Add validating admission policy to restrict upstream driver access

.github/workflows/helm-chart-ci-ignore.yaml

@@ -30,9 +30,9 @@ jobs:
     strategy:
       matrix:
         k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.5
+          - v1.29.9
 
     steps:
       - run: 'echo "Skipping tests"'
@@ -74,9 +74,9 @@ jobs:
     strategy:
       matrix:
         k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.5
+          - v1.29.9
         example:
           - ${{ fromJson(needs.build-matrix.outputs.examples) }}
 
@@ -92,9 +92,9 @@ jobs:
     strategy:
       matrix:
         k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.5
+          - v1.29.9
         example:
           - ${{ fromJson(needs.build-matrix.outputs.integrationtests) }}
 
@@ -110,9 +110,9 @@ jobs:
     strategy:
       matrix:
         k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.5
+          - v1.29.9
 
     steps:
       - run: 'echo "Skipping upgrade-test"'

.github/workflows/helm-chart-ci.yaml

@@ -130,9 +130,9 @@ jobs:
         # Kubernetes, but can go back farther as long as we don't need heroics
         # to pull it off (i.e. kubectl version juggling).
         k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.5
+          - v1.29.9
 
     steps:
       - name: Checkout
@@ -218,9 +218,9 @@ jobs:
       fail-fast: false
       matrix:
         k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.5
+          - v1.29.9
         example:
           - ${{ fromJson(needs.build-matrix.outputs.examples) }}
 
@@ -269,9 +269,9 @@ jobs:
       fail-fast: false
       matrix:
         k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.5
+          - v1.29.9
         integrationtest:
           - ${{ fromJson(needs.build-matrix.outputs.integrationtests) }}
 
@@ -314,9 +314,9 @@ jobs:
       fail-fast: false
       matrix:
         k8s:
-          - v1.28.0
-          - v1.27.3
-          - v1.26.6
+          - v1.31.1
+          - v1.30.5
+          - v1.29.9
 
     steps:
       - name: Checkout

charts/spire/charts/spiffe-csi-driver/README.md

@@ -41,6 +41,8 @@ A Helm chart to install the SPIFFE CSI driver.
 | `imagePullSecrets`                            | Image pull secret details for spiffe-csi-driver                                                                | `[]`                                        |
 | `nameOverride`                                | Name override for spiffe-csi-driver                                                                            | `""`                                        |
 | `namespaceOverride`                           | Namespace to install spiffe-csi-driver                                                                         | `""`                                        |
+| `serverNamespaceOverride`                     | Override the namespace that the spire-server is installed into                                                 | `""`                                        |
+| `validatingAdmissionPolicy.enabled`           | When auto, an upstream driver, and k8s >= 1.30.0 then enabled = true, otherwise false                          | `auto`                                      |
 | `fullnameOverride`                            | Full name override for spiffe-csi-driver                                                                       | `""`                                        |
 | `csiDriverLabels`                             | Labels to apply to the CSIDriver                                                                               | `{}`                                        |
 | `initContainers`                              | Init Containers to apply to the CSI Driver DaemonSet                                                           | `[]`                                        |

charts/spire/charts/spiffe-csi-driver/templates/_helpers.tpl

@@ -40,6 +40,23 @@ Allow the release namespace to be overridden for multi-namespace deployments in
   {{- end -}}
 {{- end -}}
 
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts
+*/}}
+{{- define "spiffe-csi-driver.server-namespace" -}}
+  {{- if .Values.serverNamespaceOverride -}}
+    {{- .Values.serverNamespaceOverride -}}
+  {{- else if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespaceLayout" true .Values.global) }}
+    {{- if ne (len (dig "spire" "namespaces" "server" "name" "" .Values.global)) 0 }}
+      {{- .Values.global.spire.namespaces.server.name }}
+    {{- else }}
+      {{- printf "spire-server" }}
+    {{- end }}
+  {{- else -}}
+    {{- .Release.Namespace -}}
+  {{- end -}}
+{{- end -}}
+
 {{/*
 Create chart name and version as used by the chart label.
 */}}

charts/spire/charts/spiffe-csi-driver/templates/policy.yaml

@@ -0,0 +1,36 @@
+{{- $upstream := eq .Values.pluginName "upstream.csi.spiffe.io" }}
+{{- $detectedValidation := .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" -}}
+{{- $auto := eq .validatingAdmissionPolicy.enabled "auto" }}
+{{- if or (eq .Values.ValidatingAdmissionPolicy.enabled true) (and $auto $upstream $detectValidation) }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: {{ .Values.pluginName | quote }}
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   [""]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["pods"]
+  validations:
+  - expression: |
+      object.spec.volumes.all(c, has(c.csi) && has(c.csi.driver) && c.csi.driver == {{ .Values.pluginName | quote }}) != false
+    message: 'you may not use the upstream.csi.spiffe.io csi driver'
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: {{ .Values.pluginName | quote }}
+spec:
+  policyName: {{ .Values.pluginName | quote }}
+  validationActions: ["Deny"]
+  matchResources:
+    namespaceSelector:
+      matchExpressions:
+      - key: "kubernetes.io/metadata.name"
+        operator: NotIn
+        values:
+        - {{ include "spiffe-csi-driver.server-namespace" . | quote }}
+{{- end }}

charts/spire/charts/spiffe-csi-driver/values.yaml

@@ -60,6 +60,13 @@ nameOverride: ""
 ## @param namespaceOverride Namespace to install spiffe-csi-driver
 namespaceOverride: ""
 
+## @param serverNamespaceOverride Override the namespace that the spire-server is installed into
+serverNamespaceOverride: ""
+
+validatingAdmissionPolicy:
+  ## @param validatingAdmissionPolicy.enabled When auto, an upstream driver, and k8s >= 1.30.0 then enabled = true, otherwise false
+  enabled: auto
+
 ## @param fullnameOverride Full name override for spiffe-csi-driver
 fullnameOverride: ""