From 2dff47146bb97417fd96b74b40fee4278d2f5c4c Mon Sep 17 00:00:00 2001 From: George Almasi Date: Wed, 20 Mar 2024 13:12:12 +0000 Subject: [PATCH 1/2] Initial commit for enabling a service account, role bindings and security context constraints for agents Signed-off-by: George Almasi --- .../keylime-agent/templates/_helpers.tpl | 14 ++++++++++++++ .../keylime-agent/templates/daemonset.yaml | 6 ++++++ .../charts/keylime-agent/templates/role.yaml | 19 +++++++++++++++++++ .../keylime-agent/templates/rolebinding.yaml | 14 ++++++++++++++ .../keylime/charts/keylime-agent/values.yaml | 5 +++++ 5 files changed, 58 insertions(+) create mode 100644 build/helm/keylime/charts/keylime-agent/templates/role.yaml create mode 100644 build/helm/keylime/charts/keylime-agent/templates/rolebinding.yaml diff --git a/build/helm/keylime/charts/keylime-agent/templates/_helpers.tpl b/build/helm/keylime/charts/keylime-agent/templates/_helpers.tpl index 944f53d..bed65aa 100644 --- a/build/helm/keylime/charts/keylime-agent/templates/_helpers.tpl +++ b/build/helm/keylime/charts/keylime-agent/templates/_helpers.tpl @@ -69,6 +69,20 @@ Create the name of the service account to use {{- end }} {{- end }} +{{/* +Create the name of the role to use +*/}} +{{- define "agent.roleName" -}} +{{- default (include "agent.fullname" .) .Values.role.name }} +{{- end }} + +{{/* +Create the name of the role binding to use +*/}} +{{- define "agent.roleBindingName" -}} +{{- default (include "agent.fullname" .) .Values.roleBinding.name }} +{{- end }} + {{/* Expand to the name of the config map to be used */}} diff --git a/build/helm/keylime/charts/keylime-agent/templates/daemonset.yaml b/build/helm/keylime/charts/keylime-agent/templates/daemonset.yaml index ef3bccf..fdcb328 100644 --- a/build/helm/keylime/charts/keylime-agent/templates/daemonset.yaml +++ b/build/helm/keylime/charts/keylime-agent/templates/daemonset.yaml 
@@ -8,6 +8,9 @@ spec: selector: matchLabels: {{- include "agent.selectorLabels" . | nindent 6 }} + {{- if .Values.serviceAccount.create -}} + serviceAccountName: {{ include "agent.serviceAccountName" . }} + {{- end }} template: metadata: {{- with .Values.podAnnotations }} @@ -21,7 +24,9 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} + {{- if .Values.serviceAccount.create -}} serviceAccountName: {{ include "agent.serviceAccountName" . }} + {{- end }} initContainers: - name: {{ .Chart.Name }}-init env: @@ -167,6 +172,7 @@ spec: selector: matchLabels: {{- include "agentplugin.selectorLabels" . | nindent 6 }} + serviceAccountName: {{ include "agent.serviceAccountName" . }} template: metadata: {{- with .Values.podAnnotations }} diff --git a/build/helm/keylime/charts/keylime-agent/templates/role.yaml b/build/helm/keylime/charts/keylime-agent/templates/role.yaml new file mode 100644 index 0000000..f379f4b --- /dev/null +++ b/build/helm/keylime/charts/keylime-agent/templates/role.yaml @@ -0,0 +1,19 @@ +{{ if .Values.global.openshift }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "agent.roleName" . }} +rules: +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: +{{ if .Values.global.service.agent.privileged }} + - privileged +{{ else }} + - hostmount-anyuid +{{ end }} + verbs: + - use +{{ end }} diff --git a/build/helm/keylime/charts/keylime-agent/templates/rolebinding.yaml b/build/helm/keylime/charts/keylime-agent/templates/rolebinding.yaml new file mode 100644 index 0000000..61103ee --- /dev/null +++ b/build/helm/keylime/charts/keylime-agent/templates/rolebinding.yaml 
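Review bot: `serviceAccountName` is a PodSpec field, but this hunk inserts it before `template:`, i.e. at DaemonSet `spec` level (or under `spec.selector`, depending on indentation that this rendering has collapsed), where the API server does not know the field and Helm's OpenAPI validation will reject the manifest unless it is disabled. The next hunk already sets the same field inside the pod template, which is the only place it has any effect, so this block should be removed rather than repaired. Patch 2/2 only corrects the `-}}` chomp on these lines and leaves the placement as is.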
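Review bot: Wrapping the existing `serviceAccountName` line in `{{- if .Values.serviceAccount.create }}` changes behaviour for the configuration where `create` is false and `serviceAccount.name` names a pre-existing account: the pod then silently runs under the namespace `default` account instead of the configured one. If `agent.serviceAccountName` follows the usual Helm helper pattern of returning the supplied name (or `default`) when `create` is false — the nested `{{- end }}` visible in the _helpers hunk suggests it does — the guard is unnecessary and the original unconditional line is the safer form. If the intent really is to leave the field unset when no account is created, say so in values.yaml next to `serviceAccount.create`.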
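Review bot: The plugin DaemonSet receives `serviceAccountName` unconditionally and, as in the first hunk, before `template:` rather than inside the pod spec, so it is both inconsistent with the guarded form used for the agent and not a valid field at that level. If the plugin pods are meant to run under the same account (and therefore inherit the same SCC grant), the line belongs in the plugin's `spec.template.spec`, which lies outside this hunk, so I cannot tell whether it already sets an account. If the plugin does not need the SCC, leave it on its current account rather than widening its privileges by default.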
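Review bot: The Role grants `use` on the `privileged` SCC whenever `global.service.agent.privileged` is set, which lets any pod bound to the account run fully privileged on the node, and the template carries no comment explaining why `hostmount-anyuid` is the non-privileged baseline rather than a narrower SCC. I would add a header such as `{{/* OpenShift only: grants the agent's service account an SCC permitting hostPath mounts (hostmount-anyuid, presumably for the TPM device), or the privileged SCC when global.service.agent.privileged is true. */}}` — hedged, since the chart's reason for hostmount-anyuid is not visible here. Consider also using `{{- if ... }}` with the dash, as the daemonset template does, so the rendered manifest does not start and end with blank lines.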
@@ -0,0 +1,14 @@ +{{ if .Values.global.openshift }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "agent.roleBindingName" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "agent.roleName" . }} +subjects: + - kind: ServiceAccount + name: {{ include "agent.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{ end }} diff --git a/build/helm/keylime/charts/keylime-agent/values.yaml b/build/helm/keylime/charts/keylime-agent/values.yaml index 78bb9d6..a037f21 100644 --- a/build/helm/keylime/charts/keylime-agent/values.yaml +++ b/build/helm/keylime/charts/keylime-agent/values.yaml @@ -29,6 +29,11 @@ serviceAccount: # If not set and create is true, a name is generated using the fullname template name: "" +role: + name: "" +roleBinding: + name: "" + podAnnotations: {} # command (and args) for regular operation From a368f73d14075798af4fd3327932bfa82f7034d3 Mon Sep 17 00:00:00 2001 From: George Almasi Date: Wed, 10 Apr 2024 13:49:12 +0000 Subject: [PATCH 2/2] typo fix: broken jinja syntax in the keylime agent daemon set Signed-off-by: George Almasi --- .../keylime/charts/keylime-agent/templates/daemonset.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/build/helm/keylime/charts/keylime-agent/templates/daemonset.yaml b/build/helm/keylime/charts/keylime-agent/templates/daemonset.yaml index fdcb328..a9067a6 100644 --- a/build/helm/keylime/charts/keylime-agent/templates/daemonset.yaml +++ b/build/helm/keylime/charts/keylime-agent/templates/daemonset.yaml @@ -8,7 +8,7 @@ spec: selector: matchLabels: {{- include "agent.selectorLabels" . | nindent 6 }} - {{- if .Values.serviceAccount.create -}} + {{- if .Values.serviceAccount.create }} serviceAccountName: {{ include "agent.serviceAccountName" . }} {{- end }} template: 
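Review bot: The binding is rendered for every OpenShift install, but its subject is whatever `agent.serviceAccountName` resolves to, which in the usual Helm helper pattern is `default` when `serviceAccount.create` is false; in that configuration the chart grants `use` on the `privileged` or `hostmount-anyuid` SCC to the namespace's default service account, i.e. to every pod in the namespace that does not set its own. Gate both the Role and the RoleBinding on the account actually being created, `{{ if and .Values.global.openshift .Values.serviceAccount.create }}`, or require an explicit `serviceAccount.name` when `create` is false. Note that the daemonset hunk in this patch only sets `serviceAccountName` when `create` is true, so as written the grant can land on an account the agent does not even use.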
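Review bot: The new `role.name` and `roleBinding.name` keys are undocumented, while the adjacent `serviceAccount` block explains its `name` fallback; a reader cannot tell from values.yaml that these are OpenShift-only and ignored unless `global.openshift` is set. Suggest a comment above each, e.g. `# OpenShift only: name of the Role granting 'use' on the agent's SCC; generated from the fullname template if empty` and the matching line for the RoleBinding. There is also no `create` toggle for either, so an operator who manages RBAC outside the chart cannot opt out without turning off `global.openshift` entirely.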
@@ -24,7 +24,7 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - {{- if .Values.serviceAccount.create -}} + {{- if .Values.serviceAccount.create }} serviceAccountName: {{ include "agent.serviceAccountName" . }} {{- end }} initContainers: