From 8ea867abcae9bd00fdf53e2af68d0a967120480e Mon Sep 17 00:00:00 2001
From: Simon Witheridge
Date: Fri, 11 Aug 2023 10:24:45 +0100
Subject: [PATCH] Make cleanup-leases security context configurable
The SecurityContext field for this job is currently static, however when deploying policy-controller into a namespace that uses Pod Security Admission controllers this job will not be able to run.
Signed-off-by: Simon Witheridge
---
charts/policy-controller/Chart.yaml | 2 +-
charts/policy-controller/README.md | 23 ++++++++++---------
.../templates/webhook/cleanup-leases.yaml | 6 +++++
charts/policy-controller/values.schema.json | 8 +++++++
charts/policy-controller/values.yaml | 9 ++++++++
5 files changed, 36 insertions(+), 12 deletions(-)
diff --git a/charts/policy-controller/Chart.yaml b/charts/policy-controller/Chart.yaml
index 7acc301a..82f0f44b 100644
--- a/charts/policy-controller/Chart.yaml
+++ b/charts/policy-controller/Chart.yaml
@@ -8,7 +8,7 @@ sources:
 type: application
 name: policy-controller
-version: 0.6.1
+version: 0.6.2
 appVersion: 0.8.2
 maintainers:
diff --git a/charts/policy-controller/README.md b/charts/policy-controller/README.md
index 2fd0efb0..d70aebdc 100644
--- a/charts/policy-controller/README.md
+++ b/charts/policy-controller/README.md
@@ -1,6 +1,6 @@
 # policy-controller
-![Version: 0.5.8](https://img.shields.io/badge/Version-0.5.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.0](https://img.shields.io/badge/AppVersion-0.7.0-informational?style=flat-square)
+![Version: 0.6.2](https://img.shields.io/badge/Version-0.6.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.8.2](https://img.shields.io/badge/AppVersion-0.8.2-informational?style=flat-square)
 The Helm chart for Policy Controller
@@ -27,17 +27,19 @@ The Helm chart for Policy Controller
 | cosign.webhookName | string | `"policy.sigstore.dev"` | |
 | imagePullSecrets | list | `[]` | |
 | installCRDs | bool | `true` | |
-| webhook.configData | object | `{}` | Set the data of the `policy-config-controller` configmap |
-| webhook.webhookNames.defaulting | string | `"defaulting.clusterimagepolicy.sigstore.dev"` | |
-| webhook.webhookNames.validating | string | `"validating.clusterimagepolicy.sigstore.dev"` | |
+| leasescleanup.image.pullPolicy | string | `"IfNotPresent"` | |
+| leasescleanup.image.repository | string | `"cgr.dev/chainguard/kubectl"` | |
+| leasescleanup.image.version | string | `"1.26.0"` | |
+| leasescleanup.securityContext.enabled | bool | `false` | |
 | serviceMonitor.enabled | bool | `false` | |
+| webhook.configData | object | `{}` | |
 | webhook.env | object | `{}` | |
 | webhook.extraArgs | object | `{}` | |
+| webhook.failurePolicy | string | `"Fail"` | |
 | webhook.image.pullPolicy | string | `"IfNotPresent"` | |
 | webhook.image.repository | string | `"ghcr.io/sigstore/policy-controller/policy-controller"` | |
-| webhook.image.version | string | `"sha256:e91bcd954394b414d3b80adfc2cefdae84dd7985fb938a895471eb34aac57744"` | `"v0.8.0"` |
+| webhook.image.version | string | `"sha256:e91bcd954394b414d3b80adfc2cefdae84dd7985fb938a895471eb34aac57744"` | `"v0.8.2"` |
 | webhook.name | string | `"webhook"` | |
-| webhook.failurePolicy | string | `"Fail"` | |
 | webhook.namespaceSelector.matchExpressions[0].key | string | `"policy.sigstore.dev/include"` | |
 | webhook.namespaceSelector.matchExpressions[0].operator | string | `"In"` | |
 | webhook.namespaceSelector.matchExpressions[0].values[0] | string | `"true"` | |
@@ -48,8 +50,8 @@ The Helm chart for Policy Controller
 | webhook.podSecurityContext.runAsUser | int | `1000` | |
 | webhook.registryCaBundle | object | `{}` | |
 | webhook.replicaCount | int | `1` | |
-| webhook.resources.limits.cpu | string | `"100m"` | |
-| webhook.resources.limits.memory | string | `"256Mi"` | |
+| webhook.resources.limits.cpu | string | `"200m"` | |
+| webhook.resources.limits.memory | string | `"512Mi"` | |
 | webhook.resources.requests.cpu | string | `"100m"` | |
 | webhook.resources.requests.memory | string | `"128Mi"` | |
 | webhook.securityContext.enabled | bool | `false` | |
@@ -62,9 +64,8 @@ The Helm chart for Policy Controller
 | webhook.serviceAccount.name | string | `""` | |
 | webhook.volumeMounts | list | `[]` | |
 | webhook.volumes | list | `[]` | |
-| leasescleanup.image.pullPolicy | string | `"IfNotPresent"` | |
-| leasescleanup.image.repository | string | `"cgr.dev/chainguard/kubectl"` | |
-| leasescleanup.image.version | string | `"1.26.0"` | |
+| webhook.webhookNames.defaulting | string | `"defaulting.clusterimagepolicy.sigstore.dev"` | |
+| webhook.webhookNames.validating | string | `"validating.clusterimagepolicy.sigstore.dev"` | |
 ### Deploy `policy-controller` Helm Chart
diff --git a/charts/policy-controller/templates/webhook/cleanup-leases.yaml b/charts/policy-controller/templates/webhook/cleanup-leases.yaml
index 0cccbb16..e973ab3f 100644
--- a/charts/policy-controller/templates/webhook/cleanup-leases.yaml
+++ b/charts/policy-controller/templates/webhook/cleanup-leases.yaml
@@ -25,6 +25,12 @@ spec:
 - -c
 - kubectl delete leases --all --ignore-not-found -n {{ .Release.Namespace }}
 restartPolicy: OnFailure
+ {{- if .Values.leasescleanup.securityContext.enabled }}
+ securityContext:
+ {{- with .Values.leasescleanup.securityContext }}
+ {{- omit . "enabled" | toYaml | nindent 8}}
+ {{- end }}
+ {{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
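Review bot: The `securityContext` added after `restartPolicy: OnFailure` is rendered at the pod level (same indent as `restartPolicy`, hence `nindent 8`), i.e. a PodSecurityContext, but the example fields the same commit puts in values.yaml — `allowPrivilegeEscalation`, `readOnlyRootFilesystem`, `capabilities.drop` — are container-only fields that a PodSecurityContext does not accept, and the `restricted` Pod Security Standard checks `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]` on each container, so a pod-level block alone cannot get this Job admitted into a restricted namespace. I would mirror the split the chart already uses for the webhook (README lists both `webhook.podSecurityContext` and `webhook.securityContext`): render `leasescleanup.securityContext` on the kubectl container and add a `leasescleanup.podSecurityContext` for pod-level settings, with matching values.yaml defaults and values.schema.json entries. The container definition starts above this hunk, so the placement of the container-level block and its indent (inferred from `nindent 8` here) need confirming against the full template. A values.yaml comment such as `# container-level securityContext; pod-level settings (fsGroup, seccompProfile, ...) go under podSecurityContext` would stop users uncommenting container fields into the wrong block.
```yaml
# … unchanged: containers[0] image/command/args (container definition starts above this hunk) …
          {{- with .Values.leasescleanup.securityContext }}
          {{- if .enabled }}
          securityContext:
            {{- omit . "enabled" | toYaml | nindent 12 }}
          {{- end }}
          {{- end }}
      restartPolicy: OnFailure
      {{- with .Values.leasescleanup.podSecurityContext }}
      {{- if .enabled }}
      securityContext:
        {{- omit . "enabled" | toYaml | nindent 8 }}
      {{- end }}
      {{- end }}
```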
diff --git a/charts/policy-controller/values.schema.json b/charts/policy-controller/values.schema.json
index 53a222f9..9a77f8ec 100644
--- a/charts/policy-controller/values.schema.json
+++ b/charts/policy-controller/values.schema.json
@@ -42,6 +42,14 @@
 }
 }
 }
+ },
+ "securityContext": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ }
+ }
 }
 },
 "serviceMonitor": {
diff --git a/charts/policy-controller/values.yaml b/charts/policy-controller/values.yaml
index 04ffde0b..cc1073e5 100644
--- a/charts/policy-controller/values.yaml
+++ b/charts/policy-controller/values.yaml
@@ -65,6 +65,15 @@ leasescleanup:
 repository: cgr.dev/chainguard/kubectl
 version: 1.26.0
 pullPolicy: IfNotPresent
+ ## set pod security context options to harden the pod or allow exceptions
+ securityContext:
+ enabled: false
+ # allowPrivilegeEscalation: false
+ # readOnlyRootFilesystem: true
+ # runAsUser: 1000
+ # capabilities:
+ # drop:
+ # - ALL
 ## common node selector for all the pods
 commonNodeSelector: {}