From 87b054f98d1de8dc6ba4b2c7ddb602f93090029f Mon Sep 17 00:00:00 2001
From: Dmitry Dunaev
Date: Thu, 18 Nov 2021 12:34:55 +0300
Subject: [PATCH] [WIFI-5420] Add: support for unsafe sysctls with psp
---
 helm/templates/deployment.yaml | 3 +++
 helm/templates/psp.yaml | 28 ++++++++++++++++++++++++++++
 helm/values.yaml | 21 ++++++++++++++-------
 3 files changed, 45 insertions(+), 7 deletions(-)
 create mode 100644 helm/templates/psp.yaml
diff --git a/helm/templates/deployment.yaml b/helm/templates/deployment.yaml
index 8b054de2..490f9e9f 100644
--- a/helm/templates/deployment.yaml
+++ b/helm/templates/deployment.yaml
@@ -24,6 +24,9 @@ spec:
 metadata:
 annotations:
 checksum/config: {{ include "owgw.config" . | sha256sum }}
+ {{- if .Values.podSecurityPolicy.enabled }}
+ kubernetes.io/psp: {{ include "owgw.fullname" . }}-{{ .Release.Namespace }}-unsafe-sysctl
+ {{- end }}
 {{- with .Values.podAnnotations }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
diff --git a/helm/templates/psp.yaml b/helm/templates/psp.yaml
new file mode 100644
index 00000000..1f518235
--- /dev/null
+++ b/helm/templates/psp.yaml
@@ -0,0 +1,28 @@
+{{- if .Values.podSecurityPolicy.enabled }}
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ include "owgw.fullname" . }}-{{ .Release.Namespace }}-unsafe-sysctl
+ labels:
+ app.kubernetes.io/name: {{ include "owgw.name" . }}
+ helm.sh/chart: {{ include "owgw.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+ allowedUnsafeSysctls:
+ {{- range $unsafeSysctl := .Values.securityContext.sysctls }}
+ - {{ $unsafeSysctl.name }}
+ {{- end }}
+ privileged: false
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ runAsUser:
+ rule: RunAsAny
+ fsGroup:
+ rule: RunAsAny
+ volumes:
+ - '*'
+{{- end }}
diff --git a/helm/values.yaml b/helm/values.yaml
index 365b6b37..38e1e529 100644
--- a/helm/values.yaml
+++ b/helm/values.yaml
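Review bot: The `kubernetes.io/psp` annotation written into the pod template under `annotations:` does not choose which PodSecurityPolicy applies — the PSP admission plugin sets that annotation itself on the created pod, recording the policy that validated it, and it overwrites any value supplied by the template. Policy selection is driven by RBAC (`use` on the `podsecuritypolicies` resource for the pod's ServiceAccount), which this hunk does not touch, so the annotation only documents an intent that nothing enforces. Either remove the three added lines or turn them into a comment, e.g. `# PSP selection is done by RBAC, not by this annotation; see psp.yaml`. The enclosing `spec.template.metadata` block starts before and continues after the hunk.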
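Review bot: The new `PodSecurityPolicy` is never bound to the workload: a PSP is only eligible for a pod when the pod's ServiceAccount (or the creating user) has RBAC `use` permission on it, and no Role/RoleBinding with `verbs: ["use"]` on `podsecuritypolicies` is added anywhere in this patch, so enabling `podSecurityPolicy.enabled` on a cluster with the PSP admission plugin leaves the pod validated by whatever other policy the ServiceAccount can already use (or rejected if there is none). A companion template like the one below would close that gap; the ServiceAccount name is a placeholder because the chart's helper for it is not visible here. Two smaller points in the same file: `allowedUnsafeSysctls:` is rendered from `.Values.securityContext.sysctls`, which `values.yaml` now ships commented out, so with the flag on and no sysctls the key renders with a null value and the policy allows nothing — guard it with `{{- with .Values.securityContext.sysctls }}` instead of `range` alone; and `policy/v1beta1 PodSecurityPolicy` is deprecated (removed in Kubernetes 1.25), which deserves a comment at the top of the template, e.g. `# PodSecurityPolicy is deprecated; migrate to Pod Security Admission / an admission webhook`.
```yaml
# new template (constructed path, e.g. helm/templates/psp-rbac.yaml)
{{- if .Values.podSecurityPolicy.enabled }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "owgw.fullname" . }}-{{ .Release.Namespace }}-unsafe-sysctl
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["{{ include "owgw.fullname" . }}-{{ .Release.Namespace }}-unsafe-sysctl"]
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "owgw.fullname" . }}-{{ .Release.Namespace }}-unsafe-sysctl
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "owgw.fullname" . }}-{{ .Release.Namespace }}-unsafe-sysctl
subjects:
  - kind: ServiceAccount
    name: "<SERVICE_ACCOUNT_NAME_PLACEHOLDER>"  # the ServiceAccount the Deployment runs as
    namespace: {{ .Release.Namespace }}
{{- end }}
```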
@@ -112,13 +112,17 @@ resources: {} securityContext: fsGroup: 101 - sysctls: - - name: net.ipv4.tcp_keepalive_intvl - value: "5" - - name: net.ipv4.tcp_keepalive_probes - value: "2" - - name: net.ipv4.tcp_keepalive_time - value: "45" + # Usage of unsafe sysctls requires multiple things: + # - allow these unsafe sysctls on kubelet level (by adding --allowed-unsafe-sysctls flag) + # - enabling addition of PodSecurityContext setting podSecurityPolicy.enabled to "true" below + # - uncommenting parameters below + #sysctls: + #- name: net.ipv4.tcp_keepalive_intvl + # value: "5" + #- name: net.ipv4.tcp_keepalive_probes + # value: "2" + #- name: net.ipv4.tcp_keepalive_time + # value: "45" nodeSelector: {} @@ -128,6 +132,9 @@ affinity: {} podAnnotations: {} +podSecurityPolicy: + enabled: false + persistence: enabled: true # storageClassName: "-"
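Review bot: The new comment block above the commented-out `sysctls:` names the wrong object — "enabling addition of PodSecurityContext setting podSecurityPolicy.enabled" refers to the PodSecurityPolicy that `podSecurityPolicy.enabled` creates, so it should read `# - enabling creation of the PodSecurityPolicy by setting podSecurityPolicy.enabled to "true" below`. The same block should also say that the keepalive values previously applied by default (`tcp_keepalive_intvl`/`_probes`/`_time`) are no longer set unless uncommented, since existing users of the chart will otherwise lose that tuning silently on upgrade, e.g. `# NOTE: these were applied by default before; they are now opt-in`. The `--allowed-unsafe-sysctls` kubelet flag name is correct as written.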
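Review bot: The new `podSecurityPolicy.enabled` key under `podAnnotations: {}` has no comment explaining what turning it on does or requires, unlike the neighbouring `sysctls` stanza, so a reader has to open the templates to learn that it creates a PodSecurityPolicy. A two-line comment above it would do: `# Create a PodSecurityPolicy that allows the sysctls listed in securityContext.sysctls.` and `# Requires the PodSecurityPolicy admission plugin and an RBAC "use" binding for the chart's ServiceAccount.`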