Michal.Wrobel/openbao-helm
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Support PodSecurityPolicy (#177)

Browse source 
* Add PSP for server

* Add PSP for Injector

* Allow annotations to be templated

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
This commit is contained in:
Yong Wen Chua 2020-06-26 14:42:52 +08:00 committed by GitHub
parent ebed731222
commit adf5bf65a9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
14 changed files with 834 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
templates/_helpers.tpl
View file

@ -348,6 +348,21 @@ Sets extra vault server Service annotations
{{- end }}
{{- end -}}
{{/*
Sets PodSecurityPolicy annotations
*/}}
{{- define "vault.psp.annotations" -}}
{{- if .Values.global.psp.annotations }}
annotations:
{{- $tp := typeOf .Values.global.psp.annotations }}
{{- if eq $tp "string" }}
{{- tpl .Values.global.psp.annotations . | nindent 4 }}
{{- else }}
{{- toYaml .Values.global.psp.annotations | nindent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Set's the container resources if the user has set any.
*/}}

17
templates/injector-psp-role.yaml Normal file
View file

@ -0,0 +1,17 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-psp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- {{ template "vault.fullname" . }}-agent-injector
{{- end }}

18
templates/injector-psp-rolebinding.yaml Normal file
View file

@ -0,0 +1,18 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-psp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
kind: Role
name: {{ template "vault.fullname" . }}-agent-injector-psp
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-agent-injector
{{- end }}

43
templates/injector-psp.yaml Normal file
View file

@ -0,0 +1,43 @@
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ template "vault.fullname" . }}-agent-injector
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "vault.psp.annotations" . }}
spec:
privileged: false
# Required to prevent escalations to root.
allowPrivilegeEscalation: false
volumes:
- configMap
- emptyDir
- projected
- secret
- downwardAPI
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
# Require the container to run without root privileges.
rule: MustRunAsNonRoot
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: RunAsAny
supplementalGroups:
rule: MustRunAs
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: MustRunAs
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
readOnlyRootFilesystem: false
{{- end }}

18
templates/server-psp-role.yaml Normal file
View file

@ -0,0 +1,18 @@
{{ template "vault.mode" . }}
{{- if and (ne .mode "") (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "vault.fullname" . }}-psp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- {{ template "vault.fullname" . }}
{{- end }}

19
templates/server-psp-rolebinding.yaml Normal file
View file

@ -0,0 +1,19 @@
{{ template "vault.mode" . }}
{{- if and (ne .mode "") (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "vault.fullname" . }}-psp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
kind: Role
name: {{ template "vault.fullname" . }}-psp
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}
{{- end }}

47
templates/server-psp.yaml Normal file
View file

@ -0,0 +1,47 @@
{{ template "vault.mode" . }}
{{- if and (ne .mode "") (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ template "vault.fullname" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- template "vault.psp.annotations" . }}
spec:
privileged: false
# Required to prevent escalations to root.
allowPrivilegeEscalation: false
volumes:
- configMap
- emptyDir
- projected
- secret
- downwardAPI
{{- if eq (.Values.server.dataStorage.enabled | toString) "true" }}
- persistentVolumeClaim
{{- end }}
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
# Require the container to run without root privileges.
rule: MustRunAsNonRoot
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: RunAsAny
supplementalGroups:
rule: MustRunAs
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: MustRunAs
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
readOnlyRootFilesystem: false
{{- end }}

35
test/unit/injector-psp-role.bats Normal file
View file

@ -0,0 +1,35 @@
#!/usr/bin/env bats
load _helpers
@test "injector/PodSecurityPolicy-Role: PodSecurityPolicy-Role not enabled by default" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/injector-psp-role.yaml \
. || echo "---" ) | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "injector/PodSecurityPolicy-Role: enable with injector.enabled and global.psp.enable" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-psp-role.yaml \
--set 'injector.enabled=true' \
--set 'global.psp.enable=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "injector/PodSecurityPolicy-Role: disable with global.enabled" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/injector-psp-role.yaml \
--set 'global.enabled=false' \
--set 'injector.enabled=true' \
--set 'global.psp.enable=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}

35
test/unit/injector-psp-rolebinding.bats Normal file
View file

@ -0,0 +1,35 @@
#!/usr/bin/env bats
load _helpers
@test "injector/PodSecurityPolicy-RoleBinding: PodSecurityPolicy-RoleBinding not enabled by default" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/injector-psp-rolebinding.yaml \
. || echo "---" ) | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "injector/PodSecurityPolicy-RoleBinding: enable with injector.enabled and global.psp.enable" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-psp-rolebinding.yaml \
--set 'injector.enabled=true' \
--set 'global.psp.enable=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "injector/PodSecurityPolicy-RoleBinding: disable with global.enabled" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/injector-psp-rolebinding.yaml \
--set 'global.enabled=false' \
--set 'injector.enabled=true' \
--set 'global.psp.enable=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}

