Helm: make PSP configurable (#7190)

* Helm: make PSP configurable Signed-off-by: QuantumEnigmaa <thibaud@giantswarm.io> * fix changelog Signed-off-by: QuantumEnigmaa <thibaud@giantswarm.io> * fix psp rendering Signed-off-by: QuantumEnigmaa <thibaud@giantswarm.io> * Update operations/helm/charts/mimir-distributed/CHANGELOG.md --------- Signed-off-by: QuantumEnigmaa <thibaud@giantswarm.io> Co-authored-by: Dimitar Dimitrov <dimitar.dimitrov@grafana.com>
grafana · Feb 8, 2024 · a7406fa · a7406fa
1 parent fe7579e
commit a7406fa
Show file tree

Hide file tree

Showing 20 changed files with 116 additions and 84 deletions.
diff --git a/operations/helm/charts/mimir-distributed/CHANGELOG.md b/operations/helm/charts/mimir-distributed/CHANGELOG.md
@@ -47,6 +47,7 @@ Entries should include a reference to the Pull Request that introduced the chang
 * [ENHANCEMENT] Add the possibility to create a dedicated serviceAccount for the `ruler` component by setting `ruler.serivceAcount.create` to true in the values. #7132
 * [ENHANCEMENT] nginx, Gateway: set `proxy_http_version: 1.1` to proxy to HTTP 1.1. #5040
 * [BUGFIX] Metamonitoring: update dashboards to drop unsupported `step` parameter in targets. #7157
+* [ENHANCEMENT] Make the PSP template configurable via `rbac.podSecurityPolicy`. #7190
 
 ## 5.2.1
 

diff --git a/operations/helm/charts/mimir-distributed/templates/podsecuritypolicy.yaml b/operations/helm/charts/mimir-distributed/templates/podsecuritypolicy.yaml
@@ -6,33 +6,40 @@ metadata:
   labels:
     {{- include "mimir.labels" (dict "ctx" .) | nindent 4 }}
   annotations:
-    "seccomp.security.alpha.kubernetes.io/allowedProfileNames": runtime/default
+    "seccomp.security.alpha.kubernetes.io/allowedProfileNames": {{ .Values.rbac.podSecurityPolicy.seccompProfile }}
 spec:
-  privileged: false
-  allowPrivilegeEscalation: false
+  privileged: {{ .Values.rbac.podSecurityPolicy.privileged }}
+  allowPrivilegeEscalation: {{ .Values.rbac.podSecurityPolicy.allowPrivilegeEscalation }}
   volumes:
     - 'configMap'
     - 'emptyDir'
     - 'persistentVolumeClaim'
     - 'secret'
-  hostNetwork: false
-  hostIPC: false
-  hostPID: false
+    {{- range $volumes := .Values.rbac.podSecurityPolicy.additionalVolumes }}
+    - '{{ $volumes }}'
+    {{- end }}
+  hostNetwork: {{ .Values.rbac.podSecurityPolicy.hostNetwork }}
+  hostIPC: {{ .Values.rbac.podSecurityPolicy.hostIPC }}
+  hostPID: {{ .Values.rbac.podSecurityPolicy.hostPID }}
   runAsUser:
-    rule: 'MustRunAsNonRoot'
+    rule: {{ .Values.rbac.podSecurityPolicy.runAsUser.rule }}
   seLinux:
-    rule: 'RunAsAny'
+    rule: {{ .Values.rbac.podSecurityPolicy.seLinux.rule }}
   supplementalGroups:
-    rule: 'MustRunAs'
+    rule: {{ .Values.rbac.podSecurityPolicy.supplementalGroups.rule }}
     ranges:
-    - min: 1
-      max: 65535
+    {{- range $range := .Values.rbac.podSecurityPolicy.supplementalGroups.ranges }}
+    - min: {{ $range.min }}
+      max: {{ $range.max }}
+    {{- end }}
   fsGroup:
-    rule: 'MustRunAs'
+    rule: {{ .Values.rbac.podSecurityPolicy.fsGroup.rule }}
     ranges:
-    - min: 1
-      max: 65535
-  readOnlyRootFilesystem: true
+    {{- range $range := .Values.rbac.podSecurityPolicy.fsGroup.ranges }}
+    - min: {{ $range.min }}
+      max: {{ $range.max }}
+    {{- end }}
+  readOnlyRootFilesystem: {{ .Values.rbac.podSecurityPolicy.readOnlyRootFilesystem }}
   requiredDropCapabilities:
     - ALL
 {{- end }}
diff --git a/operations/helm/charts/mimir-distributed/values.yaml b/operations/helm/charts/mimir-distributed/values.yaml
@@ -459,9 +459,33 @@ runtimeConfig: {}
 
