[stable/node-problem-detector] support PSP (helm#15253)

Support PSP with permissive default. Signed-off-by: Kevin Lefevre <[email protected]>
ngealy · Jul 18, 2019 · 33a1fa3 · 33a1fa3
1 parent ef07a43
commit 33a1fa3
Show file tree

Hide file tree

Showing 6 changed files with 75 additions and 2 deletions.
diff --git a/stable/node-problem-detector/Chart.yaml b/stable/node-problem-detector/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: node-problem-detector
-version: "1.4.3"
+version: "1.5.0"
 appVersion: v0.6.3
 home: https://github.com/kubernetes/node-problem-detector
 description: Installs the node-problem-detector daemonset for monitoring extra attributes on nodes

diff --git a/stable/node-problem-detector/README.md b/stable/node-problem-detector/README.md
@@ -44,8 +44,9 @@ The following table lists the configurable parameters for this chart and their d
 | `image.tag`                           | Image tag                                  | `v0.6.3`                                                     |
 | `nameOverride`                        | Override the name of the chart             | `nil`                                                        |
 | `rbac.create`                         | RBAC                                       | `true`                                                       |
+| `rbac.pspEnabled`                     | PodSecuritypolicy                          | `false`                                                      |
 | `hostNetwork`                         | Run pod on host network                    | `false`                                                      |
-| `priorityClassName`                   | Priority class name                        | `""`                                                      |
+| `priorityClassName`                   | Priority class name                        | `""`                                                         |
 | `resources`                           | Pod resource requests and limits           | `{}`                                                         |
 | `settings.custom_monitor_definitions` | User-specified custom monitor definitions  | `{}`                                                         |
 | `settings.log_monitors`               | System log monitor config files            | `/config/kernel-monitor.json`, `/config/docker-monitor.json` |

diff --git a/stable/node-problem-detector/templates/psp-clusterrole.yaml b/stable/node-problem-detector/templates/psp-clusterrole.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.rbac.pspEnabled }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "node-problem-detector.fullname" . }}-psp
+  labels:
+    app.kubernetes.io/name: {{ include "node-problem-detector.name" . }}
+    helm.sh/chart: {{ include "node-problem-detector.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+- apiGroups: ['extensions']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames:
+  - {{ template "node-problem-detector.fullname" . }}
+{{- end }}
diff --git a/stable/node-problem-detector/templates/psp-clusterrolebinding.yaml b/stable/node-problem-detector/templates/psp-clusterrolebinding.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.rbac.pspEnabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "node-problem-detector.fullname" . }}-psp
+  labels:
+    app.kubernetes.io/name: {{ include "node-problem-detector.name" . }}
+    helm.sh/chart: {{ include "node-problem-detector.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "node-problem-detector.fullname" . }}-psp
+subjects:
+  - kind: ServiceAccount
+  name: {{ template "node-problem-detector.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/stable/node-problem-detector/templates/psp.yaml b/stable/node-problem-detector/templates/psp.yaml
@@ -0,0 +1,35 @@
+{{- if .Values.rbac.pspEnabled }}
+apiVersion: extensions/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "node-problem-detector.fullname" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "node-problem-detector.name" . }}
+    helm.sh/chart: {{ include "node-problem-detector.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+  privileged: true
+  allowPrivilegeEscalation: true
+  allowedCapabilities:
+  - '*'
+  volumes:
+  - 'configMap'
+  - 'emptyDir'
+  - 'projected'
+  - 'secret'
+  - 'downwardAPI'
+  - 'persistentVolumeClaim'
+  - 'hostPath'
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+{{- end }}
diff --git a/stable/node-problem-detector/values.yaml b/stable/node-problem-detector/values.yaml
@@ -46,6 +46,7 @@ fullnameOverride: ""
 
 rbac:
   create: true
+  pspEnabled: false
 
 # Flag to run Node Problem Detector on the host's network. This is typically
 # not recommended, but may be useful for certain use cases.