Support PodSecurityPolicy (hashicorp#177)

* Add PSP for server * Add PSP for Injector * Allow annotations to be templated Co-authored-by: Theron Voran <[email protected]>
gillcaleb · Jun 26, 2020 · adf5bf6 · adf5bf6
1 parent ebed731
commit adf5bf6
Show file tree

Hide file tree

Showing 14 changed files with 834 additions and 0 deletions.
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
@@ -348,6 +348,21 @@ Sets extra vault server Service annotations
   {{- end }}
 {{- end -}}
 
+{{/*
+Sets PodSecurityPolicy annotations
+*/}}
+{{- define "vault.psp.annotations" -}}
+  {{- if .Values.global.psp.annotations }}
+  annotations:
+    {{- $tp := typeOf .Values.global.psp.annotations }}
+    {{- if eq $tp "string" }}
+      {{- tpl .Values.global.psp.annotations . | nindent 4 }}
+    {{- else }}
+      {{- toYaml .Values.global.psp.annotations | nindent 4 }}
+    {{- end }}
+  {{- end }}
+{{- end -}}
+
 {{/*
 Set's the container resources if the user has set any.
 */}}

diff --git a/templates/injector-psp-role.yaml b/templates/injector-psp-role.yaml
@@ -0,0 +1,17 @@
+{{- if and (eq (.Values.injector.enabled | toString) "true" ) (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "vault.fullname" . }}-agent-injector-psp
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "vault.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+- apiGroups: ['policy']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames:
+    - {{ template "vault.fullname" . }}-agent-injector
+{{- end }}
diff --git a/templates/injector-psp-rolebinding.yaml b/templates/injector-psp-rolebinding.yaml
@@ -0,0 +1,18 @@
+{{- if and (eq (.Values.injector.enabled | toString) "true" ) (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "vault.fullname" . }}-agent-injector-psp
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "vault.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+  kind: Role
+  name: {{ template "vault.fullname" . }}-agent-injector-psp
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "vault.fullname" . }}-agent-injector
+{{- end }}
diff --git a/templates/injector-psp.yaml b/templates/injector-psp.yaml
@@ -0,0 +1,43 @@
+{{- if and (eq (.Values.injector.enabled | toString) "true" ) (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "vault.fullname" . }}-agent-injector
+  labels:
+    app.kubernetes.io/name: {{ include "vault.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- template "vault.psp.annotations" . }}
+spec:
+  privileged: false
+  # Required to prevent escalations to root.
+  allowPrivilegeEscalation: false
+  volumes:
+    - configMap
+    - emptyDir
+    - projected
+    - secret
+    - downwardAPI
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    # Require the container to run without root privileges.
+    rule: MustRunAsNonRoot
+  seLinux:
+    # This policy assumes the nodes are using AppArmor rather than SELinux.
+    rule: RunAsAny
+  supplementalGroups:
+    rule: MustRunAs
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: MustRunAs
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+{{- end }}
diff --git a/templates/server-psp-role.yaml b/templates/server-psp-role.yaml
@@ -0,0 +1,18 @@
+{{ template "vault.mode" . }}
+{{- if and (ne .mode "") (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "vault.fullname" . }}-psp
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "vault.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+- apiGroups: ['policy']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames:
+    - {{ template "vault.fullname" . }}
+{{- end }}
diff --git a/templates/server-psp-rolebinding.yaml b/templates/server-psp-rolebinding.yaml
@@ -0,0 +1,19 @@
+{{ template "vault.mode" . }}
+{{- if and (ne .mode "") (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "vault.fullname" . }}-psp
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "vault.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+  kind: Role
+  name: {{ template "vault.fullname" . }}-psp
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "vault.fullname" . }}
+{{- end }}
diff --git a/templates/server-psp.yaml b/templates/server-psp.yaml
@@ -0,0 +1,47 @@
+{{ template "vault.mode" . }}
+{{- if and (ne .mode "") (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.psp.enable | toString) "true") ) }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "vault.fullname" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "vault.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- template "vault.psp.annotations" . }}
+spec:
+  privileged: false
+  # Required to prevent escalations to root.
+  allowPrivilegeEscalation: false
+  volumes:
+    - configMap
+    - emptyDir
+    - projected
+    - secret
