falco - add psp configuration capabilities (helm#14813)

Signed-off-by: Maxime VISONNEAU <[email protected]>
davidkarlsen · Jul 3, 2019 · d214d20 · d214d20
1 parent 2d27eca
commit d214d20
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 1 deletion.
diff --git a/stable/falco/Chart.yaml b/stable/falco/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: falco
-version: 0.7.10
+version: 0.8.0
 appVersion: 0.15.3
 description: Falco
 keywords:

diff --git a/stable/falco/README.md b/stable/falco/README.md
@@ -62,6 +62,7 @@ The following table lists the configurable parameters of the Falco chart and the
 | `fakeEventGenerator.enabled`                    | Run falco-event-generator for sample events                                                       | `false`                                                                                |
 | `fakeEventGenerator.replicas`                   | How many replicas of falco-event-generator to run                                                 | `1`                                                                                    |
 | `daemonset.updateStrategy.type`                 | The updateStrategy for updating the daemonset                                                     | `RollingUpdate`                                                                        |
+| `podSecurityPolicy.create`                      | If true, create & use podSecurityPolicy                                                           | `false`                                                                                |
 | `proxy.httpProxy`                               | Set the Proxy server if is behind a firewall                                                      | ``                                                                                     |
 | `proxy.httpsProxy`                              | Set the Proxy server if is behind a firewall                                                      | ``                                                                                     |
 | `proxy.noProxy`                                 | Set the Proxy server if is behind a firewall                                                      | ``                                                                                     |

diff --git a/stable/falco/templates/clusterrole.yaml b/stable/falco/templates/clusterrole.yaml
@@ -29,4 +29,14 @@ rules:
       - /healthz/*
     verbs:
       - get
+{{- if .Values.podSecurityPolicy.create }}
+  - apiGroups:
+      - extensions
+    resources:
+      - podsecuritypolicies
+    resourceNames:
+      - {{ template "falco.fullname" . }}
+    verbs:
+      - use
+{{- end }}
 {{- end }}
diff --git a/stable/falco/templates/podsecuritypolicy.yaml b/stable/falco/templates/podsecuritypolicy.yaml
@@ -0,0 +1,24 @@
+{{- if .Values.podSecurityPolicy.create}}
+apiVersion: extensions/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "falco.fullname" . }}
+  labels:
+    app: {{ template "falco.fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+spec:
+  privileged: true
+  hostNetwork: true
+  allowedCapabilities: ['*']
+  fsGroup:
+    rule: RunAsAny
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  volumes: ['*']
+{{- end }}
diff --git a/stable/falco/values.yaml b/stable/falco/values.yaml
@@ -31,6 +31,10 @@ rbac:
   # Create and use rbac resources
   create: true
 
+podSecurityPolicy:
+  # Create a podSecurityPolicy
+  create: false
+
 serviceAccount:
   # Create and use serviceAccount resources
   create: true