Merge pull request #1216 from jiaqiluo/harden-rancher-alerting-drivers-dev-v2.6

assets/logos/alerting-drivers.svg

@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 25.2.3, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 640.5 641" style="enable-background:new 0 0 640.5 641;" xml:space="preserve">
+<style type="text/css">
+	.st0{fill:none;stroke:#78C9CF;stroke-width:40;stroke-miterlimit:10;}
+	.st1{fill:#3D98D3;}
+</style>
+<g>
+	<g>
+		<path class="st0" d="M513.173584,101.3905563c51.5313721,51.5318222,79.9105835,120.046257,79.9105835,192.9231262"/>
+		<path class="st0" d="M47.4158592,294.3136902c0-72.8773193,28.3800621-141.3921814,79.9123383-192.9231262"/>
+		<path class="st0" d="M465.2653503,149.2987823c38.734314,38.734787,60.0665588,90.2352905,60.0665588,145.0149078"/>
+		<path class="st0" d="M115.1680832,294.3136902c0-54.7796173,21.3322372-106.2801208,60.0674667-145.0149078"/>
+	</g>
+	<g>
+		<path class="st1" d="M320.2499695,206.9838867c48.1536865,0,87.3296509,39.1759949,87.3296509,87.3296509v143.0625v4.2018433
+			H232.9203339v-4.2018433v-143.0625C232.9203339,246.1598816,272.096283,206.9838867,320.2499695,206.9838867
+			 M320.2499695,156.9838867c-75.8449554,0-137.3296356,61.4844971-137.3296356,137.3296509v143.0625l-36.1345215,54.2018433
+			h346.9282837l-36.1343994-54.2018433v-143.0625C457.5796814,218.4683838,396.0951233,156.9838867,320.2499695,156.9838867
+			L320.2499695,156.9838867z"/>
+	</g>
+	<g>
+		<circle class="st1" cx="320.25" cy="491.5768127" r="48.0326271"/>
+	</g>
+	<g>
+		<path class="st1" d="M290.8265686,165.5845795v-23.4781189c0-16.2501144,13.1733093-29.4234314,29.4234314-29.4234314
+			s29.4234314,13.173317,29.4234314,29.4234314v24.2468567L290.8265686,165.5845795z"/>
+	</g>
+</g>
+</svg>

charts/rancher-alerting-drivers/rancher-alerting-drivers/100.0.0/Chart.yaml

@@ -6,12 +6,14 @@ annotations:
 apiVersion: v2
 appVersion: 1.16.0
 dependencies:
-- name: prom2teams
+- condition: prom2teams.enabled
+  name: prom2teams
   repository: file://./charts/prom2teams
 - condition: sachet.enabled
   name: sachet
   repository: file://./charts/sachet
 description: The manager for third-party webhook receivers used in Prometheus Alertmanager
+icon: https://charts.rancher.io/assets/logos/alerting-drivers.svg
 keywords:
 - monitoring
 - alertmanger

charts/rancher-alerting-drivers/rancher-alerting-drivers/100.0.0/charts/prom2teams/templates/psp.yaml

@@ -26,3 +26,4 @@ spec:
   readOnlyRootFilesystem: false
   volumes:
     - 'configMap'
+    - 'secret'

charts/rancher-alerting-drivers/rancher-alerting-drivers/100.0.0/charts/sachet/templates/psp.yaml

@@ -26,3 +26,4 @@ spec:
   readOnlyRootFilesystem: false
   volumes:
     - 'configMap'
+    - 'secret'

charts/rancher-alerting-drivers/rancher-alerting-drivers/100.0.0/templates/_helpers.tpl

@@ -1,3 +1,29 @@
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Windows cluster will add default taint for linux nodes,
+add below linux tolerations to workloads could be scheduled to those linux nodes
+*/}}
+
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+  value: "linux"
+  effect: "NoSchedule"
+  operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+beta.kubernetes.io/os: linux
+{{- else -}}
+kubernetes.io/os: linux
+{{- end -}}
+{{- end -}}
+
 {{/*
 Expand the name of the chart.
 */}}

charts/rancher-alerting-drivers/rancher-alerting-drivers/100.0.0/templates/hardened.yaml

@@ -0,0 +1,116 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "drivers.fullname" . }}-patch-sa
+  namespace: {{ .Release.Namespace }}
+  labels: {{ include "drivers.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": post-install, post-upgrade
+    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+spec:
+  backoffLimit: 1
+  template:
+    spec:
+      serviceAccountName: {{ include "drivers.fullname" . }}-patch-sa
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+      restartPolicy: Never
+      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+      tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+      containers:
+        - name: {{ include "drivers.fullname" . }}-patch-sa
+          image: "{{ include "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
+          imagePullPolicy: IfNotPresent
+          command: ["kubectl", "-n", {{ .Release.Namespace | quote }}, "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "drivers.fullname" . }}-patch-sa
+  namespace: {{ .Release.Namespace }}
+  labels: {{ include "drivers.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": post-install, post-upgrade
+    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "drivers.fullname" . }}-patch-sa
+  labels: {{ include "drivers.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": post-install, post-upgrade
+    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+rules:
+  - apiGroups: [""]
+    resources: ["serviceaccounts"]
+    verbs: ["get", "patch"]
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    verbs:     ["use"]
+    resourceNames:
+      - {{ include "drivers.fullname" . }}-patch-sa
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "drivers.fullname" . }}-patch-sa
+  labels: {{ include "drivers.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": post-install, post-upgrade
+    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "drivers.fullname" . }}-patch-sa
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "drivers.fullname" . }}-patch-sa
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ include "drivers.fullname" . }}-patch-sa
+  labels: {{ include "drivers.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": post-install, post-upgrade
+    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+spec:
+  privileged: false
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'MustRunAsNonRoot'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+  volumes:
+    - 'secret'
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "drivers.fullname" . }}-default-allow-all
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  ingress:
+    - {}
+  egress:
+    - {}
+  policyTypes:
+    - Ingress
+    - Egress