70
test/unit/injector-psp.bats Normal file
View file

@ -0,0 +1,70 @@
#!/usr/bin/env bats
load _helpers
@test "injector/PodSecurityPolicy: PodSecurityPolicy not enabled by default" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/injector-psp.yaml \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "injector/PodSecurityPolicy: enable with injector.enabled and global.psp.enable" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-psp.yaml \
--set 'injector.enabled=true' \
--set 'global.psp.enable=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "injector/PodSecurityPolicy: disable with global.enabled" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/injector-psp.yaml \
--set 'global.enabled=false' \
--set 'injector.enabled=true' \
--set 'global.psp.enable=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "injector/PodSecurityPolicy: annotations are templated correctly by default" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-psp.yaml \
--set 'injector.enabled=true' \
--set 'global.psp.enable=true' \
. | tee /dev/stderr |
yq '.metadata.annotations | length == 4' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "injector/PodSecurityPolicy: annotations are added - string" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-psp.yaml \
--set 'injector.enabled=true' \
--set 'global.psp.enable=true' \
--set 'global.psp.annotations=vault-is: amazing' \
. | tee /dev/stderr |
yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr)
[ "${actual}" = "amazing" ]
}
@test "injector/PodSecurityPolicy: annotations are added - object" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-psp.yaml \
--set 'injector.enabled=true' \
--set 'global.psp.enable=true' \
--set 'global.psp.annotations.vault-is=amazing' \
. | tee /dev/stderr |
yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr)
[ "${actual}" = "amazing" ]
}

111
test/unit/server-psp-role.bats Normal file
View file

@ -0,0 +1,111 @@
#!/usr/bin/env bats
load _helpers
@test "server/PSP-Role: PSP-Role not enabled by default" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/server-psp-role.yaml \
--set 'server.dev.enabled=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$( (helm template \
--show-only templates/server-psp-role.yaml \
--set 'server.ha.enabled=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$( (helm template \
--show-only templates/server-psp-role.yaml \
--set 'server.standalone.enabled=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/PSP-Role: PSP-Role can be enabled" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-psp-role.yaml \
--set 'server.dev.enabled=true' \
--set 'global.psp.enable=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(helm template \
--show-only templates/server-psp-role.yaml \
--set 'server.ha.enabled=true' \
--set 'global.psp.enable=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(helm template \
--show-only templates/server-psp-role.yaml \
--set 'server.standalone.enabled=true' \
--set 'global.psp.enable=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/PSP-Role: disable with global.enabled false" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/server-psp-role.yaml \
--set 'server.dev.enabled=true' \
--set 'global.enabled=false' \
--set 'global.psp.enable=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$( (helm template \
--show-only templates/server-psp-role.yaml \
--set 'server.ha.enabled=true' \
--set 'global.enabled=false' \
--set 'global.psp.enable=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$( (helm template \
--show-only templates/server-psp-role.yaml \
--set 'server.standalone.enabled=true' \
--set 'global.enabled=false' \
--set 'global.psp.enable=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/PSP-Role: disable with global.psp.enable false" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/server-psp-role.yaml \
--set 'server.dev.enabled=true' \
--set 'global.psp.enable=false' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$( (helm template \
--show-only templates/server-psp-role.yaml \
--set 'server.ha.enabled=true' \
--set 'global.psp.enable=false' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$( (helm template \
--show-only templates/server-psp-role.yaml \
--set 'server.standalone.enabled=true' \
--set 'global.psp.enable=false' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}

