From da0f3987a7b16bc013e2e513e08939208163e31a Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 12 Oct 2023 08:44:12 -0700 Subject: [PATCH] Add psp.enabled field to disable PSP objects Signed-off-by: Tamal Saha --- .../v1alpha1/kubedb_catalog_types.go | 1 + .../v1alpha1/kubedb_ops_manager_types.go | 1 + .../v1alpha1/kubedb_provisioner_types.go | 3 ++- apis/installer/v1alpha1/types.go | 3 +++ .../v1alpha1/zz_generated.deepcopy.go | 18 ++++++++++++++++++ charts/kubedb-catalog/README.md | 1 + .../elasticsearch/elasticsearch-psp.yaml | 2 +- .../templates/kafka/kafka-psp.yaml | 2 +- .../templates/mariadb/mariadb-psp.yaml | 2 +- .../templates/memcached/memcached-psp.yaml | 2 +- .../templates/mongodb/mongodb-psp.yaml | 2 +- .../templates/mysql/mysql-psp.yaml | 2 +- .../perconaxtradb/perconaxtradb-psp.yaml | 2 +- .../templates/postgres/postgres-psp.yaml | 2 +- .../templates/proxysql/proxysql-psp.yaml | 2 +- .../templates/redis/redis-psp.yaml | 2 +- .../values.openapiv3_schema.yaml | 3 +++ charts/kubedb-catalog/values.yaml | 1 + charts/kubedb-ops-manager/README.md | 1 + .../templates/operator-psp.yaml | 2 +- .../values.openapiv3_schema.yaml | 8 ++++++++ charts/kubedb-ops-manager/values.yaml | 2 ++ charts/kubedb-provisioner/README.md | 1 + .../templates/operator-psp.yaml | 2 +- .../values.openapiv3_schema.yaml | 8 ++++++++ charts/kubedb-provisioner/values.yaml | 2 ++ charts/kubedb/values.openapiv3_schema.yaml | 19 +++++++++++++++++++ hack/fmt/templates/psp.yaml | 2 +- 28 files changed, 84 insertions(+), 14 deletions(-) diff --git a/apis/installer/v1alpha1/kubedb_catalog_types.go b/apis/installer/v1alpha1/kubedb_catalog_types.go index 722510f0a..7706301c0 100644 --- a/apis/installer/v1alpha1/kubedb_catalog_types.go +++ b/apis/installer/v1alpha1/kubedb_catalog_types.go @@ -84,6 +84,7 @@ type Catalog struct { } type PSP struct { + Enabled bool `json:"enabled"` //+optional Elasticsearch PSPElasticsearch `json:"elasticsearch"` //+optional 
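Review bot: `Enabled` joins the `PSP` struct without the `//+optional` marker that every neighbouring field carries and without a doc comment, so a reader of the type cannot tell whether an omitted `psp.enabled` is meant to be true or false; the catalog schema in this same commit then lists `enabled` as required. Add `// Enabled controls whether the chart renders PodSecurityPolicy objects at all.` above the field, and decide explicitly whether it should be `//+optional` like its siblings. The `PSP` struct continues outside the hunk.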
diff --git a/apis/installer/v1alpha1/kubedb_ops_manager_types.go b/apis/installer/v1alpha1/kubedb_ops_manager_types.go index 4906ca458..f0ed12bb8 100644 --- a/apis/installer/v1alpha1/kubedb_ops_manager_types.go +++ b/apis/installer/v1alpha1/kubedb_ops_manager_types.go @@ -81,6 +81,7 @@ type KubedbOpsManagerSpec struct { LicenseSecretName string `json:"licenseSecretName"` // +optional RecommendationEngine RecommendationEngineConfig `json:"recommendationEngine"` + Psp PSPSpec `json:"psp"` } // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object diff --git a/apis/installer/v1alpha1/kubedb_provisioner_types.go b/apis/installer/v1alpha1/kubedb_provisioner_types.go index ceb1b83d7..68f83a245 100644 --- a/apis/installer/v1alpha1/kubedb_provisioner_types.go +++ b/apis/installer/v1alpha1/kubedb_provisioner_types.go @@ -82,7 +82,8 @@ type KubedbProvisionerSpec struct { // +optional License string `json:"license"` // +optional - LicenseSecretName string `json:"licenseSecretName"` + LicenseSecretName string `json:"licenseSecretName"` + Psp PSPSpec `json:"psp"` } // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object diff --git a/apis/installer/v1alpha1/types.go b/apis/installer/v1alpha1/types.go index 9d79a700d..4535fd591 100644 --- a/apis/installer/v1alpha1/types.go +++ b/apis/installer/v1alpha1/types.go @@ -96,3 +96,6 @@ type EASMonitoring struct { Agent MonitoringAgent `json:"agent"` ServiceMonitor ServiceMonitorLabels `json:"serviceMonitor"` } +type PSPSpec struct { + Enabled bool `json:"enabled"` +} diff --git a/apis/installer/v1alpha1/zz_generated.deepcopy.go b/apis/installer/v1alpha1/zz_generated.deepcopy.go index f76b08266..a68508985 100644 --- a/apis/installer/v1alpha1/zz_generated.deepcopy.go +++ b/apis/installer/v1alpha1/zz_generated.deepcopy.go 
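Review bot: `Psp PSPSpec` in `KubedbOpsManagerSpec` (and the identical field added to `KubedbProvisionerSpec` in the next hunk) is the only field in the block without a `// +optional` marker, and the schemas added in this commit accordingly list `psp` as required even though values.yaml defaults it to true; if that schema is ever applied to a user-supplied values file written before this field existed, the file is rejected. The field name also breaks the package's own spelling: the sibling types are `PSP` and `PSPSpec`, so `PSP PSPSpec \`json:"psp"\`` keeps the initialism consistent, and renaming is free while the field is new. Add `// +optional` above it like the neighbouring fields. Both spec structs start outside their hunks.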
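Review bot: `PSPSpec` is a new exported type with no doc comment, and it is appended directly after the closing brace of `EASMonitoring` with no blank line between the two declarations. Add `// PSPSpec configures whether the chart renders PodSecurityPolicy objects.` and a blank line before the `type` line so the declaration reads like the rest of the file.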
@@ -766,6 +766,7 @@ func (in *KubedbOpsManagerSpec) DeepCopyInto(out *KubedbOpsManagerSpec) { out.Apiserver = in.Apiserver in.Monitoring.DeepCopyInto(&out.Monitoring) out.RecommendationEngine = in.RecommendationEngine + out.Psp = in.Psp return } @@ -925,6 +926,7 @@ func (in *KubedbProvisionerSpec) DeepCopyInto(out *KubedbProvisionerSpec) { *out = make([]string, len(*in)) copy(*out, *in) } + out.Psp = in.Psp return } @@ -1607,6 +1609,22 @@ func (in *PSPRedis) DeepCopy() *PSPRedis { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PSPSpec) DeepCopyInto(out *PSPSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PSPSpec. +func (in *PSPSpec) DeepCopy() *PSPSpec { + if in == nil { + return nil + } + out := new(PSPSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PrometheusSpec) DeepCopyInto(out *PrometheusSpec) { *out = *in diff --git a/charts/kubedb-catalog/README.md b/charts/kubedb-catalog/README.md index a0ccd0262..f33a65064 100644 --- a/charts/kubedb-catalog/README.md +++ b/charts/kubedb-catalog/README.md @@ -64,6 +64,7 @@ The following table lists the configurable parameters of the `kubedb-catalog` ch | catalog.proxysql | If true, deploys ProxySQL version catalog | true | | catalog.redis | If true, deploys Redis version catalog | true | | catalog.kafka | | true | +| psp.enabled | | true | | psp.elasticsearch.allowPrivilegeEscalation | | true | | psp.elasticsearch.privileged | | true | | psp.mariadb.allowPrivilegeEscalation | | false | diff --git a/charts/kubedb-catalog/templates/elasticsearch/elasticsearch-psp.yaml b/charts/kubedb-catalog/templates/elasticsearch/elasticsearch-psp.yaml index d79840c48..262f02f31 100644 
--- a/charts/kubedb-catalog/templates/elasticsearch/elasticsearch-psp.yaml +++ b/charts/kubedb-catalog/templates/elasticsearch/elasticsearch-psp.yaml @@ -1,4 +1,4 @@ -{{ if and (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.catalog.elasticsearch }} +{{ if and .Values.psp.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.catalog.elasticsearch }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: diff --git a/charts/kubedb-catalog/templates/kafka/kafka-psp.yaml b/charts/kubedb-catalog/templates/kafka/kafka-psp.yaml index c96d95a15..397fa4090 100644 --- a/charts/kubedb-catalog/templates/kafka/kafka-psp.yaml +++ b/charts/kubedb-catalog/templates/kafka/kafka-psp.yaml @@ -1,4 +1,4 @@ -{{ if and (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.catalog.kafka }} +{{ if and .Values.psp.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.catalog.kafka }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: diff --git a/charts/kubedb-catalog/templates/mariadb/mariadb-psp.yaml b/charts/kubedb-catalog/templates/mariadb/mariadb-psp.yaml index b70c8c1ef..c7428a386 100644 --- a/charts/kubedb-catalog/templates/mariadb/mariadb-psp.yaml +++ b/charts/kubedb-catalog/templates/mariadb/mariadb-psp.yaml @@ -1,4 +1,4 @@ -{{ if and (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.catalog.mariadb }} +{{ if and .Values.psp.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.catalog.mariadb }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: diff --git a/charts/kubedb-catalog/templates/memcached/memcached-psp.yaml b/charts/kubedb-catalog/templates/memcached/memcached-psp.yaml index d4642fa5e..aa1505ce5 100644 --- a/charts/kubedb-catalog/templates/memcached/memcached-psp.yaml +++ b/charts/kubedb-catalog/templates/memcached/memcached-psp.yaml 
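Review bot: With the new gate, a user who sets `psp.enabled=false` on a cluster that still serves `policy/v1beta1/PodSecurityPolicy` gets no policy for the Elasticsearch pods, and admission then falls back to whatever cluster-wide PodSecurityPolicy exists, which may be more permissive or absent (blocking the pods); neither the README row added in this commit (its description column is empty) nor values.yaml says so. The same gate is added unchanged to the kafka, mariadb, memcached, mongodb, mysql, perconaxtradb, postgres, proxysql and redis templates and to both `operator-psp.yaml` files, so one explanation next to the `psp.enabled` key is enough. Whether any RBAC template in these charts grants `use` on these policy names is not visible here; if one does, it should be gated on the same value so that disabling PSP removes the grant as well.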
@@ -1,4 +1,4 @@ -{{ if and (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.catalog.memcached }} +{{ if and .Values.psp.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.catalog.memcached }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: diff --git a/charts/kubedb-catalog/templates/mongodb/mongodb-psp.yaml b/charts/kubedb-catalog/templates/mongodb/mongodb-psp.yaml index d94a18f83..4df532a21 100644 --- a/charts/kubedb-catalog/templates/mongodb/mongodb-psp.yaml +++ b/charts/kubedb-catalog/templates/mongodb/mongodb-psp.yaml @@ -1,4 +1,4 @@ -{{ if and (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.catalog.mongodb }} +{{ if and .Values.psp.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.catalog.mongodb }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: diff --git a/charts/kubedb-catalog/templates/mysql/mysql-psp.yaml b/charts/kubedb-catalog/templates/mysql/mysql-psp.yaml index 7322305fb..24ac62056 100644 --- a/charts/kubedb-catalog/templates/mysql/mysql-psp.yaml +++ b/charts/kubedb-catalog/templates/mysql/mysql-psp.yaml @@ -1,4 +1,4 @@ -{{ if and (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.catalog.mysql }} +{{ if and .Values.psp.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.catalog.mysql }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: diff --git a/charts/kubedb-catalog/templates/perconaxtradb/perconaxtradb-psp.yaml b/charts/kubedb-catalog/templates/perconaxtradb/perconaxtradb-psp.yaml index 7742b7ea7..615af9793 100644 --- a/charts/kubedb-catalog/templates/perconaxtradb/perconaxtradb-psp.yaml +++ b/charts/kubedb-catalog/templates/perconaxtradb/perconaxtradb-psp.yaml 
@@ -1,4 +1,4 @@ -{{ if and (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.catalog.perconaxtradb }} +{{ if and .Values.psp.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.catalog.perconaxtradb }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: diff --git a/charts/kubedb-catalog/templates/postgres/postgres-psp.yaml b/charts/kubedb-catalog/templates/postgres/postgres-psp.yaml index afa986392..42840051e 100644 --- a/charts/kubedb-catalog/templates/postgres/postgres-psp.yaml +++ b/charts/kubedb-catalog/templates/postgres/postgres-psp.yaml @@ -1,4 +1,4 @@ -{{ if and (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.catalog.postgres }} +{{ if and .Values.psp.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.catalog.postgres }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: diff --git a/charts/kubedb-catalog/templates/proxysql/proxysql-psp.yaml b/charts/kubedb-catalog/templates/proxysql/proxysql-psp.yaml index 57e5dbd22..dd38c9a39 100644 --- a/charts/kubedb-catalog/templates/proxysql/proxysql-psp.yaml +++ b/charts/kubedb-catalog/templates/proxysql/proxysql-psp.yaml @@ -1,4 +1,4 @@ -{{ if and (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.catalog.proxysql }} +{{ if and .Values.psp.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.catalog.proxysql }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: diff --git a/charts/kubedb-catalog/templates/redis/redis-psp.yaml b/charts/kubedb-catalog/templates/redis/redis-psp.yaml index b25ea7c2f..0ed083cab 100644 --- a/charts/kubedb-catalog/templates/redis/redis-psp.yaml +++ b/charts/kubedb-catalog/templates/redis/redis-psp.yaml 
@@ -1,4 +1,4 @@ -{{ if and (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.catalog.redis }} +{{ if and .Values.psp.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.catalog.redis }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: diff --git a/charts/kubedb-catalog/values.openapiv3_schema.yaml b/charts/kubedb-catalog/values.openapiv3_schema.yaml index 91d9abecc..0f80d5eee 100644 --- a/charts/kubedb-catalog/values.openapiv3_schema.yaml +++ b/charts/kubedb-catalog/values.openapiv3_schema.yaml @@ -52,6 +52,8 @@ properties: - allowPrivilegeEscalation - privileged type: object + enabled: + type: boolean kafka: properties: allowPrivilegeEscalation: @@ -143,6 +145,7 @@ properties: - privileged type: object required: + - enabled - kafka type: object registryFQDN: diff --git a/charts/kubedb-catalog/values.yaml b/charts/kubedb-catalog/values.yaml index 85c26374e..423b23d11 100644 --- a/charts/kubedb-catalog/values.yaml +++ b/charts/kubedb-catalog/values.yaml @@ -45,6 +45,7 @@ catalog: kafka: true psp: + enabled: true elasticsearch: allowPrivilegeEscalation: true privileged: true diff --git a/charts/kubedb-ops-manager/README.md b/charts/kubedb-ops-manager/README.md index 79c776161..192fbcb4b 100644 --- a/charts/kubedb-ops-manager/README.md +++ b/charts/kubedb-ops-manager/README.md 
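Review bot: `psp.enabled: true` is added without a comment, while the keys around the equivalent `psp:` blocks in the kubedb-ops-manager and kubedb-provisioner values.yaml hunks do carry explanatory comments, and the README rows added alongside all three (`| psp.enabled | | true |`) have an empty description as a result. Put a comment above the key, e.g. `# If true, deploys PodSecurityPolicy objects when the cluster serves policy/v1beta1/PodSecurityPolicy`, which follows the wording of the `catalog.*` rows in the catalog README table; the same comment belongs in the other two values.yaml files.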
@@ -82,6 +82,7 @@ The following table lists the configurable parameters of the `kubedb-ops-manager | recommendationEngine.genRotateTLSRecommendationBeforeExpiryYear | Rotate TLS recommendation will be generated before given year of expiration. It also depends on gen-rotate-tls-recommendation-before-expiry-month and gen-rotate-tls-recommendation-before-expiry-year. Default values are 0(zero) for gen-rotate-tls-recommendation-before-expiry-year, 1(one) for gen-rotate-tls-recommendation-before-expiry-month, 0(zero) for gen-rotate-tls-recommendation-before-expiry-day flags. | 0 | | recommendationEngine.genRotateTLSRecommendationBeforeExpiryMonth | Rotate TLS recommendation will be generated before given month of expiration. It also depends on gen-rotate-tls-recommendation-before-expiry-year and gen-rotate-tls-recommendation-before-expiry-day flag. By default it is set as 1(one). | 1 | | recommendationEngine.genRotateTLSRecommendationBeforeExpiryDay | Rotate TLS recommendation will be generated before given day of expiration. It also depends on gen-rotate-tls-recommendation-before-expiry-year and gen-rotate-tls-recommendation-before-expiry-month flag. By default it is set as 0(zero). | 0 | +| psp.enabled | | true | Specify each parameter using the `--set key=value[,key=value]` argument to `helm upgrade -i`. For example: diff --git a/charts/kubedb-ops-manager/templates/operator-psp.yaml b/charts/kubedb-ops-manager/templates/operator-psp.yaml index 180868fe4..73434325d 100644 --- a/charts/kubedb-ops-manager/templates/operator-psp.yaml +++ b/charts/kubedb-ops-manager/templates/operator-psp.yaml @@ -1,4 +1,4 @@ -{{ if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }} +{{ if and .Values.psp.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: 
diff --git a/charts/kubedb-ops-manager/values.openapiv3_schema.yaml b/charts/kubedb-ops-manager/values.openapiv3_schema.yaml index e011d6ccc..6e29c77c6 100644 --- a/charts/kubedb-ops-manager/values.openapiv3_schema.yaml +++ b/charts/kubedb-ops-manager/values.openapiv3_schema.yaml @@ -1169,6 +1169,13 @@ properties: type: string type: object type: object + psp: + properties: + enabled: + type: boolean + required: + - enabled + type: object recommendationEngine: properties: genRotateTLSRecommendationBeforeExpiryDay: @@ -1246,6 +1253,7 @@ required: - insecureRegistries - monitoring - operator +- psp - registryFQDN - replicaCount - serviceAccount diff --git a/charts/kubedb-ops-manager/values.yaml b/charts/kubedb-ops-manager/values.yaml index fd66079e5..631249495 100644 --- a/charts/kubedb-ops-manager/values.yaml +++ b/charts/kubedb-ops-manager/values.yaml @@ -125,3 +125,5 @@ recommendationEngine: # It also depends on gen-rotate-tls-recommendation-before-expiry-year and gen-rotate-tls-recommendation-before-expiry-month flag. # By default it is set as 0(zero). genRotateTLSRecommendationBeforeExpiryDay: 0 +psp: + enabled: true diff --git a/charts/kubedb-provisioner/README.md b/charts/kubedb-provisioner/README.md index 7c1be504b..51b7a7b50 100644 --- a/charts/kubedb-provisioner/README.md +++ b/charts/kubedb-provisioner/README.md @@ -80,6 +80,7 @@ The following table lists the configurable parameters of the `kubedb-provisioner | monitoring.agent | Name of monitoring agent (one of "prometheus.io", "prometheus.io/operator", "prometheus.io/builtin") | "" | | monitoring.serviceMonitor.labels | Specify the labels for ServiceMonitor. Prometheus crd will select ServiceMonitor using these labels. Only usable when monitoring agent is `prometheus.io/operator`. | {} | | additionalPodSecurityPolicies | Additional psp names passed to operator
Example:
`helm template ./chart/kubedb \`
`--set additionalPodSecurityPolicies[0]=abc \`
`--set additionalPodSecurityPolicies[1]=xyz` | [] | +| psp.enabled | | true | Specify each parameter using the `--set key=value[,key=value]` argument to `helm upgrade -i`. For example: diff --git a/charts/kubedb-provisioner/templates/operator-psp.yaml b/charts/kubedb-provisioner/templates/operator-psp.yaml index 209ec7d85..c4683ff36 100644 --- a/charts/kubedb-provisioner/templates/operator-psp.yaml +++ b/charts/kubedb-provisioner/templates/operator-psp.yaml @@ -1,4 +1,4 @@ -{{ if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }} +{{ if and .Values.psp.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: diff --git a/charts/kubedb-provisioner/values.openapiv3_schema.yaml b/charts/kubedb-provisioner/values.openapiv3_schema.yaml index cce44331f..5ada9ab78 100644 --- a/charts/kubedb-provisioner/values.openapiv3_schema.yaml +++ b/charts/kubedb-provisioner/values.openapiv3_schema.yaml @@ -1175,6 +1175,13 @@ properties: type: string type: object type: object + psp: + properties: + enabled: + type: boolean + required: + - enabled + type: object registryFQDN: type: string replicaCount: @@ -1236,6 +1243,7 @@ required: - insecureRegistries - monitoring - operator +- psp - registryFQDN - replicaCount - serviceAccount diff --git a/charts/kubedb-provisioner/values.yaml b/charts/kubedb-provisioner/values.yaml index 569140424..b7fbef662 100644 --- a/charts/kubedb-provisioner/values.yaml +++ b/charts/kubedb-provisioner/values.yaml @@ -115,3 +115,5 @@ monitoring: # --set additionalPodSecurityPolicies[0]=abc \ # --set additionalPodSecurityPolicies[1]=xyz additionalPodSecurityPolicies: [] +psp: + enabled: true diff --git a/charts/kubedb/values.openapiv3_schema.yaml b/charts/kubedb/values.openapiv3_schema.yaml index acfd5ad07..d5ad77c47 100644 --- a/charts/kubedb/values.openapiv3_schema.yaml +++ b/charts/kubedb/values.openapiv3_schema.yaml 
@@ -1397,6 +1397,8 @@ properties: - allowPrivilegeEscalation - privileged type: object + enabled: + type: boolean kafka: properties: allowPrivilegeEscalation: @@ -1488,6 +1490,7 @@ properties: - privileged type: object required: + - enabled - kafka type: object registryFQDN: @@ -3989,6 +3992,13 @@ properties: type: string type: object type: object + psp: + properties: + enabled: + type: boolean + required: + - enabled + type: object recommendationEngine: properties: genRotateTLSRecommendationBeforeExpiryDay: @@ -4068,6 +4078,7 @@ properties: - insecureRegistries - monitoring - operator + - psp - registryFQDN - replicaCount - serviceAccount @@ -5286,6 +5297,13 @@ properties: type: string type: object type: object + psp: + properties: + enabled: + type: boolean + required: + - enabled + type: object registryFQDN: type: string replicaCount: @@ -5349,6 +5367,7 @@ properties: - insecureRegistries - monitoring - operator + - psp - registryFQDN - replicaCount - serviceAccount diff --git a/hack/fmt/templates/psp.yaml b/hack/fmt/templates/psp.yaml index ac62a9094..a4ea371cb 100644 --- a/hack/fmt/templates/psp.yaml +++ b/hack/fmt/templates/psp.yaml @@ -1,4 +1,4 @@ -{{"{{ if and (.Capabilities.APIVersions.Has \"policy/v1beta1/PodSecurityPolicy\") .Values.catalog."}}{{ .key }}{{" }}"}} +{{"{{ if and .Values.psp.enabled (.Capabilities.APIVersions.Has \"policy/v1beta1/PodSecurityPolicy\") .Values.catalog."}}{{ .key }}{{" }}"}} apiVersion: {{ .object.apiVersion }} kind: {{ .object.kind }} metadata:
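Review bot: The `required:` lists in the umbrella schema's two operator sections now include `psp` (the hunks at `@@ -4068` and `@@ -5349`), but the diffstat lists no change to `charts/kubedb/values.yaml`; if this schema is validated against the umbrella chart's own values before subchart defaults are merged in, an installation that does not set `psp` for those subcharts would be rejected. If the file is generated from the Go types, the fix belongs on the `Psp` fields (an `// +optional` marker) rather than here; otherwise drop `psp` from these two lists or add the `psp.enabled` defaults to the umbrella values.yaml in the same commit.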