From 9773b117fd9a6e7e6777435bef85887107503c17 Mon Sep 17 00:00:00 2001
From: Terje Sannum
Date: Wed, 15 Jan 2020 16:51:50 +0100
Subject: [PATCH] helm: add podsecuritypolicy for fluent-bit (#1506)

---
 production/helm/fluent-bit/Chart.yaml | 2 +-
 .../templates/podsecuritypolicy.yaml | 33 +++++++++++++++++++
 .../helm/fluent-bit/templates/role.yaml | 19 +++++++++++
 .../fluent-bit/templates/rolebinding.yaml | 19 +++++++++++
 production/helm/loki-stack/Chart.yaml | 2 +-
 5 files changed, 73 insertions(+), 2 deletions(-)
 create mode 100644 production/helm/fluent-bit/templates/podsecuritypolicy.yaml
 create mode 100644 production/helm/fluent-bit/templates/role.yaml
 create mode 100644 production/helm/fluent-bit/templates/rolebinding.yaml

diff --git a/production/helm/fluent-bit/Chart.yaml b/production/helm/fluent-bit/Chart.yaml
index 68d88c1fe184..b6a091e8c9db 100644
--- a/production/helm/fluent-bit/Chart.yaml
+++ b/production/helm/fluent-bit/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: "v1"
 name: fluent-bit
-version: 0.0.3
+version: 0.0.4
 appVersion: v0.0.1
 kubeVersion: "^1.10.0-0"
 description: "Uses fluent-bit Loki go plugin for gathering logs and sending them to Loki"
diff --git a/production/helm/fluent-bit/templates/podsecuritypolicy.yaml b/production/helm/fluent-bit/templates/podsecuritypolicy.yaml
new file mode 100644
index 000000000000..c347fdc7c617
--- /dev/null
+++ b/production/helm/fluent-bit/templates/podsecuritypolicy.yaml
@@ -0,0 +1,33 @@
+{{- if .Values.rbac.pspEnabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ template "fluent-bit-loki.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "fluent-bit-loki.name" . }}
+ chart: {{ template "fluent-bit-loki.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ privileged: false
+ allowPrivilegeEscalation: false
+ volumes:
+ - 'secret'
+ - 'configMap'
+ - 'hostPath'
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'RunAsAny'
+ fsGroup:
+ rule: 'RunAsAny'
+ readOnlyRootFilesystem: true
+ requiredDropCapabilities:
+ - ALL
+{{- end }}
diff --git a/production/helm/fluent-bit/templates/role.yaml b/production/helm/fluent-bit/templates/role.yaml
new file mode 100644
index 000000000000..036c2889a7a2
--- /dev/null
+++ b/production/helm/fluent-bit/templates/role.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "fluent-bit-loki.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "fluent-bit-loki.name" . }}
+ chart: {{ template "fluent-bit-loki.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+{{- if .Values.rbac.pspEnabled }}
+rules:
+- apiGroups: ['extensions']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames: [{{ template "fluent-bit-loki.fullname" . }}]
+{{- end }}
+{{- end }}
diff --git a/production/helm/fluent-bit/templates/rolebinding.yaml b/production/helm/fluent-bit/templates/rolebinding.yaml
new file mode 100644
index 000000000000..90315e85c11d
--- /dev/null
+++ b/production/helm/fluent-bit/templates/rolebinding.yaml
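Review bot: The `volumes` list in the PodSecurityPolicy permits `hostPath` with no `allowedHostPaths` restriction, so any pod admitted under this policy can mount an arbitrary host directory read-write, which undermines the hardening that `privileged: false`, `readOnlyRootFilesystem: true` and `requiredDropCapabilities: [ALL]` provide. Add an `allowedHostPaths` block naming only the host log directories the DaemonSet actually mounts (those mounts are outside this diff), each entry as `- pathPrefix: <host log dir>` with `readOnly: true`. Separately, PodSecurityPolicy is cluster-scoped, so `namespace: {{ .Release.Namespace }}` under `metadata` is meaningless and some tooling warns on it; drop that line. `runAsUser: RunAsAny` is presumably needed to read root-owned host logs and can stay, but a one-line comment above it saying so would stop a later reviewer from tightening it by mistake.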
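Review bot: The `use` rule in role.yaml grants `apiGroups: ['extensions']`, the legacy group, while the policy itself is created as `policy/v1beta1`; on newer releases within the chart's `^1.10.0-0` range the PSP admission controller authorizes `use` against the `policy` group, so the ServiceAccount would be denied and the fluent-bit pods would fail admission. Grant both groups so the rule holds across supported versions: `- apiGroups: ['policy', 'extensions']`. The template in `resourceNames: [{{ template "fluent-bit-loki.fullname" . }}]` sits unquoted inside a flow sequence; write it as `resourceNames: ["{{ template "fluent-bit-loki.fullname" . }}"]` so a release name containing YAML indicator characters cannot break the parse. When `rbac.pspEnabled` is false the Role is still rendered with no `rules` at all; since it has no other purpose, consider moving the `pspEnabled` condition to wrap the whole resource rather than just the rules.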
@@ -0,0 +1,19 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "fluent-bit-loki.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "fluent-bit-loki.name" . }}
+ chart: {{ template "fluent-bit-loki.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "fluent-bit-loki.fullname" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ template "fluent-bit-loki.serviceAccountName" . }}
+{{- end }}
diff --git a/production/helm/loki-stack/Chart.yaml b/production/helm/loki-stack/Chart.yaml
index c22802469f36..d7e5f0b2a431 100644
--- a/production/helm/loki-stack/Chart.yaml
+++ b/production/helm/loki-stack/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: "v1"
 name: loki-stack
-version: 0.24.0
+version: 0.25.0
 appVersion: v1.2.0
 kubeVersion: "^1.10.0-0"
 description: "Loki: like Prometheus, but for logs."
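Review bot: The ServiceAccount subject at `- kind: ServiceAccount` in rolebinding.yaml carries no `namespace`, and RBAC validation requires one for ServiceAccount subjects, so the API server rejects this RoleBinding and the install fails whenever `rbac.create` is set. Add `  namespace: {{ .Release.Namespace }}` under the subject's `name` line. It is also worth a comment above `roleRef` noting that it is immutable after creation, so a future rename of the Role requires the binding to be deleted and recreated rather than upgraded in place.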