From 25f7b3314cad641c6096f8705082f498dd663982 Mon Sep 17 00:00:00 2001 From: Etienne Date: Fri, 10 Apr 2020 15:37:47 +0200 Subject: [PATCH] [stable/elastalert] Add ServiceAccount and PodSecurityPolicy to Elastalert (#21850) * Add ServiceAccount and PodSecurityPolicy to Elastalert Signed-off-by: Etienne Tremel * Use podSecurityPolicy.create Signed-off-by: Etienne Tremel --- stable/elastalert/Chart.yaml | 2 +- stable/elastalert/README.md | 70 ++++++++++--------- stable/elastalert/templates/_helpers.tpl | 11 +++ stable/elastalert/templates/deployment.yaml | 3 +- .../templates/podsecuritypolicy.yaml | 39 +++++++++++ stable/elastalert/templates/role.yaml | 20 ++++++ stable/elastalert/templates/rolebinding.yaml | 18 +++++ .../elastalert/templates/serviceaccount.yaml | 15 ++++ stable/elastalert/values.yaml | 14 ++++ 9 files changed, 157 insertions(+), 35 deletions(-) create mode 100644 stable/elastalert/templates/podsecuritypolicy.yaml create mode 100644 stable/elastalert/templates/role.yaml create mode 100644 stable/elastalert/templates/rolebinding.yaml create mode 100644 stable/elastalert/templates/serviceaccount.yaml
diff --git a/stable/elastalert/Chart.yaml b/stable/elastalert/Chart.yaml
index de889e671049..873a5059f998 100644
--- a/stable/elastalert/Chart.yaml
+++ b/stable/elastalert/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 description: ElastAlert is a simple framework for alerting on anomalies, spikes, or other patterns of interest from data in Elasticsearch.
 name: elastalert
-version: 1.2.4
+version: 1.3.0
 appVersion: 0.2.1
 home: https://github.com/Yelp/elastalert
 icon: https://static-www.elastic.co/assets/blteb1c97719574938d/logo-elastic-elasticsearch-lt.svg
diff --git a/stable/elastalert/README.md b/stable/elastalert/README.md
index cc0f9cdf38ed..bd21bcee9974 100644
--- a/stable/elastalert/README.md
+++ b/stable/elastalert/README.md
@@ -49,36 +49,40 @@ The command removes all the Kubernetes components associated with the chart and ## Configuration -| Parameter | Description | Default | -|-----------------------------------|--------------------------------------------------------------------------------------------|---------------------------------| -| `image.repository` | docker image | jertel/elastalert-docker | -| `image.tag` | docker image tag | 0.2.1 | -| `image.pullPolicy` | image pull policy | IfNotPresent | -| `podAnnotations` | Annotations to be added to pods | {} | -| `command` | command override for container | `NULL` | -| `args` | args override for container | `NULL` | -| `replicaCount` | number of replicas to run | 1 | -| `elasticsearch.host` | elasticsearch endpoint to use | elasticsearch | -| `elasticsearch.port` | elasticsearch port to use | 80 | -| `elasticsearch.useSsl` | whether or not to connect to es_host using SSL | False | -| `elasticsearch.username` | Username for ES with basic auth | `NULL` | -| `elasticsearch.password` | Password for ES with basic auth | `NULL` | -| `elasticsearch.verifyCerts` | whether or not to verify TLS certificates | True | -| `elasticsearch.clientCert` | path to a PEM certificate to use as the client certificate | /certs/client.pem | -| `elasticsearch.clientKey` | path to a private key file to use as the client key | /certs/client-key.pem | -| `elasticsearch.caCerts` | path to a CA cert bundle to use to verify SSL connections | /certs/ca.pem | -| `elasticsearch.certsVolumes` | certs volumes, required to mount ssl certificates when elasticsearch has tls enabled | `NULL` | -| `elasticsearch.certsVolumeMounts` | mount certs volumes, required to mount ssl certificates when elasticsearch has tls enabled | `NULL` | -| `extraConfigOptions` | Additional options to propagate to all rules, cannot be `alert`, `type`, `name` or `index` | `{}` | -| `optEnv` | Additional pod environment variable definitions | [] | -| `extraVolumes` | Additional volume 
definitions | [] | -| `extraVolumeMounts` | Additional volumeMount definitions | [] | -| `resources` | Container resource requests and limits | {} | -| `rules` | Rule and alert configuration for Elastalert | {} example shown in values.yaml | -| `runIntervalMins` | Default interval between alert checks, in minutes | 1 | -| `realertIntervalMins` | Time between alarms for same rule, in minutes | `NULL` | -| `alertRetryLimitMins` | Time to retry failed alert deliveries, in minutes | 2880 (2 days) | -| `bufferTimeMins` | Default rule buffer time, in minutes | 15 | -| `writebackIndex` | Name or prefix of elastalert index(es) | elastalert_status | -| `nodeSelector` | Node selector for deployment | {} | -| `tolerations` | Tolerations for deployment | [] | +| Parameter | Description | Default | +|-----------------------------------|-------------------------------------------------------------------------------------------------------------------------------|---------------------------------| +| `image.repository` | docker image | jertel/elastalert-docker | +| `image.tag` | docker image tag | 0.2.1 | +| `image.pullPolicy` | image pull policy | IfNotPresent | +| `podAnnotations` | Annotations to be added to pods | {} | +| `command` | command override for container | `NULL` | +| `args` | args override for container | `NULL` | +| `replicaCount` | number of replicas to run | 1 | +| `elasticsearch.host` | elasticsearch endpoint to use | elasticsearch | +| `elasticsearch.port` | elasticsearch port to use | 80 | +| `elasticsearch.useSsl` | whether or not to connect to es_host using SSL | False | +| `elasticsearch.username` | Username for ES with basic auth | `NULL` | +| `elasticsearch.password` | Password for ES with basic auth | `NULL` | +| `elasticsearch.verifyCerts` | whether or not to verify TLS certificates | True | +| `elasticsearch.clientCert` | path to a PEM certificate to use as the client certificate | /certs/client.pem | +| `elasticsearch.clientKey` | path to a private 
key file to use as the client key | /certs/client-key.pem | +| `elasticsearch.caCerts` | path to a CA cert bundle to use to verify SSL connections | /certs/ca.pem | +| `elasticsearch.certsVolumes` | certs volumes, required to mount ssl certificates when elasticsearch has tls enabled | `NULL` | +| `elasticsearch.certsVolumeMounts` | mount certs volumes, required to mount ssl certificates when elasticsearch has tls enabled | `NULL` | +| `extraConfigOptions` | Additional options to propagate to all rules, cannot be `alert`, `type`, `name` or `index` | `{}` | +| `optEnv` | Additional pod environment variable definitions | [] | +| `extraVolumes` | Additional volume definitions | [] | +| `extraVolumeMounts` | Additional volumeMount definitions | [] | +| `serviceAccount.create` | Specifies whether a service account should be created. | `true` | +| `serviceAccount.name` | Service account to be used. If not set and `serviceAccount.create` is `true`, a name is generated using the fullname template | | +| `serviceAccount.annotations` | ServiceAccount annotations | | +| `podSecurityPolicy.create` | Create pod security policy resources | `false` | +| `resources` | Container resource requests and limits | {} | +| `rules` | Rule and alert configuration for Elastalert | {} example shown in values.yaml | +| `runIntervalMins` | Default interval between alert checks, in minutes | 1 | +| `realertIntervalMins` | Time between alarms for same rule, in minutes | `NULL` | +| `alertRetryLimitMins` | Time to retry failed alert deliveries, in minutes | 2880 (2 days) | +| `bufferTimeMins` | Default rule buffer time, in minutes | 15 | +| `writebackIndex` | Name or prefix of elastalert index(es) | elastalert_status | +| `nodeSelector` | Node selector for deployment | {} | +| `tolerations` | Tolerations for deployment | [] | diff --git a/stable/elastalert/templates/_helpers.tpl b/stable/elastalert/templates/_helpers.tpl index 6e62bee649b9..2fbdad460bb1 100644 
--- a/stable/elastalert/templates/_helpers.tpl
+++ b/stable/elastalert/templates/_helpers.tpl
@@ -23,3 +23,14 @@ If release name contains chart name it will be used as a full name.
 {{- end -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "elastalert.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "elastalert.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
diff --git a/stable/elastalert/templates/deployment.yaml b/stable/elastalert/templates/deployment.yaml
index ec367cf3044f..153075951df5 100644
--- a/stable/elastalert/templates/deployment.yaml
+++ b/stable/elastalert/templates/deployment.yaml
@@ -28,6 +28,7 @@ spec:
       app: {{ template "elastalert.name" . }}
       release: {{ .Release.Name }}
     spec:
+      serviceAccountName: {{ include "elastalert.serviceAccountName" . }}
       containers:
       - name: elastalert
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
@@ -86,5 +87,5 @@ spec:
 {{- end }}
 {{- if .Values.extraVolumes }}
 {{ toYaml .Values.extraVolumes | indent 8 }}
-{{- end }} 
+{{- end }}
 {{- end }}
diff --git a/stable/elastalert/templates/podsecuritypolicy.yaml b/stable/elastalert/templates/podsecuritypolicy.yaml
new file mode 100644
index 000000000000..e3777203558c
--- /dev/null
+++ b/stable/elastalert/templates/podsecuritypolicy.yaml
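Review bot: The pod template now pins `serviceAccountName` but leaves `automountServiceAccountToken` at its default, so the token of the newly dedicated service account is mounted into the elastalert container. Nothing in this change shows the container calling the Kubernetes API; the only permission the account receives is `use` on the PodSecurityPolicy, which the admission controller evaluates against the pod's service account without the token being present in the pod, so the mounted credential has no consumer. Adding `automountServiceAccountToken: false` directly beside the new `serviceAccountName` line, or exposing it as a value that defaults to false, removes it. The pod template starts and ends outside this hunk.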
@@ -0,0 +1,39 @@
+{{- if .Values.podSecurityPolicy.create }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "elastalert.fullname" . }}
+  labels:
+    app: {{ template "elastalert.name" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  # Prevents running in privileged mode
+  privileged: false
+  # Required to prevent escalations to root.
+  allowPrivilegeEscalation: false
+  volumes:
+    - configMap
+    - secret
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: MustRunAs
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: MustRunAs
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+{{- end }}
diff --git a/stable/elastalert/templates/role.yaml b/stable/elastalert/templates/role.yaml
new file mode 100644
index 000000000000..13a619e64ac6
--- /dev/null
+++ b/stable/elastalert/templates/role.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.podSecurityPolicy.create }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  name: {{ template "elastalert.fullname" . }}
+  labels:
+    app: {{ template "elastalert.name" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+rules:
+  - apiGroups:
+      - policy
+    resources:
+      - podsecuritypolicies
+    resourceNames:
+      - {{ template "elastalert.fullname" . }}
+    verbs:
+      - use
+{{- end -}}
diff --git a/stable/elastalert/templates/rolebinding.yaml b/stable/elastalert/templates/rolebinding.yaml
new file mode 100644
index 000000000000..4f05a40c339a
--- /dev/null
+++ b/stable/elastalert/templates/rolebinding.yaml
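Review bot: The `volumes` allowlist is hard-coded to `configMap` and `secret`, while the chart accepts arbitrary volume definitions through `extraVolumes` and `elasticsearch.certsVolumes` (both listed in this commit's README table), so with `podSecurityPolicy.create: true` a pod that adds any other type, such as `emptyDir` or `persistentVolumeClaim`, is rejected at admission with nothing in the chart pointing at the cause. Exposing the list as a value, e.g. `volumes: {{ toYaml .Values.podSecurityPolicy.volumes | nindent 4 }}` with the two current entries as the default, or at minimum a comment above `volumes:` saying that extra volume types must be added here, would make the restriction visible. Separately, `runAsUser: rule: RunAsAny` still permits UID 0; if the image is known to run as a non-root user, `MustRunAsNonRoot` turns that into an enforced guarantee, and `readOnlyRootFilesystem: false` deserves a comment saying whether the container actually needs a writable root filesystem.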
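Review bot: `apiVersion: rbac.authorization.k8s.io/v1beta1` on the new Role, and the same on the RoleBinding in the rolebinding.yaml hunk, uses the beta RBAC API although `rbac.authorization.k8s.io/v1` has been GA since Kubernetes 1.8 and is therefore served by every cluster that also serves `policy/v1beta1` PodSecurityPolicy; the beta version is deprecated, so `apiVersion: rbac.authorization.k8s.io/v1` is the safer choice in both files. This file also closes with `{{- end -}}` whereas podsecuritypolicy.yaml closes with `{{- end }}`; both render correctly, but one form across the new templates avoids a reader wondering whether the difference is intentional.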
@@ -0,0 +1,18 @@
+{{- if .Values.podSecurityPolicy.create }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: {{ template "elastalert.fullname" . }}
+  labels:
+    app: {{ template "elastalert.name" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "elastalert.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "elastalert.serviceAccountName" . }}
+{{- end -}}
diff --git a/stable/elastalert/templates/serviceaccount.yaml b/stable/elastalert/templates/serviceaccount.yaml
new file mode 100644
index 000000000000..dc1e08c522e4
--- /dev/null
+++ b/stable/elastalert/templates/serviceaccount.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "elastalert.serviceAccountName" . }}
+  labels:
+    app: {{ template "elastalert.name" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end -}}
diff --git a/stable/elastalert/values.yaml b/stable/elastalert/values.yaml
index f79bb6b454ed..1768bcd8169c 100644
--- a/stable/elastalert/values.yaml
+++ b/stable/elastalert/values.yaml
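Review bot: The ServiceAccount subject carries no `namespace`, so the binding relies on the RBAC authorizer's fallback of resolving a namespace-less ServiceAccount subject against the RoleBinding's own namespace. That fallback works, but `namespace: {{ .Release.Namespace }}` under the subject's `name` states which account is meant and is the form the API requires should this subject ever be used in a ClusterRoleBinding. The `apiVersion` point raised on the role.yaml hunk applies to this file as well.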
@@ -117,6 +117,20 @@ rules: {} # pagerduty_service_key: dummy # pagerduty_client_name: Elastalert Deadman Switch
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name:
+
+# Enable pod security policy
+# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+podSecurityPolicy:
+  create: false
+
 # Support using node selectors and tolerations
 # nodeSelector:
 #   "node-role.kubernetes.io/infra_worker": "true"
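Review bot: `name:` under `serviceAccount` is left with no value, which YAML parses as null rather than an empty string; the `elastalert.serviceAccountName` helper's `default` treats null and `""` alike so the generated name is still used, but `name: ""` states that explicitly and keeps yamllint's empty-values check quiet, matching how `annotations: {}` and `create: false` in the same hunk are written. The `# Enable pod security policy` comment would also help users if it said that the policy only takes effect on clusters with the PodSecurityPolicy admission controller enabled; without it the Role and RoleBinding are created but enforce nothing.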