[stable/sealed-secrets] Support PSP (helm#15254)

Support PSP with sensible default.

Signed-off-by: Kevin Lefevre <[email protected]>

stable/sealed-secrets/Chart.yaml

@@ -1,6 +1,6 @@
 name: sealed-secrets
 description: A Helm chart for Sealed Secrets
-version: 1.1.0
+version: 1.2.0
 appVersion: 0.7.0
 kubeVersion: ">=1.9.0-0"
 home: https://github.com/bitnami-labs/sealed-secrets

stable/sealed-secrets/README.md

@@ -32,6 +32,7 @@ The command removes all the Kubernetes components associated with the chart and
 | Parameter | Description | Default |
 |----------:|:------------|:--------|
 | **rbac.create** | `true` if rbac resources should be created | `true` |
+| **rbac.pspEnabled** | `true` if psp resources should be created | `false` |
 | **serviceAccount.create** | Whether to create a service account or not | `true` |
 | **serviceAccount.name** | The name of the service account to create or use | `"sealed-secrets-controller"` |
 | **secretName** | The name of the TLS secret containing the key used to encrypt secrets | `"sealed-secrets-key"` |

stable/sealed-secrets/templates/psp-clusterrole.yaml

@@ -0,0 +1,18 @@
+{{- if .Values.rbac.pspEnabled }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "sealed-secrets.fullname" . }}-psp
+  labels:
+    app.kubernetes.io/name: {{ template "sealed-secrets.name" . }}
+    helm.sh/chart: {{ template "sealed-secrets.chart" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+rules:
+- apiGroups: ['extensions']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames:
+  - {{ template "sealed-secrets.fullname" . }}
+{{- end }}

stable/sealed-secrets/templates/psp-clusterrolebinding.yaml

@@ -0,0 +1,20 @@
+{{- if .Values.rbac.pspEnabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "sealed-secrets.fullname" . }}-psp
+  labels:
+    app.kubernetes.io/name: {{ template "sealed-secrets.name" . }}
+    helm.sh/chart: {{ template "sealed-secrets.chart" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "sealed-secrets.fullname" . }}-psp
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "sealed-secrets.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}

stable/sealed-secrets/templates/psp.yaml

@@ -0,0 +1,34 @@
+{{- if .Values.rbac.pspEnabled }}
+apiVersion: extensions/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "sealed-secrets.fullname" . }}
+  labels:
+    app.kubernetes.io/name: {{ template "sealed-secrets.name" . }}
+    helm.sh/chart: {{ template "sealed-secrets.chart" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+spec:
+  privileged: false
+  allowPrivilegeEscalation: false
+  allowedCapabilities: []
+  volumes:
+  - 'configMap'
+  - 'emptyDir'
+  - 'projected'
+  - 'secret'
+  - 'downwardAPI'
+  - 'persistentVolumeClaim'
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+{{- end }}

stable/sealed-secrets/values.yaml

@@ -17,6 +17,7 @@ serviceAccount:
 rbac:
   # rbac.create: `true` if rbac resources should be created
   create: true
+  pspEnabled: false
 
 # secretName: The name of the TLS secret containing the key used to encrypt secrets
 secretName: "sealed-secrets-key"