Add RBAC to satellite daemonset

[jbanety]

Lokomotive clusters have PodSecurityPolicy (PSP) enabled by default so I need to apply to satellite containers a permissive PSP.

[kvaps]

Thanks, wouldn't it work with the automountServiceAccountToken: false?

[jbanety]

Nop.
We need a service account to assign permissions to access host network, run root containers,...
And to enforce security, Lokomotive has a webhook to disable automounting default service account.
https://kinvolk.io/docs/lokomotive/0.5/concepts/admission-webhook/

[kvaps]

Got it! Could you also contribute PSP policy itself?

Example manifest from old stable repo
https://github.com/helm/charts/blob/2f030a8e9db3e451e8030b12d2658371f5708f7d/stable/elasticsearch/templates/podsecuritypolicy.yaml

[jbanety]

Haha, I have already created static manifests in my Lokomotive component.
I still have to define the permissions to apply.
Containers are running as root.
Can we run them as regular user ?

[kvaps]

Well it's not a problem to run controller and other daemons as unprivileged user. But I'm not sure if it is possible to make satellite daemon running, because it is operating with the LVM, devicemapper, DRBD and ZFS quite hard.
I'm worry that specific permissions are required for it.

[kvaps]

Thanks! I'll review and merge this in a while!🤘

[jbanety]

This is a very permissive policy.
I did not find time to dig into this.

[kvaps]

I think you don't have to. PSP is going to be deprecated in the next Kubernetes release:
kubernetes/kubernetes#97171

[jbanety]

OK. That's enough then.

[jbanety]

Sorry for the mess. This is OK now 🙄

[kvaps]

Let's make this configurable, also add to values.yaml

## Specify if a Pod Security Policy for node-exporter must be created
## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
##
podSecurityPolicy:
  enabled: false

[kvaps]

forgot these two

[kvaps]

merged, thanks!