From c68b80ef24dac9b81a6ddb2ec89fe971ad0d1c92 Mon Sep 17 00:00:00 2001
From: Karl-Philipp Richter
Date: Sun, 15 Mar 2020 14:01:44 +0100
Subject: [PATCH] Allow projected volumes in elasticsearch, logstash and metricbeat

Allow specification of PodSecurityPolicy in metricbeat/values.yml

Signed-off-by: Karl-Philipp Richter
---
elasticsearch/values.yaml | 1 +
logstash/values.yaml | 1 +
metricbeat/templates/podsecuritypolicy.yaml | 14 ++++++++++++++
metricbeat/values.yaml | 19 +++++++++++++++++++
4 files changed, 35 insertions(+)
create mode 100644 metricbeat/templates/podsecuritypolicy.yaml

diff --git a/elasticsearch/values.yaml b/elasticsearch/values.yaml
index 0029b9928..a67d00d68 100755
--- a/elasticsearch/values.yaml
+++ b/elasticsearch/values.yaml
@@ -114,6 +114,7 @@ podSecurityPolicy:
       - secret
       - configMap
       - persistentVolumeClaim
+      - projected
 
 persistence:
   enabled: true
diff --git a/logstash/values.yaml b/logstash/values.yaml
index 4c8c475d6..246712745 100755
--- a/logstash/values.yaml
+++ b/logstash/values.yaml
@@ -89,6 +89,7 @@ podSecurityPolicy:
       - secret
       - configMap
       - persistentVolumeClaim
+      - projected
 
 persistence:
   enabled: false
diff --git a/metricbeat/templates/podsecuritypolicy.yaml b/metricbeat/templates/podsecuritypolicy.yaml
new file mode 100644
index 000000000..b749d6dd4
--- /dev/null
+++ b/metricbeat/templates/podsecuritypolicy.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.podSecurityPolicy.create -}}
+{{- $fullName := include "metricbeat.fullname" . -}}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ default $fullName .Values.podSecurityPolicy.name | quote }}
+  labels:
+    app: "{{ template "metricbeat.fullname" . }}"
+    chart: "{{ .Chart.Name }}"
+    heritage: {{ .Release.Service | quote }}
+    release: {{ .Release.Name | quote }}
+spec:
+{{ toYaml .Values.podSecurityPolicy.spec | indent 2 }}
+{{- end -}}
diff --git a/metricbeat/values.yaml b/metricbeat/values.yaml
index d89a947d9..6d7fb0b97 100755
--- a/metricbeat/values.yaml
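Review bot: The `projected` entry added to the PodSecurityPolicy volume allow-list in elasticsearch/values.yaml (and identically in logstash/values.yaml) carries no explanation, although this list is the chart's documented default and is handed to the PSP `spec` verbatim. As far as I can tell PSP validates only the top-level volume type, so a projected volume may carry `downwardAPI` and `serviceAccountToken` sources that are not otherwise allowed by this list; that is presumably the intent (bound service-account token volumes are projected), but it should be stated next to the entry, e.g. `- projected  # needed for service-account token volumes; PSP does not check the individual projected sources`. The enclosing `podSecurityPolicy.spec` mapping starts above the hunk in both files.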
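Review bot: metricbeat/templates/podsecuritypolicy.yaml creates the policy, but nothing in this commit grants `use` on it, so unless the chart's existing ClusterRole or Role already does (not visible here) enabling `podSecurityPolicy.create` produces a policy the metricbeat pods are never admitted under, and the admission controller falls back to whatever other PSP the service account can use or rejects the DaemonSet. The role template should gain, under the same `.Values.podSecurityPolicy.create` condition, a rule on apiGroup `policy`, resource `podsecuritypolicies`, verb `use`, with `resourceNames` restricted to the policy name computed here rather than a wildcard. Minor: the `app` label re-evaluates `template "metricbeat.fullname"` although `$fullName` is already bound on the second line; `app: {{ $fullName | quote }}` is equivalent and consistent with the `name:` line.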
+++ b/metricbeat/values.yaml
@@ -218,6 +218,25 @@ clusterRoleRules:
     - nodes/stats
     verbs: ["get"]
 
+podSecurityPolicy:
+  create: false
+  name: ""
+  spec:
+    privileged: true
+    fsGroup:
+      rule: RunAsAny
+    runAsUser:
+      rule: RunAsAny
+    seLinux:
+      rule: RunAsAny
+    supplementalGroups:
+      rule: RunAsAny
+    volumes:
+      - secret
+      - configMap
+      - persistentVolumeClaim
+      - projected
+
 podAnnotations: {}
   # iam.amazonaws.com/role: es-cluster
 
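Review bot: The default `podSecurityPolicy.spec` added here is permissive on every rule (`privileged: true`, `RunAsAny` throughout) yet its `volumes` allow-list omits `hostPath`, while the metricbeat DaemonSet elsewhere in this chart appears to mount hostPath directories (`hostPathRoot` and node proc/cgroup paths) — if that is the case, enabling this policy rejects the DaemonSet pods outright. Either add `- hostPath` together with an `allowedHostPaths` entry limited to the paths the DaemonSet actually mounts, or document the omission with a comment above `volumes:` such as `# hostPath is intentionally omitted; add it with allowedHostPaths if the DaemonSet is enabled`. A one-line comment stating why `privileged: true` is the default here, or setting it to `false` if the DaemonSet does not need it, would also help operators who turn the policy on. The mapping this hunk inserts is complete, but `clusterRoleRules` above it starts outside the hunk.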