(dev-v2.6-archive) Support pushprox in hardened RKE clusters

This commit adds support for deploying rancher-pushprox into hardened clusters.

It introduces securityContexts and rearranges the RBAC in order to support a PodSecurityPolicy for the PushProx clients.

These changes have been verified on a hardened RKE cluster.

(partially cherry picked from commit 7d1332356c)

packages/rancher-pushprox/charts/templates/pushprox-clients-rbac.yaml

@@ -1,13 +1,19 @@
 {{- if .Values.clients }}{{- if .Values.clients.enabled }}
-{{- if and .Values.clients.https.enabled .Values.clients.https.useServiceAccountCredentials }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: {{ template "pushProxy.client.name" . }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
 rules:
+- apiGroups: ['policy']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames:
+  - {{ template "pushProxy.client.name" . }}
+{{- if and .Values.clients.https.enabled .Values.clients.https.useServiceAccountCredentials }}
 - nonResourceURLs: ["/metrics"]
   verbs: ["get"]
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -29,5 +35,40 @@ metadata:
   name: {{ template "pushProxy.client.name" . }}
   namespace: {{ .Release.Namespace }}
   labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "pushProxy.client.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels: {{ include "pushProxy.client.labels" . | nindent 4 }}
+spec:
+  privileged: false
+  hostNetwork: true
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 0
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 0
+        max: 65535
+  readOnlyRootFilesystem: false
+{{- if and .Values.clients.https.enabled .Values.clients.https.certDir }}
+  volumes:
+    - 'emptyDir'
+    - 'secret'
+    - 'hostPath'
+  allowedHostPaths:
+  - pathPrefix: {{ required "Need access to volume on host with the SSL cert files to use HTTPs" .Values.clients.https.certDir }}
+    readOnly: true
 {{- end }}
 {{- end }}{{- end }}

packages/rancher-pushprox/charts/templates/pushprox-clients.yaml

@@ -12,7 +12,7 @@ spec:
   template:
     metadata:
       labels: {{ include "pushProxy.client.labels" . | nindent 8 }}
-    spec: 
+    spec:
 {{- if .Values.clients.nodeSelector }}
       nodeSelector: {{ toYaml .Values.clients.nodeSelector | nindent 8 }}
 {{- end }}
@@ -21,9 +21,7 @@ spec:
 {{- end }}
       hostNetwork: true
       dnsPolicy: ClusterFirstWithHostNet
-      {{- if and .Values.clients.https.enabled .Values.clients.https.useServiceAccountCredentials }}
       serviceAccountName: {{ template "pushProxy.client.name" . }}
-      {{- end }}
       containers:
       - name: pushprox-client
         image: {{ template "system_default_registry" . }}{{ .Values.clients.image.repository }}:{{ .Values.clients.image.tag }}
@@ -61,6 +59,9 @@ spec:
           value: :{{ .Values.clients.port }}
         - name: PROXY_URL
           value: {{ template "pushProxy.proxyUrl" . }}
+        securityContext:
+          runAsNonRoot: true
+          runAsUser: 1000
         {{- if and .Values.clients.https.enabled .Values.clients.https.certDir }}
         volumeMounts:
         - name: metrics-cert-dir
@@ -114,9 +115,12 @@ spec:
           value: /etc/ssl/push-proxy/push-proxy-key.pem
         - name: CACERT_FILE_TARGET
           value: /etc/ssl/push-proxy/push-proxy-ca-cert.pem
+        securityContext:
+          runAsNonRoot: false
         volumeMounts:
         - name: metrics-cert-dir-source
           mountPath: /etc/source
+          readOnly: true
         - name: metrics-cert-dir
           mountPath: /etc/ssl/push-proxy
       volumes:

packages/rancher-pushprox/charts/templates/pushprox-proxy.yaml

@@ -13,6 +13,9 @@ spec:
     metadata:
       labels: {{ include "pushProxy.proxy.labels" . | nindent 8 }}
     spec: 
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
 {{- if .Values.proxy.nodeSelector }}
       nodeSelector: {{ toYaml .Values.proxy.nodeSelector | nindent 8 }}
 {{- end }}