+    - downwardAPI
+    {{- if eq (.Values.server.dataStorage.enabled | toString) "true" }}
+    - persistentVolumeClaim
+    {{- end }}
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    # Require the container to run without root privileges.
+    rule: MustRunAsNonRoot
+  seLinux:
+    # This policy assumes the nodes are using AppArmor rather than SELinux.
+    rule: RunAsAny
+  supplementalGroups:
+    rule: MustRunAs
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: MustRunAs
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+{{- end }}
diff --git a/test/unit/injector-psp-role.bats b/test/unit/injector-psp-role.bats
@@ -0,0 +1,35 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "injector/PodSecurityPolicy-Role: PodSecurityPolicy-Role not enabled by default" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/injector-psp-role.yaml  \
+      . || echo "---" ) | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "injector/PodSecurityPolicy-Role: enable with injector.enabled and global.psp.enable" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/injector-psp-role.yaml  \
+      --set 'injector.enabled=true' \
+      --set 'global.psp.enable=true' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
+@test "injector/PodSecurityPolicy-Role: disable with global.enabled" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/injector-psp-role.yaml  \
+      --set 'global.enabled=false' \
+      --set 'injector.enabled=true' \
+      --set 'global.psp.enable=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
diff --git a/test/unit/injector-psp-rolebinding.bats b/test/unit/injector-psp-rolebinding.bats
@@ -0,0 +1,35 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "injector/PodSecurityPolicy-RoleBinding: PodSecurityPolicy-RoleBinding not enabled by default" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/injector-psp-rolebinding.yaml  \
+      . || echo "---" ) | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "injector/PodSecurityPolicy-RoleBinding: enable with injector.enabled and global.psp.enable" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/injector-psp-rolebinding.yaml  \
+      --set 'injector.enabled=true' \
+      --set 'global.psp.enable=true' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
+@test "injector/PodSecurityPolicy-RoleBinding: disable with global.enabled" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/injector-psp-rolebinding.yaml  \
+      --set 'global.enabled=false' \
+      --set 'injector.enabled=true' \
+      --set 'global.psp.enable=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
diff --git a/test/unit/injector-psp.bats b/test/unit/injector-psp.bats
@@ -0,0 +1,70 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "injector/PodSecurityPolicy: PodSecurityPolicy not enabled by default" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/injector-psp.yaml  \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "injector/PodSecurityPolicy: enable with injector.enabled and global.psp.enable" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/injector-psp.yaml  \
+      --set 'injector.enabled=true' \
+      --set 'global.psp.enable=true' \
+      . | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
+@test "injector/PodSecurityPolicy: disable with global.enabled" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/injector-psp.yaml  \
+      --set 'global.enabled=false' \
+      --set 'injector.enabled=true' \
+      --set 'global.psp.enable=true' \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "injector/PodSecurityPolicy: annotations are templated correctly by default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/injector-psp.yaml  \
+      --set 'injector.enabled=true' \
+      --set 'global.psp.enable=true' \
+      . | tee /dev/stderr |
+      yq '.metadata.annotations | length == 4' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
+@test "injector/PodSecurityPolicy: annotations are added - string" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/injector-psp.yaml  \
+      --set 'injector.enabled=true' \
+      --set 'global.psp.enable=true' \
+      --set 'global.psp.annotations=vault-is: amazing' \
+      . | tee /dev/stderr |
+      yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr)
+  [ "${actual}" = "amazing" ]
+}
+
+@test "injector/PodSecurityPolicy: annotations are added - object" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/injector-psp.yaml  \
+      --set 'injector.enabled=true' \
+      --set 'global.psp.enable=true' \
+      --set 'global.psp.annotations.vault-is=amazing' \
+      . | tee /dev/stderr |
+      yq -r '.metadata.annotations["vault-is"]' | tee /dev/stderr)
+  [ "${actual}" = "amazing" ]
+}