added SCC support
This commit is contained in:
parent
293071ae02
commit
2d7b1efa44
7 changed files with 166 additions and 1 deletions
|
@ -17,4 +17,15 @@ rules:
|
|||
verbs:
|
||||
- get
|
||||
- create
|
||||
{{- if .Values.securityContextConstraints.enabled }}
|
||||
- apiGroups: ['security.openshift.io']
|
||||
resources: ['securitycontextconstraints']
|
||||
verbs: ['use']
|
||||
resourceNames:
|
||||
{{- with .Values.controller.admissionWebhooks.existingScc }}
|
||||
- {{ . }}
|
||||
{{- else }}
|
||||
- {{ include "ingress-nginx.fullname" . }}-admission
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
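Review bot: The `resourceNames` under the new `securitycontextconstraints` rule is written in block style (`resourceNames:` followed by `- {{ . }}` / `- {{ include "ingress-nginx.fullname" . }}-admission`), while the equivalent rules this commit adds to the controller and default-backend roles use flow style (`resourceNames: [{{ . }}]`); both render the same list, but sibling templates should settle on one form. The values involved come from `include "ingress-nginx.fullname"` plus a fixed suffix, i.e. plain DNS-style names, so the unquoted scalar is safe in either form. The enclosing `rules:` list and the role's top-level condition begin outside the hunk.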
|
||||
|
|
|
@ -0,0 +1,40 @@
|
|||
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.securityContextConstraints.enabled (empty .Values.controller.admissionWebhooks.existingScc) -}}
|
||||
apiVersion: security.openshift.io/v1
|
||||
kind: SecurityContextConstraints
|
||||
metadata:
|
||||
name: {{ include "ingress-nginx.fullname" . }}-admission
|
||||
annotations:
|
||||
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
|
||||
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
|
||||
labels:
|
||||
{{- include "ingress-nginx.labels" . | nindent 4 }}
|
||||
app.kubernetes.io/component: admission-webhook
|
||||
allowHostDirVolumePlugin: false
|
||||
allowHostIPC: false
|
||||
allowHostNetwork: false
|
||||
allowHostPID: false
|
||||
allowHostPorts: false
|
||||
allowPrivilegeEscalation: false
|
||||
allowPrivilegedContainer: false
|
||||
allowedCapabilities:
|
||||
- NET_BIND_SERVICE
|
||||
requiredDropCapabilities:
|
||||
- ALL
|
||||
fsGroup:
|
||||
type: MustRunAs
|
||||
|
||||
priority: null
|
||||
readOnlyRootFilesystem: false
|
||||
runAsUser:
|
||||
type: MustRunAsNonRoot
|
||||
seLinuxContext:
|
||||
type: MustRunAs
|
||||
supplementalGroups:
|
||||
type: RunAsAny
|
||||
volumes:
|
||||
- configMap
|
||||
- emptyDir
|
||||
- projected
|
||||
- secret
|
||||
- downwardAPI
|
||||
{{- end }}
|
|
@ -88,4 +88,14 @@ rules:
|
|||
resourceNames: [{{ include "ingress-nginx.fullname" . }}]
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.securityContextConstraints.enabled }}
|
||||
- apiGroups: ['security.openshift.io']
|
||||
resources: ['securitycontextconstraints']
|
||||
verbs: ['use']
|
||||
{{- with .Values.controller.existingScc }}
|
||||
resourceNames: [{{ . }}]
|
||||
{{- else }}
|
||||
resourceNames: [{{ include "ingress-nginx.fullname" . }}]
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
39
charts/ingress-nginx/templates/controller-scc.yaml
Normal file
39
charts/ingress-nginx/templates/controller-scc.yaml
Normal file
|
@ -0,0 +1,39 @@
|
|||
{{- if and .Values.securityContextConstraints.enabled (empty .Values.controller.existingScc) -}}
|
||||
apiVersion: security.openshift.io/v1
|
||||
kind: SecurityContextConstraints
|
||||
metadata:
|
||||
name: {{ include "ingress-nginx.fullname" . }}
|
||||
labels:
|
||||
{{- include "ingress-nginx.labels" . | nindent 4 }}
|
||||
app.kubernetes.io/component: controller
|
||||
|
||||
allowHostDirVolumePlugin: false
|
||||
allowHostIPC: false
|
||||
allowHostNetwork: false
|
||||
allowHostPID: false
|
||||
allowHostPorts: false
|
||||
allowPrivilegeEscalation: false
|
||||
allowPrivilegedContainer: false
|
||||
allowedCapabilities:
|
||||
- NET_BIND_SERVICE
|
||||
requiredDropCapabilities:
|
||||
- ALL
|
||||
fsGroup:
|
||||
type: MustRunAs
|
||||
|
||||
priority: null
|
||||
readOnlyRootFilesystem: false
|
||||
runAsUser:
|
||||
type: MustRunAsNonRoot
|
||||
seLinuxContext:
|
||||
type: MustRunAs
|
||||
supplementalGroups:
|
||||
type: RunAsAny
|
||||
|
||||
volumes:
|
||||
- configMap
|
||||
- emptyDir
|
||||
- projected
|
||||
- secret
|
||||
- downwardAPI
|
||||
{{- end }}
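Review bot: `allowPrivilegeEscalation: false` is hard-coded in this SCC, whereas the controller container's securityContext is driven by chart values (the deployment template is not part of this diff); if that value defaults to `true` for the controller image, OpenShift admission would reject the controller pods as soon as this SCC is the only one its service account may `use`. Consider rendering the field from the same value the deployment uses, e.g. `allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }}`, which is presumably how the existing controller PSP template handles it — confirm the key against that template. The rest of the policy (host namespaces and host ports off, `requiredDropCapabilities: ALL` with only `NET_BIND_SERVICE` re-allowed, `MustRunAsNonRoot`, no `users`/`groups` so access is granted purely through the RBAC `use` rule) is appropriately tight.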
|
|
@ -1,4 +1,4 @@
|
|||
{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}}
|
||||
{{- if and .Values.rbac.create (or .Values.podSecurityPolicy.enabled .Values.securityContextConstraints.enabled) .Values.defaultBackend.enabled -}}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
|
@ -7,6 +7,7 @@ metadata:
|
|||
app.kubernetes.io/component: default-backend
|
||||
name: {{ include "ingress-nginx.fullname" . }}-backend
|
||||
rules:
|
||||
{{- if .Values.securityContextConstraints.enabled }}
|
||||
- apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}]
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
|
@ -16,3 +17,14 @@ rules:
|
|||
resourceNames: [{{ include "ingress-nginx.fullname" . }}-backend]
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.securityContextConstraints.enabled }}
|
||||
- apiGroups: ['security.openshift.io']
|
||||
resources: ['securitycontextconstraints']
|
||||
verbs: ['use']
|
||||
{{- with .Values.defaultBackend.existingScc }}
|
||||
resourceNames: [{{ . }}]
|
||||
{{- else }}
|
||||
resourceNames: [{{ include "ingress-nginx.fullname" . }}-backend]
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
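Review bot: The `{{- if .Values.securityContextConstraints.enabled }}` inserted directly above the existing `podsecuritypolicies` rule (second hunk) gates the PSP rule on the SCC flag instead of the PSP flag, and its matching `{{- end }}` in the third hunk closes right after the PSP rule's existing `{{- end }}`. With `podSecurityPolicy.enabled=true` and SCC disabled, the first hunk's new `or` condition still renders the Role, but with an empty `rules:` list, so the default-backend service account silently loses `use` on its PSP; with SCC enabled and PSP disabled, a `use` rule for a PSP that is never created is emitted. Change the guard to `{{- if .Values.podSecurityPolicy.enabled }}`, which mirrors how the controller role already wraps its PSP rule, and keep the SCC block's own `{{- if .Values.securityContextConstraints.enabled }}` as is.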
|
||||
|
|
39
charts/ingress-nginx/templates/default-backend-scc.yaml
Normal file
39
charts/ingress-nginx/templates/default-backend-scc.yaml
Normal file
|
@ -0,0 +1,39 @@
|
|||
{{- if and .Values.securityContextConstraints.enabled .Values.defaultBackend.enabled (empty .Values.defaultBackend.existingScc) -}}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: {{ include "ingress-nginx.fullname" . }}-backend
|
||||
labels:
|
||||
{{- include "ingress-nginx.labels" . | nindent 4 }}
|
||||
app.kubernetes.io/component: default-backend
|
||||
|
||||
allowHostDirVolumePlugin: false
|
||||
allowHostIPC: false
|
||||
allowHostNetwork: false
|
||||
allowHostPID: false
|
||||
allowHostPorts: false
|
||||
allowPrivilegeEscalation: false
|
||||
allowPrivilegedContainer: false
|
||||
allowedCapabilities:
|
||||
- NET_BIND_SERVICE
|
||||
requiredDropCapabilities:
|
||||
- ALL
|
||||
fsGroup:
|
||||
type: MustRunAs
|
||||
|
||||
priority: null
|
||||
readOnlyRootFilesystem: false
|
||||
runAsUser:
|
||||
type: MustRunAsNonRoot
|
||||
seLinuxContext:
|
||||
type: MustRunAs
|
||||
supplementalGroups:
|
||||
type: RunAsAny
|
||||
|
||||
volumes:
|
||||
- configMap
|
||||
- emptyDir
|
||||
- projected
|
||||
- secret
|
||||
- downwardAPI
|
||||
{{- end }}
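Review bot: This template is rendered only when `securityContextConstraints.enabled` is set and its body uses SCC-only fields (`allowHostDirVolumePlugin`, `allowPrivilegedContainer`, `priority`, `runAsUser.type`, …), yet the header declares `apiVersion: policy/v1beta1` / `kind: PodSecurityPolicy`; depending on the server's validation settings those fields are either rejected or pruned, so the default backend ends up with no SCC and the `use` rule added to its Role points at an object that does not exist. Replace the two header lines with `apiVersion: security.openshift.io/v1` and `kind: SecurityContextConstraints`, matching controller-scc.yaml in this commit.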
|
|
@ -21,6 +21,9 @@ controller:
|
|||
# Use an existing PSP instead of creating one
|
||||
existingPsp: ""
|
||||
|
||||
# Use an existing SCC instead of creating one
|
||||
existingScc: ""
|
||||
|
||||
# Configures the controller container name
|
||||
containerName: controller
|
||||
|
||||
|
@ -502,6 +505,9 @@ controller:
|
|||
# Use an existing PSP instead of creating one
|
||||
existingPsp: ""
|
||||
|
||||
# Use an existing SCC instead of creating one
|
||||
existingScc: ""
|
||||
|
||||
service:
|
||||
annotations: {}
|
||||
# clusterIP: ""
|
||||
|
@ -643,6 +649,9 @@ defaultBackend:
|
|||
# Use an existing PSP instead of creating one
|
||||
existingPsp: ""
|
||||
|
||||
# Use an existing SCC instead of creating one
|
||||
existingScc: ""
|
||||
|
||||
extraArgs: {}
|
||||
|
||||
serviceAccount:
|
||||
|
@ -756,6 +765,11 @@ rbac:
|
|||
podSecurityPolicy:
|
||||
enabled: false
|
||||
|
||||
# If true, create & use SecurityContextConstraints resources
|
||||
# https://docs.openshift.com/container-platform/4.7/authentication/managing-security-context-constraints.html
|
||||
securityContextConstraints:
|
||||
enabled: false
|
||||
|
||||
serviceAccount:
|
||||
create: true
|
||||
name: ""
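Review bot: The new `securityContextConstraints` comment does not say that enabling it renders `security.openshift.io/v1` objects, which exist only on OpenShift; a user on vanilla Kubernetes who flips it gets an install failure rather than a no-op, and none of the new templates guards with `.Capabilities.APIVersions.Has`. Suggest extending the comment: `# OpenShift only: renders security.openshift.io/v1 SecurityContextConstraints and the matching 'use' RBAC rules`. The three `existingScc` comments could likewise state that the named SCC must already exist, since the chart only grants `use` on it and neither creates nor validates it.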
|
||||
|
|