From f9e9f0654a5dfd5ced67dd02b6c8c7dcb1a36c22 Mon Sep 17 00:00:00 2001
From: Mateusz Gozdek
Date: Sun, 4 Oct 2020 14:03:12 +0200
Subject: [PATCH] charts/descheduler: add PodSecurityPolicy support

This commit adds restrictive PodSecurityPolicy, which can be optionally created, so descheduler can be deployed on clusters with PodSecurityPolicy admission controller, but which do not ship default policies.

Signed-off-by: Mateusz Gozdek
---
 charts/descheduler/README.md | 1 +
 charts/descheduler/templates/clusterrole.yaml | 7 ++++
 .../templates/podsecuritypolicy.yaml | 38 +++++++++++++++++++
 charts/descheduler/values.yaml | 4 ++
 4 files changed, 50 insertions(+)
 create mode 100644 charts/descheduler/templates/podsecuritypolicy.yaml
diff --git a/charts/descheduler/README.md b/charts/descheduler/README.md
index 3d498703a6..1275df9325 100644
--- a/charts/descheduler/README.md
+++ b/charts/descheduler/README.md
@@ -55,5 +55,6 @@ The following table lists the configurable parameters of the _descheduler_ chart
 | `deschedulerPolicy.strategies` | The _descheduler_ strategies to apply | _see values.yaml_ |
 | `priorityClassName` | The name of the priority class to add to pods | `system-cluster-critical` |
 | `rbac.create` | If `true`, create & use RBAC resources | `true` |
+| `podSecurityPolicy.create` | If `true`, create PodSecurityPolicy | `true` |
 | `serviceAccount.create` | If `true`, create a service account for the cron job | `true` |
 | `serviceAccount.name` | The name of the service account to use, if not set and create is true a name is generated using the fullname template | `nil` |
diff --git a/charts/descheduler/templates/clusterrole.yaml b/charts/descheduler/templates/clusterrole.yaml
index 2a20917365..174d24a79c 100644
--- a/charts/descheduler/templates/clusterrole.yaml
+++ b/charts/descheduler/templates/clusterrole.yaml
@@ -21,4 +21,11 @@ rules:
 - apiGroups: ["scheduling.k8s.io"]
 resources: ["priorityclasses"]
 verbs: ["get", "watch", "list"]
+{{- if .Values.podSecurityPolicy.create }}
+- apiGroups: ['policy']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames:
+ - {{ template "descheduler.fullname" . }}
+{{- end }}
 {{- end -}}
diff --git a/charts/descheduler/templates/podsecuritypolicy.yaml b/charts/descheduler/templates/podsecuritypolicy.yaml
new file mode 100644
index 0000000000..c10383fb8a
--- /dev/null
+++ b/charts/descheduler/templates/podsecuritypolicy.yaml
@@ -0,0 +1,38 @@
+{{- if .Values.podSecurityPolicy.create -}}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ template "descheduler.fullname" . }}
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
+ seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
+spec:
+ privileged: false
+ allowPrivilegeEscalation: false
+ requiredDropCapabilities:
+ - ALL
+ volumes:
+ - 'configMap'
+ - 'secret'
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ readOnlyRootFilesystem: true
+{{- end -}}
diff --git a/charts/descheduler/values.yaml b/charts/descheduler/values.yaml
index 61cd1ed1c5..28d7c9af05 100644
--- a/charts/descheduler/values.yaml
+++ b/charts/descheduler/values.yaml
@@ -51,6 +51,10 @@ rbac:
 # Specifies whether RBAC resources should be created
 create: true
 
+podSecurityPolicy:
+ # Specifies whether PodSecurityPolicy should be created.
+ create: true
+
 serviceAccount:
 # Specifies whether a ServiceAccount should be created
 create: true
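Review bot: The new `use` rule lives inside the ClusterRole, whose enclosing `{{- if` guard starts outside this hunk, so with `rbac.create: false` and `podSecurityPolicy.create` left at its default `true` (values.yaml hunk below) the policy is created but nothing grants the descheduler's service account `use` on it, and the CronJob's pods will most likely be rejected by the PSP admission controller unless some other policy admits them. Either gate the podsecuritypolicy.yaml template on both values, or state the dependency next to the value in values.yaml: `# Requires rbac.create: true so the ClusterRole can grant 'use' on the policy.` As a point of style, the added rule uses single-quoted flow sequences and a block-style `resourceNames` list where the neighbouring rules use double quotes (`["scheduling.k8s.io"]`); writing `- apiGroups: ["policy"]`, `resources: ["podsecuritypolicies"]`, `verbs: ["use"]` keeps the file consistent.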
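Review bot: `volumes` allows only `configMap` and `secret`, so on clusters that mount the service-account token as a `projected` volume (the bound service-account token mechanism) the descheduler pod is rejected by this policy even though it requests nothing unusual; adding `- 'projected'` to the list keeps the policy restrictive while covering that case. `runAsUser` is `MustRunAs` over 1–65535, which PSP admission applies as a default (the minimum of the first range) to a pod that sets no `runAsUser`; that only works if the descheduler image can run as a non-root UID, which this hunk cannot show, so it is worth confirming against the CronJob template. A short header comment would also help operators who need to relax the policy, e.g. `# Restrictive PodSecurityPolicy for the descheduler pod; rendered only when podSecurityPolicy.create is true.`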
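Review bot: `create: true` makes the chart emit a `policy/v1beta1` PodSecurityPolicy on every install by default; on clusters that do not serve that API (PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25) the install fails rather than skipping the resource. Consider defaulting to `false`, or additionally guarding the template with Helm's `.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy"` so the default stays installable. The comment could also say what the policy enforces so operators know what they opt into, e.g. `# Creates a restrictive PodSecurityPolicy (non-root UID, no privilege escalation, read-only root filesystem) for the descheduler pod`. The trailing period in the new comment differs from the neighbouring `rbac` and `serviceAccount` comments.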