111
test/unit/server-psp-rolebinding.bats Normal file
View file

@ -0,0 +1,111 @@
#!/usr/bin/env bats
load _helpers
@test "server/PSP-RoleBinding: PSP-RoleBinding not enabled by default" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/server-psp-rolebinding.yaml \
--set 'server.dev.enabled=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$( (helm template \
--show-only templates/server-psp-rolebinding.yaml \
--set 'server.ha.enabled=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$( (helm template \
--show-only templates/server-psp-rolebinding.yaml \
--set 'server.standalone.enabled=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/PSP-RoleBinding: PSP-RoleBinding can be enabled" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-psp-rolebinding.yaml \
--set 'server.dev.enabled=true' \
--set 'global.psp.enable=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(helm template \
--show-only templates/server-psp-rolebinding.yaml \
--set 'server.ha.enabled=true' \
--set 'global.psp.enable=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(helm template \
--show-only templates/server-psp-rolebinding.yaml \
--set 'server.standalone.enabled=true' \
--set 'global.psp.enable=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/PSP-RoleBinding: disable with global.enabled false" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/server-psp-rolebinding.yaml \
--set 'server.dev.enabled=true' \
--set 'global.enabled=false' \
--set 'global.psp.enable=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$( (helm template \
--show-only templates/server-psp-rolebinding.yaml \
--set 'server.ha.enabled=true' \
--set 'global.enabled=false' \
--set 'global.psp.enable=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$( (helm template \
--show-only templates/server-psp-rolebinding.yaml \
--set 'server.standalone.enabled=true' \
--set 'global.enabled=false' \
--set 'global.psp.enable=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/PSP-RoleBinding: disable with global.psp.enable false" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/server-psp-rolebinding.yaml \
--set 'server.dev.enabled=true' \
--set 'global.psp.enable=false' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$( (helm template \
--show-only templates/server-psp-rolebinding.yaml \
--set 'server.ha.enabled=true' \
--set 'global.psp.enable=false' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$( (helm template \
--show-only templates/server-psp-rolebinding.yaml \
--set 'server.standalone.enabled=true' \
--set 'global.psp.enable=false' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}

