tomkerkhove · tomkerkhove · Apr 8, 2020 · Apr 6, 2020 · Apr 6, 2020 · Apr 8, 2020
@@ -76,6 +76,11 @@ their default values.
 | `metricDefaults.aggregation.interval`  | Default interval which defines over what period measurements of a metric should be aggregated | `00:05:00`            |
 | `metricDefaults.scraping.schedule`  | Cron expression that controls the fequency in which all the configured metrics will be scraped from Azure Monitor | `*/5 * * * *`            |
 | `metrics`  | List of metrics to scrape configured following the [metric declaration docs](https://promitor.io/configuration/metrics/) |        |
+| `rbac.create` | If true, create & use RBAC resources | `true` |
+| `rbac.podSecurityPolicyEnabled` | Create pod security policy resources | `false` |
+| `rbac.serviceAccount.create` | Create service account resource | `true` |
+| `rbac.serviceAccount.name` | Service account name to use. If not set and create is true, a name is generated using the fullname template | `` |
+| `rbac.serviceAccount.annotations` | Service account annotations| `{}` |
 | `resources`  | Pod resource requests & limits |    `{}`    |
 | `secrets.createSecret`  | Indication if you want to bring your own secret level of logging | `true`            |
 | `secrets.appIdSecret`  | Name of the secret for Azure AD identity id | `azure-app-id`            |
@@ -86,6 +91,7 @@ their default values.
 | `service.labelType`  | Label to assign to your service | `infrastructure`            |
 | `service.selectorType`  | Selector type to use for the service | `runtime`            |
 
+
 Specify each parameter using the `--set key=value[,key=value]` argument to
 `helm install`. For example:
 

@@ -40,4 +40,4 @@ Create secret name based on whether or not user defined it.
 {{- else -}}
 {{- printf "%s" .Values.secrets.secretName -}}
 {{- end -}}
-{{- end -}}
+{{- end -}}
diff --git a/charts/promitor-agent-scraper/templates/clusterrole.yaml b/charts/promitor-agent-scraper/templates/clusterrole.yaml
@@ -0,0 +1,20 @@
+{{- if and .Values.rbac.create .Values.rbac.podSecurityPolicyEnabled }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  labels:
+    app: {{ template "promitor-agent-scraper.name" . }}
+    chart: {{ template "promitor-agent-scraper.chart" . }}
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+  name: {{ template "promitor-agent-scraper.fullname" . }}
+rules:
+  - apiGroups:
+    - policy
+    resources:
+    - podsecuritypolicies
+    resourceNames:
+    - {{ template "promitor-agent-scraper.fullname" . }}
+    verbs:
+    - use
+{{- end -}}
diff --git a/charts/promitor-agent-scraper/templates/clusterrolebinding.yaml b/charts/promitor-agent-scraper/templates/clusterrolebinding.yaml
@@ -0,0 +1,23 @@
+{{- if and .Values.rbac.create .Values.rbac.podSecurityPolicyEnabled }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: {{ template "promitor-agent-scraper.name" . }}
+    chart: {{ template "promitor-agent-scraper.chart" . }}
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+  name: {{ template "promitor-agent-scraper.fullname" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "promitor-agent-scraper.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    {{- if .Values.rbac.serviceAccount.create }}
+    name: {{ template "promitor-agent-scraper.fullname" . }}
+    {{- else }}
+    name: {{ .Values.rbac.serviceAccount.name | quote }}
+    {{- end }}
+    namespace: {{ .Release.Namespace }}
+{{- end -}}
@@ -31,6 +31,13 @@ spec:
         checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
         {{- end }}
     spec:
+      {{- if .Values.rbac.create }}
+      {{- if .Values.rbac.serviceAccount.create }}
+      serviceAccountName: {{ template "promitor-agent-scraper.fullname" . }}
+      {{- else }}
+      serviceAccountName: {{ .Values.rbac.serviceAccount.name | quote }}
+      {{- end }}
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"

@@ -0,0 +1,39 @@
+{{- if and .Values.rbac.create .Values.rbac.podSecurityPolicyEnabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "promitor-agent-scraper.fullname" . }}
+  labels:
+    app: {{ template "promitor-agent-scraper.fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+spec:
+  # Prevents running in privileged mode
+  privileged: false
+  # Required to prevent escalations to root.
+  allowPrivilegeEscalation: false
+  volumes:
+    - configMap
+    - secret
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+{{- end }}
@@ -0,0 +1,14 @@
+{{- if and .Values.rbac.create .Values.rbac.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "promitor-agent-scraper.fullname" . }}
+  labels:
+    app: {{ template "promitor-agent-scraper.name" . }}
+    chart: {{ template "promitor-agent-scraper.chart" . }}
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+  {{- if .Values.rbac.serviceAccount.annotations }}
+  annotations: {{ toYaml .Values.rbac.serviceAccount.annotations | nindent 4 }}
+  {{- end }}
+{{- end -}}
@@ -76,3 +76,24 @@ resources: {}
   # requests:
   #  cpu: 100m
   #  memory: 128Mi
+
+## Role-based access control
+## https://kubernetes.io/docs/reference/access-authn-authz/rbac/
+rbac:
+  ## If true, create & use RBAC resources
+  create: true
+
+  ## If true, create & use Pod Security Policy resources
+  ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+  podSecurityPolicyEnabled: false
+
+  ## Service Account for pods
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+  serviceAccount:
+    ## Specifies whether a service account should be created
+    create: true
+
+    ## The name of the service account to use.
+    ## If not set and create is true, a name is generated using the fullname template
+    name:
+    annotations: {}