Make cleanup-leases security context configurable
The SecurityContext field for this job is currently static; however, when deploying policy-controller into a namespace that uses Pod Security Admission controllers, this job will not be able to run.

Signed-off-by: Simon Witheridge <[email protected]>
sirisaacnuketon committed Aug 14, 2023
1 parent bb32f5f commit c32ccd6
Showing 5 changed files with 36 additions and 12 deletions.
2 changes: 1 addition & 1 deletion charts/policy-controller/Chart.yaml
Expand Up @@ -8,7 +8,7 @@ sources:
type: application

name: policy-controller
version: 0.6.0
version: 0.7.0
appVersion: 0.8.0

maintainers:
23 changes: 12 additions & 11 deletions charts/policy-controller/README.md
@@ -1,6 +1,6 @@
# policy-controller

![Version: 0.5.8](https://img.shields.io/badge/Version-0.5.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.0](https://img.shields.io/badge/AppVersion-0.7.0-informational?style=flat-square)
![Version: 0.7.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.8.0](https://img.shields.io/badge/AppVersion-0.8.0-informational?style=flat-square)

The Helm chart for Policy Controller

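Review bot: the added badge line is internally inconsistent: its alt text reads `Version: 0.7.0` but the shields.io path still says `Version-0.6.0`, so the rendered badge will show 0.6.0 while Chart.yaml now says 0.7.0. Change the URL to `https://img.shields.io/badge/Version-0.7.0-informational?style=flat-square`. The removed line also shows the README had already drifted from Chart.yaml (0.5.8 vs 0.6.0), which argues for regenerating the README from the chart as part of the release step rather than editing it by hand.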
Expand All @@ -27,17 +27,19 @@ The Helm chart for Policy Controller
| cosign.webhookName | string | `"policy.sigstore.dev"` | |
| imagePullSecrets | list | `[]` | |
| installCRDs | bool | `true` | |
| webhook.configData | object | `{}` | Set the data of the `policy-config-controller` configmap |
| webhook.webhookNames.defaulting | string | `"defaulting.clusterimagepolicy.sigstore.dev"` | |
| webhook.webhookNames.validating | string | `"validating.clusterimagepolicy.sigstore.dev"` | |
| leasescleanup.image.pullPolicy | string | `"IfNotPresent"` | |
| leasescleanup.image.repository | string | `"cgr.dev/chainguard/kubectl"` | |
| leasescleanup.image.version | string | `"1.26.0"` | |
| leasescleanup.securityContext.enabled | bool | `false` | |
| serviceMonitor.enabled | bool | `false` | |
| webhook.configData | object | `{}` | |
| webhook.env | object | `{}` | |
| webhook.extraArgs | object | `{}` | |
| webhook.failurePolicy | string | `"Fail"` | |
| webhook.image.pullPolicy | string | `"IfNotPresent"` | |
| webhook.image.repository | string | `"ghcr.io/sigstore/policy-controller/policy-controller"` | |
| webhook.image.version | string | `"sha256:e91bcd954394b414d3b80adfc2cefdae84dd7985fb938a895471eb34aac57744"` | `"v0.8.0"` |
| webhook.image.version | string | `"sha256:e91bcd954394b414d3b80adfc2cefdae84dd7985fb938a895471eb34aac57744"` | |
| webhook.name | string | `"webhook"` | |
| webhook.failurePolicy | string | `"Fail"` | |
| webhook.namespaceSelector.matchExpressions[0].key | string | `"policy.sigstore.dev/include"` | |
| webhook.namespaceSelector.matchExpressions[0].operator | string | `"In"` | |
| webhook.namespaceSelector.matchExpressions[0].values[0] | string | `"true"` | |
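Review bot: two descriptions are lost in the reordered table: `webhook.configData` drops "Set the data of the `policy-config-controller` configmap" and `webhook.image.version` drops its `"v0.8.0"` annotation, while the new `leasescleanup.securityContext.enabled` row has no description at all. If this table is produced by helm-docs, put those descriptions into `# --` comments in values.yaml so they survive the next regeneration; otherwise restore them here and add one for the new toggle.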
Expand All @@ -48,8 +50,8 @@ The Helm chart for Policy Controller
| webhook.podSecurityContext.runAsUser | int | `1000` | |
| webhook.registryCaBundle | object | `{}` | |
| webhook.replicaCount | int | `1` | |
| webhook.resources.limits.cpu | string | `"100m"` | |
| webhook.resources.limits.memory | string | `"256Mi"` | |
| webhook.resources.limits.cpu | string | `"200m"` | |
| webhook.resources.limits.memory | string | `"512Mi"` | |
| webhook.resources.requests.cpu | string | `"100m"` | |
| webhook.resources.requests.memory | string | `"128Mi"` | |
| webhook.securityContext.enabled | bool | `false` | |
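Review bot: the `webhook.resources.limits.cpu` (`100m` to `200m`) and `webhook.resources.limits.memory` (`256Mi` to `512Mi`) rows change with no matching values.yaml change in this commit and are unrelated to the leases-cleanup security context. Either the README is catching up with an earlier values.yaml change, in which case the commit message should say so, or the README and values.yaml have diverged and the README is now wrong; worth checking against values.yaml before merging.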
Expand All @@ -62,9 +64,8 @@ The Helm chart for Policy Controller
| webhook.serviceAccount.name | string | `""` | |
| webhook.volumeMounts | list | `[]` | |
| webhook.volumes | list | `[]` | |
| leasescleanup.image.pullPolicy | string | `"IfNotPresent"` | |
| leasescleanup.image.repository | string | `"cgr.dev/chainguard/kubectl"` | |
| leasescleanup.image.version | string | `"1.26.0"` | |
| webhook.webhookNames.defaulting | string | `"defaulting.clusterimagepolicy.sigstore.dev"` | |
| webhook.webhookNames.validating | string | `"validating.clusterimagepolicy.sigstore.dev"` | |

### Deploy `policy-controller` Helm Chart

[file name not shown on this page: the leases-cleanup Job template]
Expand Up @@ -25,6 +25,12 @@ spec:
- -c
- kubectl delete leases --all --ignore-not-found -n {{ .Release.Namespace }}
restartPolicy: OnFailure
{{- if .Values.leasescleanup.securityContext.enabled }}
securityContext:
{{- with .Values.leasescleanup.securityContext }}
{{- omit . "enabled" | toYaml | nindent 8}}
{{- end }}
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
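Review bot: the new `securityContext:` is rendered as a sibling of `restartPolicy`, i.e. at pod level, so it becomes a `PodSecurityContext`, yet the value key is `leasescleanup.securityContext`, which in this chart's existing convention (`webhook.podSecurityContext.*` for the pod, `webhook.securityContext.enabled` for the container) denotes the container-level context. Pod Security Admission's `restricted` profile requires container-level settings (`allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`) that cannot be expressed at this level, so the stated goal of running under PSA is only partly met. Suggest either renaming the key to `leasescleanup.podSecurityContext` and adding a second toggle that renders into the `kubectl` container's own `securityContext:` (with `nindent` adjusted to the container's indentation), or moving this block into the container. Minor: the `{{- with }}` inside `{{- if }}` is redundant since the `if` already guarantees the map exists, and `nindent 8}}` is missing the space before `}}`.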
8 changes: 8 additions & 0 deletions charts/policy-controller/values.schema.json
Expand Up @@ -42,6 +42,14 @@
}
}
}
},
"securityContext": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
}
}
}
},
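Review bot: the schema declares only `enabled` and leaves `additionalProperties` unset, which is necessary because every other key is passed through by `omit . "enabled"`, but it also means a misspelled field (say `runAsNonroot`) is accepted by `helm install` and then, depending on the API server's field validation mode, either rejected or dropped with a warning, defeating the hardening the user thought they enabled. Consider enumerating the expected PodSecurityContext fields (`runAsUser`, `runAsNonRoot`, `fsGroup`, `seccompProfile`) with their types and setting `additionalProperties: false`, so typos fail at template time instead.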
"serviceMonitor": {
9 changes: 9 additions & 0 deletions charts/policy-controller/values.yaml
Expand Up @@ -65,6 +65,15 @@ leasescleanup:
repository: cgr.dev/chainguard/kubectl
version: 1.26.0
pullPolicy: IfNotPresent
## set pod security context options to harden the pod or allow exceptions
securityContext:
enabled: false
# allowPrivilegeEscalation: false
# readOnlyRootFilesystem: true
# runAsUser: 1000
# capabilities:
# drop:
# - ALL

## common node selector for all the pods
commonNodeSelector: {}
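Review bot: the commented examples mix levels: `allowPrivilegeEscalation`, `readOnlyRootFilesystem` and `capabilities.drop` exist only on a container `securityContext`, not on the pod-level `PodSecurityContext` this block is rendered into (the comment above it even says "pod security context"). A user who uncomments them gets no hardening from those lines and, depending on the API server's field validation, an error; only `runAsUser` would take effect. Replace the examples with pod-level fields that PSA actually checks, such as `runAsNonRoot: true` and `seccompProfile: { type: RuntimeDefault }`, and keep the container-only fields for a container-level block. Also worth stating in the comment that with `enabled: false` the Job runs with no security context at all, so namespaces that enforce PSA have to opt in explicitly.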