 # RBAC configuration
 rbac:
-  create: true
   # -- If true, PodSecurityPolicy will be rendered by the chart on Kuberentes 1.24.
   # By default the PodSecurityPolicy is not rendered on version 1.24.
+  create: true
+  # -- PSP configuration
+  podSecurityPolicy:
+    seccompProfile: runtime/default
+    privileged: false
+    allowPrivilegeEscalation: false
+    hostNetwork: false
+    hostIPC: false
+    hostPID: false
+    readOnlyRootFilesystem: true
+    runAsUser:
+      rule: 'MustRunAsNonRoot'
+    seLinux:
+      rule: 'RunAsAny'
+    supplementalGroups:
+      rule: 'MustRunAs'
+      ranges:
+      - min: 1
+        max: 65535
+    fsGroup:
+      rule: 'MustRunAs'
+      ranges:
+      - min: 1
+        max: 65535
+    additionalVolumes: []
   forcePSPOnKubernetes124: false
   # -- For GKE/EKS/AKS use 'type: psp'. For OpenShift use 'type: scc'
   type: psp

diff --git a/...ests/enterprise-https-values-generated/mimir-distributed/templates/podsecuritypolicy.yaml b/...ests/enterprise-https-values-generated/mimir-distributed/templates/podsecuritypolicy.yaml
@@ -22,16 +22,16 @@ spec:
   hostIPC: false
   hostPID: false
   runAsUser:
-    rule: 'MustRunAsNonRoot'
+    rule: MustRunAsNonRoot
   seLinux:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   supplementalGroups:
-    rule: 'MustRunAs'
+    rule: MustRunAs
     ranges:
     - min: 1
       max: 65535
   fsGroup:
-    rule: 'MustRunAs'
+    rule: MustRunAs
     ranges:
     - min: 1
       max: 65535

diff --git a/...ts/gateway-enterprise-values-generated/mimir-distributed/templates/podsecuritypolicy.yaml b/...ts/gateway-enterprise-values-generated/mimir-distributed/templates/podsecuritypolicy.yaml
@@ -22,16 +22,16 @@ spec:
   hostIPC: false
   hostPID: false
   runAsUser:
-    rule: 'MustRunAsNonRoot'
+    rule: MustRunAsNonRoot
   seLinux:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   supplementalGroups:
-    rule: 'MustRunAs'
+    rule: MustRunAs
     ranges:
     - min: 1
       max: 65535
   fsGroup:
-    rule: 'MustRunAs'
+    rule: MustRunAs
     ranges:
     - min: 1
       max: 65535

diff --git a/...m/tests/gateway-nginx-values-generated/mimir-distributed/templates/podsecuritypolicy.yaml b/...m/tests/gateway-nginx-values-generated/mimir-distributed/templates/podsecuritypolicy.yaml
@@ -22,16 +22,16 @@ spec:
   hostIPC: false
   hostPID: false
   runAsUser:
-    rule: 'MustRunAsNonRoot'
+    rule: MustRunAsNonRoot
   seLinux:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   supplementalGroups:
-    rule: 'MustRunAs'
+    rule: MustRunAs
     ranges:
     - min: 1
       max: 65535
   fsGroup:
-    rule: 'MustRunAs'
+    rule: MustRunAs
     ranges:
     - min: 1
       max: 65535

