshift.io']
resources: ['securitycontextconstraints']
verbs: ['use']
resourceNames:
{{- with .Values.controller.admissionWebhooks.existingScc }}
- {{ . }}
{{- else }}
- {{ include "ingress-nginx.fullname" . }}-admission
{{- end }}
{{- end }}
{{- end }} {{- end }}
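Review bot: The new SCC rule mixes scalar styles inside one rule: `apiGroups`, `resources` and `verbs` are flow sequences while `resourceNames` is a block sequence, and the surrounding rules in this file (the `verbs:` list at the top of the hunk) are written in block style throughout. Pick one form for the rule; the flow form used by the controller and default-backend Roles in this commit would be `resourceNames: [{{ . }}]` and `resourceNames: [{{ include "ingress-nginx.fullname" . }}-admission]`, replacing the five-line `with`/`else` block body. The enclosing `rules:` list and the outer `if` start before this hunk.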


@ -0,0 +1,40 @@
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.securityContextConstraints.enabled (empty .Values.controller.admissionWebhooks.existingScc) -}}
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: admission-webhook
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities:
- NET_BIND_SERVICE
requiredDropCapabilities:
- ALL
fsGroup:
type: MustRunAs
priority: null
readOnlyRootFilesystem: false
runAsUser:
type: MustRunAsNonRoot
seLinuxContext:
type: MustRunAs
supplementalGroups:
type: RunAsAny
volumes:
- configMap
- emptyDir
- projected
- secret
- downwardAPI
{{- end }}
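Review bot: `allowedCapabilities: [NET_BIND_SERVICE]` appears to be copied from the controller SCC, but the pods this SCC is meant for are the admission patch hook Jobs (the file is gated on `admissionWebhooks.patch.enabled` on the first line), which presumably never bind a privileged port; dropping that entry, leaving `requiredDropCapabilities: [ALL]`, keeps the admission SCC at least-privilege. Separately, the SCC is itself a hook whose delete policy includes `hook-succeeded`, so confirm it is created before, and removed only after, the Jobs that are supposed to run under it; Helm orders same-weight hooks by kind, and a `helm.sh/hook-weight` annotation is the usual way to make that ordering explicit rather than implicit.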


@ -88,4 +88,14 @@ rules:
resourceNames: [{{ include "ingress-nginx.fullname" . }}] resourceNames: [{{ include "ingress-nginx.fullname" . }}]
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if .Values.securityContextConstraints.enabled }}
- apiGroups: ['security.openshift.io']
resources: ['securitycontextconstraints']
verbs: ['use']
{{- with .Values.controller.existingScc }}
resourceNames: [{{ . }}]
{{- else }}
resourceNames: [{{ include "ingress-nginx.fullname" . }}]
{{- end }}
{{- end }}
{{- end }} {{- end }}


@ -0,0 +1,39 @@
{{- if and .Values.securityContextConstraints.enabled (empty .Values.controller.existingScc) -}}
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
name: {{ include "ingress-nginx.fullname" . }}
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: controller
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities:
- NET_BIND_SERVICE
requiredDropCapabilities:
- ALL
fsGroup:
type: MustRunAs
priority: null
readOnlyRootFilesystem: false
runAsUser:
type: MustRunAsNonRoot
seLinuxContext:
type: MustRunAs
supplementalGroups:
type: RunAsAny
volumes:
- configMap
- emptyDir
- projected
- secret
- downwardAPI
{{- end }}
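Review bot: `allowPrivilegeEscalation: false` needs to be checked against the controller container's securityContext, which is not part of this commit: if the deployment sets `allowPrivilegeEscalation: true` (commonly required when a non-root process relies on file capabilities to bind ports 80/443), pods will be denied admission by this SCC and the failure only surfaces as a ReplicaSet event. Whichever value is correct, a comment on that line stating the dependency would help the next maintainer, e.g. `# must agree with the controller container securityContext — TODO confirm`. The same fields are duplicated in the admission SCC, so any change here should be mirrored there deliberately.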


@ -1,4 +1,4 @@
{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}} {{- if and .Values.rbac.create (or .Values.podSecurityPolicy.enabled .Values.securityContextConstraints.enabled) .Values.defaultBackend.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
@ -7,6 +7,7 @@ metadata:
app.kubernetes.io/component: default-backend app.kubernetes.io/component: default-backend
name: {{ include "ingress-nginx.fullname" . }}-backend name: {{ include "ingress-nginx.fullname" . }}-backend
rules: rules:
{{- if .Values.securityContextConstraints.enabled }}
- apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}] - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}]
resources: ['podsecuritypolicies'] resources: ['podsecuritypolicies']
verbs: ['use'] verbs: ['use']
@ -16,3 +17,14 @@ rules:
resourceNames: [{{ include "ingress-nginx.fullname" . }}-backend] resourceNames: [{{ include "ingress-nginx.fullname" . }}-backend]
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if .Values.securityContextConstraints.enabled }}
- apiGroups: ['security.openshift.io']
resources: ['securitycontextconstraints']
verbs: ['use']
{{- with .Values.defaultBackend.existingScc }}
resourceNames: [{{ . }}]
{{- else }}
resourceNames: [{{ include "ingress-nginx.fullname" . }}-backend]
{{- end }}
{{- end }}
{{- end }}
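Review bot: The `if` inserted directly under `rules:` in the second hunk tests `.Values.securityContextConstraints.enabled`, but the rule it guards is the PodSecurityPolicy rule, so with PSP enabled and SCC disabled the Role renders with no rules, and with SCC enabled alone a PSP rule is emitted for a policy the chart does not create. The guard should be `{{- if .Values.podSecurityPolicy.enabled }}`, matching the `or` added to the file-level condition in the first hunk. The SCC rule appended in the third hunk is guarded correctly and needs no change.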


@ -0,0 +1,39 @@
{{- if and .Values.securityContextConstraints.enabled .Values.defaultBackend.enabled (empty .Values.defaultBackend.existingScc) -}}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ include "ingress-nginx.fullname" . }}-backend
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: default-backend
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities:
- NET_BIND_SERVICE
requiredDropCapabilities:
- ALL
fsGroup:
type: MustRunAs
priority: null
readOnlyRootFilesystem: false
runAsUser:
type: MustRunAsNonRoot
seLinuxContext:
type: MustRunAs
supplementalGroups:
type: RunAsAny
volumes:
- configMap
- emptyDir
- projected
- secret
- downwardAPI
{{- end }}
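Review bot: `apiVersion: policy/v1beta1` and `kind: PodSecurityPolicy` on the second and third lines do not match the body, which is an OpenShift SecurityContextConstraints spec (allowHostDirVolumePlugin, requiredDropCapabilities, seLinuxContext, …) under a file-level condition on `securityContextConstraints.enabled`; rendered as a PSP the object has none of the fields a PSP requires, so no usable `-backend` SCC is ever created even though the default-backend Role grants `use` on that name. Change the two lines to `apiVersion: security.openshift.io/v1` and `kind: SecurityContextConstraints`, as in the controller and admission SCC files in this commit.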


@ -21,6 +21,9 @@ controller:
# Use an existing PSP instead of creating one # Use an existing PSP instead of creating one
existingPsp: "" existingPsp: ""
# Use an existing SCC instead of creating one
existingScc: ""
# Configures the controller container name # Configures the controller container name
containerName: controller containerName: controller
@ -502,6 +505,9 @@ controller:
# Use an existing PSP instead of creating one # Use an existing PSP instead of creating one
existingPsp: "" existingPsp: ""
# Use an existing SCC instead of creating one
existingScc: ""
service: service:
annotations: {} annotations: {}
# clusterIP: "" # clusterIP: ""
@ -643,6 +649,9 @@ defaultBackend:
# Use an existing PSP instead of creating one # Use an existing PSP instead of creating one
existingPsp: "" existingPsp: ""
# Use an existing SCC instead of creating one
existingScc: ""
extraArgs: {} extraArgs: {}
serviceAccount: serviceAccount:
@ -756,6 +765,11 @@ rbac:
podSecurityPolicy: podSecurityPolicy:
enabled: false enabled: false
# If true, create & use SecurityContextConstraints resources
# https://docs.openshift.com/container-platform/4.7/authentication/managing-security-context-constraints.html
securityContextConstraints:
enabled: false
serviceAccount: serviceAccount:
create: true create: true
name: "" name: ""
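Review bot: The comment on the new `securityContextConstraints` block should state that it is OpenShift-only: enabling it renders `security.openshift.io/v1` resources, which a plain Kubernetes API server does not serve, so the install fails there rather than degrading. Suggested wording: `# If true, create & use SecurityContextConstraints resources (OpenShift only; requires the security.openshift.io API)`. The three `existingScc` comments could likewise say that the named SCC must already exist and that the chart only grants `use` on it via the Role rules, since nothing in the chart validates the name.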