Add podsecuritypolicy

Add the podsecuritypolicy chart and incorporate a default
podsecuritypolicy.

Change-Id: Iace1e00cc69d58c167a004392756db6b73d4cf31

global/software/charts/ucp/podsecuritypolicy/chart-group.yaml

@@ -0,0 +1,13 @@
+---
+schema: armada/ChartGroup/v1
+metadata:
+  schema: metadata/Document/v1
+  name: podsecuritypolicy
+  layeringDefinition:
+    abstract: false
+    layer: global
+  storagePolicy: cleartext
+data:
+  description: Cluster Pod Security Policy definitions
+  chart_group:
+    - podsecuritypolicy

global/software/charts/ucp/podsecuritypolicy/podsecuritypolicy.yaml

@@ -0,0 +1,73 @@
+---
+schema: armada/Chart/v1
+metadata:
+  schema: metadata/Document/v1
+  name: podsecuritypolicy
+  labels:
+    name: podsecuritypolicy-global
+  layeringDefinition:
+    abstract: false
+    layer: global
+  storagePolicy: cleartext
+  substitutions:
+    # Chart source
+    - src:
+        schema: pegleg/SoftwareVersions/v1
+        name: software-versions
+        path: .charts.osh_infra.podsecuritypolicy
+      dest:
+        path: .source
+data:
+  chart_name: podsecuritypolicy
+  release: podsecuritypolicy
+  namespace: ucp
+  wait:
+    resources: []
+  install:
+    no_hooks: true
+  upgrade:
+    no_hooks: true
+  values:
+    conf:
+      # This defines creation of ClusterRoleBindings that configure
+      # default PodSecurityPolicies for the subjects below.
+      # `nil` avoids creation of a default binding for the subject.
+      #
+      defaults:
+        serviceaccounts: psp-default
+        authenticated: psp-default
+        unauthenticated: nil
+    data:
+      # Each of these corresponds to the `spec` of a PodSecurityPolicy object.
+      # Note that this default PodSecurityPolicy is incredibly permissive.  It is
+      # intended to be tuned over time as a default, and to be overridden by
+      # operators as appropriate.
+      #
+      # A ClusterRole will be created for the PSP, with the same `metadata.name`.
+      #
+      # Note: you can define as many PSPs here as you need.
+      #
+      psp-default:  # This will be the `metadata.name` of the PodSecurityPolicy
+        privileged: true
+        allowPrivilegeEscalation: true
+        hostNetwork: true
+        hostPID: true
+        hostIPC: true
+        seLinux:
+          rule: RunAsAny
+        supplementalGroups:
+          rule: RunAsAny
+        runAsUser:
+          rule: RunAsAny
+        fsGroup:
+          rule: RunAsAny
+        volumes:
+        - '*'
+        allowedCapabilities:
+        - '*'
+        hostPorts:
+        - min: 1
+          max: 65536
+  dependencies:
+    - osh-infra-helm-toolkit
+...

global/software/config/versions.yaml

@@ -210,6 +210,11 @@ data:
         reference: ff51fd77e1a9231ca2e463c6e763cc14f3336bcc
         subpath: nagios
         type: git
+      podsecuritypolicy:
+        location: https://git.openstack.org/openstack/openstack-helm-infra
+        reference: eda4b31502115d9966bf3464a7a9d9a0f0310826
+        subpath: podsecuritypolicy
+        type: git
       prometheus:
         location: https://git.openstack.org/openstack/openstack-helm-infra
         reference: ff51fd77e1a9231ca2e463c6e763cc14f3336bcc

global/software/manifests/bootstrap.yaml

@@ -10,6 +10,7 @@ metadata:
 data:
   release_prefix: airship
   chart_groups:
+    - podsecuritypolicy
     - kubernetes-proxy
     - kubernetes-container-networking
     - kubernetes-dns

global/software/manifests/full-site.yaml

@@ -12,6 +12,7 @@ metadata:
 data:
   release_prefix: airship
   chart_groups:
+    - podsecuritypolicy
     - kubernetes-proxy
     - kubernetes-container-networking
     - kubernetes-dns