diff --git a/CHANGELOG.md b/CHANGELOG.md
index 44e064a..67759b8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Possibility to configure used ClusterIssuer name for Ingresses.
+### Changed
+
+- Add condition for PSP installation in helm chart.
+
 ## [1.20.0] - 2023-07-04
 ### Changed
diff --git a/helm/promxy-app/templates/kyverno-policy-exception.yaml b/helm/promxy-app/templates/kyverno-policy-exception.yaml
index 4056836..8728d28 100644
--- a/helm/promxy-app/templates/kyverno-policy-exception.yaml
+++ b/helm/promxy-app/templates/kyverno-policy-exception.yaml
@@ -19,6 +19,14 @@ spec:
 ruleNames:
 - privilege-escalation
 - autogen-privilege-escalation
+ - policyName: require-run-as-nonroot
+ ruleNames:
+ - run-as-non-root
+ - autogen-run-as-non-root
+ - policyName: restrict-seccomp-strict
+ ruleNames:
+ - autogen-check-seccomp-strict
+ - check-seccomp-strict
 match:
 any:
 - resources:
diff --git a/helm/promxy-app/templates/psp.yaml b/helm/promxy-app/templates/psp.yaml
index c2406be..aad9af1 100644
--- a/helm/promxy-app/templates/psp.yaml
+++ b/helm/promxy-app/templates/psp.yaml
@@ -1,3 +1,5 @@
+{{- if not .Values.global.podSecurityStandards.enforced }}
+{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
@@ -31,3 +33,5 @@ spec:
 hostNetwork: false
 hostIPC: false
 hostPID: false
+{{- end }}
+{{- end }}
diff --git a/helm/promxy-app/templates/rbac.yaml b/helm/promxy-app/templates/rbac.yaml
index 0492fab..8f5a3ff 100644
--- a/helm/promxy-app/templates/rbac.yaml
+++ b/helm/promxy-app/templates/rbac.yaml
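Review bot: The two new PolicyException entries exempt the promxy workload from require-run-as-nonroot and restrict-seccomp-strict, but neither the hunk nor the CHANGELOG entry (which mentions only the PSP condition) records why the pod cannot satisfy those rules. A Kyverno exception is a standing allow, so a comment above the new `- policyName: require-run-as-nonroot` entry naming the container that needs it, e.g. `# <container> cannot yet run as non-root / with a seccomp profile because <reason>; revisit once the image supports runAsNonRoot and seccompProfile RuntimeDefault`, would let a later maintainer retire it. If the deployment can instead set `runAsNonRoot: true` and `seccompProfile: {type: RuntimeDefault}` in its securityContext, the exception should be dropped rather than added. Minor style point: the seccomp entry lists the `autogen-` rule before the base rule while the other entries list the base rule first. The spec block holding these entries continues past the hunk.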
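Review bot: `{{- if not .Values.global.podSecurityStandards.enforced }}` at the top of psp.yaml (and the identical guard in rbac.yaml) aborts rendering with a nil-pointer error whenever a parent chart or an override supplies `global` without a `podSecurityStandards` map, because Helm cannot dereference `.enforced` on a nil value; the default in values.yaml only protects the standalone install. A nil-safe lookup, `{{- if not (dig "podSecurityStandards" "enforced" false .Values.global) }}`, keeps the current default (PSP objects rendered unless enforcement is switched on) while tolerating a missing key. The inner `.Capabilities.APIVersions.Has` guard is the right check for clusters where policy/v1beta1 is gone, and the two `{{- end }}` lines in the second hunk close both conditions in order. The PodSecurityPolicy spec between the two hunks is outside the view.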
@@ -30,6 +30,8 @@ roleRef:
 name: {{ include "resource.default.name" . }}
 apiGroup: rbac.authorization.k8s.io
 ---
+{{- if not .Values.global.podSecurityStandards.enforced }}
+{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -61,3 +63,5 @@ roleRef:
 kind: ClusterRole
 name: {{ include "resource.psp.name" . }}
 apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end }}
diff --git a/helm/promxy-app/values.schema.json b/helm/promxy-app/values.schema.json
index 9770a0c..ade5cd0 100644
--- a/helm/promxy-app/values.schema.json
+++ b/helm/promxy-app/values.schema.json
@@ -2,6 +2,19 @@
 "$schema": "http://json-schema.org/schema#",
 "type": "object",
 "properties": {
+ "global": {
+ "type": "object",
+ "properties": {
+ "podSecurityStandards": {
+ "type": "object",
+ "properties": {
+ "enforced": {
+ "type": "boolean"
+ }
+ }
+ }
+ }
+ },
 "ingress": {
 "type": "object",
 "properties": {
diff --git a/helm/promxy-app/values.yaml b/helm/promxy-app/values.yaml
index a8761e9..babc454 100644
--- a/helm/promxy-app/values.yaml
+++ b/helm/promxy-app/values.yaml
@@ -3,6 +3,10 @@ kyvernoPolicyExceptions:
 enabled: true
 namespace: giantswarm
+global:
+ podSecurityStandards:
+ enforced: false
+
 monitoring:
 prometheus:
 host: ""
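Review bot: The new `global.podSecurityStandards.enforced` key in values.yaml is added without a comment, although it is the switch that decides whether the chart ships a PodSecurityPolicy and its ClusterRole/ClusterRoleBinding at all. A one-line comment above it, `# Set to true on clusters that enforce Pod Security Standards; the chart then skips the PodSecurityPolicy and its RBAC objects (they are also skipped when the policy/v1beta1 API is absent)`, would tell operators what flipping it does. Because the key lives under `global`, it is also worth noting there that a parent chart's `global` values take precedence over this default.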