Skip to content
This repository has been archived by the owner on Jul 11, 2023. It is now read-only.

Commit

Permalink
revert(psp): Remove PSP code for 1.0.0 (#4163)
Browse files Browse the repository at this point in the history
Signed-off-by: Kalya Subramanian <[email protected]>
  • Loading branch information
ksubrmnn authored Sep 27, 2021
1 parent fa976a6 commit b7eb06f
Show file tree
Hide file tree
Showing 9 changed files with 2 additions and 315 deletions.
1 change: 0 additions & 1 deletion charts/osm/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -144,7 +144,6 @@ The following table lists the configurable parameters of the osm chart and their
| OpenServiceMesh.prometheus.resources | object | `{"limits":{"cpu":"1","memory":"2G"},"requests":{"cpu":"0.5","memory":"512M"}}` | Prometheus's container resource parameters |
| OpenServiceMesh.prometheus.retention | object | `{"time":"15d"}` | Prometheus data rentention configuration |
| OpenServiceMesh.prometheus.retention.time | string | `"15d"` | Prometheus data retention time |
| OpenServiceMesh.pspEnabled | bool | `false` | Run OSM with PodSecurityPolicy configured |
| OpenServiceMesh.sidecarImage | string | `"envoyproxy/envoy-alpine@sha256:6502a637c6c5fba4d03d0672d878d12da4bcc7a0d0fb3f1d506982dde0039abd"` | Envoy sidecar image for Linux workloads (v1.19.1) |
| OpenServiceMesh.sidecarWindowsImage | string | `"envoyproxy/envoy-windows@sha256:c904fda95891ebbccb9b1f24c1a9482c8d01cbca215dd081fc8c8db36db85f85"` | Envoy sidecar image for Windows workloads (v1.19.1) |
| OpenServiceMesh.tracing.address | string | `""` | Address of the tracing collector service (must contain the namespace). When left empty, this is computed in helper template to "jaeger.<osm-namespace>.svc.cluster.local". Please override for BYO-tracing as documented in tracing.md |
Expand Down
61 changes: 0 additions & 61 deletions charts/osm/templates/cleanup-hook.yaml
Original file line number Diff line number Diff line change
@@ -1,57 +1,3 @@
{{- if and (not (.Capabilities.APIVersions.Has "security.openshift.io/v1")) .Values.OpenServiceMesh.pspEnabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ .Release.Name }}-cleanup-psp
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
helm.sh/hook-weight: "-1"
helm.sh/hook: post-delete
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
spec:
privileged: false
# Required to prevent escalations to root.
allowPrivilegeEscalation: false
# This is redundant with non-root + disallow privilege escalation,
# but we can provide it for defense in depth.
requiredDropCapabilities:
- ALL
# Allow core volume types.
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
# Assume that persistentVolumes set up by the cluster admin are safe to use.
- 'persistentVolumeClaim'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
# Require the container to run without root privileges.
rule: 'MustRunAsNonRoot'
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
readOnlyRootFilesystem: false
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
Expand All @@ -72,13 +18,6 @@ rules:
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
verbs: ["get", "list", "create", "update", "patch", "delete"]

{{- if .Values.OpenServiceMesh.pspEnabled }}
- apiGroups: ["extensions"]
resourceNames: ["{{ .Release.Name }}-cleanup-psp"]
resources: ["podsecuritypolicies"]
verbs: ["use"]
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
Expand Down
58 changes: 0 additions & 58 deletions charts/osm/templates/grafana-rbac.yaml
Original file line number Diff line number Diff line change
@@ -1,55 +1,4 @@
{{- if .Values.OpenServiceMesh.deployGrafana}}
{{- if and (not (.Capabilities.APIVersions.Has "security.openshift.io/v1")) .Values.OpenServiceMesh.pspEnabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ .Release.Name }}-grafana-psp
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
privileged: false
# Required to prevent escalations to root.
allowPrivilegeEscalation: false
# This is redundant with non-root + disallow privilege escalation,
# but we can provide it for defense in depth.
requiredDropCapabilities:
- ALL
# Allow core volume types.
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
# Assume that persistentVolumes set up by the cluster admin are safe to use.
- 'persistentVolumeClaim'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
# Require the container to run without root privileges.
rule: 'MustRunAsNonRoot'
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
readOnlyRootFilesystem: false
{{- end }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
Expand All @@ -68,13 +17,6 @@ metadata:
{{- include "osm.labels" . | nindent 4 }}
app: osm-grafana
name: {{.Release.Name}}-grafana
rules:
{{- if .Values.OpenServiceMesh.pspEnabled }}
- apiGroups: ["extensions"]
resourceNames: ["{{ .Release.Name }}-grafana-psp"]
resources: ["podsecuritypolicies"]
verbs: ["use"]
{{- end }}

