Merge pull request #6900 from yurrriq/existing-psp

Support existing PSPs in Helm chart

charts/ingress-nginx/CHANGELOG.md

@@ -4,6 +4,8 @@ This file documents all notable changes to [ingress-nginx](https://github.com/ku
 
 ### Unreleased
 
+- [ ] [#6900](https://github.com/kubernetes/ingress-nginx/pull/6900) Support existing PSPs
+
 ### 3.27.0
 
 - Update ingress-nginx v0.45.0

charts/ingress-nginx/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: ingress-nginx
 # When the version is modified, make sure the artifacthub.io/changes list is updated
 # Also update CHANGELOG.md
-version: 3.27.0
+version: 3.28.0
 appVersion: 0.45.0
 home: https://github.com/kubernetes/ingress-nginx
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer

charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml

@@ -22,6 +22,10 @@ rules:
     resources: ['podsecuritypolicies']
     verbs:     ['use']
     resourceNames:
+    {{- with .Values.controller.admissionWebhooks.existingPsp }}
+    - {{ . }}
+    {{- else }}
     - {{ include "ingress-nginx.fullname" . }}-admission
     {{- end }}
 {{- end }}
+{{- end }}

charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.podSecurityPolicy.enabled -}}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.podSecurityPolicy.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:

charts/ingress-nginx/templates/controller-psp.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.podSecurityPolicy.enabled -}}
+{{- if and .Values.podSecurityPolicy.enabled (empty .Values.controller.existingPsp) -}}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:

charts/ingress-nginx/templates/controller-role.yaml

@@ -82,6 +82,10 @@ rules:
   - apiGroups:      [{{ template "podSecurityPolicy.apiGroup" . }}]
     resources:      ['podsecuritypolicies']
     verbs:          ['use']
+    {{- with .Values.controller.existingPsp }}
+    resourceNames:  [{{ . }}]
+    {{- else }}
     resourceNames:  [{{ include "ingress-nginx.fullname" . }}]
     {{- end }}
 {{- end }}
+{{- end }}

charts/ingress-nginx/templates/default-backend-psp.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}}
+{{- if and .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled (empty .Values.defaultBackend.existingPsp) -}}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:

charts/ingress-nginx/templates/default-backend-role.yaml

@@ -10,5 +10,9 @@ rules:
   - apiGroups:      [{{ template "podSecurityPolicy.apiGroup" . }}]
     resources:      ['podsecuritypolicies']
     verbs:          ['use']
+    {{- with .Values.defaultBackend.existingPsp }}
+    resourceNames:  [{{ . }}]
+    {{- else }}
     resourceNames:  [{{ include "ingress-nginx.fullname" . }}-backend]
     {{- end }}
+{{- end }}

charts/ingress-nginx/values.yaml

@@ -18,6 +18,9 @@ controller:
     runAsUser: 101
     allowPrivilegeEscalation: true
 
+  # Use an existing PSP instead of creating one
+  existingPsp: ""
+
   # Configures the ports the nginx-controller listens on
   containerPort:
     http: 80
@@ -473,6 +476,9 @@ controller:
     namespaceSelector: {}
     objectSelector: {}
 
+    # Use an existing PSP instead of creating one
+    existingPsp: ""
+
     service:
       annotations: {}
       # clusterIP: ""
@@ -609,6 +615,9 @@ defaultBackend:
     readOnlyRootFilesystem: true
     allowPrivilegeEscalation: false
 
+  # Use an existing PSP instead of creating one
+  existingPsp: ""
+
   extraArgs: {}
 
   serviceAccount: