Add PSP toggle for k8s 1.25 (#123)

giantswarm · Nov 9, 2023 · 2cda75e · 2cda75e
1 parent 3e1a2d1
commit 2cda75e
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 26 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Changed
+
+- Add a switch for PSP CR installation.
+
 ## [3.2.1] - 2023-10-04
 
 ## [3.2.0] - 2023-02-28

diff --git a/helm/docs-indexer-app/templates/psp.yaml b/helm/docs-indexer-app/templates/psp.yaml
@@ -0,0 +1,26 @@
+{{- if not .Values.podSecurityStandards.enforced }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ .Values.name }}
+spec:
+  allowPrivilegeEscalation: false
+  runAsUser:
+    rule: MustRunAsNonRoot
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: MustRunAs
+    ranges:
+    - max: 65535
+      min: 1
+  fsGroup:
+    rule: MustRunAs
+    ranges:
+    - max: 65535
+      min: 1
+  volumes:
+  - secret
+  - configMap
+  - emptyDir
+{{- end }}
diff --git a/...s-indexer-app/templates/rbac-and-psp.yaml → helm/docs-indexer-app/templates/rbac.yaml b/...s-indexer-app/templates/rbac-and-psp.yaml → helm/docs-indexer-app/templates/rbac.yaml
@@ -1,29 +1,3 @@
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: {{ .Values.name }}
-spec:
-  allowPrivilegeEscalation: false
-  runAsUser:
-    rule: MustRunAsNonRoot
-  seLinux:
-    rule: RunAsAny
-  supplementalGroups:
-    rule: MustRunAs
-    ranges:
-    - max: 65535
-      min: 1
-  fsGroup:
-    rule: MustRunAs
-    ranges:
-    - max: 65535
-      min: 1
-  volumes:
-  - secret
-  - configMap
-  - emptyDir
----
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -36,6 +10,7 @@ metadata:
   name: {{ .Values.name }}
   namespace: {{ .Release.Namespace }}
 rules:
+{{- if not .Values.podSecurityStandards.enforced }}
 - apiGroups:
   - extensions
   resourceNames:
@@ -44,6 +19,7 @@ rules:
   - podsecuritypolicies
   verbs:
   - use
+{{- end }}
 - apiGroups:
   - ""
   resources:
@@ -66,3 +42,4 @@ subjects:
 - kind: ServiceAccount
   name: {{ .Values.name }}
   namespace: {{ .Release.Namespace }}
+
diff --git a/helm/docs-indexer-app/values.yaml b/helm/docs-indexer-app/values.yaml
@@ -5,3 +5,6 @@ image:
   tag: "[[.Version]]"
   sha: "[[.SHA]]"
 elasticsearchEndpoint: "http://sitesearch-app:9200/"
+
+podSecurityStandards:
+  enforced: false