charts/rancher-alerting-drivers/rancher-alerting-drivers/100.0.0/values.yaml

@@ -6,6 +6,9 @@ global:
   cattle:
     # the registry where all images will be pulled from
     systemDefaultRegistry: ""
+  kubectl:
+    repository: rancher/shell
+    tag: v0.1.6
   # set this value if you want the sub-charts to be installed into
   # a namespace rather than where this chart is installed
   namespaceOverride: ""

charts/rancher-prom2teams/rancher-prom2teams/100.0.0+up0.2.0/templates/psp.yaml

@@ -26,3 +26,4 @@ spec:
   readOnlyRootFilesystem: false
   volumes:
     - 'configMap'
+    - 'secret'

charts/rancher-sachet/rancher-sachet/100.0.0/templates/psp.yaml

@@ -26,3 +26,4 @@ spec:
   readOnlyRootFilesystem: false
   volumes:
     - 'configMap'
+    - 'secret'

packages/rancher-alerting-drivers/charts/Chart.yaml

@@ -6,12 +6,14 @@ annotations:
 apiVersion: v2
 appVersion: 1.16.0
 dependencies:
-- name: prom2teams
+- condition: prom2teams.enabled
+  name: prom2teams
   repository: file://./charts/prom2teams
 - condition: sachet.enabled
   name: sachet
   repository: file://./charts/sachet
 description: The manager for third-party webhook receivers used in Prometheus Alertmanager
+icon: https://charts.rancher.io/assets/logos/alerting-drivers.svg
 keywords:
 - monitoring
 - alertmanger

packages/rancher-alerting-drivers/charts/templates/_helpers.tpl

@@ -1,3 +1,29 @@
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Windows cluster will add default taint for linux nodes,
+add below linux tolerations to workloads could be scheduled to those linux nodes
+*/}}
+
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+  value: "linux"
+  effect: "NoSchedule"
+  operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+beta.kubernetes.io/os: linux
+{{- else -}}
+kubernetes.io/os: linux
+{{- end -}}
+{{- end -}}
+
 {{/*
 Expand the name of the chart.
 */}}

packages/rancher-alerting-drivers/charts/templates/hardened.yaml

@@ -0,0 +1,116 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "drivers.fullname" . }}-patch-sa
+  namespace: {{ .Release.Namespace }}
+  labels: {{ include "drivers.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": post-install, post-upgrade
+    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+spec:
+  backoffLimit: 1
+  template:
+    spec:
+      serviceAccountName: {{ include "drivers.fullname" . }}-patch-sa
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+      restartPolicy: Never
+      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+      tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+      containers:
+        - name: {{ include "drivers.fullname" . }}-patch-sa
+          image: "{{ include "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
+          imagePullPolicy: IfNotPresent
+          command: ["kubectl", "-n", {{ .Release.Namespace | quote }}, "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "drivers.fullname" . }}-patch-sa
+  namespace: {{ .Release.Namespace }}
+  labels: {{ include "drivers.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": post-install, post-upgrade
+    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "drivers.fullname" . }}-patch-sa
+  labels: {{ include "drivers.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": post-install, post-upgrade
+    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+rules:
+  - apiGroups: [""]
+    resources: ["serviceaccounts"]
+    verbs: ["get", "patch"]
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    verbs:     ["use"]
+    resourceNames:
+      - {{ include "drivers.fullname" . }}-patch-sa
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "drivers.fullname" . }}-patch-sa
+  labels: {{ include "drivers.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": post-install, post-upgrade
+    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "drivers.fullname" . }}-patch-sa
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "drivers.fullname" . }}-patch-sa
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ include "drivers.fullname" . }}-patch-sa
+  labels: {{ include "drivers.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": post-install, post-upgrade
+    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+spec:
+  privileged: false
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'MustRunAsNonRoot'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+  volumes:
+    - 'secret'
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "drivers.fullname" . }}-default-allow-all
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  ingress:
+    - {}
+  egress:
+    - {}
+  policyTypes:
+    - Ingress
+    - Egress

packages/rancher-alerting-drivers/charts/values.yaml

@@ -6,6 +6,9 @@ global:
   cattle:
     # the registry where all images will be pulled from
     systemDefaultRegistry: ""
+  kubectl:
+    repository: rancher/shell
+    tag: v0.1.6
   # set this value if you want the sub-charts to be installed into
   # a namespace rather than where this chart is installed
   namespaceOverride: ""

packages/rancher-prom2teams/generated-changes/overlay/templates/psp.yaml

@@ -26,3 +26,4 @@ spec:
   readOnlyRootFilesystem: false
   volumes:
     - 'configMap'
+    - 'secret'

packages/rancher-sachet/charts/templates/psp.yaml

@@ -26,3 +26,4 @@ spec:
   readOnlyRootFilesystem: false
   volumes:
     - 'configMap'
+    - 'secret'