Add podsecuritypolicy

Add the podsecuritypolicy chart and incorporate a default
podsecuritypolicy.

Change-Id: Iace1e00cc69d58c167a004392756db6b73d4cf31
changes/86/629686/4
Matt McEuen 4 years ago
parent 7db4b789f2
commit 93d86e095b
  1. 13
      global/software/charts/ucp/podsecuritypolicy/chart-group.yaml
  2. 73
      global/software/charts/ucp/podsecuritypolicy/podsecuritypolicy.yaml
  3. 5
      global/software/config/versions.yaml
  4. 1
      global/software/manifests/bootstrap.yaml
  5. 1
      global/software/manifests/full-site.yaml

@ -0,0 +1,13 @@
---
schema: armada/ChartGroup/v1
metadata:
schema: metadata/Document/v1
name: podsecuritypolicy
layeringDefinition:
abstract: false
layer: global
storagePolicy: cleartext
data:
description: Cluster Pod Security Policy definitions
chart_group:
- podsecuritypolicy

@ -0,0 +1,73 @@
---
schema: armada/Chart/v1
metadata:
schema: metadata/Document/v1
name: podsecuritypolicy
labels:
name: podsecuritypolicy-global
layeringDefinition:
abstract: false
layer: global
storagePolicy: cleartext
substitutions:
# Chart source
- src:
schema: pegleg/SoftwareVersions/v1
name: software-versions
path: .charts.osh_infra.podsecuritypolicy
dest:
path: .source
data:
chart_name: podsecuritypolicy
release: podsecuritypolicy
namespace: ucp
wait:
resources: []
install:
no_hooks: true
upgrade:
no_hooks: true
values:
conf:
# This defines creation of ClusterRoleBindings that configure
# default PodSecurityPolicies for the subjects below.
# `nil` avoids creation of a default binding for the subject.
#
defaults:
serviceaccounts: psp-default
authenticated: psp-default
unauthenticated: nil
data:
# Each of these corresponds to the `spec` of a PodSecurityPolicy object.
# Note that this default PodSecurityPolicy is incredibly permissive. It is
# intended to be tuned over time as a default, and to be overridden by
# operators as appropriate.
#
# A ClusterRole will be created for the PSP, with the same `metadata.name`.
#
# Note: you can define as many PSPs here as you need.
#
psp-default: # This will be the `metadata.name` of the PodSecurityPolicy
privileged: true
allowPrivilegeEscalation: true
hostNetwork: true
hostPID: true
hostIPC: true
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: RunAsAny
fsGroup:
rule: RunAsAny
volumes:
- '*'
allowedCapabilities:
- '*'
hostPorts:
- min: 1
max: 65536
dependencies:
- osh-infra-helm-toolkit
...

@ -210,6 +210,11 @@ data:
reference: ff51fd77e1a9231ca2e463c6e763cc14f3336bcc
subpath: nagios
type: git
podsecuritypolicy:
location: https://git.openstack.org/openstack/openstack-helm-infra
reference: eda4b31502115d9966bf3464a7a9d9a0f0310826
subpath: podsecuritypolicy
type: git
prometheus:
location: https://git.openstack.org/openstack/openstack-helm-infra
reference: ff51fd77e1a9231ca2e463c6e763cc14f3336bcc

@ -10,6 +10,7 @@ metadata:
data:
release_prefix: airship
chart_groups:
- podsecuritypolicy
- kubernetes-proxy
- kubernetes-container-networking
- kubernetes-dns

@ -12,6 +12,7 @@ metadata:
data:
release_prefix: airship
chart_groups:
- podsecuritypolicy
- kubernetes-proxy
- kubernetes-container-networking
- kubernetes-dns

Loading…
Cancel
Save