From f9e9f0654a5dfd5ced67dd02b6c8c7dcb1a36c22 Mon Sep 17 00:00:00 2001
From: Mateusz Gozdek
Date: Sun, 4 Oct 2020 14:03:12 +0200
Subject: [PATCH] charts/descheduler: add PodSecurityPolicy support

This commit adds restrictive PodSecurityPolicy, which can be optionally created, so descheduler can be deployed on clusters with PodSecurityPolicy admission controller, but which do not ship default policies.

Signed-off-by: Mateusz Gozdek
---
 charts/descheduler/README.md | 1 +
 charts/descheduler/templates/clusterrole.yaml | 7 ++++
 .../templates/podsecuritypolicy.yaml | 38 +++++++++++++++++++
 charts/descheduler/values.yaml | 4 ++
 4 files changed, 50 insertions(+)
 create mode 100644 charts/descheduler/templates/podsecuritypolicy.yaml

diff --git a/charts/descheduler/README.md b/charts/descheduler/README.md
index 3d498703a..1275df932 100644
--- a/charts/descheduler/README.md
+++ b/charts/descheduler/README.md
@@ -55,5 +55,6 @@ The following table lists the configurable parameters of the _descheduler_ chart
 | `deschedulerPolicy.strategies` | The _descheduler_ strategies to apply | _see values.yaml_ |
 | `priorityClassName` | The name of the priority class to add to pods | `system-cluster-critical` |
 | `rbac.create` | If `true`, create & use RBAC resources | `true` |
+| `podSecurityPolicy.create` | If `true`, create PodSecurityPolicy | `true` |
 | `serviceAccount.create` | If `true`, create a service account for the cron job | `true` |
 | `serviceAccount.name` | The name of the service account to use, if not set and create is true a name is generated using the fullname template | `nil` |
diff --git a/charts/descheduler/templates/clusterrole.yaml b/charts/descheduler/templates/clusterrole.yaml
index 2a2091736..174d24a79 100644
--- a/charts/descheduler/templates/clusterrole.yaml
+++ b/charts/descheduler/templates/clusterrole.yaml
@@ -21,4 +21,11 @@ rules:
 - apiGroups: ["scheduling.k8s.io"]
 resources: ["priorityclasses"]
 verbs: ["get", "watch", "list"]
+{{- if .Values.podSecurityPolicy.create }}
+- apiGroups: ['policy']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames:
+ - {{ template "descheduler.fullname" . }}
+{{- end }}
 {{- end -}}
diff --git a/charts/descheduler/templates/podsecuritypolicy.yaml b/charts/descheduler/templates/podsecuritypolicy.yaml
new file mode 100644
index 000000000..c10383fb8
--- /dev/null
+++ b/charts/descheduler/templates/podsecuritypolicy.yaml
@@ -0,0 +1,38 @@
+{{- if .Values.podSecurityPolicy.create -}}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ template "descheduler.fullname" . }}
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
+ seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
+spec:
+ privileged: false
+ allowPrivilegeEscalation: false
+ requiredDropCapabilities:
+ - ALL
+ volumes:
+ - 'configMap'
+ - 'secret'
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ readOnlyRootFilesystem: true
+{{- end -}}
diff --git a/charts/descheduler/values.yaml b/charts/descheduler/values.yaml
index 61cd1ed1c..28d7c9af0 100644
--- a/charts/descheduler/values.yaml
+++ b/charts/descheduler/values.yaml
@@ -51,6 +51,10 @@ rbac:
 # Specifies whether RBAC resources should be created
 create: true
 
+podSecurityPolicy:
+ # Specifies whether PodSecurityPolicy should be created.
+ create: true
+
 serviceAccount:
 # Specifies whether a ServiceAccount should be created
 create: true
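Review bot: The new `use` rule lives inside the ClusterRole's enclosing `{{- if ... }}` block, which starts outside this hunk (only its closing `{{- end -}}` is visible) and is presumably gated on `rbac.create`, so with `rbac.create: false` and `podSecurityPolicy.create: true` the policy is rendered but nothing is granted `use` on it, and on a PSP-enforcing cluster the cron job's pod is then rejected unless some other policy admits it. Either gate the PSP template on both values or state the dependency in the values.yaml hunk, e.g. `# Specifies whether PodSecurityPolicy should be created. Requires rbac.create: true so the cron job's ServiceAccount is granted 'use' on it.`. Minor style point: the added rule uses single-quoted flow lists (`['policy']`, `['use']`) while the neighbouring rules use double quotes; `- apiGroups: ["policy"]` keeps the file consistent.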
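Review bot: `volumes` admits only `configMap` and `secret`, so on clusters that mount service-account tokens as `projected` volumes (bound service account tokens) the descheduler pod is rejected by this policy even though the chart created it; adding `- 'projected'` to the list keeps the policy restrictive while covering that case. The `MustRunAs` ranges with `min: 1` for `runAsUser`, `supplementalGroups` and `fsGroup` plus `readOnlyRootFilesystem: true` are a sound baseline for a controller that only talks to the API server, but they rely on PSP admission defaulting when the pod spec sets nothing, and the cron job template is not in this patch; it is worth confirming that template sets `runAsNonRoot: true` explicitly so the non-root guarantee does not depend on a mutating admission plugin. A short header comment in the template describing the intent would help future maintainers, e.g. `# Restrictive policy for the descheduler pod: non-root, no privilege escalation, read-only root fs, config/secret volumes only.`.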