Goldpinger. Add podSecurityPolicy (helm#13286)

Signed-off-by: vkropotko <vkropotko@riskfocus.com>

stable/goldpinger/Chart.yaml

@@ -1,5 +1,5 @@
 name: goldpinger
-version: 1.1.1
+version: 1.1.2
 appVersion: 1.5.0
 description: Goldpinger makes calls between its instances for visibility and alerting.
 home: https://github.com/bloomberg/goldpinger

stable/goldpinger/README.md

@@ -63,7 +63,10 @@ The following table lists the configurable parameters of the Goldpinger chart an
 | `nodeSelector`                       | Node labels for pod assignment              | `{}`                                                       |
 | `tolerations`                        | List of node taints to tolerate             | `[]`                                                       |
 | `affinity`                           | Map of node/pod affinities                  | `{}`                                                       |
-| `resources`                          | CPU/Memory resource requests/limits         | `{}`
+| `resources`                          | CPU/Memory resource requests/limits         | `{}`                                                       |
+| `podSecurityPolicy.enabled`          | Enable podSecuritypolicy                    | `false`                                                    |
+| `podSecurityPolicy.policyName`       | PodSecurityPolicy Name                      | `unrestricted-psp`                                         |
+
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
 
 ```console
@@ -82,4 +85,4 @@ $ helm install --name my-release -f values.yaml stable/goldpinger
 
 ## Ingress
 
-This chart provides support for Ingress resource. If you have an available Ingress Controller such as Nginx or Traefik you maybe want to set `ingress.enabled` to true and choose an `ingress.hostname` for the URL. Then, you should be able to access the installation using that address.
+This chart provides support for Ingress resource. If you have an available Ingress Controller such as Nginx or Traefik you maybe want to set `ingress.enabled` to true and choose an `ingress.hostname` for the URL. Then, you should be able to access the installation using that address.

stable/goldpinger/templates/podsecuritypolicy.yaml

@@ -0,0 +1,35 @@
+{{- if .Values.podSecurityPolicy.enabled }}
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "goldpinger.fullname" . }}-pod-security-policy
+  labels:
+    app.kubernetes.io/name: {{ include "goldpinger.name" . }}
+    helm.sh/chart: {{ include "goldpinger.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+- apiGroups: ["extensions"]
+  resources: ["podsecuritypolicies"]
+  resourceNames: [{{ .Values.podSecurityPolicy.policyName | quote }}]
+  verbs: ["use"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "goldpinger.fullname" . }}-pod-security-polic
+  labels:
+    app.kubernetes.io/name: {{ include "goldpinger.name" . }}
+    helm.sh/chart: {{ include "goldpinger.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+  kind: Role
+  name: {{ template "goldpinger.fullname" . }}-pod-security-policy
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+  name: {{ template "goldpinger.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}

stable/goldpinger/values.yaml

@@ -67,3 +67,10 @@ tolerations: []
 ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
 ##
 affinity: {}
+
+## Enable this if pod security policy enabled in your cluster
+## It will bind ServiceAccount with unrestricted podSecurityPolicy
+## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+podSecurityPolicy:
+  enabled: false
+  policyName: unrestricted-psp