fix(kspm-collector): Add missing clusterrole for KSPM PSP (#1109)

Signed-off-by: Daniele De Lorenzi <[email protected]>
sysdiglabs · May 18, 2023 · ac63313 · ac63313
1 parent 959627c
commit ac63313
Show file tree

Hide file tree

Showing 3 changed files with 82 additions and 1 deletion.
diff --git a/charts/kspm-collector/Chart.yaml b/charts/kspm-collector/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: kspm-collector
 description: Sysdig KSPM collector
 
-version: 0.1.44
+version: 0.1.45
 appVersion: 1.22.0
 keywords:
   - monitoring

diff --git a/charts/kspm-collector/templates/clusterrole.yaml b/charts/kspm-collector/templates/clusterrole.yaml
@@ -54,4 +54,14 @@ rules:
       - 'get'
       - 'list'
       - 'watch'
+{{- if and .Values.psp.create (include "kspmCollector.kubeVersionLessThan" (dict "root" . "major" 1 "minor" 25)) }}
+  - apiGroups:
+      - "policy"
+    resources:
+      - "podsecuritypolicies"
+    resourceNames:
+      - "{{ template "kspmCollector.fullname" .}}"
+    verbs:
+      - "use"
+{{- end }}
 {{- end }}
diff --git a/charts/kspm-collector/tests/clusterrole_test.yaml b/charts/kspm-collector/tests/clusterrole_test.yaml
@@ -0,0 +1,71 @@
+suite: KSPM Collector Cluster Role Tests
+templates:
+  - templates/clusterrole.yaml
+tests:
+  - it: Test PSP information included in k8s <1.25
+    capabilities:
+      majorVersion: 1
+      minorVersion: 24
+    asserts:
+      - contains:
+          path: rules
+          content:
+            apiGroups:
+              - "policy"
+            resources:
+              - "podsecuritypolicies"
+            resourceNames:
+              - release-name-kspm-collector
+            verbs:
+              - "use"
+
+  - it: Test PSP information not included in k8s >=1.25
+    capabilities:
+      majorVersion: 1
+      minorVersion: 25
+    asserts:
+      - notContains:
+          path: rules
+          content:
+            apiGroups:
+              - "policy"
+            resources:
+              - "podsecuritypolicies"
+            resourceNames:
+              - release-name-kspm-collector
+            verbs:
+              - "use"
+
+  - it: Test PSP information included in k8s <1.25 with '+' character in minor version
+    capabilities:
+      majorVersion: 1
+      minorVersion: "24+"
+    asserts:
+      - contains:
+          path: rules
+          content:
+            apiGroups:
+              - "policy"
+            resources:
+              - "podsecuritypolicies"
+            resourceNames:
+              - release-name-kspm-collector
+            verbs:
+              - "use"
+
+  - it: Test PSP information not included in k8s >=1.25 with '+' character in minor version
+    capabilities:
+      majorVersion: 1
+      minorVersion: "25+"
+    asserts:
+      - notContains:
+          path: rules
+          content:
+            apiGroups:
+              - "policy"
+            resources:
+              - "podsecuritypolicies"
+            resourceNames:
+              - release-name-kspm-collector
+            verbs:
+              - "use"