From fe0321465d12656a392c1e250e6c441af0a4c1d1 Mon Sep 17 00:00:00 2001
From: Daniele De Lorenzi
Date: Fri, 12 May 2023 10:05:20 +0200
Subject: [PATCH] feat(kspm-collector): Added PSP policies for KSPM Collector (#1088)
Signed-off-by: Daniele De Lorenzi
---
 charts/kspm-collector/Chart.yaml | 2 +-
 charts/kspm-collector/README.md | 1 +
 charts/kspm-collector/templates/_helpers.tpl | 13 +++++
 charts/kspm-collector/templates/psp.yaml | 26 ++++++++++
 charts/kspm-collector/tests/psp_test.yaml | 54 ++++++++++++++++++++
 charts/kspm-collector/values.yaml | 4 ++
 6 files changed, 99 insertions(+), 1 deletion(-)
 create mode 100644 charts/kspm-collector/templates/psp.yaml
 create mode 100644 charts/kspm-collector/tests/psp_test.yaml
diff --git a/charts/kspm-collector/Chart.yaml b/charts/kspm-collector/Chart.yaml
index b93b5a486..6b07c5eda 100644
--- a/charts/kspm-collector/Chart.yaml
+++ b/charts/kspm-collector/Chart.yaml
@@ -2,7 +2,7 @@
 apiVersion: v2
 name: kspm-collector
 description: Sysdig KSPM collector
-version: 0.1.43
+version: 0.1.44
 appVersion: 1.22.0
 keywords:
 - monitoring
diff --git a/charts/kspm-collector/README.md b/charts/kspm-collector/README.md
index f46de8369..472c080ca 100644
--- a/charts/kspm-collector/README.md
+++ b/charts/kspm-collector/README.md
@@ -62,6 +62,7 @@ The following table lists the configurable parameters of the Sysdig KSPM Collect
 | `affinity` | Node affinities. Overrides `arch` and `os` values | `{}` |
 | `labels` | KSPM collector specific labels (as a multi-line templated string map or as YAML) | `{}` |
 | `port` | KSPM collector port for health checks | `8080` |
+| `psp.create` | Create Pod Security Policy to allow the KSPM Collector running in clusters with PSP enabled | `true` |
 | `readinessProbe.enabled` | KSPM collector readinessProbe enablement | `true` |
 | `livenessProbe.enabled` | KSPM collector livenessProbe enablement | `true` |
 | `scc.create` | Create OpenShift's Security Context Constraint | `true` |
diff --git a/charts/kspm-collector/templates/_helpers.tpl b/charts/kspm-collector/templates/_helpers.tpl
index 28333098a..14f5e4552 100644
--- a/charts/kspm-collector/templates/_helpers.tpl
+++ b/charts/kspm-collector/templates/_helpers.tpl
@@ -175,3 +175,16 @@ KSPM Collector nodeSelector
 {{- end }}
 {{- end }}
 {{- end -}}
+
+{{/* Returns string 'true' if the cluster's kubeVersion is less than the parameter provided, or nothing otherwise
+ Use like: {{ include "kspmCollector.kubeVersionLessThan" (dict "root" . "major" "minor" ) }}
+
+ Note: The use of `"root" .` in the parameter dict is necessary as the .Capabilities fields are not provided in
+ helper functions when "helm template" is used.
+*/}}
+{{- define "kspmCollector.kubeVersionLessThan" }}
+{{- if (and (le (.root.Capabilities.KubeVersion.Major | int) .major)
+ (lt (.root.Capabilities.KubeVersion.Minor | trimSuffix "+" | int) .minor)) }}
+true
+{{- end }}
+{{- end }}
diff --git a/charts/kspm-collector/templates/psp.yaml b/charts/kspm-collector/templates/psp.yaml
new file mode 100644
index 000000000..7d2569156
--- /dev/null
+++ b/charts/kspm-collector/templates/psp.yaml
@@ -0,0 +1,26 @@
+{{- if and .Values.psp.create (include "kspmCollector.kubeVersionLessThan" (dict "root" . "major" 1 "minor" 25)) }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ template "kspmCollector.fullname" . }}
+ namespace: {{ include "kspmCollector.namespace" . }}
+spec:
+ allowedCapabilities: []
+ fsGroup:
+ rule: RunAsAny
+ hostIPC: false
+ hostNetwork: false
+ hostPID: false
+ privileged: false
+ runAsUser:
+ rule: RunAsAny
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ volumes:
+ - emptyDir
+ - secret
+ - configMap
+ - downwardAPI
+{{- end }}
diff --git a/charts/kspm-collector/tests/psp_test.yaml b/charts/kspm-collector/tests/psp_test.yaml
new file mode 100644
index 000000000..38edc94ff
--- /dev/null
+++ b/charts/kspm-collector/tests/psp_test.yaml
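Review bot: The comparison in `kspmCollector.kubeVersionLessThan` is not a real version ordering: `and (le Major .major) (lt Minor .minor)` reports a cluster whose major is below `.major` as not less-than whenever its minor is at or above `.minor` (major 0 / minor 30 against 1.25 renders nothing). With the only caller passing `"major" 1` this is unreachable today, but the helper is documented as general, so `or (lt Major .major) (and (eq Major .major) (lt Minor .minor))` written across the two existing `{{- if` lines would make the code match its comment. Separately, Sprig's `int` yields 0 rather than failing for a string it cannot parse, so a `Minor` carrying a suffix other than a trailing `+` would compare as 0 and the PSP would be rendered on a cluster that may no longer serve `policy/v1beta1` — worth confirming against the distributions this chart targets. The `Use like:` example is also missing the values for `major` and `minor`; `(dict "root" . "major" 1 "minor" 25)` mirrors the actual call in psp.yaml.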
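Review bot: The policy leaves `allowPrivilegeEscalation` unset, which PSP defaults to true, and `allowedCapabilities: []` is not paired with `requiredDropCapabilities`, so a pod admitted under it keeps the runtime's default capability set and can still gain privileges through setuid binaries; for a collector I would add `allowPrivilegeEscalation: false` and `requiredDropCapabilities: [ALL]` under `spec`, and consider `runAsUser.rule: MustRunAsNonRoot` if the Deployment's securityContext already runs non-root (not visible in this diff). `metadata.namespace` on a PodSecurityPolicy is meaningless because the resource is cluster-scoped; as far as I know the API server clears it on create, but it reads as if the policy were namespaced, so the line should go. A PSP only takes effect once the collector's ServiceAccount is granted the `use` verb on it through a (Cluster)Role binding, and this diff adds no RBAC — either the chart's existing role already covers the new policy or it is never selected, which is worth confirming in the chart's rbac templates.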
@@ -0,0 +1,54 @@
+suite: PSP create test
+templates:
+ - templates/psp.yaml
+tests:
+ - it: Ensure PSP is created on k8s <1.25
+ capabilities:
+ majorVersion: 1
+ minorVersion: 24
+ set:
+ psp:
+ create: true
+ asserts:
+ - containsDocument:
+ apiVersion: policy/v1beta1
+ kind: PodSecurityPolicy
+
+ - it: Ensure PSP is not created on k8s >=1.25
+ capabilities:
+ majorVersion: 1
+ minorVersion: 25
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: Ensure PSP is created on k8s <1.25 with '+' character in minor version
+ capabilities:
+ majorVersion: 1
+ minorVersion: "24+"
+ set:
+ psp:
+ create: true
+ asserts:
+ - containsDocument:
+ apiVersion: policy/v1beta1
+ kind: PodSecurityPolicy
+
+ - it: Ensure PSP is not created on k8s >=1.25 with '+' character in minor version
+ capabilities:
+ majorVersion: 1
+ minorVersion: "25+"
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: Ensure PSP is not created when disabled
+ capabilities:
+ majorVersion: 1
+ minorVersion: 24
+ set:
+ psp:
+ create: false
+ asserts:
+ - hasDocuments:
+ count: 0
diff --git a/charts/kspm-collector/values.yaml b/charts/kspm-collector/values.yaml
index 09605ad5d..5be10f090 100644
--- a/charts/kspm-collector/values.yaml
+++ b/charts/kspm-collector/values.yaml
@@ -58,6 +58,10 @@ scc:
 # true here enables creation of Security Context Constraints in Openshift
 create: true
+psp:
+ # true here enables creation of Pod Security Policy to allow the agent run with the required permissions
+ create: true
+
 serviceAccount:
 # true here enables creation of service account
 create: true
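Review bot: None of the five cases asserts the hardening fields of the rendered policy; `containsDocument` only matches `apiVersion` and `kind`, so a later change flipping `privileged` or `hostNetwork` to true would still pass. I would add to the first case `- equal: { path: spec.privileged, value: false }` and `- equal: { path: spec.hostNetwork, value: false }`, and the same for `hostPID` and `hostIPC`. The major-version branch of the helper is also untested, since every case uses `majorVersion: 1`; a case with `majorVersion: 2` and a low `minorVersion` expecting `count: 0` would pin that the `le` on the major actually matters.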
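Review bot: The new comment reads `to allow the agent run with the required permissions`, which is ungrammatical and names the agent rather than the component this chart deploys. Suggest `# true here enables creation of a Pod Security Policy that lets the KSPM collector run on clusters with PSP admission (only rendered on Kubernetes < 1.25)`, so operators on newer clusters understand why the value has no effect there. The version cut-off stated matches the `kubeVersionLessThan` call in templates/psp.yaml.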