feat(kspm-collector): Added PSP policies for KSPM Collector (#1088)

Signed-off-by: Daniele De Lorenzi <[email protected]>
sysdiglabs · May 12, 2023 · fe03214 · fe03214
1 parent 08af09e
commit fe03214
Show file tree

Hide file tree

Showing 6 changed files with 99 additions and 1 deletion.
diff --git a/charts/kspm-collector/Chart.yaml b/charts/kspm-collector/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: kspm-collector
 description: Sysdig KSPM collector
 
-version: 0.1.43
+version: 0.1.44
 appVersion: 1.22.0
 keywords:
   - monitoring

diff --git a/charts/kspm-collector/README.md b/charts/kspm-collector/README.md
@@ -62,6 +62,7 @@ The following table lists the configurable parameters of the Sysdig KSPM Collect
 | `affinity`                                | Node affinities. Overrides `arch` and `os` values                                       | `{}`                                                        |
 | `labels`                                  | KSPM collector specific labels (as a multi-line templated string map or as YAML)        | `{}`                                                        |
 | `port`                                    | KSPM collector port for health checks                                                   | `8080`                                                      |
+| `psp.create`                              | Create Pod Security Policy to allow the KSPM Collector running in clusters with PSP enabled                                                   | `true`                                                      |
 | `readinessProbe.enabled`                  | KSPM collector readinessProbe enablement                                                | `true`                                                      |
 | `livenessProbe.enabled`                   | KSPM collector livenessProbe enablement                                                 | `true`                                                      |
 | `scc.create`                              | Create OpenShift's Security Context Constraint                                          | `true`                                                      |

diff --git a/charts/kspm-collector/templates/_helpers.tpl b/charts/kspm-collector/templates/_helpers.tpl
@@ -175,3 +175,16 @@ KSPM Collector nodeSelector
 {{- end }}
 {{- end }}
 {{- end -}}
+
+{{/* Returns string 'true' if the cluster's kubeVersion is less than the parameter provided, or nothing otherwise
+     Use like: {{ include "kspmCollector.kubeVersionLessThan" (dict "root" . "major" <kube_major_to_compare> "minor" <kube_minor_to_compare>) }}
+
+     Note: The use of `"root" .` in the parameter dict is necessary as the .Capabilities fields are not provided in
+           helper functions when "helm template" is used.
+*/}}
+{{- define "kspmCollector.kubeVersionLessThan" }}
+{{- if (and (le (.root.Capabilities.KubeVersion.Major | int) .major)
+            (lt (.root.Capabilities.KubeVersion.Minor | trimSuffix "+" | int) .minor)) }}
+true
+{{- end }}
+{{- end }}
diff --git a/charts/kspm-collector/templates/psp.yaml b/charts/kspm-collector/templates/psp.yaml
@@ -0,0 +1,26 @@
+{{- if and .Values.psp.create (include "kspmCollector.kubeVersionLessThan" (dict "root" . "major" 1 "minor" 25)) }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "kspmCollector.fullname" . }}
+  namespace: {{ include "kspmCollector.namespace" . }}
+spec:
+  allowedCapabilities: []
+  fsGroup:
+    rule: RunAsAny
+  hostIPC: false
+  hostNetwork: false
+  hostPID: false
+  privileged: false
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  volumes:
+  - emptyDir
+  - secret
+  - configMap
+  - downwardAPI
+{{- end }}
diff --git a/charts/kspm-collector/tests/psp_test.yaml b/charts/kspm-collector/tests/psp_test.yaml
@@ -0,0 +1,54 @@
+suite: PSP create test
+templates:
+  - templates/psp.yaml
+tests:
+  - it: Ensure PSP is created on k8s <1.25
+    capabilities:
+      majorVersion: 1
+      minorVersion: 24
+    set:
+      psp:
+        create: true
+    asserts:
+      - containsDocument:
+          apiVersion: policy/v1beta1
+          kind: PodSecurityPolicy
+
+  - it: Ensure PSP is not created on k8s >=1.25
+    capabilities:
+      majorVersion: 1
+      minorVersion: 25
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: Ensure PSP is created on k8s <1.25 with '+' character in minor version
+    capabilities:
+      majorVersion: 1
+      minorVersion: "24+"
+    set:
+      psp:
+        create: true
+    asserts:
+      - containsDocument:
+          apiVersion: policy/v1beta1
+          kind: PodSecurityPolicy
+
+  - it: Ensure PSP is not created on k8s >=1.25 with '+' character in minor version
+    capabilities:
+      majorVersion: 1
+      minorVersion: "25+"
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: Ensure PSP is not created when disabled
+    capabilities:
+      majorVersion: 1
+      minorVersion: 24
+    set:
+      psp:
+        create: false
+    asserts:
+      - hasDocuments:
+          count: 0
diff --git a/charts/kspm-collector/values.yaml b/charts/kspm-collector/values.yaml
@@ -58,6 +58,10 @@ scc:
   # true here enables creation of Security Context Constraints in Openshift
   create: true
 
+psp:
+  # true here enables creation of Pod Security Policy to allow the agent run with the required permissions
+  create: true
+
 serviceAccount:
   # true here enables creation of service account
   create: true