[WIFI-5420] Add: support for unsafe sysctls with psp

2025-10-29 09:52:27 +00:00 · 2021-11-18 12:34:55 +03:00
parent c13a6c1852
commit 87b054f98d
3 changed files with 45 additions and 7 deletions
--- a/helm/templates/deployment.yaml
+++ b/helm/templates/deployment.yaml
@@ -24,6 +24,9 @@ spec:
    metadata:
      annotations:
        checksum/config: {{ include "owgw.config" . | sha256sum }}
+        {{- if .Values.podSecurityPolicy.enabled }}
+        kubernetes.io/psp: {{ include "owgw.fullname" . }}-{{ .Release.Namespace }}-unsafe-sysctl
+        {{- end }}
        {{- with .Values.podAnnotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
--- a/helm/templates/psp.yaml
+++ b/helm/templates/psp.yaml
@@ -0,0 +1,28 @@
+{{- if .Values.podSecurityPolicy.enabled }}
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ include "owgw.fullname" . }}-{{ .Release.Namespace }}-unsafe-sysctl
+  labels:
+    app.kubernetes.io/name: {{ include "owgw.name" . }}
+    helm.sh/chart: {{ include "owgw.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+  allowedUnsafeSysctls:
+  {{- range $unsafeSysctl := .Values.securityContext.sysctls }}
+  - {{ $unsafeSysctl.name }}
+  {{- end }}
+  privileged: false
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  runAsUser:
+    rule: RunAsAny
+  fsGroup:
+    rule: RunAsAny
+  volumes:
+  - '*'
+{{- end }}
--- a/helm/values.yaml
+++ b/helm/values.yaml
@@ -112,13 +112,17 @@ resources: {}

 securityContext:
  fsGroup: 101
-  sysctls:
-  - name: net.ipv4.tcp_keepalive_intvl
-    value: "5"
-  - name: net.ipv4.tcp_keepalive_probes
-    value: "2"
-  - name: net.ipv4.tcp_keepalive_time
-    value: "45"
+  # Usage of unsafe sysctls requires multiple things:
+  # - allow these unsafe sysctls on kubelet level (by adding --allowed-unsafe-sysctls flag)
+  # - enabling addition of PodSecurityContext setting podSecurityPolicy.enabled to "true" below
+  # - uncommenting parameters below
+  #sysctls:
+  #- name: net.ipv4.tcp_keepalive_intvl
+  #  value: "5"
+  #- name: net.ipv4.tcp_keepalive_probes
+  #  value: "2"
+  #- name: net.ipv4.tcp_keepalive_time
+  #  value: "45"

 nodeSelector: {}

@@ -128,6 +132,9 @@ affinity: {}

 podAnnotations: {}

+podSecurityPolicy:
+  enabled: false
+
 persistence:
  enabled: true
  # storageClassName: "-"