Add Kubernetes RBAC and PodSecurityPolicy (#946)

* Add Kubernetes RBAC and PodSecurityPolicy * Rename pspEnabled to podSecurityEnabled and improve text description * Adjust the logic to use the serviceAccount.name when defined * Fix linting * Narrow down clusterrole/clusterrolebinding to role/rolebinding * Fix linting * Improve documentation Co-authored-by: Tom Kerkhove <kerkhove.tom@gmail.com>
tomkerkhove · Apr 8, 2020 · 44cedb3 · 44cedb3
1 parent 48b7571
commit 44cedb3
Show file tree

Hide file tree

Showing 8 changed files with 132 additions and 1 deletion.
diff --git a/charts/promitor-agent-scraper/README.md b/charts/promitor-agent-scraper/README.md
@@ -76,6 +76,11 @@ their default values.
 | `metricDefaults.aggregation.interval`  | Default interval which defines over what period measurements of a metric should be aggregated | `00:05:00`            |
 | `metricDefaults.scraping.schedule`  | Cron expression that controls the fequency in which all the configured metrics will be scraped from Azure Monitor | `*/5 * * * *`            |
 | `metrics`  | List of metrics to scrape configured following the [metric declaration docs](https://promitor.io/configuration/metrics/) |        |
+| `rbac.create` | If true, create & use RBAC resources | `true` |
+| `rbac.podSecurityPolicyEnabled` | Create pod security policy resources | `false` |
+| `rbac.serviceAccount.create` | Create service account resource | `true` |
+| `rbac.serviceAccount.name` | Service account name to use if create is false. If create is true, a name is generated using the fullname template | `default` |
+| `rbac.serviceAccount.annotations` | Service account annotations| `{}` |
 | `resources`  | Pod resource requests & limits |    `{}`    |
 | `secrets.createSecret`  | Indication if you want to bring your own secret level of logging | `true`            |
 | `secrets.appIdSecret`  | Name of the secret for Azure AD identity id | `azure-app-id`            |

diff --git a/charts/promitor-agent-scraper/templates/_helpers.tpl b/charts/promitor-agent-scraper/templates/_helpers.tpl
@@ -40,4 +40,15 @@ Create secret name based on whether or not user defined it.
 {{- else -}}
 {{- printf "%s" .Values.secrets.secretName -}}
 {{- end -}}
-{{- end -}}
+{{- end -}}
+
+{{/*
+Create service account name based on whether or not user defined it.
+*/}}
+{{- define "promitor-agent-scraper.serviceaccountname" -}}
+{{- if .Values.rbac.serviceAccount.create -}}
+{{ template "promitor-agent-scraper.fullname" . }}
+{{- else -}}
+{{- printf "%s" .Values.rbac.serviceAccount.name -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/promitor-agent-scraper/templates/deployment.yaml b/charts/promitor-agent-scraper/templates/deployment.yaml
@@ -31,6 +31,9 @@ spec:
         checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
         {{- end }}
     spec:
+      {{- if .Values.rbac.create }}
+      serviceAccountName: {{ template "promitor-agent-scraper.serviceaccountname" . }}
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"

diff --git a/charts/promitor-agent-scraper/templates/podsecuritypolicy.yaml b/charts/promitor-agent-scraper/templates/podsecuritypolicy.yaml
@@ -0,0 +1,39 @@
+{{- if and .Values.rbac.create .Values.rbac.podSecurityPolicyEnabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "promitor-agent-scraper.fullname" . }}
+  labels:
+    app: {{ template "promitor-agent-scraper.fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+spec:
+  # Prevents running in privileged mode
+  privileged: false
+  # Required to prevent escalations to root.
+  allowPrivilegeEscalation: false
+  volumes:
+    - configMap
+    - secret
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+{{- end }}
diff --git a/charts/promitor-agent-scraper/templates/role.yaml b/charts/promitor-agent-scraper/templates/role.yaml
@@ -0,0 +1,20 @@
+{{- if and .Values.rbac.create .Values.rbac.podSecurityPolicyEnabled }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  labels:
+    app: {{ template "promitor-agent-scraper.name" . }}
+    chart: {{ template "promitor-agent-scraper.chart" . }}
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+  name: {{ template "promitor-agent-scraper.fullname" . }}
+rules:
+  - apiGroups:
+    - policy
+    resources:
+    - podsecuritypolicies
+    resourceNames:
+    - {{ template "promitor-agent-scraper.fullname" . }}
+    verbs:
+    - use
+{{- end -}}
diff --git a/charts/promitor-agent-scraper/templates/rolebinding.yaml b/charts/promitor-agent-scraper/templates/rolebinding.yaml
@@ -0,0 +1,18 @@
+{{- if and .Values.rbac.create .Values.rbac.podSecurityPolicyEnabled }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  labels:
+    app: {{ template "promitor-agent-scraper.name" . }}
+    chart: {{ template "promitor-agent-scraper.chart" . }}
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+  name: {{ template "promitor-agent-scraper.fullname" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "promitor-agent-scraper.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "promitor-agent-scraper.serviceaccountname" . }}
+{{- end -}}
diff --git a/charts/promitor-agent-scraper/templates/serviceaccount.yaml b/charts/promitor-agent-scraper/templates/serviceaccount.yaml
@@ -0,0 +1,14 @@
+{{- if and .Values.rbac.create .Values.rbac.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "promitor-agent-scraper.serviceaccountname" . }}
+  labels:
+    app: {{ template "promitor-agent-scraper.name" . }}
+    chart: {{ template "promitor-agent-scraper.chart" . }}
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+  {{- if .Values.rbac.serviceAccount.annotations }}
+  annotations: {{ toYaml .Values.rbac.serviceAccount.annotations | nindent 4 }}
+  {{- end }}
+{{- end -}}
diff --git a/charts/promitor-agent-scraper/values.yaml b/charts/promitor-agent-scraper/values.yaml
@@ -76,3 +76,24 @@ resources: {}
   # requests:
   #  cpu: 100m
   #  memory: 128Mi
+
+## Role-based access control
+## https://kubernetes.io/docs/reference/access-authn-authz/rbac/
+rbac:
+  ## If true, create & use RBAC resources
+  create: true
+
+  ## If true, create & use Pod Security Policy resources
+  ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+  podSecurityPolicyEnabled: false
+
+  ## Service Account for pods
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+  serviceAccount:
+    ## Specifies whether a service account should be created
+    create: true
+
+    ## The name of the service account to use if create is false
+    ## If create is true, a name is generated using the fullname template
+    name: default
+    annotations: {}