Adapt logging to PSP restricted clusters

Add PSP and related role/rolebinding/SA resources to logging chart. The PSP contains restricted rules + hostPath volume. Also, remove unnecessary privileged escalation from log-aggregator.

Adapt logging to PSP restricted clusters
c5aa5fd2 · gitlawr · Craig Jellick · 518132af · 518132af · 518132af
Commit c5aa5fd2 authored Sep 09, 2019 by gitlawr Committed by Craig Jellick Sep 16, 2019
10 changed files
--- a/charts/rancher-logging/0.1.2/charts/fluentd/templates/clusterrole.yaml
+++ b/charts/rancher-logging/0.1.2/charts/fluentd/templates/clusterrole.yaml
-{{- if .Values.rbac.create -}}
-kind: ClusterRole
-apiVersion: {{ template "rbac_api_version" . }}
-metadata:
-  name: {{ template "fluentd.fullname" . }}
-  labels:
-    app: {{ template "fluentd.name" . }}
-    chart: {{ template "fluentd.version" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
-rules:
- apiGroups:
-  - ""
-  resources:
-  - "namespaces"
-  - "pods"
-  verbs:
-  - "get"
-  - "watch"
-  - "list"
-{{- end -}}
\ No newline at end of file
--- a/charts/rancher-logging/0.1.2/charts/fluentd/templates/clusterrolebinding.yaml
+++ b/charts/rancher-logging/0.1.2/charts/fluentd/templates/clusterrolebinding.yaml
-{{- if .Values.rbac.create -}}
-kind: ClusterRoleBinding
-apiVersion: {{ template "rbac_api_version" . }}
-metadata:
-  name: {{ template "fluentd.fullname" . }}
-  labels:
-    app: {{ template "fluentd.name" . }}
-    chart: {{ template "fluentd.version" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
-subjects:
- kind: ServiceAccount
-  name: {{ template "fluentd.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
-roleRef:
-  kind: ClusterRole
-  name: {{ template "fluentd.fullname" . }}
-  apiGroup: rbac.authorization.k8s.io
-{{- end -}}
--- a/charts/rancher-logging/0.1.2/charts/fluentd/templates/rbac.yaml
+++ b/charts/rancher-logging/0.1.2/charts/fluentd/templates/rbac.yaml
+{{- if .Values.rbac.create -}}
+kind: ClusterRole
+apiVersion: {{ template "rbac_api_version" . }}
+metadata:
+  name: {{ template "fluentd.fullname" . }}
+  labels:
+    app: {{ template "fluentd.name" . }}
+    chart: {{ template "fluentd.version" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - "namespaces"
+  - "pods"
+  verbs:
+  - "get"
+  - "watch"
+  - "list"
+---
+kind: ClusterRoleBinding
+apiVersion: {{ template "rbac_api_version" . }}
+metadata:
+  name: {{ template "fluentd.fullname" . }}
+  labels:
+    app: {{ template "fluentd.name" . }}
+    chart: {{ template "fluentd.version" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "fluentd.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ template "fluentd.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- if .Values.global.podSecurityPolicy.enabled }}
+---
+kind: Role
+apiVersion: {{ template "rbac_api_version" . }}
+metadata:
+  name: {{ template "fluentd.fullname" . }}-psp-role
+  labels:
+    app: {{ template "fluentd.name" . }}
+    chart: {{ template "fluentd.version" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+rules:
+- apiGroups:
+  - "policy"
+  resources:
+  - "podsecuritypolicies"
+  resourceNames:
+  - {{ .Release.Name }}-psp
+  verbs:
+  - "use"
+---
+kind: RoleBinding
+apiVersion: {{ template "rbac_api_version" . }}
+metadata:
+  name: {{ template "fluentd.fullname" . }}-psp-rolebinding
+  labels:
+    app: {{ template "fluentd.name" . }}
+    chart: {{ template "fluentd.version" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "fluentd.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ template "fluentd.fullname" . }}-psp-role
+  apiGroup: rbac.authorization.k8s.io
+{{- end -}}
+{{- end -}}
--- a/charts/rancher-logging/0.1.2/charts/log-aggregator/charts/log-aggregator-linux/templates/daemonset.yaml
+++ b/charts/rancher-logging/0.1.2/charts/log-aggregator/charts/log-aggregator-linux/templates/daemonset.yaml
@@ -26,12 +26,11 @@ spec:
        chart: {{ template "log-aggregator.version" . }}
        release: {{ .Release.Name }}
    spec:
+      serviceAccountName: {{ template "log-aggregator.fullname" . }}
      containers:
      - name: log-aggregator
        image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
        imagePullPolicy: "{{ .Values.image.pullPolicy }}"
-        securityContext:
-          privileged: true
        volumeMounts:
        - name: flexvolume-driver
          mountPath: /flexmnt