diff --git a/...ests/graphite-enabled-values-generated/mimir-distributed/templates/podsecuritypolicy.yaml b/...ests/graphite-enabled-values-generated/mimir-distributed/templates/podsecuritypolicy.yaml
@@ -22,16 +22,16 @@ spec:
   hostIPC: false
   hostPID: false
   runAsUser:
-    rule: 'MustRunAsNonRoot'
+    rule: MustRunAsNonRoot
   seLinux:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   supplementalGroups:
-    rule: 'MustRunAs'
+    rule: MustRunAs
     ranges:
     - min: 1
       max: 65535
   fsGroup:
-    rule: 'MustRunAs'
+    rule: MustRunAs
     ranges:
     - min: 1
       max: 65535

diff --git a/...ions/helm/tests/large-values-generated/mimir-distributed/templates/podsecuritypolicy.yaml b/...ions/helm/tests/large-values-generated/mimir-distributed/templates/podsecuritypolicy.yaml
@@ -22,16 +22,16 @@ spec:
   hostIPC: false
   hostPID: false
   runAsUser:
-    rule: 'MustRunAsNonRoot'
+    rule: MustRunAsNonRoot
   seLinux:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   supplementalGroups:
-    rule: 'MustRunAs'
+    rule: MustRunAs
     ranges:
     - min: 1
       max: 65535
   fsGroup:
-    rule: 'MustRunAs'
+    rule: MustRunAs
     ranges:
     - min: 1
       max: 65535

diff --git a/.../tests/metamonitoring-values-generated/mimir-distributed/templates/podsecuritypolicy.yaml b/.../tests/metamonitoring-values-generated/mimir-distributed/templates/podsecuritypolicy.yaml
@@ -22,16 +22,16 @@ spec:
   hostIPC: false
   hostPID: false
   runAsUser:
-    rule: 'MustRunAsNonRoot'
+    rule: MustRunAsNonRoot
   seLinux:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   supplementalGroups:
-    rule: 'MustRunAs'
+    rule: MustRunAs
     ranges:
     - min: 1
       max: 65535
   fsGroup:
-    rule: 'MustRunAs'
+    rule: MustRunAs
     ranges:
     - min: 1
       max: 65535

diff --git a/.../tests/scheduler-name-values-generated/mimir-distributed/templates/podsecuritypolicy.yaml b/.../tests/scheduler-name-values-generated/mimir-distributed/templates/podsecuritypolicy.yaml
@@ -22,16 +22,16 @@ spec:
   hostIPC: false
   hostPID: false
   runAsUser:
-    rule: 'MustRunAsNonRoot'
+    rule: MustRunAsNonRoot
   seLinux:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   supplementalGroups:
-    rule: 'MustRunAs'
+    rule: MustRunAs
     ranges:
     - min: 1
       max: 65535
   fsGroup:
-    rule: 'MustRunAs'
+    rule: MustRunAs
     ranges:
     - min: 1
       max: 65535

diff --git a/...ions/helm/tests/small-values-generated/mimir-distributed/templates/podsecuritypolicy.yaml b/...ions/helm/tests/small-values-generated/mimir-distributed/templates/podsecuritypolicy.yaml
@@ -22,16 +22,16 @@ spec:
   hostIPC: false
   hostPID: false
   runAsUser:
-    rule: 'MustRunAsNonRoot'
+    rule: MustRunAsNonRoot
   seLinux:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   supplementalGroups:
-    rule: 'MustRunAs'
+    rule: MustRunAs
     ranges:
     - min: 1
       max: 65535
   fsGroup:
-    rule: 'MustRunAs'
+    rule: MustRunAs
     ranges:
     - min: 1
       max: 65535

diff --git a/...-enterprise-configmap-values-generated/mimir-distributed/templates/podsecuritypolicy.yaml b/...-enterprise-configmap-values-generated/mimir-distributed/templates/podsecuritypolicy.yaml
@@ -22,16 +22,16 @@ spec:
   hostIPC: false
   hostPID: false
   runAsUser:
-    rule: 'MustRunAsNonRoot'
+    rule: MustRunAsNonRoot
   seLinux:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   supplementalGroups:
-    rule: 'MustRunAs'
+    rule: MustRunAs
     ranges:
     - min: 1
       max: 65535
   fsGroup:
-    rule: 'MustRunAs'
+    rule: MustRunAs
     ranges:
     - min: 1
       max: 65535

