diff --git a/global/software/charts/ucp/podsecuritypolicy/chart-group.yaml b/global/software/charts/ucp/podsecuritypolicy/chart-group.yaml
new file mode 100644
index 000000000..d06749c2e
--- /dev/null
+++ b/global/software/charts/ucp/podsecuritypolicy/chart-group.yaml
@@ -0,0 +1,13 @@
+---
+schema: armada/ChartGroup/v1
+metadata:
+  schema: metadata/Document/v1
+  name: podsecuritypolicy
+  layeringDefinition:
+    abstract: false
+    layer: global
+  storagePolicy: cleartext
+data:
+  description: Cluster Pod Security Policy definitions
+  chart_group:
+    - podsecuritypolicy
diff --git a/global/software/charts/ucp/podsecuritypolicy/podsecuritypolicy.yaml b/global/software/charts/ucp/podsecuritypolicy/podsecuritypolicy.yaml
new file mode 100644
index 000000000..4b26388a3
--- /dev/null
+++ b/global/software/charts/ucp/podsecuritypolicy/podsecuritypolicy.yaml
@@ -0,0 +1,73 @@
+---
+schema: armada/Chart/v1
+metadata:
+  schema: metadata/Document/v1
+  name: podsecuritypolicy
+  labels:
+    name: podsecuritypolicy-global
+  layeringDefinition:
+    abstract: false
+    layer: global
+  storagePolicy: cleartext
+  substitutions:
+    # Chart source
+    - src:
+        schema: pegleg/SoftwareVersions/v1
+        name: software-versions
+        path: .charts.osh_infra.podsecuritypolicy
+      dest:
+        path: .source
+data:
+  chart_name: podsecuritypolicy
+  release: podsecuritypolicy
+  namespace: ucp
+  wait:
+    resources: []
+  install:
+    no_hooks: true
+  upgrade:
+    no_hooks: true
+  values:
+    conf:
+      # This defines creation of ClusterRoleBindings that configure
+      # default PodSecurityPolicies for the subjects below.
+      # `nil` avoids creation of a default binding for the subject.
+      #
+      defaults:
+        serviceaccounts: psp-default
+        authenticated: psp-default
+        unauthenticated: nil
+      data:
+        # Each of these corresponds to the `spec` of a PodSecurityPolicy object.
+        # Note that this default PodSecurityPolicy is incredibly permissive. It is
+        # intended to be tuned over time as a default, and to be overridden by
+        # operators as appropriate.
+        #
+        # A ClusterRole will be created for the PSP, with the same `metadata.name`.
+        #
+        # Note: you can define as many PSPs here as you need.
+        #
+        psp-default: # This will be the `metadata.name` of the PodSecurityPolicy
+          privileged: true
+          allowPrivilegeEscalation: true
+          hostNetwork: true
+          hostPID: true
+          hostIPC: true
+          seLinux:
+            rule: RunAsAny
+          supplementalGroups:
+            rule: RunAsAny
+          runAsUser:
+            rule: RunAsAny
+          fsGroup:
+            rule: RunAsAny
+          volumes:
+            - '*'
+          allowedCapabilities:
+            - '*'
+          hostPorts:
+            - min: 1
+              max: 65536
+  dependencies:
+    - osh-infra-helm-toolkit
+...
diff --git a/global/software/config/versions.yaml b/global/software/config/versions.yaml
index 557c2d78f..38cd748a2 100644
--- a/global/software/config/versions.yaml
+++ b/global/software/config/versions.yaml
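Review bot: The `hostPorts` range at the end of `psp-default` ends at `max: 65536`, one past the largest valid port, so it should read `- min: 1` / `max: 65535`; the intent is plainly "any host port", and a range outside 0–65535 may be rejected by API-server validation whether or not the upstream chart default carries the same value. More important for a cluster-wide default, `defaults.authenticated: psp-default` binds this fully permissive policy (privileged, host network/PID/IPC, all capabilities and volume types) to every authenticated subject and not only to service accounts, so once this chart is deployed the admission controller constrains nothing; the in-hunk comment says it is meant to be overridden, but the layer expected to tighten it is not shown, and a comment on `defaults` such as `# Site layers are expected to override conf.data.psp-default with a restrictive policy; this global default only keeps workloads admissible` would make that contract explicit. Note also that `unauthenticated: nil` is the plain string `nil`, not a YAML null — presumably the chart template compares against that literal, which the comment above `defaults` could state to stop someone "fixing" it to `null`.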
@@ -210,6 +210,11 @@ data:
         reference: ff51fd77e1a9231ca2e463c6e763cc14f3336bcc
         subpath: nagios
         type: git
+      podsecuritypolicy:
+        location: https://git.openstack.org/openstack/openstack-helm-infra
+        reference: eda4b31502115d9966bf3464a7a9d9a0f0310826
+        subpath: podsecuritypolicy
+        type: git
       prometheus:
         location: https://git.openstack.org/openstack/openstack-helm-infra
         reference: ff51fd77e1a9231ca2e463c6e763cc14f3336bcc
diff --git a/global/software/manifests/bootstrap.yaml b/global/software/manifests/bootstrap.yaml
index aca7cc38d..5b0ee3259 100644
--- a/global/software/manifests/bootstrap.yaml
+++ b/global/software/manifests/bootstrap.yaml
@@ -10,6 +10,7 @@ metadata:
 data:
   release_prefix: airship
   chart_groups:
+    - podsecuritypolicy
     - kubernetes-proxy
     - kubernetes-container-networking
     - kubernetes-dns
diff --git a/global/software/manifests/full-site.yaml b/global/software/manifests/full-site.yaml
index df9a8a5ca..13574b599 100644
--- a/global/software/manifests/full-site.yaml
+++ b/global/software/manifests/full-site.yaml
@@ -12,6 +12,7 @@ metadata:
 data:
   release_prefix: airship
   chart_groups:
+    - podsecuritypolicy
     - kubernetes-proxy
     - kubernetes-container-networking
     - kubernetes-dns
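Review bot: The new `podsecuritypolicy` entry pins `reference: eda4b31502115d9966bf3464a7a9d9a0f0310826` while the neighbouring `nagios` and `prometheus` entries pin the same openstack-helm-infra repository at `ff51fd77e1a9231ca2e463c6e763cc14f3336bcc`, so two commits of one repository are now consumed side by side. Presumably the chart does not exist at the older reference; a comment on the entry, `# pinned newer than the other osh_infra charts — presumably the chart is absent at ff51fd7; align refs in a follow-up once tested`, would record why the refs diverge and flag the intended clean-up. The enclosing `osh_infra` mapping starts outside the hunk.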
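Review bot: `podsecuritypolicy` is inserted first in `chart_groups`, ahead of `kubernetes-proxy`, and that position is load-bearing: if the PodSecurityPolicy admission plugin is active on the API server, pods from the later chart groups are admitted only because the `psp-default` bindings already exist. The same insertion appears in full-site.yaml, so a one-line comment at both, `# must stay first: later chart groups' pods need a PSP binding to be admitted`, would stop a future reorder from breaking bootstrap. Whether the admission plugin is enabled is not visible in this change, so the dependency is inferred from the chart's purpose rather than shown here.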