--- a/charts/rancher-logging/0.1.2/charts/log-aggregator/charts/log-aggregator-windows/templates/daemonset.yaml
+++ b/charts/rancher-logging/0.1.2/charts/log-aggregator/charts/log-aggregator-windows/templates/daemonset.yaml
@@ -27,12 +27,11 @@ spec:
        chart: {{ template "log-aggregator.version" . }}
        release: {{ .Release.Name }}
    spec:
+      serviceAccountName: {{ template "log-aggregator.fullname" . }}
      containers:
      - name: log-aggregator
        image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
        imagePullPolicy: "{{ .Values.image.pullPolicy }}"
-        securityContext:
-          privileged: true
        volumeMounts:
        - name: flexvolume-driver
          mountPath: /flexmnt

--- a/charts/rancher-logging/0.1.2/charts/log-aggregator/templates/rbac.yaml
+++ b/charts/rancher-logging/0.1.2/charts/log-aggregator/templates/rbac.yaml
+{{- if .Values.global.podSecurityPolicy.enabled -}}
+kind: Role
+apiVersion: {{ template "rbac_api_version" . }}
+metadata:
+  name: {{ template "log-aggregator.fullname" . }}-psp-role
+  labels:
+    app: {{ template "log-aggregator.name" . }}
+    chart: {{ template "log-aggregator.version" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+rules:
+- apiGroups:
+  - "policy"
+  resources:
+  - "podsecuritypolicies"
+  resourceNames:
+  - {{ .Release.Name }}-psp
+  verbs:
+  - "use"
+---
+kind: RoleBinding
+apiVersion: {{ template "rbac_api_version" . }}
+metadata:
+  name: {{ template "log-aggregator.fullname" . }}-psp-rolebinding
+  labels:
+    app: {{ template "log-aggregator.name" . }}
+    chart: {{ template "log-aggregator.version" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "log-aggregator.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ template "log-aggregator.fullname" . }}-psp-role
+  apiGroup: rbac.authorization.k8s.io
+{{- end -}}
\ No newline at end of file
--- a/charts/rancher-logging/0.1.2/charts/log-aggregator/templates/service-account.yaml
+++ b/charts/rancher-logging/0.1.2/charts/log-aggregator/templates/service-account.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "log-aggregator.fullname" . }}
+  labels:
+    app: {{ template "log-aggregator.name" . }}
+    chart: {{ template "log-aggregator.version" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
--- a/charts/rancher-logging/0.1.2/templates/_helpers.tpl
+++ b/charts/rancher-logging/0.1.2/templates/_helpers.tpl
 {{/* vim: set filetype=mustache: */}}
+{{- define "logging.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- define "logging.version" -}}
+{{- $name := include "logging.name" . -}}
+{{- $version := .Chart.Version | replace "+" "_" -}}
+{{- printf "%s-%s" $name $version -}}
+{{- end -}}
 {{- define "deployment_api_version" -}}
 {{- if .Capabilities.APIVersions.Has "apps/v1" -}}
 {{- "apps/v1" -}}

--- a/charts/rancher-logging/0.1.2/templates/psp.yaml
+++ b/charts/rancher-logging/0.1.2/templates/psp.yaml
+{{- if .Values.global.podSecurityPolicy.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ .Release.Name }}-psp
+  labels:
+    app: {{ template "logging.name" . }}
+    chart: {{ template "logging.version" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  allowPrivilegeEscalation: false
+  fsGroup:
+    ranges:
+    - max: 65535
+      min: 1
+    rule: MustRunAs
+  requiredDropCapabilities:
+  - ALL
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    ranges:
+    - max: 65535
+      min: 1
+    rule: MustRunAs
+  volumes:
+  - configMap
+  - emptyDir
+  - projected
+  - secret
+  - downwardAPI
+  - persistentVolumeClaim
+  - hostPath
+  allowedHostPaths:
+    - pathPrefix: /
+{{- end }}
\ No newline at end of file
--- a/charts/rancher-logging/0.1.2/values.yaml
+++ b/charts/rancher-logging/0.1.2/values.yaml
@@ -6,3 +6,5 @@ log-aggregator:
  enabled: false
 global:
  systemDefaultRegistry: ""
+  podSecurityPolicy:
+    enabled: true