diff --git a/charts/core/templates/controller-deployment.yaml b/charts/core/templates/controller-deployment.yaml
index d8b6c4df..17e9ada6 100644
--- a/charts/core/templates/controller-deployment.yaml
+++ b/charts/core/templates/controller-deployment.yaml
@@ -1,3 +1,4 @@
+{{- $pre530 := (semverCompare "<5.2.10" .Values.tag) -}}
 {{- if .Values.controller.enabled -}}
 {{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
 apiVersion: apps/v1
@@ -96,8 +97,13 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
+ {{- if $pre530 }}
 securityContext:
 privileged: true
+ {{- else }}
+ securityContext:
+ runAsUser: 0
+ {{- end }}
 resources:
 {{- if .Values.controller.resources }}
 {{ toYaml .Values.controller.resources | indent 12 }}
@@ -153,6 +159,7 @@ spec:
 name: nv-share
 readOnly: false
 {{- end }}
+ {{- if $pre530 }}
 {{- if .Values.containerd.enabled }}
 - mountPath: /var/run/containerd/containerd.sock
 {{- else if .Values.k3s.enabled }}
@@ -172,6 +179,7 @@ spec:
 - mountPath: /host/cgroup
 name: cgroup-vol
 readOnly: true
+ {{- end }}
 - mountPath: /etc/config
 name: config-volume
 readOnly: true
@@ -224,6 +232,7 @@ spec:
 readOnly: false
 {{- end }}
 {{- end }}
+ {{- if $pre530 }}
 - name: runtime-sock
 hostPath:
 {{- if .Values.containerd.enabled }}
@@ -243,6 +252,7 @@ spec:
 - name: cgroup-vol
 hostPath:
 path: /sys/fs/cgroup
+ {{- end }}
 - name: config-volume
 projected:
 sources:
diff --git a/charts/core/templates/enforcer-daemonset.yaml b/charts/core/templates/enforcer-daemonset.yaml
index dcac4266..ea433a61 100644
--- a/charts/core/templates/enforcer-daemonset.yaml
+++ b/charts/core/templates/enforcer-daemonset.yaml
@@ -1,3 +1,4 @@
+{{- $pre530 := (semverCompare "<5.2.10" .Values.tag) -}}
 {{- if .Values.enforcer.enabled -}}
 {{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
 apiVersion: apps/v1
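Review bot: The `semverCompare "<5.2.10"` guard on the new first line misclassifies pre-release tags: with the Masterminds semver library used by Helm, a version carrying a pre-release suffix (for example `5.2.4-rc1`) does not satisfy a constraint that has none, so such a tag renders the non-privileged, socket-less layout even though it is older than 5.2.10. The file already handles exactly this on the very next line with `">=1.9-0"`; use the same form here, `{{- $pre530 := (semverCompare "<5.2.10-0" .Values.tag) -}}`, and in the identical line added to enforcer-daemonset.yaml. The variable is named for 5.3.0 while the boundary is 5.2.10 and the new tests probe 5.2.4 and 5.3.0, so a comment such as `{{- /* 5.2.10+ controller no longer needs privileged mode or the container runtime socket */ -}}` would stop the next reader from "fixing" one to match the other. If `.Values.tag` can be a non-semver string such as `latest`, `semverCompare` aborts rendering, which is presumably worth either a guard or a documented requirement.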
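Review bot: The non-pre530 branch in the `@@ -96` hunk still runs the controller as root (`runAsUser: 0`) and sets nothing else, so the only thing standing between this container and full privileges is the separate PSP/SCC object, which is optional and, for PSP, absent on Kubernetes 1.25+. Since the hardening intent belongs to the pod spec, express it there as well: add `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` under the new `securityContext:`, matching the `requiredDropCapabilities: ALL` the commit writes into the admission policies, so the deployment is self-describing whichever policy is enabled. If the controller genuinely needs root for something not visible in this diff, a comment next to `runAsUser: 0` saying why would help.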
@@ -91,6 +92,7 @@ spec:
 {{- toYaml . | nindent 12 }}
 {{- end }}
 volumeMounts:
+ {{- if $pre530 }}
 {{- if .Values.containerd.enabled }}
 - mountPath: /var/run/containerd/containerd.sock
 {{- else if .Values.k3s.enabled }}
@@ -110,6 +112,7 @@ spec:
 - mountPath: /host/cgroup
 name: cgroup-vol
 readOnly: true
+ {{- end }}
 - mountPath: /lib/modules
 name: modules-vol
 readOnly: true
@@ -133,6 +136,7 @@ spec:
 terminationGracePeriodSeconds: 1200
 restartPolicy: Always
 volumes:
+ {{- if $pre530 }}
 - name: runtime-sock
 hostPath:
 {{- if .Values.containerd.enabled }}
@@ -152,6 +156,7 @@ spec:
 - name: cgroup-vol
 hostPath:
 path: /sys/fs/cgroup
+ {{- end }}
 - name: modules-vol
 hostPath:
 path: /lib/modules
diff --git a/charts/core/templates/psp.yaml b/charts/core/templates/psp.yaml
index 9f1f16f3..70a04eff 100644
--- a/charts/core/templates/psp.yaml
+++ b/charts/core/templates/psp.yaml
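Review bot: The enforcer's `volumeMounts` and `volumes` are now gated on `$pre530` in two separate hunks that must stay in step (a mount naming a volume that is not rendered fails pod validation), yet the test changes in this commit cover only controller-deployment.yaml. Add enforcer counterparts of the new tests that render `templates/enforcer-daemonset.yaml` at `5.2.4` and `5.3.0` and assert that `runtime-sock` and `cgroup-vol` appear in both `volumeMounts` and `volumes` for the old tag and in neither for the new one. Whether the enforcer's own `securityContext` changes for 5.2.10+ is outside this hunk, so the diff alone does not show that the socket and cgroup mounts are the only privileged dependency being dropped; a short comment on the `{{- if $pre530 }}` line stating that would help.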
@@ -73,14 +73,97 @@ roleRef:
 subjects:
 {{- if .Values.leastPrivilege }}
 - kind: ServiceAccount
- name: controller
+ name: enforcer
 namespace: {{ .Release.Namespace }}
+{{- else }}
 - kind: ServiceAccount
- name: enforcer
+ name: {{ .Values.serviceAccount }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+
+---
+
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: neuvector-binding-psp-controller
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ heritage: Helm
+ release: {{ .Release.Name }}
+spec:
+ privileged: false
+ readOnlyRootFilesystem: false
+ allowPrivilegeEscalation: false
+ allowedCapabilities: null
+ requiredDropCapabilities:
+ - ALL
+ volumes:
+ - configMap
+ - downwardAPI
+ - emptyDir
+ - persistentVolumeClaim
+ - azureFile
+ - projected
+ - secret
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'RunAsAny'
+ fsGroup:
+ rule: 'RunAsAny'
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: neuvector-binding-psp-controller
+ namespace: {{ .Release.Namespace }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ heritage: Helm
+ release: {{ .Release.Name }}
+rules:
+- apiGroups:
+ - policy
+ - extensions
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+ resourceNames:
+ - neuvector-binding-psp-controller
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: neuvector-binding-psp-controller
+ namespace: {{ .Release.Namespace }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ heritage: Helm
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: neuvector-binding-psp-controller
+subjects:
+{{- if .Values.leastPrivilege }}
+- kind: ServiceAccount
+ name: controller
 namespace: {{ .Release.Namespace }}
 {{- else }}
 - kind: ServiceAccount
 name: {{ .Values.serviceAccount }}
 namespace: {{ .Release.Namespace }}
 {{- end }}
+ {{- end }}
diff --git a/charts/core/templates/rolebinding-least.yaml b/charts/core/templates/rolebinding-least.yaml
index 3b0b4060..802600cf 100644
--- a/charts/core/templates/rolebinding-least.yaml
+++ b/charts/core/templates/rolebinding-least.yaml
@@ -82,7 +82,7 @@ userNames:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
- name: system:openshift:scc:privileged
+ name: neuvector-binding-privileged
 namespace: {{ .Release.Namespace }}
 labels:
 chart: {{ template "neuvector.chart" . }}
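Review bot: The new `neuvector-binding-psp-controller` PSP (`privileged: false`, no `hostPath` in `volumes`) is bound to the `controller` ServiceAccount unconditionally, while controller-deployment.yaml in this same commit still renders `privileged: true` and `hostPath` volumes whenever `$pre530` is true. With `leastPrivilege` enabled the controller SA is simultaneously removed from the privileged binding at the top of the hunk, so on a PSP-enforcing cluster a pre-5.2.10 controller pod has no policy that admits it and is rejected. Gate the controller PSP/Role/RoleBinding on the same version check the deployment uses and keep the controller in the privileged binding for old tags, roughly as below; the `$pre530` definition would sit at the top of this file, outside the hunk, and the outer `{{- if }}` closed by the last `{{- end }}` also starts outside it.
```yaml
{{- $pre530 := (semverCompare "<5.2.10" .Values.tag) -}}
# … unchanged: privileged PSP and its Role …
subjects:
{{- if .Values.leastPrivilege }}
- kind: ServiceAccount
  name: enforcer
  namespace: {{ .Release.Namespace }}
{{- if $pre530 }}
- kind: ServiceAccount
  name: controller
  namespace: {{ .Release.Namespace }}
{{- end }}
{{- else }}
# … unchanged: shared service account subject …
{{- end }}
{{- if not $pre530 }}
# … unchanged: controller PSP, Role and RoleBinding as added in this hunk …
{{- end }}
```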
@@ -94,10 +94,64 @@ roleRef:
 name: system:openshift:scc:privileged
 subjects:
 - kind: ServiceAccount
- name: controller
+ name: enforcer
 namespace: {{ .Release.Namespace }}
+
+---
+
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: false
+allowPrivilegedContainer: false
+allowedCapabilities: null
+apiVersion: security.openshift.io/v1
+defaultAddCapabilities: null
+fsGroup:
+ type: RunAsAny
+groups: []
+kind: SecurityContextConstraints
+metadata:
+ name: neuvector-scc-controller
+priority: null
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+- ALL
+runAsUser:
+ type: RunAsAny
+seLinuxContext:
+ type: RunAsAny
+supplementalGroups:
+ type: RunAsAny
+users: []
+volumes:
+- configMap
+- downwardAPI
+- emptyDir
+- persistentVolumeClaim
+- azureFile
+- projected
+- secret
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: neuvector-binding-controller
+ namespace: {{ .Release.Namespace }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: Helm
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: neuvector-scc-controller
+subjects:
 - kind: ServiceAccount
- name: enforcer
+ name: controller
 namespace: {{ .Release.Namespace }}
 {{- end }}
 {{- end }}
diff --git a/test/deployment_test.go b/test/deployment_test.go
index 79069d09..7d15fe59 100644
--- a/test/deployment_test.go
+++ b/test/deployment_test.go
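Review bot: The new `neuvector-binding-controller` RoleBinding points `roleRef` at a ClusterRole named `neuvector-scc-controller`, but the commit only defines the SecurityContextConstraints of that name; unless a ClusterRole granting `use` on that SCC exists elsewhere in the chart, the binding dangles and the controller SA is left with nothing beyond the default `restricted` SCC. The `controller` subject is also dropped from the `system:openshift:scc:privileged` binding unconditionally, while controller-deployment.yaml in this commit still renders `privileged: true` and `hostPath` volumes for tags below 5.2.10, so on OpenShift with `leastPrivilege` a pre-5.2.10 controller is denied at admission. Add the ClusterRole below and gate the controller's removal from the privileged binding on the same `$pre530` check the deployment template uses; the SCC should also carry the `chart`/`release`/`heritage` labels every other object in this file has. The `{{- if }}` blocks closed by the two trailing `{{- end }}` lines begin outside the hunk.
```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: neuvector-scc-controller
  labels:
    chart: {{ template "neuvector.chart" . }}
    release: {{ .Release.Name }}
    heritage: Helm
rules:
- apiGroups:
  - security.openshift.io
  resources:
  - securitycontextconstraints
  resourceNames:
  - neuvector-scc-controller
  verbs:
  - use
```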
@@ -30,6 +30,63 @@ func TestControllerDeployment(t *testing.T) {
 }
 }
+func TestControllerDeploymentPre53(t *testing.T) {
+ helmChartPath := "../charts/core"
+
+ options := &helm.Options{
+ SetValues: map[string]string{
+ "tag": "5.2.4",
+ },
+ }
+
+ // Test ingress
+ out := helm.RenderTemplate(t, options, helmChartPath, nvRel, []string{"templates/controller-deployment.yaml"})
+ outs := splitYaml(out)
+
+ if len(outs) != 1 {
+ t.Errorf("Resource count is wrong. count=%v\n", len(outs))
+ }
+
+ var dep appsv1.Deployment
+ helm.UnmarshalK8SYaml(t, outs[0], &dep)
+ if dep.Spec.Template.Spec.Containers[0].VolumeMounts[0].Name != "runtime-sock" {
+ t.Errorf("VolumeMounts[0] is wrong, %v\n", dep.Spec.Template.Spec.Containers[0].VolumeMounts[0])
+ }
+ if *dep.Spec.Template.Spec.Containers[0].SecurityContext.Privileged != true {
+ t.Errorf("Privileged is wrong, %v\n", *dep.Spec.Template.Spec.Containers[0].SecurityContext.Privileged)
+ }
+}
+
+func TestControllerDeploymentPost53(t *testing.T) {
+ helmChartPath := "../charts/core"
+
+ options := &helm.Options{
+ SetValues: map[string]string{
+ "tag": "5.3.0",
+ },
+ }
+
+ // Test ingress
+ out := helm.RenderTemplate(t, options, helmChartPath, nvRel, []string{"templates/controller-deployment.yaml"})
+ outs := splitYaml(out)
+
+ if len(outs) != 1 {
+ t.Errorf("Resource count is wrong. count=%v\n", len(outs))
+ }
+
+ var dep appsv1.Deployment
+ helm.UnmarshalK8SYaml(t, outs[0], &dep)
+ if dep.Spec.Template.Spec.Containers[0].VolumeMounts[0].Name != "config-volume" {
+ t.Errorf("VolumeMounts[0] is wrong, %v\n", dep.Spec.Template.Spec.Containers[0].VolumeMounts[0])
+ }
+ if dep.Spec.Template.Spec.Containers[0].SecurityContext.Privileged != nil {
+ t.Errorf("SecurityContext.Privileged should be nil\n")
+ }
+ if *dep.Spec.Template.Spec.Containers[0].SecurityContext.RunAsUser != 0 {
+ t.Errorf("SecurityContext.RunAsUser should be 0\n")
+ }
+}
+
 func TestControllerDeploymentRegistry(t *testing.T) {
 helmChartPath := "../charts/core"
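Review bot: Both new tests report a wrong resource count with `t.Errorf` and then index `outs[0]` and dereference `SecurityContext.Privileged`/`RunAsUser` regardless, so a template regression surfaces as an index or nil-pointer panic instead of the intended message; use `t.Fatalf("Resource count is wrong. count=%v", len(outs))` (the `\n` in these format strings is redundant, `testing` terminates the line) and check the pointer fields for nil before dereferencing. `TestControllerDeploymentPost53` only checks that `VolumeMounts[0]` is `config-volume`, which still passes if the runtime socket or cgroup mount is rendered later in the list, so assert the host volumes are absent outright, as below. The `// Test ingress` comment is copied from elsewhere and does not describe these tests, and the `Pre53`/`Post53` names hide that the template's boundary is `5.2.10`, so a case at exactly `"tag": "5.2.10"` would pin the behaviour the version check is about. The context lines for `TestControllerDeploymentRegistry` at the end belong to a function that continues outside the hunk.
```go
	// … unchanged: render and unmarshal into dep …
	for _, v := range dep.Spec.Template.Spec.Volumes {
		if v.Name == "runtime-sock" || v.Name == "cgroup-vol" {
			t.Errorf("host volume %q must not be rendered for tag >= 5.2.10", v.Name)
		}
	}
```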