Support restricted PSA enforcement in basic setup

This enables running Consul in a basic configuration with PSA enforcement
set to restricted on the namespace where Consul is deployed. (This
requires deploying the CNI to a different privileged namespace).

On OpenShift, we have the option to set the security context or not. If
the security context is unset, then it is set automatically by OpenShift
SCCs. However, we prefer to set the security context to avoid useless
warnings on OpenShift and to reduce the config difference between
OpenShift and plain Kube. By default, OpenShift namespaces have the
audit and warn PSA labels set to restricted, so we receive pod security
warnings when deploying Consul to OpenShift even though the pods will be
able to run.

charts/consul/templates/_helpers.tpl

@@ -15,6 +15,19 @@ as well as the global.name setting.
 {{- end -}}
 {{- end -}}
 
+{{- define "consul.restrictedSecurityContext" -}}
+{{- if not .Values.global.enablePodSecurityPolicies -}}
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL
+  runAsNonRoot: true
+  seccompProfile:
+    type: RuntimeDefault
+{{- end -}}
+{{- end -}}
+
 {{- define "consul.vaultSecretTemplate" -}}
  |
             {{ "{{" }}- with secret "{{ .secretName }}" -{{ "}}" }}
@@ -422,4 +435,4 @@ Usage: {{ template "consul.validateTelemetryCollectorCloud" . }}
 {{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName .Values.telemetryCollector.cloud.clientSecret.secretKey .Values.telemetryCollector.cloud.clientId.secretName .Values.telemetryCollector.cloud.clientId.secretKey (not .Values.global.cloud.resourceId.secretKey)) }}
 {{fail "When telemetryCollector has clientId and clientSecret .global.cloud.resourceId.secretKey must be set"}}
 {{- end }}
-{{- end -}}
+{{- end -}}

charts/consul/templates/connect-inject-deployment.yaml

@@ -94,6 +94,14 @@ spec:
             - containerPort: 8080
               name: webhook-server
               protocol: TCP
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: NAMESPACE
               valueFrom:

charts/consul/templates/gateway-cleanup-job.yaml

@@ -40,6 +40,7 @@ spec:
       containers:
         - name: gateway-cleanup
           image: {{ .Values.global.imageK8S }}
+          {{- include "consul.restrictedSecurityContext" . | nindent 10 }}
           command:
             - consul-k8s-control-plane
           args:

charts/consul/templates/gateway-resources-job.yaml

@@ -40,6 +40,7 @@ spec:
       containers:
         - name: gateway-resources
           image: {{ .Values.global.imageK8S }}
+          {{- include "consul.restrictedSecurityContext" . | nindent 10 }}
           command:
             - consul-k8s-control-plane
           args:

charts/consul/templates/gossip-encryption-autogenerate-job.yaml

@@ -48,6 +48,7 @@ spec:
       containers:
         - name: gossip-encryption-autogen
           image: "{{ .Values.global.imageK8S }}"
+          {{- include "consul.restrictedSecurityContext" . | nindent 10 }}
           command:
             - "/bin/sh"
             - "-ec"

charts/consul/templates/server-acl-init-cleanup-job.yaml

@@ -60,6 +60,7 @@ spec:
       containers:
         - name: server-acl-init-cleanup
           image: {{ .Values.global.imageK8S }}
+          {{- include "consul.restrictedSecurityContext" . | nindent 10 }}
           command:
             - consul-k8s-control-plane
           args:

charts/consul/templates/server-acl-init-job.yaml

@@ -129,6 +129,7 @@ spec:
       containers:
       - name: server-acl-init-job
         image: {{ .Values.global.imageK8S }}
+        {{- include "consul.restrictedSecurityContext" . | nindent 8 }}
         env:
         - name: NAMESPACE
           valueFrom:

charts/consul/templates/server-statefulset.yaml

@@ -238,6 +238,7 @@ spec:
         volumeMounts:
           - name: extra-config
             mountPath: /consul/extra-config
+        {{- include "consul.restrictedSecurityContext" . | nindent 8 }}
       containers:
         - name: consul
           image: "{{ default .Values.global.image .Values.server.image }}"
@@ -530,6 +531,8 @@ spec:
           {{- if not .Values.global.openshift.enabled }}
           securityContext:
             {{- toYaml .Values.server.containerSecurityContext.server | nindent 12 }}
+          {{- else }}
+          {{- include "consul.restrictedSecurityContext" . | nindent 10 }}
           {{- end }}
           {{- if .Values.server.extraContainers }}
           {{ toYaml .Values.server.extraContainers | nindent 8 }}

charts/consul/templates/tls-init-cleanup-job.yaml

@@ -48,6 +48,7 @@ spec:
       containers:
         - name: tls-init-cleanup
           image: "{{ .Values.global.image }}"
+          {{- include "consul.restrictedSecurityContext" . | nindent 10 }}
           env:
             - name: NAMESPACE
               valueFrom:

charts/consul/templates/tls-init-job.yaml

@@ -63,6 +63,7 @@ spec:
       containers:
         - name: tls-init
           image: "{{ .Values.global.imageK8S }}"
+          {{- include "consul.restrictedSecurityContext" . | nindent 10 }}
           env:
             - name: NAMESPACE
               valueFrom:

charts/consul/templates/webhook-cert-manager-deployment.yaml

@@ -51,6 +51,7 @@ spec:
             -deployment-namespace={{ .Release.Namespace }}
         image: {{ .Values.global.imageK8S }}
         name: webhook-cert-manager
+        {{- include "consul.restrictedSecurityContext" . | nindent 8 }}
         resources:
           limits:
             cpu: 100m