diff --git a/...terprise-legacy-label-values-generated/mimir-distributed/templates/podsecuritypolicy.yaml b/...terprise-legacy-label-values-generated/mimir-distributed/templates/podsecuritypolicy.yaml
@@ -22,16 +22,16 @@ spec:
   hostIPC: false
   hostPID: false
   runAsUser:
-    rule: 'MustRunAsNonRoot'
+    rule: MustRunAsNonRoot
   seLinux:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   supplementalGroups:
-    rule: 'MustRunAs'
+    rule: MustRunAs
     ranges:
     - min: 1
       max: 65535
   fsGroup:
-    rule: 'MustRunAs'
+    rule: MustRunAs
     ranges:
     - min: 1
       max: 65535

diff --git a/...tests/test-enterprise-values-generated/mimir-distributed/templates/podsecuritypolicy.yaml b/...tests/test-enterprise-values-generated/mimir-distributed/templates/podsecuritypolicy.yaml
@@ -22,16 +22,16 @@ spec:
   hostIPC: false
   hostPID: false
   runAsUser:
-    rule: 'MustRunAsNonRoot'
+    rule: MustRunAsNonRoot
   seLinux:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   supplementalGroups:
-    rule: 'MustRunAs'
+    rule: MustRunAs
     ranges:
     - min: 1
       max: 65535
   fsGroup:
-    rule: 'MustRunAs'
+    rule: MustRunAs
     ranges:
     - min: 1
       max: 65535

diff --git a/...lm/tests/test-ingress-values-generated/mimir-distributed/templates/podsecuritypolicy.yaml b/...lm/tests/test-ingress-values-generated/mimir-distributed/templates/podsecuritypolicy.yaml
@@ -22,16 +22,16 @@ spec:
   hostIPC: false
   hostPID: false
   runAsUser:
-    rule: 'MustRunAsNonRoot'
+    rule: MustRunAsNonRoot
   seLinux:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   supplementalGroups:
-    rule: 'MustRunAs'
+    rule: MustRunAs
     ranges:
     - min: 1
       max: 65535
   fsGroup:
-    rule: 'MustRunAs'
+    rule: MustRunAs
     ranges:
     - min: 1
       max: 65535

diff --git a/...oss-logical-multizone-values-generated/mimir-distributed/templates/podsecuritypolicy.yaml b/...oss-logical-multizone-values-generated/mimir-distributed/templates/podsecuritypolicy.yaml
@@ -22,16 +22,16 @@ spec:
   hostIPC: false
   hostPID: false
   runAsUser:
-    rule: 'MustRunAsNonRoot'
+    rule: MustRunAsNonRoot
   seLinux:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   supplementalGroups:
-    rule: 'MustRunAs'
+    rule: MustRunAs
     ranges:
     - min: 1
       max: 65535
   fsGroup:
-    rule: 'MustRunAs'
+    rule: MustRunAs
     ranges:
     - min: 1
       max: 65535

diff --git a/...ts/test-oss-multizone-values-generated/mimir-distributed/templates/podsecuritypolicy.yaml b/...ts/test-oss-multizone-values-generated/mimir-distributed/templates/podsecuritypolicy.yaml
@@ -22,16 +22,16 @@ spec:
   hostIPC: false
   hostPID: false
   runAsUser:
-    rule: 'MustRunAsNonRoot'
+    rule: MustRunAsNonRoot
   seLinux:
-    rule: 'RunAsAny'
+    rule: RunAsAny
   supplementalGroups:
-    rule: 'MustRunAs'
+    rule: MustRunAs
     ranges:
     - min: 1
       max: 65535
   fsGroup:
-    rule: 'MustRunAs'
+    rule: MustRunAs
     ranges:
     - min: 1
       max: 65535