Add PodSecurityPolicy for falcosidekick

Fixes falcosecurity#110 Signed-off-by: Christian Zunker <[email protected]>
Kaizhe · Oct 5, 2020 · 9bfb8be · 9bfb8be
1 parent acd12fd
commit 9bfb8be
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 1 deletion.
diff --git a/falcosidekick/CHANGELOG.md b/falcosidekick/CHANGELOG.md
@@ -5,6 +5,12 @@ numbering uses [semantic versioning](http://semver.org).
 
 Before release 0.1.20, the helm chart can be found in `falcosidekick` [repository](https://github.com/falcosecurity/falcosidekick/tree/master/deploy/helm/falcosidekick). 
 
+## 0.1.26
+
+### Minor Changes
+
+* Allow the creation of a PodSecurityPolicy, disabled by default
+
 ## 0.1.25
 
 ### Minor Changes

diff --git a/falcosidekick/Chart.yaml b/falcosidekick/Chart.yaml
@@ -3,7 +3,7 @@ appVersion: 2.14.0
 description: A simple daemon to help you with falco's outputs
 icon: https://raw.githubusercontent.com/falcosecurity/falcosidekick/master/imgs/falcosidekick_color.png
 name: falcosidekick
-version: 0.1.25
+version: 0.1.26
 keywords:
   - monitoring
   - security

diff --git a/falcosidekick/README.md b/falcosidekick/README.md
@@ -151,6 +151,7 @@ The following table lists the configurable parameters of the Falcosidekick chart
 | `azure.eventhub.name`            | Name of the Hub, if not empty, EventHub is *enabled*                                                                                                                      |                                                                                                   |
 | `azure.eventhub.namespace`       | Name of the space the Hub is in                                                                                                                                           |                                                                                                   |
 | `azure.eventhub.minimumpriority` | minimum priority of event for using use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""`                                   | `debug`                                                                                           |
+| `podSecurityPolicy.create`       | create a PodSecurityPolicy                                                                                                                                                | `false`                                                                                           |
 
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,

diff --git a/falcosidekick/templates/podsecuritypolicy.yaml b/falcosidekick/templates/podsecuritypolicy.yaml
@@ -0,0 +1,35 @@
+{{- if .Values.podSecurityPolicy.create}}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "falcosidekick.fullname" . }}
+  labels:
+    app: {{ template "falcosidekick.fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+spec:
+  privileged: false
+  allowPrivilegeEscalation: false
+  hostNetwork: false
+  readOnlyRootFilesystem: true
+  requiredDropCapabilities:
+  - ALL
+  fsGroup:
+    ranges:
+    - max: 65535
+      min: 1
+    rule: MustRunAs
+  runAsUser:
+    rule: MustRunAsNonRoot
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    ranges:
+    - max: 65535
+      min: 1
+    rule: MustRunAs
+  volumes:
+  - configMap
+  - secret
+{{- end }}