Set up openstack cluster role for pod security policies

This commit adds a helm chart that deploys a rolebinding to the openstack application to allow deployments to the openstack namespace after PodSecurityPolicy plugin is enabled on the Kubernetes cluster. Change-Id: I57d3a31c9fcc7e03499e605d6d722fdb36004339 Partial-bug: 1878900 Depends-On: https://review.opendev.org/#/c/734408/ Depends-On: https://review.opendev.org/#/c/735998/ Signed-off-by: Jerry Sun <jerry.sun@windriver.com>
3 years ago · 92ed6fecc7
parent 7ff175f60c
commit 92ed6fecc7
6 changed files with 88 additions and 0 deletions
--- a/python-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/common/constants.py
+++ b/python-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/common/constants.py
@ -35,3 +35,4 @@ HELM_CHART_PLACEMENT = 'placement'
 HELM_CHART_RABBITMQ = 'rabbitmq'
 HELM_CHART_SWIFT = 'ceph-rgw'
 HELM_CHART_DCDBSYNC = 'dcdbsync'
+HELM_CHART_PSP_ROLEBINDING = 'psp-rolebinding'
--- a/python-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/psp_rolebinding.py
+++ b/python-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/psp_rolebinding.py
@ -0,0 +1,43 @@
+#
+# Copyright (c) 2020 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+from k8sapp_openstack.common import constants as app_constants
+
+from sysinv.common import constants
+from sysinv.common import exception
+
+from sysinv.helm import base
+from sysinv.helm import common
+
+
+class PSPRolebindingHelm(base.BaseHelm):
+    """Class to encapsulate helm operations for the psp rolebinding chart"""
+
+    SUPPORTED_NAMESPACES = \
+        base.BaseHelm.SUPPORTED_NAMESPACES + [common.HELM_NS_OPENSTACK]
+    SUPPORTED_APP_NAMESPACES = {
+        constants.HELM_APP_OPENSTACK:
+            base.BaseHelm.SUPPORTED_NAMESPACES + [common.HELM_NS_OPENSTACK]
+    }
+
+    CHART = app_constants.HELM_CHART_PSP_ROLEBINDING
+    SERVICE_NAME = 'psp-rolebinding'
+
+    def get_namespaces(self):
+        return self.SUPPORTED_NAMESPACES
+
+    def get_overrides(self, namespace=None):
+        overrides = {
+            common.HELM_NS_OPENSTACK: {}
+        }
+
+        if namespace in self.SUPPORTED_NAMESPACES:
+            return overrides[namespace]
+        elif namespace:
+            raise exception.InvalidHelmNamespace(chart=self.CHART,
+                                                 namespace=namespace)
+        else:
+            return overrides
--- a/python-k8sapp-openstack/k8sapp_openstack/setup.cfg
+++ b/python-k8sapp-openstack/k8sapp_openstack/setup.cfg
@ -61,6 +61,7 @@ systemconfig.helm_plugins.stx_openstack =
    026_nginx-ports-control = k8sapp_openstack.helm.nginx_ports_control:NginxPortsControlHelm
    027_fm-rest-api = k8sapp_openstack.helm.fm_rest_api:FmRestApiHelm
    028_dcdbsync = k8sapp_openstack.helm.dcdbsync:DcdbsyncHelm
+    029_psp-rolebinding = k8sapp_openstack.helm.psp_rolebinding:PSPRolebindingHelm

 systemconfig.armada.manifest_ops =
    stx-openstack = k8sapp_openstack.armada.manifest_openstack:OpenstackArmadaManifestOperator
--- a/stx-openstack-helm/centos/build_srpm.data
+++ b/stx-openstack-helm/centos/build_srpm.data
@ -1,6 +1,7 @@
 SRC_DIR="stx-openstack-helm"
 COPY_LIST_TO_TAR="\
    $STX_BASE/helm-charts/fm-rest-api/fm-rest-api/helm-charts \
+    $STX_BASE/helm-charts/psp-rolebinding/psp-rolebinding/helm-charts \
 "

 # Bump the version by the previous version value prior to decoupling as this
--- a/stx-openstack-helm/centos/stx-openstack-helm.spec
+++ b/stx-openstack-helm/centos/stx-openstack-helm.spec
@ -47,6 +47,7 @@ make keystone-api-proxy
 make fm-rest-api
 make nginx-ports-control
 make dcdbsync
+make psp-rolebinding
 cd -

 # terminate helm server (the last backgrounded task)
--- a/stx-openstack-helm/stx-openstack-helm/manifests/manifest.yaml
+++ b/stx-openstack-helm/stx-openstack-helm/manifests/manifest.yaml
@ -1,5 +1,35 @@
 ---
 schema: armada/Chart/v1
+metadata:
+  schema: metadata/Document/v1
+  name: openstack-psp-rolebinding
+data:
+  chart_name: psp-rolebinding
+  dependencies: []
+  namespace: openstack
+  release: openstack-psp-rolebinding
+  source:
+    location: http://172.17.0.1/helm_charts/starlingx/psp-rolebinding-0.1.0.tgz
+    subpath: psp-rolebinding
+    type: tar
+    reference: master
+  upgrade:
+    no_hooks: false
+    pre:
+      delete:
+      - labels:
+          release_group: osh-openstack-psp-rolebinding
+        type: job
+  wait:
+    labels:
+      release_group: osh-openstack-psp-rolebinding
+    resources: []
+    timeout: 1800
+  values:
+    rolebindingNamespace: openstack
+    serviceAccount: openstack
+---
+schema: armada/Chart/v1
 metadata:
  schema: metadata/Document/v1
  name: helm-toolkit
@ -3767,6 +3797,16 @@ data:
  chart_group:
    - openstack-dcdbsync
 ---
+schema: armada/ChartGroup/v1
+metadata:
+  schema: metadata/Document/v1
+  name: openstack-psp-rolebinding
+data:
+  description: "Deploy psp rolebinding"
+  sequenced: true
+  chart_group:
+    - openstack-psp-rolebinding
+---
 schema: armada/Manifest/v1
 metadata:
  schema: metadata/Document/v1
@ -3774,6 +3814,7 @@ metadata:
 data:
  release_prefix: osh
  chart_groups:
+    - openstack-psp-rolebinding
    - openstack-ingress
    - openstack-mariadb
    - openstack-memcached