285
test/unit/server-psp.bats Normal file
View file

@ -0,0 +1,285 @@
#!/usr/bin/env bats
load _helpers
@test "server/PodSecurityPolicy: PodSecurityPolicy not enabled by default" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/server-psp.yaml \
--set 'server.dev.enabled=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$( (helm template \
--show-only templates/server-psp.yaml \
--set 'server.ha.enabled=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$( (helm template \
--show-only templates/server-psp.yaml \
--set 'server.standalone.enabled=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/PodSecurityPolicy: PodSecurityPolicy can be enabled" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-psp.yaml \
--set 'server.dev.enabled=true' \
--set 'global.psp.enable=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(helm template \
--show-only templates/server-psp.yaml \
--set 'server.ha.enabled=true' \
--set 'global.psp.enable=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(helm template \
--show-only templates/server-psp.yaml \
--set 'server.standalone.enabled=true' \
--set 'global.psp.enable=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/PodSecurityPolicy: PodSecurityPolicy annotations are templated correctly" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-psp.yaml \
--set 'server.dev.enabled=true' \
--set 'global.psp.enable=true' \
. | tee /dev/stderr |
yq '.metadata.annotations | length == 4' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(helm template \
--show-only templates/server-psp.yaml \
--set 'server.ha.enabled=true' \
--set 'global.psp.enable=true' \
. | tee /dev/stderr |
yq '.metadata.annotations | length == 4' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(helm template \
--show-only templates/server-psp.yaml \
--set 'server.standalone.enabled=true' \
--set 'global.psp.enable=true' \
. | tee /dev/stderr |
yq '.metadata.annotations | length == 4' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/PodSecurityPolicy: annotations are added - string" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-psp.yaml \
--set 'server.dev.enabled=true' \
--set 'global.psp.enable=true' \
--set 'global.psp.annotations=vault-is: amazing' \
. | tee /dev/stderr |
yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr)
[ "${actual}" = "amazing" ]
local actual=$(helm template \
--show-only templates/server-psp.yaml \
--set 'server.ha.enabled=true' \
--set 'global.psp.enable=true' \
--set 'global.psp.annotations=vault-is: amazing' \
. | tee /dev/stderr |
yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr)
[ "${actual}" = "amazing" ]
local actual=$(helm template \
--show-only templates/server-psp.yaml \
--set 'server.standalone.enabled=true' \
--set 'global.psp.enable=true' \
--set 'global.psp.annotations=vault-is: amazing' \
. | tee /dev/stderr |
yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr)
[ "${actual}" = "amazing" ]
}
@test "server/PodSecurityPolicy: annotations are added - object" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-psp.yaml \
--set 'server.dev.enabled=true' \
--set 'global.psp.enable=true' \
--set 'global.psp.annotations.vault-is=amazing' \
. | tee /dev/stderr |
yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr)
[ "${actual}" = "amazing" ]
local actual=$(helm template \
--show-only templates/server-psp.yaml \
--set 'server.ha.enabled=true' \
--set 'global.psp.enable=true' \
--set 'global.psp.annotations.vault-is=amazing' \
. | tee /dev/stderr |
yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr)
[ "${actual}" = "amazing" ]
local actual=$(helm template \
--show-only templates/server-psp.yaml \
--set 'server.standalone.enabled=true' \
--set 'global.psp.enable=true' \
--set 'global.psp.annotations.vault-is=amazing' \
. | tee /dev/stderr |
yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr)
[ "${actual}" = "amazing" ]
}
@test "server/PodSecurityPolicy: disable with global.enabled false" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/server-psp.yaml \
--set 'server.dev.enabled=true' \
--set 'global.enabled=false' \
--set 'global.psp.enable=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$( (helm template \
--show-only templates/server-psp.yaml \
--set 'server.ha.enabled=true' \
--set 'global.enabled=false' \
--set 'global.psp.enable=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$( (helm template \
--show-only templates/server-psp.yaml \
--set 'server.standalone.enabled=true' \
--set 'global.enabled=false' \
--set 'global.psp.enable=true' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/PodSecurityPolicy: disable with global.psp.enable false" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/server-psp.yaml \
--set 'server.dev.enabled=true' \
--set 'global.psp.enable=false' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$( (helm template \
--show-only templates/server-psp.yaml \
--set 'server.ha.enabled=true' \
--set 'global.psp.enable=false' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$( (helm template \
--show-only templates/server-psp.yaml \
--set 'server.standalone.enabled=true' \
--set 'global.psp.enable=false' \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/PodSecurityPolicy: PodSecurityPolicy allows PVC by default" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-psp.yaml \
--set 'server.dev.enabled=true' \
--set 'global.psp.enable=true' \
. | tee /dev/stderr |
yq '.spec.volumes | contains(["persistentVolumeClaim"])' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(helm template \
--show-only templates/server-psp.yaml \
--set 'server.ha.enabled=true' \
--set 'global.psp.enable=true' \
. | tee /dev/stderr |
yq '.spec.volumes | contains(["persistentVolumeClaim"])' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(helm template \
--show-only templates/server-psp.yaml \
--set 'server.standalone.enabled=true' \
--set 'global.psp.enable=true' \
. | tee /dev/stderr |
yq '.spec.volumes | contains(["persistentVolumeClaim"])' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/PodSecurityPolicy: PodSecurityPolicy allows PVC with dataStorage" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-psp.yaml \
--set 'server.dev.enabled=true' \
--set 'global.psp.enable=true' \
--set 'server.dataStorage.enabled=true' \
. | tee /dev/stderr |
yq '.spec.volumes | contains(["persistentVolumeClaim"])' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(helm template \
--show-only templates/server-psp.yaml \
--set 'server.ha.enabled=true' \
--set 'global.psp.enable=true' \
--set 'server.dataStorage.enabled=true' \
. | tee /dev/stderr |
yq '.spec.volumes | contains(["persistentVolumeClaim"])' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(helm template \
--show-only templates/server-psp.yaml \
--set 'server.standalone.enabled=true' \
--set 'global.psp.enable=true' \
--set 'server.dataStorage.enabled=true' \
. | tee /dev/stderr |
yq '.spec.volumes | contains(["persistentVolumeClaim"])' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/PodSecurityPolicy: PodSecurityPolicy does not allow PVC without dataStorage" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-psp.yaml \
--set 'server.dev.enabled=true' \
--set 'global.psp.enable=true' \
--set 'server.dataStorage.enabled=false' \
. | tee /dev/stderr |
yq '.spec.volumes | contains(["persistentVolumeClaim"])' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(helm template \
--show-only templates/server-psp.yaml \
--set 'server.ha.enabled=true' \
--set 'global.psp.enable=true' \
--set 'server.dataStorage.enabled=false' \
. | tee /dev/stderr |
yq '.spec.volumes | contains(["persistentVolumeClaim"])' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(helm template \
--show-only templates/server-psp.yaml \
--set 'server.standalone.enabled=true' \
--set 'global.psp.enable=true' \
--set 'server.dataStorage.enabled=false' \
. | tee /dev/stderr |
yq '.spec.volumes | contains(["persistentVolumeClaim"])' | tee /dev/stderr)
[ "${actual}" = "false" ]
}

10
values.yaml
View file

@ -12,6 +12,16 @@ global:
tlsDisable: true
# Beta Feature: If deploying to OpenShift
openshift: false
# Create PodSecurityPolicy for pods
psp:
enable: false
# Annotation for PodSecurityPolicy.
# This is a multi-line templated string map, and can also be set as YAML.
annotations: |
seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default
apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
injector:
# True if you want to enable vault agent injection.