From adf5bf65a90a61f8d789a8d81a9a34afb8407a60 Mon Sep 17 00:00:00 2001 From: Yong Wen Chua Date: Fri, 26 Jun 2020 14:42:52 +0800 Subject: [PATCH] Support PodSecurityPolicy (#177) * Add PSP for server * Add PSP for Injector * Allow annotations to be templated Co-authored-by: Theron Voran --- templates/_helpers.tpl | 15 ++ templates/injector-psp-role.yaml | 17 ++ templates/injector-psp-rolebinding.yaml | 18 ++ templates/injector-psp.yaml | 43 ++++ templates/server-psp-role.yaml | 18 ++ templates/server-psp-rolebinding.yaml | 19 ++ templates/server-psp.yaml | 47 ++++ test/unit/injector-psp-role.bats | 35 +++ test/unit/injector-psp-rolebinding.bats | 35 +++ test/unit/injector-psp.bats | 70 ++++++ test/unit/server-psp-role.bats | 111 +++++++++ test/unit/server-psp-rolebinding.bats | 111 +++++++++ test/unit/server-psp.bats | 285 ++++++++++++++++++++++++ values.yaml | 10 + 14 files changed, 834 insertions(+) create mode 100644 templates/injector-psp-role.yaml create mode 100644 templates/injector-psp-rolebinding.yaml create mode 100644 templates/injector-psp.yaml create mode 100644 templates/server-psp-role.yaml create mode 100644 templates/server-psp-rolebinding.yaml create mode 100644 templates/server-psp.yaml create mode 100644 test/unit/injector-psp-role.bats create mode 100644 test/unit/injector-psp-rolebinding.bats create mode 100644 test/unit/injector-psp.bats create mode 100644 test/unit/server-psp-role.bats create mode 100644 test/unit/server-psp-rolebinding.bats create mode 100644 test/unit/server-psp.bats diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 31872fc..028d3bf 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -348,6 +348,21 @@ Sets extra vault server Service annotations {{- end }} {{- end -}} +{{/* +Sets PodSecurityPolicy annotations +*/}} +{{- define "vault.psp.annotations" -}} + {{- if .Values.global.psp.annotations }} + annotations: + {{- $tp := typeOf .Values.global.psp.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.global.psp.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.global.psp.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + {{/* Set's the container resources if the user has set any. */}} diff --git a/templates/injector-psp-role.yaml b/templates/injector-psp-role.yaml new file mode 100644 index 0000000..5fd2649 --- /dev/null +++ b/templates/injector-psp-role.yaml @@ -0,0 +1,17 @@ +{{- if and (eq (.Values.injector.enabled | toString) "true" ) (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "vault.fullname" . }}-agent-injector-psp + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +rules: +- apiGroups: ['policy'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - {{ template "vault.fullname" . }}-agent-injector +{{- end }} diff --git a/templates/injector-psp-rolebinding.yaml b/templates/injector-psp-rolebinding.yaml new file mode 100644 index 0000000..f7ae7fe --- /dev/null +++ b/templates/injector-psp-rolebinding.yaml 
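Review bot: Only the string branch of the new `vault.psp.annotations` helper is passed through `tpl`; the map branch goes straight to `toYaml`, so a map value containing template expressions is emitted literally even though values.yaml describes the setting as a templated string map. Either render both branches the same way, `{{- tpl (toYaml .Values.global.psp.annotations) . | nindent 4 }}`, or add `{{/* the YAML form is inserted verbatim, not templated */}}` above the `else` branch so the difference is deliberate and documented. The helper is complete within this hunk; the neighbouring `_helpers.tpl` definitions are outside it.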
@@ -0,0 +1,18 @@
+{{- if and (eq (.Values.injector.enabled | toString) "true" ) (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "vault.fullname" . }}-agent-injector-psp
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ include "vault.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+ kind: Role
+ name: {{ template "vault.fullname" . }}-agent-injector-psp
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "vault.fullname" . }}-agent-injector
+{{- end }}
diff --git a/templates/injector-psp.yaml b/templates/injector-psp.yaml
new file mode 100644
index 0000000..5871eb9
--- /dev/null
+++ b/templates/injector-psp.yaml
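Review bot: The ServiceAccount subject in injector-psp-rolebinding.yaml carries no `namespace`, unlike the Role and RoleBinding metadata a few lines above it, so the binding relies on the RBAC authorizer resolving an unqualified ServiceAccount subject against the binding's own namespace (I believe it does this for RoleBindings, but have not verified it against the API validation here). Making it explicit with `namespace: {{ .Release.Namespace }}` under the subject removes the ambiguity and matches how the Role is scoped. The same applies to the server RoleBinding added later in this patch.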
@@ -0,0 +1,43 @@
+{{- if and (eq (.Values.injector.enabled | toString) "true" ) (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ template "vault.fullname" . }}-agent-injector
+ labels:
+ app.kubernetes.io/name: {{ include "vault.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- template "vault.psp.annotations" . }}
+spec:
+ privileged: false
+ # Required to prevent escalations to root.
+ allowPrivilegeEscalation: false
+ volumes:
+ - configMap
+ - emptyDir
+ - projected
+ - secret
+ - downwardAPI
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ # Require the container to run without root privileges.
+ rule: MustRunAsNonRoot
+ seLinux:
+ # This policy assumes the nodes are using AppArmor rather than SELinux.
+ rule: RunAsAny
+ supplementalGroups:
+ rule: MustRunAs
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: MustRunAs
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ readOnlyRootFilesystem: false
+{{- end }}
diff --git a/templates/server-psp-role.yaml b/templates/server-psp-role.yaml
new file mode 100644
index 0000000..b4bea06
--- /dev/null
+++ b/templates/server-psp-role.yaml
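Review bot: The injector PodSecurityPolicy sets no `requiredDropCapabilities` and no `runAsGroup` rule, so a pod admitted under it keeps the runtime's default capability set and its primary GID is unconstrained even though `fsGroup` and `supplementalGroups` forbid the root group. If the injector container adds no capabilities (its Deployment is not in this patch, so please confirm), `requiredDropCapabilities: ['ALL']` and `runAsGroup: {rule: MustRunAs, ranges: [{min: 1, max: 65535}]}` would tighten the policy with no functional change. The comment on `seLinux` says the policy assumes AppArmor, but nothing in this spec enforces an AppArmor or seccomp profile — that comes only from the overridable annotations in values.yaml — so I would reword it to `# AppArmor/seccomp are applied through the PSP annotations, not here; SELinux is left unconstrained.`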
@@ -0,0 +1,18 @@
+{{ template "vault.mode" . }}
+{{- if and (ne .mode "") (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "vault.fullname" . }}-psp
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ include "vault.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+- apiGroups: ['policy']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames:
+ - {{ template "vault.fullname" . }}
+{{- end }}
diff --git a/templates/server-psp-rolebinding.yaml b/templates/server-psp-rolebinding.yaml
new file mode 100644
index 0000000..9231027
--- /dev/null
+++ b/templates/server-psp-rolebinding.yaml
@@ -0,0 +1,19 @@
+{{ template "vault.mode" . }}
+{{- if and (ne .mode "") (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "vault.fullname" . }}-psp
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ include "vault.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+ kind: Role
+ name: {{ template "vault.fullname" . }}-psp
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "vault.fullname" . }}
+{{- end }}
diff --git a/templates/server-psp.yaml b/templates/server-psp.yaml
new file mode 100644
index 0000000..32c1526
--- /dev/null
+++ b/templates/server-psp.yaml
@@ -0,0 +1,47 @@
+{{ template "vault.mode" . }}
+{{- if and (ne .mode "") (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ template "vault.fullname" . }}
+ labels:
+ app.kubernetes.io/name: {{ include "vault.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- template "vault.psp.annotations" . }}
+spec:
+ privileged: false
+ # Required to prevent escalations to root.
+ allowPrivilegeEscalation: false
+ volumes:
+ - configMap
+ - emptyDir
+ - projected
+ - secret
+ - downwardAPI
+ {{- if eq (.Values.server.dataStorage.enabled | toString) "true" }}
+ - persistentVolumeClaim
+ {{- end }}
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ # Require the container to run without root privileges.
+ rule: MustRunAsNonRoot
+ seLinux:
+ # This policy assumes the nodes are using AppArmor rather than SELinux.
+ rule: RunAsAny
+ supplementalGroups:
+ rule: MustRunAs
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: MustRunAs
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ readOnlyRootFilesystem: false
+{{- end }}
diff --git a/test/unit/injector-psp-role.bats b/test/unit/injector-psp-role.bats
new file mode 100644
index 0000000..c6dc522
--- /dev/null
+++ b/test/unit/injector-psp-role.bats
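Review bot: The server PodSecurityPolicy adds `persistentVolumeClaim` to `volumes` only when `server.dataStorage.enabled` is true, so any other PVC-backed volume the StatefulSet can mount (the StatefulSet is not in this patch — please check whether, for example, an audit-log volume is also claim-backed) would make pod creation fail with a PSP admission error once `dataStorage` is switched off; the gate should cover every PVC-backed volume the chart can render. As with the injector policy, `requiredDropCapabilities: ['ALL']` and a `runAsGroup` rule are missing, leaving the default capability set and an unconstrained primary GID — confirm the server container needs neither before adding them. Note also that `policy/v1beta1` PodSecurityPolicy is a beta API that has since been deprecated and removed from Kubernetes (v1.25), so a comment pointing operators at Pod Security Admission as the replacement would save future confusion.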
@@ -0,0 +1,35 @@ +#!/usr/bin/env bats + +load _helpers + +@test "injector/PodSecurityPolicy-Role: PodSecurityPolicy-Role not enabled by default" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/injector-psp-role.yaml \ + . || echo "---" ) | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "injector/PodSecurityPolicy-Role: enable with injector.enabled and global.psp.enable" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-psp-role.yaml \ + --set 'injector.enabled=true' \ + --set 'global.psp.enable=true' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "injector/PodSecurityPolicy-Role: disable with global.enabled" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/injector-psp-role.yaml \ + --set 'global.enabled=false' \ + --set 'injector.enabled=true' \ + --set 'global.psp.enable=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} diff --git a/test/unit/injector-psp-rolebinding.bats b/test/unit/injector-psp-rolebinding.bats new file mode 100644 index 0000000..f8a8255 --- /dev/null +++ b/test/unit/injector-psp-rolebinding.bats 
@@ -0,0 +1,35 @@ +#!/usr/bin/env bats + +load _helpers + +@test "injector/PodSecurityPolicy-RoleBinding: PodSecurityPolicy-RoleBinding not enabled by default" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/injector-psp-rolebinding.yaml \ + . || echo "---" ) | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "injector/PodSecurityPolicy-RoleBinding: enable with injector.enabled and global.psp.enable" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-psp-rolebinding.yaml \ + --set 'injector.enabled=true' \ + --set 'global.psp.enable=true' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "injector/PodSecurityPolicy-RoleBinding: disable with global.enabled" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/injector-psp-rolebinding.yaml \ + --set 'global.enabled=false' \ + --set 'injector.enabled=true' \ + --set 'global.psp.enable=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} diff --git a/test/unit/injector-psp.bats b/test/unit/injector-psp.bats new file mode 100644 index 0000000..fa14b0f --- /dev/null +++ b/test/unit/injector-psp.bats 
@@ -0,0 +1,70 @@ +#!/usr/bin/env bats + +load _helpers + +@test "injector/PodSecurityPolicy: PodSecurityPolicy not enabled by default" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/injector-psp.yaml \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "injector/PodSecurityPolicy: enable with injector.enabled and global.psp.enable" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-psp.yaml \ + --set 'injector.enabled=true' \ + --set 'global.psp.enable=true' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "injector/PodSecurityPolicy: disable with global.enabled" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/injector-psp.yaml \ + --set 'global.enabled=false' \ + --set 'injector.enabled=true' \ + --set 'global.psp.enable=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "injector/PodSecurityPolicy: annotations are templated correctly by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-psp.yaml \ + --set 'injector.enabled=true' \ + --set 'global.psp.enable=true' \ + . | tee /dev/stderr | + yq '.metadata.annotations | length == 4' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "injector/PodSecurityPolicy: annotations are added - string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-psp.yaml \ + --set 'injector.enabled=true' \ + --set 'global.psp.enable=true' \ + --set 'global.psp.annotations=vault-is: amazing' \ + . 
| tee /dev/stderr | + yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr) + [ "${actual}" = "amazing" ] +} + +@test "injector/PodSecurityPolicy: annotations are added - object" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-psp.yaml \ + --set 'injector.enabled=true' \ + --set 'global.psp.enable=true' \ + --set 'global.psp.annotations.vault-is=amazing' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr) + [ "${actual}" = "amazing" ] +} diff --git a/test/unit/server-psp-role.bats b/test/unit/server-psp-role.bats new file mode 100644 index 0000000..1d3e62c --- /dev/null +++ b/test/unit/server-psp-role.bats 
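Review bot: The `annotations are templated correctly by default` test only checks `.metadata.annotations | length == 4`, so a regression that renames or mistypes one of the seccomp/AppArmor keys still passes; assert the keys themselves, e.g. `yq -r '.metadata.annotations["seccomp.security.alpha.kubernetes.io/defaultProfileName"]'` expecting `runtime/default`. The `annotations are added - object` test should also pin the override semantics it exercises: with `--set global.psp.annotations.vault-is=amazing` the map should replace the default string outright (Helm cannot merge a map into a string), so adding `yq '.metadata.annotations | length == 1'` would document that the hardening annotations are dropped in that case rather than leaving it implicit.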
@@ -0,0 +1,111 @@ +#!/usr/bin/env bats + +load _helpers + +@test "server/PSP-Role: PSP-Role not enabled by default" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-psp-role.yaml \ + --set 'server.dev.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/server-psp-role.yaml \ + --set 'server.ha.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/server-psp-role.yaml \ + --set 'server.standalone.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/PSP-Role: PSP-Role can be enabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-psp-role.yaml \ + --set 'server.dev.enabled=true' \ + --set 'global.psp.enable=true' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(helm template \ + --show-only templates/server-psp-role.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.psp.enable=true' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(helm template \ + --show-only templates/server-psp-role.yaml \ + --set 'server.standalone.enabled=true' \ + --set 'global.psp.enable=true' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/PSP-Role: disable with global.enabled false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-psp-role.yaml \ + --set 'server.dev.enabled=true' \ + --set 'global.enabled=false' \ + --set 'global.psp.enable=true' \ + . 
|| echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/server-psp-role.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.enabled=false' \ + --set 'global.psp.enable=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/server-psp-role.yaml \ + --set 'server.standalone.enabled=true' \ + --set 'global.enabled=false' \ + --set 'global.psp.enable=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/PSP-Role: disable with global.psp.enable false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-psp-role.yaml \ + --set 'server.dev.enabled=true' \ + --set 'global.psp.enable=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/server-psp-role.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.psp.enable=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/server-psp-role.yaml \ + --set 'server.standalone.enabled=true' \ + --set 'global.psp.enable=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} diff --git a/test/unit/server-psp-rolebinding.bats b/test/unit/server-psp-rolebinding.bats new file mode 100644 index 0000000..4171219 --- /dev/null +++ b/test/unit/server-psp-rolebinding.bats 
@@ -0,0 +1,111 @@ +#!/usr/bin/env bats + +load _helpers + +@test "server/PSP-RoleBinding: PSP-RoleBinding not enabled by default" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-psp-rolebinding.yaml \ + --set 'server.dev.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/server-psp-rolebinding.yaml \ + --set 'server.ha.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/server-psp-rolebinding.yaml \ + --set 'server.standalone.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/PSP-RoleBinding: PSP-RoleBinding can be enabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-psp-rolebinding.yaml \ + --set 'server.dev.enabled=true' \ + --set 'global.psp.enable=true' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(helm template \ + --show-only templates/server-psp-rolebinding.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.psp.enable=true' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(helm template \ + --show-only templates/server-psp-rolebinding.yaml \ + --set 'server.standalone.enabled=true' \ + --set 'global.psp.enable=true' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/PSP-RoleBinding: disable with global.enabled false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-psp-rolebinding.yaml \ + --set 'server.dev.enabled=true' \ + --set 'global.enabled=false' \ + --set 'global.psp.enable=true' \ + . 
|| echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/server-psp-rolebinding.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.enabled=false' \ + --set 'global.psp.enable=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/server-psp-rolebinding.yaml \ + --set 'server.standalone.enabled=true' \ + --set 'global.enabled=false' \ + --set 'global.psp.enable=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/PSP-RoleBinding: disable with global.psp.enable false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-psp-rolebinding.yaml \ + --set 'server.dev.enabled=true' \ + --set 'global.psp.enable=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/server-psp-rolebinding.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.psp.enable=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/server-psp-rolebinding.yaml \ + --set 'server.standalone.enabled=true' \ + --set 'global.psp.enable=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} diff --git a/test/unit/server-psp.bats b/test/unit/server-psp.bats new file mode 100644 index 0000000..400e76d --- /dev/null +++ b/test/unit/server-psp.bats 
@@ -0,0 +1,285 @@ +#!/usr/bin/env bats + +load _helpers + +@test "server/PodSecurityPolicy: PodSecurityPolicy not enabled by default" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-psp.yaml \ + --set 'server.dev.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/server-psp.yaml \ + --set 'server.ha.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/server-psp.yaml \ + --set 'server.standalone.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/PodSecurityPolicy: PodSecurityPolicy can be enabled" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-psp.yaml \ + --set 'server.dev.enabled=true' \ + --set 'global.psp.enable=true' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(helm template \ + --show-only templates/server-psp.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.psp.enable=true' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(helm template \ + --show-only templates/server-psp.yaml \ + --set 'server.standalone.enabled=true' \ + --set 'global.psp.enable=true' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/PodSecurityPolicy: PodSecurityPolicy annotations are templated correctly" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-psp.yaml \ + --set 'server.dev.enabled=true' \ + --set 'global.psp.enable=true' \ + . 
| tee /dev/stderr | + yq '.metadata.annotations | length == 4' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(helm template \ + --show-only templates/server-psp.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.psp.enable=true' \ + . | tee /dev/stderr | + yq '.metadata.annotations | length == 4' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(helm template \ + --show-only templates/server-psp.yaml \ + --set 'server.standalone.enabled=true' \ + --set 'global.psp.enable=true' \ + . | tee /dev/stderr | + yq '.metadata.annotations | length == 4' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/PodSecurityPolicy: annotations are added - string" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-psp.yaml \ + --set 'server.dev.enabled=true' \ + --set 'global.psp.enable=true' \ + --set 'global.psp.annotations=vault-is: amazing' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr) + [ "${actual}" = "amazing" ] + + local actual=$(helm template \ + --show-only templates/server-psp.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.psp.enable=true' \ + --set 'global.psp.annotations=vault-is: amazing' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr) + [ "${actual}" = "amazing" ] + + local actual=$(helm template \ + --show-only templates/server-psp.yaml \ + --set 'server.standalone.enabled=true' \ + --set 'global.psp.enable=true' \ + --set 'global.psp.annotations=vault-is: amazing' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr) + [ "${actual}" = "amazing" ] +} + +@test "server/PodSecurityPolicy: annotations are added - object" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-psp.yaml \ + --set 'server.dev.enabled=true' \ + --set 'global.psp.enable=true' \ + --set 'global.psp.annotations.vault-is=amazing' \ + . 
| tee /dev/stderr | + yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr) + [ "${actual}" = "amazing" ] + + local actual=$(helm template \ + --show-only templates/server-psp.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.psp.enable=true' \ + --set 'global.psp.annotations.vault-is=amazing' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr) + [ "${actual}" = "amazing" ] + + local actual=$(helm template \ + --show-only templates/server-psp.yaml \ + --set 'server.standalone.enabled=true' \ + --set 'global.psp.enable=true' \ + --set 'global.psp.annotations.vault-is=amazing' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr) + [ "${actual}" = "amazing" ] +} + +@test "server/PodSecurityPolicy: disable with global.enabled false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-psp.yaml \ + --set 'server.dev.enabled=true' \ + --set 'global.enabled=false' \ + --set 'global.psp.enable=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/server-psp.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.enabled=false' \ + --set 'global.psp.enable=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/server-psp.yaml \ + --set 'server.standalone.enabled=true' \ + --set 'global.enabled=false' \ + --set 'global.psp.enable=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/PodSecurityPolicy: disable with global.psp.enable false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-psp.yaml \ + --set 'server.dev.enabled=true' \ + --set 'global.psp.enable=false' \ + . 
|| echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/server-psp.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.psp.enable=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$( (helm template \ + --show-only templates/server-psp.yaml \ + --set 'server.standalone.enabled=true' \ + --set 'global.psp.enable=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/PodSecurityPolicy: PodSecurityPolicy allows PVC by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-psp.yaml \ + --set 'server.dev.enabled=true' \ + --set 'global.psp.enable=true' \ + . | tee /dev/stderr | + yq '.spec.volumes | contains(["persistentVolumeClaim"])' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(helm template \ + --show-only templates/server-psp.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.psp.enable=true' \ + . | tee /dev/stderr | + yq '.spec.volumes | contains(["persistentVolumeClaim"])' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(helm template \ + --show-only templates/server-psp.yaml \ + --set 'server.standalone.enabled=true' \ + --set 'global.psp.enable=true' \ + . | tee /dev/stderr | + yq '.spec.volumes | contains(["persistentVolumeClaim"])' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/PodSecurityPolicy: PodSecurityPolicy allows PVC with dataStorage" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-psp.yaml \ + --set 'server.dev.enabled=true' \ + --set 'global.psp.enable=true' \ + --set 'server.dataStorage.enabled=true' \ + . 
| tee /dev/stderr | + yq '.spec.volumes | contains(["persistentVolumeClaim"])' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(helm template \ + --show-only templates/server-psp.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.psp.enable=true' \ + --set 'server.dataStorage.enabled=true' \ + . | tee /dev/stderr | + yq '.spec.volumes | contains(["persistentVolumeClaim"])' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(helm template \ + --show-only templates/server-psp.yaml \ + --set 'server.standalone.enabled=true' \ + --set 'global.psp.enable=true' \ + --set 'server.dataStorage.enabled=true' \ + . | tee /dev/stderr | + yq '.spec.volumes | contains(["persistentVolumeClaim"])' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/PodSecurityPolicy: PodSecurityPolicy does not allow PVC without dataStorage" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-psp.yaml \ + --set 'server.dev.enabled=true' \ + --set 'global.psp.enable=true' \ + --set 'server.dataStorage.enabled=false' \ + . | tee /dev/stderr | + yq '.spec.volumes | contains(["persistentVolumeClaim"])' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$(helm template \ + --show-only templates/server-psp.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.psp.enable=true' \ + --set 'server.dataStorage.enabled=false' \ + . | tee /dev/stderr | + yq '.spec.volumes | contains(["persistentVolumeClaim"])' | tee /dev/stderr) + [ "${actual}" = "false" ] + + local actual=$(helm template \ + --show-only templates/server-psp.yaml \ + --set 'server.standalone.enabled=true' \ + --set 'global.psp.enable=true' \ + --set 'server.dataStorage.enabled=false' \ + . | tee /dev/stderr | + yq '.spec.volumes | contains(["persistentVolumeClaim"])' | tee /dev/stderr) + [ "${actual}" = "false" ] +} diff --git a/values.yaml b/values.yaml index 65ced07..40f6a9c 100644 --- a/values.yaml +++ b/values.yaml 
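Review bot: None of the server PSP tests assert the hardening fields the policy exists for — `privileged`, `allowPrivilegeEscalation`, `hostNetwork`/`hostIPC`/`hostPID` and the `MustRunAsNonRoot` rule are never checked — so a later edit loosening any of them would pass this suite, since the `length > 0` and PVC checks only prove that a document renders. I would add one test per mode that pins those fields, as sketched below. The `length == 4` annotation checks in this file would likewise be stronger if they named the expected keys.

```shell
@test "server/PodSecurityPolicy: hardening fields are enforced" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/server-psp.yaml \
      --set 'server.standalone.enabled=true' \
      --set 'global.psp.enable=true' \
      . | tee /dev/stderr |
      yq '.spec.privileged == false and .spec.allowPrivilegeEscalation == false
          and .spec.hostNetwork == false and .spec.hostIPC == false and .spec.hostPID == false
          and .spec.runAsUser.rule == "MustRunAsNonRoot"' | tee /dev/stderr)
  [ "${actual}" = "true" ]
  # … repeat for server.dev.enabled and server.ha.enabled …
}
```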
@@ -12,6 +12,16 @@ global:
 tlsDisable: true
 # Beta Feature: If deploying to OpenShift
 openshift: false
+ # Create PodSecurityPolicy for pods
+ psp:
+ enable: false
+ # Annotation for PodSecurityPolicy.
+ # This is a multi-line templated string map, and can also be set as YAML.
+ annotations: |
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default
+ apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+ seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
+ apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
 injector:
 # True if you want to enable vault agent injection.
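Review bot: The comment on `global.psp.annotations` does not say that overriding it replaces, rather than merges with, the four seccomp/AppArmor defaults: a user who sets the key as a YAML map (as the unit tests in this patch do) loses the `defaultProfileName` entries, and with them the only profile enforcement these policies carry, because the PSP specs themselves leave AppArmor and seccomp unset. Add `# Overriding this value replaces the defaults below; keep the seccomp/AppArmor entries if you still want profiles applied.` above `annotations:`. Separately, and hedged because node configuration is not visible here, a default AppArmor profile annotation is applied to every container admitted under the PSP and kubelets on nodes without AppArmor support may refuse such pods, so the `apparmor.../defaultProfileName` default deserves a note that it assumes AppArmor-capable nodes.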