---

Expand Down
58 changes: 0 additions & 58 deletions charts/osm/templates/jaeger-rbac.yaml
Original file line number Diff line number Diff line change
@@ -1,55 +1,4 @@
{{- if .Values.OpenServiceMesh.deployJaeger }}
{{- if and (not (.Capabilities.APIVersions.Has "security.openshift.io/v1")) .Values.OpenServiceMesh.pspEnabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ .Release.Name }}-jaeger-psp
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
privileged: false
# Required to prevent escalations to root.
allowPrivilegeEscalation: false
# This is redundant with non-root + disallow privilege escalation,
# but we can provide it for defense in depth.
requiredDropCapabilities:
- ALL
# Allow core volume types.
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
# Assume that persistentVolumes set up by the cluster admin are safe to use.
- 'persistentVolumeClaim'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
# Require the container to run without root privileges.
rule: 'MustRunAsNonRoot'
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
readOnlyRootFilesystem: false
{{- end }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
Expand All @@ -68,13 +17,6 @@ metadata:
{{- include "osm.labels" . | nindent 4 }}
app: jaeger
name: {{.Release.Name}}-jaeger
rules:
{{- if .Values.OpenServiceMesh.pspEnabled }}
- apiGroups: ["extensions"]
resourceNames: ["{{ .Release.Name }}-jaeger-psp"]
resources: ["podsecuritypolicies"]
verbs: ["use"]
{{- end }}

---

Expand Down
2 changes: 1 addition & 1 deletion charts/osm/templates/osm-bootstrap-deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ spec:
prometheus.io/port: '9091'
spec:
serviceAccountName: {{ .Release.Name }}
{{- if and (not (.Capabilities.APIVersions.Has "security.openshift.io/v1")) .Values.OpenServiceMesh.pspEnabled }}
{{- if not (.Capabilities.APIVersions.Has "security.openshift.io/v1") }}
{{- include "restricted.securityContext" . | nindent 6 }}
{{- end }}
nodeSelector:
Expand Down
2 changes: 1 addition & 1 deletion charts/osm/templates/osm-injector-deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ spec:
prometheus.io/port: '9091'
spec:
serviceAccountName: {{ .Release.Name }}
{{- if and (not (.Capabilities.APIVersions.Has "security.openshift.io/v1")) .Values.OpenServiceMesh.pspEnabled }}
{{- if not (.Capabilities.APIVersions.Has "security.openshift.io/v1") }}
{{- include "restricted.securityContext" . | nindent 6 }}
{{- end }}
nodeSelector:
Expand Down
75 changes: 0 additions & 75 deletions charts/osm/templates/osm-rbac.yaml
Original file line number Diff line number Diff line change
@@ -1,72 +1,3 @@
{{- if and (not (.Capabilities.APIVersions.Has "security.openshift.io/v1")) .Values.OpenServiceMesh.pspEnabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: osm-psp
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
privileged: false
# Required to prevent escalations to root.
allowPrivilegeEscalation: false
# This is redundant with non-root + disallow privilege escalation,
# but we can provide it for defense in depth.
requiredDropCapabilities:
- ALL
# Allow core volume types.
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
# Assume that persistentVolumes set up by the cluster admin are safe to use.
- 'persistentVolumeClaim'
{{- if .Values.OpenServiceMesh.enableFluentbit }}
- 'hostPath'
{{- end }}
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
{{- if not .Values.OpenServiceMesh.enableFluentbit }}
# Require the container to run without root privileges.
rule: 'MustRunAsNonRoot'
{{- end }}
{{- if .Values.OpenServiceMesh.enableFluentbit }}
# Allow root privileges to allow fluentbit access to logs.
rule: 'RunAsAny'
{{- end }}
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
readOnlyRootFilesystem: false
{{- if .Values.OpenServiceMesh.enableFluentbit }}
allowedHostPaths:
- pathPrefix: "/var/log/containers"
readOnly: true
- pathPrefix: "/var/log/pods"
readOnly: true
- pathPrefix: "/var/lib/docker/containers"
readOnly: true
{{- end }}
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
Expand Down Expand Up @@ -145,12 +76,6 @@ rules:
verbs: ["use"]
{{- end }}

{{- if .Values.OpenServiceMesh.pspEnabled }}
- apiGroups: ["extensions"]
resourceNames: ["osm-psp"]
resources: ["podsecuritypolicies"]
verbs: ["use"]
{{- end }}
---
apiVersion: v1
kind: ServiceAccount
Expand Down
57 changes: 0 additions & 57 deletions charts/osm/templates/prometheus-rbac.yaml
Original file line number Diff line number Diff line change
@@ -1,55 +1,4 @@
{{- if .Values.OpenServiceMesh.deployPrometheus }}
{{- if and (not (.Capabilities.APIVersions.Has "security.openshift.io/v1")) .Values.OpenServiceMesh.pspEnabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ .Release.Name }}-prometheus-psp
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
privileged: false
# Required to prevent escalations to root.
allowPrivilegeEscalation: false
# This is redundant with non-root + disallow privilege escalation,
# but we can provide it for defense in depth.
requiredDropCapabilities:
- ALL
# Allow core volume types.
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
# Assume that persistentVolumes set up by the cluster admin are safe to use.
- 'persistentVolumeClaim'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
# Require the container to run without root privileges.
rule: 'MustRunAsNonRoot'
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
readOnlyRootFilesystem: false
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
Expand All @@ -65,12 +14,6 @@ rules:
verbs: ["list", "get", "watch"]
- nonResourceURLs: ["/metrics"]
verbs: ["get"]
{{- if .Values.OpenServiceMesh.pspEnabled }}
- apiGroups: ["extensions"]
resourceNames: ["{{ .Release.Name }}-prometheus-psp"]
resources: ["podsecuritypolicies"]
verbs: ["use"]
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
Expand Down
Loading

0 comments on commit b7eb06f

Please sign in to comment.