From aed199798c9d1250733cfb1817baddf0f975c9b7 Mon Sep 17 00:00:00 2001
From: Mauren Berti
Date: Mon, 30 Jan 2023 10:43:53 -0500
Subject: [PATCH] [rancher-tracing] Replace global.rbac.pspEnabled flag.
* Replace previous global.rbac.pspEnabled flag with global.cattle.psp.enabled.
* Add new flag to values.yaml.
* Include validation in validate-psp-install.yaml.
---
 .../1.15/rancher-tracing/charts/templates/deployment.yaml | 2 +-
 .../1.15/rancher-tracing/charts/templates/psp.yaml | 4 +---
 .../charts/templates/validate-psp-install.yaml | 7 +++++++
 .../rancher-istio/1.15/rancher-tracing/charts/values.yaml | 2 ++
 4 files changed, 11 insertions(+), 4 deletions(-)
 create mode 100644 packages/rancher-istio/1.15/rancher-tracing/charts/templates/validate-psp-install.yaml
diff --git a/packages/rancher-istio/1.15/rancher-tracing/charts/templates/deployment.yaml b/packages/rancher-istio/1.15/rancher-tracing/charts/templates/deployment.yaml
index 59928735f..6ba161216 100644
--- a/packages/rancher-istio/1.15/rancher-tracing/charts/templates/deployment.yaml
+++ b/packages/rancher-istio/1.15/rancher-tracing/charts/templates/deployment.yaml
@@ -68,7 +68,7 @@ spec:
 affinity:
 {{- include "nodeAffinity" . | indent 6 }}
 {{- include "podAntiAffinity" . | indent 6 }}
- {{- if .Values.global.rbac.pspEnabled }}
+ {{- if .Values.global.cattle.psp.enabled }}
 securityContext:
 runAsNonRoot: true
 runAsUser: 1000
diff --git a/packages/rancher-istio/1.15/rancher-tracing/charts/templates/psp.yaml b/packages/rancher-istio/1.15/rancher-tracing/charts/templates/psp.yaml
index e59ce1d28..1dc5a844d 100644
--- a/packages/rancher-istio/1.15/rancher-tracing/charts/templates/psp.yaml
+++ b/packages/rancher-istio/1.15/rancher-tracing/charts/templates/psp.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.global.rbac.pspEnabled }}
+{{- if .Values.global.cattle.psp.enabled }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
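Review bot: In deployment.yaml the pod `securityContext` (`runAsNonRoot: true`, `runAsUser: 1000`) is still rendered only when the PSP flag is on, and this commit sets the new flag's default to `enabled: false` in values.yaml, so a default install appears to ship the pod without any non-root constraint. These two settings are pod-level hardening that does not need the PodSecurityPolicy API, and the clusters where PSP is unavailable are exactly the ones that lose them. Consider moving the `{{- if .Values.global.cattle.psp.enabled }}` guard off this block so `securityContext:` is always emitted, or gating it on a value of its own. The closing `{{- end }}` and the rest of the block lie outside the hunk, so confirm that nothing else inside the conditional depends on the PSP.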
@@ -9,7 +9,6 @@ metadata:
 heritage: {{ .Release.Service }}
 release: {{ .Release.Name }}
 ---
-{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -85,4 +84,3 @@ spec:
 - secret
 - persistentVolumeClaim
 {{- end }}
-{{- end }}
diff --git a/packages/rancher-istio/1.15/rancher-tracing/charts/templates/validate-psp-install.yaml b/packages/rancher-istio/1.15/rancher-tracing/charts/templates/validate-psp-install.yaml
new file mode 100644
index 000000000..a30c59d3b
--- /dev/null
+++ b/packages/rancher-istio/1.15/rancher-tracing/charts/templates/validate-psp-install.yaml
@@ -0,0 +1,7 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+#{{- if .Values.global.cattle.psp.enabled }}
+#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
+#{{- end }}
+#{{- end }}
+#{{- end }}
diff --git a/packages/rancher-istio/1.15/rancher-tracing/charts/values.yaml b/packages/rancher-istio/1.15/rancher-tracing/charts/values.yaml
index 9b0ec3149..9d2850485 100644
--- a/packages/rancher-istio/1.15/rancher-tracing/charts/values.yaml
+++ b/packages/rancher-istio/1.15/rancher-tracing/charts/values.yaml
@@ -14,6 +14,8 @@ fullnameOverride: ""
 global:
 cattle:
 systemDefaultRegistry: ""
+ psp:
+ enabled: false
 defaultResources: {}
 imagePullPolicy: IfNotPresent
 imagePullSecrets: []
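Review bot: In validate-psp-install.yaml the leading `#` on every line does not switch the check off, because Helm evaluates the `{{ }}` actions regardless of the YAML comment marker, yet nothing in the file says so and it reads as dead code that a later cleanup could delete or "uncomment". A first-line template comment would prevent that, e.g. `{{- /* The leading # keeps this file valid YAML for linters; Helm still evaluates the actions below. */ -}}`. The same comment should state that the outer `lookup` guard skips the check whenever `lookup` returns nothing, which is the case for `helm template` and client-side dry runs. Because this commit also removes the `.Capabilities.APIVersions.Has` guard from psp.yaml, those render paths will emit the PSP resources when `psp.enabled` is true even for a cluster without the API, and the failure then surfaces only when the manifests are applied.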