gypsydiver/cluster autoscaler trim down psp (helm#15903)

* Trim down PodSecurityPolicy Signed-off-by: Fernando Mendoza <fermendozarcs@gmail.com> * keep extensions as psp apiGroup Signed-off-by: Fernando Mendoza <fermendozarcs@gmail.com> * bump chart version Signed-off-by: Fernando Mendoza <fermendozarcs@gmail.com> * keep extensions as psp apiGroup Signed-off-by: Fernando Mendoza <fermendozarcs@gmail.com> * add helm labels Signed-off-by: Fernando Mendoza <fermendozarcs@gmail.com> * add readme note Signed-off-by: Fernando Mendoza <fermendozarcs@gmail.com>
kengou · Sep 18, 2019 · e2ba8b3 · e2ba8b3
1 parent f40b51f
commit e2ba8b3
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 17 deletions.
diff --git a/stable/cluster-autoscaler/Chart.yaml b/stable/cluster-autoscaler/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 description: Scales worker nodes within autoscaling groups.
 icon: https://github.com/kubernetes/kubernetes/blob/master/logo/logo.png
 name: cluster-autoscaler
-version: 2.0.0
+version: 3.0.0
 appVersion: 1.13.1
 home: https://github.com/kubernetes/autoscaler
 sources:

diff --git a/stable/cluster-autoscaler/README.md b/stable/cluster-autoscaler/README.md
@@ -295,3 +295,7 @@ Containers:
       --node-group-auto-discovery=asg:tag=k8s.io/cluster-autoscaler/enabled,k8s.io/cluster/<ClusterName>
       --v=4
 ```
+
+#### PodSecurityPolicy
+
+Though enough for the majority of installations, the default PodSecurityPolicy _could_ be too restrictive depending on the specifics of your release. Please make sure to check that the template fits with any customizations made or disable it by setting `rbac.pspEnabled` to `false`.
diff --git a/stable/cluster-autoscaler/templates/clusterrole.yaml b/stable/cluster-autoscaler/templates/clusterrole.yaml
@@ -112,7 +112,7 @@ rules:
     resources:
     - podsecuritypolicies
     resourceNames:
-    - privileged-{{ template "cluster-autoscaler.fullname" . }}
+    - {{ template "cluster-autoscaler.fullname" . }}
     verbs:
     - use
 {{- end -}}

diff --git a/stable/cluster-autoscaler/templates/podsecuritypolicy.yaml b/stable/cluster-autoscaler/templates/podsecuritypolicy.yaml
@@ -2,25 +2,43 @@
 apiVersion: extensions/v1beta1
 kind: PodSecurityPolicy
 metadata:
-  name: privileged-{{ template "cluster-autoscaler.fullname" . }}
+  name: {{ template "cluster-autoscaler.fullname" . }}
+  labels:
+{{ include "cluster-autoscaler.labels" . | indent 4 }}
 spec:
-  allowedCapabilities:
-  - '*'
-  fsGroup:
-    rule: RunAsAny
-  privileged: true
+  # Prevents running in privileged mode
+  privileged: false
+  # Required to prevent escalations to root.
+  allowPrivilegeEscalation: false
+  requiredDropCapabilities:
+    - ALL
+  volumes:
+    - 'configMap'
+    - 'secret'
+    - 'hostPath'
+  allowedHostPaths:
+    - pathPrefix: {{ .Values.sslCertHostPath }}
+{{- if eq .Values.cloudProvider "gce" }}
+    - pathPrefix: {{ .Values.cloudConfigPath }}
+{{- end }}
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
   runAsUser:
     rule: RunAsAny
   seLinux:
     rule: RunAsAny
   supplementalGroups:
-    rule: RunAsAny
-  volumes:
-  - '*'
-  hostPID: true
-  hostIPC: true
-  hostNetwork: true
-  hostPorts:
-  - min: 1
-    max: 65536
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
 {{- end }}