From 63e35ac32baab6ca3fc2c5e965b074c1749475f8 Mon Sep 17 00:00:00 2001 From: Eric Bailey Date: Tue, 23 Feb 2021 18:31:56 -0600 Subject: [PATCH] Support existing PSPs in Helm chart --- charts/ingress-nginx/CHANGELOG.md | 2 ++ charts/ingress-nginx/Chart.yaml | 2 +- .../admission-webhooks/job-patch/clusterrole.yaml | 4 ++++ .../templates/admission-webhooks/job-patch/psp.yaml | 2 +- charts/ingress-nginx/templates/controller-psp.yaml | 2 +- charts/ingress-nginx/templates/controller-role.yaml | 4 ++++ charts/ingress-nginx/templates/default-backend-psp.yaml | 2 +- charts/ingress-nginx/templates/default-backend-role.yaml | 4 ++++ charts/ingress-nginx/values.yaml | 9 +++++++++ 9 files changed, 27 insertions(+), 4 deletions(-) diff --git a/charts/ingress-nginx/CHANGELOG.md b/charts/ingress-nginx/CHANGELOG.md index 09aed21a7..060263550 100644 --- a/charts/ingress-nginx/CHANGELOG.md +++ b/charts/ingress-nginx/CHANGELOG.md @@ -4,6 +4,8 @@ This file documents all notable changes to [ingress-nginx](https://github.com/ku ### Unreleased +- [ ] [#6900](https://github.com/kubernetes/ingress-nginx/pull/6900) Support existing PSPs + ### 3.27.0 - Update ingress-nginx v0.45.0 diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml index 3eb0db28c..7f69fdbcc 100644 --- a/charts/ingress-nginx/Chart.yaml +++ b/charts/ingress-nginx/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: ingress-nginx # When the version is modified, make sure the artifacthub.io/changes list is updated # Also update CHANGELOG.md -version: 3.27.0 +version: 3.28.0 appVersion: 0.45.0 home: https://github.com/kubernetes/ingress-nginx description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml index 7eb57388d..fd762f935 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml @@ -22,6 +22,10 @@ rules: resources: ['podsecuritypolicies'] verbs: ['use'] resourceNames: + {{- with .Values.controller.admissionWebhooks.existingPsp }} + - {{ . }} + {{- else }} - {{ include "ingress-nginx.fullname" . }}-admission + {{- end }} {{- end }} {{- end }} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml index e8c8da94b..d2c7de685 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.podSecurityPolicy.enabled -}} +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.podSecurityPolicy.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: diff --git a/charts/ingress-nginx/templates/controller-psp.yaml b/charts/ingress-nginx/templates/controller-psp.yaml index 3b98b4666..bdb856310 100644 --- a/charts/ingress-nginx/templates/controller-psp.yaml +++ b/charts/ingress-nginx/templates/controller-psp.yaml @@ -1,4 +1,4 @@ -{{- if .Values.podSecurityPolicy.enabled -}} +{{- if and .Values.podSecurityPolicy.enabled (empty .Values.controller.existingPsp) -}} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: diff --git a/charts/ingress-nginx/templates/controller-role.yaml b/charts/ingress-nginx/templates/controller-role.yaml index e10091829..52f830315 100644 --- a/charts/ingress-nginx/templates/controller-role.yaml +++ b/charts/ingress-nginx/templates/controller-role.yaml @@ -82,6 +82,10 @@ rules: - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}] resources: ['podsecuritypolicies'] verbs: ['use'] + {{- with .Values.controller.existingPsp }} + resourceNames: [{{ . }}] + {{- else }} resourceNames: [{{ include "ingress-nginx.fullname" . }}] + {{- end }} {{- end }} {{- end }} diff --git a/charts/ingress-nginx/templates/default-backend-psp.yaml b/charts/ingress-nginx/templates/default-backend-psp.yaml index 055f434db..716dbf16f 100644 --- a/charts/ingress-nginx/templates/default-backend-psp.yaml +++ b/charts/ingress-nginx/templates/default-backend-psp.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}} +{{- if and .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled (empty .Values.defaultBackend.existingPsp) -}} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: diff --git a/charts/ingress-nginx/templates/default-backend-role.yaml b/charts/ingress-nginx/templates/default-backend-role.yaml index 23498de22..53b63b6bf 100644 --- a/charts/ingress-nginx/templates/default-backend-role.yaml +++ b/charts/ingress-nginx/templates/default-backend-role.yaml @@ -10,5 +10,9 @@ rules: - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}] resources: ['podsecuritypolicies'] verbs: ['use'] + {{- with .Values.defaultBackend.existingPsp }} + resourceNames: [{{ . }}] + {{- else }} resourceNames: [{{ include "ingress-nginx.fullname" . }}-backend] + {{- end }} {{- end }} diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 6204f8d67..49b9ca942 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -18,6 +18,9 @@ controller: runAsUser: 101 allowPrivilegeEscalation: true + # Use an existing PSP instead of creating one + existingPsp: "" + # Configures the ports the nginx-controller listens on containerPort: http: 80 @@ -473,6 +476,9 @@ controller: namespaceSelector: {} objectSelector: {} + # Use an existing PSP instead of creating one + existingPsp: "" + service: annotations: {} # clusterIP: "" @@ -609,6 +615,9 @@ defaultBackend: readOnlyRootFilesystem: true allowPrivilegeEscalation: false + # Use an existing PSP instead of creating one + existingPsp: "" + extraArgs: {} serviceAccount: