Add Pod Security Policies feature (#109)

* Add Pod Security Policies feature * Update changelog * update helm chart * Update changelog url
puppetlabs · May 24, 2022 · 5d29d66 · 5d29d66
1 parent 2a2ec27
commit 5d29d66
Show file tree

Hide file tree

Showing 15 changed files with 200 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,10 @@ numbering uses [semantic versioning](http://semver.org).
 
 NOTE: The change log until version `v0.2.4` is auto-generated.
 
+## [v5.18.0](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v5.18.0) (2022-05-20)
+
+- feat: add pod security policies
+
 ## [v5.17.0](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v5.17.0) (2022-04-13)
 
 - fix: delete parameter '--strip-components 1' of Puppetserver certificate (unzip)

diff --git a/Chart.yaml b/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: puppetserver
-version: 5.17.0
+version: 5.18.0
 appVersion: 7.4.2
 description: Puppet automates the delivery and operation of software.
 keywords: ["puppet", "puppetserver", "automation", "iac", "infrastructure", "cm", "ci", "cd"]

diff --git a/README.md b/README.md
@@ -206,6 +206,10 @@ The following table lists the configurable parameters of the Puppetserver chart
 | `puppetserver.preGeneratedCertsJob.enabled` | puppetserver pre-generated certs |`false`|
 | `puppetserver.preGeneratedCertsJob.jobDeadline` | puppetserver pre-generated certs job deadline in seconds |`60`|
 | `puppetserver.puppeturl`| puppetserver control repo url |``|
+| `puppetserver.serviceAccount.enabled`| Enable service account (Note: Service Account will only be automatically created if `puppetserver.serviceAccount.create` is not set.  |`false`|
+| `puppetserver.serviceAccount.create`| puppetserver additional masters svc labels |`false`|
+| `puppetserver.rbac.create`| Enable PodSecurityPolicy's RBAC rules |`false`|
+| `puppetserver.psp.create`| Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later |`false`|
 | `r10k.name` | r10k component label | `r10k`|
 | `r10k.image` | r10k img | `puppet/r10k`|
 | `r10k.tag` | r10k img tag | `3.5.1`|
@@ -247,6 +251,10 @@ The following table lists the configurable parameters of the Puppetserver chart
 | `puppetdb.customPersistentVolumeClaim.storage.enable`| If true, use custom PVC for storage |``|
 | `puppetdb.customPersistentVolumeClaim.storage.config`| Configuration for custom PVC for storage |``|
 | `puppetdb.extraContainers`| Extra containers to inject into the puppetdb pod |``|
+| `puppetdb.serviceAccount.enabled`| Enable service account (Note: Service Account will only be automatically created if `puppetdb.serviceAccount.create` is not set.  |`false`|
+| `puppetdb.serviceAccount.create`| puppetdb additional masters svc labels |`false`|
+| `puppetdb.rbac.create`| Enable PodSecurityPolicy's RBAC rules |`false`|
+| `puppetdb.psp.create`| Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later |`false`|
 | `puppetboard.enabled` | puppetboard availability | `false`|
 | `puppetboard.name` | puppetboard component label | `puppetboard`|
 | `puppetboard.image` | puppetboard img | `xtigyro/puppetboard`|
@@ -353,3 +361,4 @@ kill %[job_numbers_above]
 * [Manasseh MMadu](https://github.com/mensaah), Contributor
 * [Aidan](https://github.com/artificial-aidan), Contributor
 * [Aurélien Le Clainche](https://www.linkedin.com/in/aurelien-le-clainche/), Contributor
+* [David Phayanouvong](https://github.com/davidphayanouvong), Contributor
diff --git a/templates/puppetdb-deployment.yaml b/templates/puppetdb-deployment.yaml
@@ -21,6 +21,9 @@ spec:
       {{- end }}
     spec:
       hostname: puppetdb
+      {{- if .Values.puppetdb.serviceAccount.enabled }}
+      serviceAccountName: {{ .Values.puppetdb.serviceAccount.accountName }}
+      {{- end }}
       containers:
         {{- with .Values.puppetdb.extraContainers }}
           {{- toYaml . | nindent 8 }}

diff --git a/templates/puppetdb-podsecuritypolicy.yaml b/templates/puppetdb-podsecuritypolicy.yaml
@@ -0,0 +1,32 @@
+{{- if .Values.puppetdb.psp.create }}
+apiVersion: {{ include "podsecuritypolicy.apiVersion" . }}
+kind: PodSecurityPolicy
+metadata:
+  name: {{ default "puppetdb" .Values.puppetdb.serviceAccount.accountName }}-psp
+  namespace: {{ .Release.Namespace }}
+spec:
+  privileged: true
+  volumes:
+    - 'configMap'
+    - 'secret'
+    - 'persistentVolumeClaim'
+    - 'emptyDir'
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+{{- end }}
diff --git a/templates/puppetdb-role.yaml b/templates/puppetdb-role.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.puppetdb.rbac.create }}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ default "puppetdb" .Values.puppetdb.serviceAccount.accountName }}-role
+  namespace: {{ .Release.Namespace }}
+rules:
+  {{- if .Values.puppetdb.psp.create }}
+  - apiGroups: ["extensions"]
+    resources: ["podsecuritypolicies"]
+    verbs: ["use"]
+    resourceNames:
+      - {{ default "puppetdb" .Values.puppetdb.serviceAccount.accountName }}-psp
+  {{- end }}
+{{- end }}
diff --git a/templates/puppetdb-rolebinding.yaml b/templates/puppetdb-rolebinding.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.puppetdb.rbac.create }}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ default "puppetdb" .Values.puppetdb.serviceAccount.accountName }}-rb
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ default "puppetdb" .Values.puppetdb.serviceAccount.accountName }}-role
+subjects:
+  - kind: ServiceAccount
+    name: {{ default "puppetdb" .Values.puppetdb.serviceAccount.accountName }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/templates/puppetdb-serviceaccount.yaml b/templates/puppetdb-serviceaccount.yaml
@@ -0,0 +1,7 @@
+{{- if and (.Values.puppetdb.serviceAccount.enabled) (.Values.puppetdb.serviceAccount.create) }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.puppetdb.serviceAccount.accountName | default "puppetdb" }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/templates/puppetserver-deployment-masters.yaml b/templates/puppetserver-deployment-masters.yaml
@@ -27,6 +27,9 @@ spec:
         {{- end }}
     spec:
       hostname: {{ template "puppetserver.puppetserver-masters.serviceName" . }}
+      {{- if .Values.puppetserver.serviceAccount.enabled }}
+      serviceAccountName: {{ .Values.puppetserver.serviceAccount.accountName }}
+      {{- end }}
       initContainers:
         - name: perms-and-dirs
           image: "{{.Values.puppetserver.image}}:{{.Values.puppetserver.tag}}"

diff --git a/templates/puppetserver-podsecuritypolicy.yaml b/templates/puppetserver-podsecuritypolicy.yaml
@@ -0,0 +1,36 @@
+{{- if .Values.puppetserver.psp.create }}
+apiVersion: {{ include "podsecuritypolicy.apiVersion" . }}
+kind: PodSecurityPolicy
+metadata:
+  name: {{ default "puppetserver" .Values.puppetserver.serviceAccount.accountName }}-psp
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    helm.sh/hook: pre-install
+    helm.sh/hook-delete-policy: before-hook-creation
+    helm.sh/hook-weight: "-10"
+spec:
+  privileged: true
+  volumes:
+    - 'configMap'
+    - 'secret'
+    - 'persistentVolumeClaim'
+    - 'emptyDir'
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+{{- end }} 
diff --git a/templates/puppetserver-role.yaml b/templates/puppetserver-role.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.puppetserver.rbac.create }}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ default "puppetserver" .Values.puppetserver.serviceAccount.accountName }}-role
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    helm.sh/hook: pre-install
+    helm.sh/hook-delete-policy: before-hook-creation
+    helm.sh/hook-weight: "-10"
+rules:
+  {{- if .Values.puppetserver.psp.create }}
+  - apiGroups: ["extensions"]
+    resources: ["podsecuritypolicies"]
+    verbs: ["use"]
+    resourceNames:
+      - {{ default "puppetserver" .Values.puppetserver.serviceAccount.accountName }}-psp
+  {{- end }}
+{{- end }}
diff --git a/templates/puppetserver-rolebinding.yaml b/templates/puppetserver-rolebinding.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.puppetserver.rbac.create }}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ default "puppetserver" .Values.puppetserver.serviceAccount.accountName }}-rb
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    helm.sh/hook: pre-install
+    helm.sh/hook-delete-policy: before-hook-creation
+    helm.sh/hook-weight: "-10"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ default "puppetserver" .Values.puppetserver.serviceAccount.accountName }}-role
+subjects:
+  - kind: ServiceAccount
+    name: {{ default "puppetserver" .Values.puppetserver.serviceAccount.accountName }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/templates/puppetserver-serviceaccount.yaml b/templates/puppetserver-serviceaccount.yaml
@@ -0,0 +1,11 @@
+{{- if and (.Values.puppetserver.serviceAccount.enabled) (.Values.puppetserver.serviceAccount.create) }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.puppetserver.serviceAccount.accountName | default "puppet" }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    helm.sh/hook: pre-install
+    helm.sh/hook-delete-policy: before-hook-creation
+    helm.sh/hook-weight: "-10"
+{{- end }}
diff --git a/templates/puppetserver-statefulset-compilers.yaml b/templates/puppetserver-statefulset-compilers.yaml
@@ -31,6 +31,9 @@ spec:
         {{- toYaml .Values.podAnnotations | nindent 8 }}
         {{- end }}
     spec:
+      {{- if .Values.puppetserver.serviceAccount.enabled }}
+      serviceAccountName: {{ .Values.puppetserver.serviceAccount.accountName }}
+      {{- end }}
       initContainers:
         - name: perms-and-dirs
           image: "{{.Values.puppetserver.image}}:{{.Values.puppetserver.tag}}"

diff --git a/values.yaml b/values.yaml
@@ -283,6 +283,18 @@ puppetserver:
     enabled: false
     jobDeadline: 300
 
+  ## Optional configure serviceAccount & rbac
+  serviceAccount:
+    enabled: false
+    create: false
+
+  rbac:
+    create: false
+
+  psp:
+    create: false
+
+
   ## The pattern of managing Hieradata in a separate repository is
   ## both common and acceptable. Doing so provides the ability to decouple
   ## the management of configuration data from that of the Puppet code base.
@@ -427,6 +439,17 @@ puppetdb:
       enable: false
       config: {}
 
+  ## Optional configure serviceAccount & rbac
+  serviceAccount:
+    enabled: false
+    create: false
+
+  rbac:
+    create: false
+
+  psp:
+    create: false
+
 ## PostgreSQL Sub-Chart Configuration
 ## Please check: https://github.com/bitnami/charts/tree/master/bitnami/postgresql
 ##