From 1237843e62bb46395ae7b4eca760a87f2d172dc4 Mon Sep 17 00:00:00 2001
From: ArthurSens <arthursens2005@gmail.com>
Date: Fri, 5 Mar 2021 20:14:19 +0000
Subject: [PATCH] Adds an addon for podSecurityPolicies
Signed-off-by: ArthurSens <arthursens2005@gmail.com>
---
 examples/pod-security-policies.jsonnet | 23 ++
 .../addons/podsecuritypolicies.libsonnet | 242 ++++++++++++++++++
 2 files changed, 265 insertions(+)
 create mode 100644 examples/pod-security-policies.jsonnet
 create mode 100644 jsonnet/kube-prometheus/addons/podsecuritypolicies.libsonnet
diff --git a/examples/pod-security-policies.jsonnet b/examples/pod-security-policies.jsonnet
new file mode 100644
index 00000000..3274c937
--- /dev/null
+++ b/examples/pod-security-policies.jsonnet
@@ -0,0 +1,23 @@
+local kp =
+ (import 'kube-prometheus/main.libsonnet') +
+ (import 'kube-prometheus/addons/podsecuritypolicies.libsonnet');
+
+{ 'setup/0namespace-namespace': kp.kubePrometheus.namespace } +
+// Add the restricted psp to setup
+{ 'setup/0podsecuritypolicy-restricted': kp.restrictedPodSecurityPolicy } +
+{
+ ['setup/prometheus-operator-' + name]: kp.prometheusOperator[name]
+ for name in std.filter((function(name) name != 'serviceMonitor' && name != 'prometheusRule'), std.objectFields(kp.prometheusOperator))
+} +
+// serviceMonitor and prometheusRule are separated so that they can be created after the CRDs are ready
+{ 'prometheus-operator-serviceMonitor': kp.prometheusOperator.serviceMonitor } +
+{ 'prometheus-operator-prometheusRule': kp.prometheusOperator.prometheusRule } +
+{ 'kube-prometheus-prometheusRule': kp.kubePrometheus.prometheusRule } +
+{ ['alertmanager-' + name]: kp.alertmanager[name] for name in std.objectFields(kp.alertmanager) } +
+{ ['blackbox-exporter-' + name]: kp.blackboxExporter[name] for name in std.objectFields(kp.blackboxExporter) } +
+{ ['grafana-' + name]: kp.grafana[name] for name in std.objectFields(kp.grafana) } +
+{ ['kube-state-metrics-' + name]: kp.kubeStateMetrics[name] for name in std.objectFields(kp.kubeStateMetrics) } +
+{ ['kubernetes-' + name]: kp.kubernetesControlPlane[name] for name in std.objectFields(kp.kubernetesControlPlane) }
+{ ['node-exporter-' + name]: kp.nodeExporter[name] for name in std.objectFields(kp.nodeExporter) } +
+{ ['prometheus-' + name]: kp.prometheus[name] for name in std.objectFields(kp.prometheus) } +
+{ ['prometheus-adapter-' + name]: kp.prometheusAdapter[name] for name in std.objectFields(kp.prometheusAdapter) }
diff --git a/jsonnet/kube-prometheus/addons/podsecuritypolicies.libsonnet b/jsonnet/kube-prometheus/addons/podsecuritypolicies.libsonnet
new file mode 100644
index 00000000..32ef6176
--- /dev/null
+++ b/jsonnet/kube-prometheus/addons/podsecuritypolicies.libsonnet
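Review bot: The `['kubernetes-' + name]` line appears to be the only object in the chain with no trailing `+` (the `['node-exporter-' + name]` object follows it directly), so it relies on jsonnet's implicit object application while every other line uses the explicit operator; if the collapsed layout is faithful, add the operator for consistency: `{ ['kubernetes-' + name]: kp.kubernetesControlPlane[name] for name in std.objectFields(kp.kubernetesControlPlane) } +`. The `// Add the restricted psp to setup` comment could also state why the `setup/` prefix matters, e.g. `// The restricted PSP lives under setup/ so it is applied before the workloads whose RBAC grants 'use' on it`.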
@@ -0,0 +1,242 @@
+local restrictedPodSecurityPolicy = {
+ apiVersion: 'policy/v1beta1',
+ kind: 'PodSecurityPolicy',
+ metadata: {
+ name: 'restricted',
+ },
+ spec: {
+ privileged: false,
+ // Required to prevent escalations to root.
+ allowPrivilegeEscalation: false,
+ // This is redundant with non-root + disallow privilege escalation,
+ // but we can provide it for defense in depth.
+ requiredDropCapabilities: ['ALL'],
+ // Allow core volume types.
+ volumes: [
+ 'configMap',
+ 'emptyDir',
+ 'secret',
+ // Assume that persistentVolumes set up by the cluster admin are safe to use.
+ 'persistentVolumeClaim',
+ ],
+ hostNetwork: false,
+ hostIPC: false,
+ hostPID: false,
+ runAsUser: {
+ // Require the container to run without root privileges.
+ rule: 'MustRunAsNonRoot',
+ },
+ seLinux: {
+ // This policy assumes the nodes are using AppArmor rather than SELinux.
+ rule: 'RunAsAny',
+ },
+ supplementalGroups: {
+ rule: 'MustRunAs',
+ ranges: [{
+ // Forbid adding the root group.
+ min: 1,
+ max: 65535,
+ }],
+ },
+ fsGroup: {
+ rule: 'MustRunAs',
+ ranges: [{
+ // Forbid adding the root group.
+ min: 1,
+ max: 65535,
+ }],
+ },
+ readOnlyRootFilesystem: false,
+ },
+};
+
+{
+ restrictedPodSecurityPolicy: restrictedPodSecurityPolicy,
+
+ alertmanager+: {
+ role: {
+ apiVersion: 'rbac.authorization.k8s.io/v1',
+ kind: 'Role',
+ metadata: {
+ name: 'alertmanager-' + $.values.alertmanager.name,
+ },
+ rules: [{
+ apiGroups: ['policy'],
+ resources: ['podsecuritypolicies'],
+ verbs: ['use'],
+ resourceNames: [restrictedPodSecurityPolicy.metadata.name],
+ }],
+ },
+
+ roleBinding: {
+ apiVersion: 'rbac.authorization.k8s.io/v1',
+ kind: 'RoleBinding',
+ metadata: {
+ name: 'alertmanager-' + $.values.alertmanager.name,
+ },
+ roleRef: {
+ apiGroup: 'rbac.authorization.k8s.io',
+ kind: 'Role',
+ name: 'alertmanager-' + $.values.alertmanager.name,
+ },
+ subjects: [{
+ kind: 'ServiceAccount',
+ name: 'alertmanager-' + $.values.alertmanager.name,
+ namespace: $.values.alertmanager.namespace,
+ }],
+ },
+ },
+
+ blackboxExporter+: {
+ clusterRole+: {
+ rules+: [
+ {
+ apiGroups: ['policy'],
+ resources: ['podsecuritypolicies'],
+ verbs: ['use'],
+ resourceNames: ['blackbox-exporter-psp'],
+ },
+ ],
+ },
+
+ podSecurityPolicy:
+ local blackboxExporterPspPrivileged =
+ if $.blackboxExporter.config.privileged then
+ {
+ metadata+: {
+ name: 'blackbox-exporter-psp',
+ },
+ spec+: {
+ privileged: true,
+ allowedCapabilities: ['NET_RAW'],
+ runAsUser: {
+ rule: 'RunAsAny',
+ },
+ },
+ }
+ else
+ {};
+
+ restrictedPodSecurityPolicy + blackboxExporterPspPrivileged,
+ },
+
+ grafana+: {
+ role: {
+ apiVersion: 'rbac.authorization.k8s.io/v1',
+ kind: 'Role',
+ metadata: {
+ name: 'grafana',
+ },
+ rules: [{
+ apiGroups: ['policy'],
+ resources: ['podsecuritypolicies'],
+ verbs: ['use'],
+ resourceNames: [restrictedPodSecurityPolicy.metadata.name],
+ }],
+ },
+
+ roleBinding: {
+ apiVersion: 'rbac.authorization.k8s.io/v1',
+ kind: 'RoleBinding',
+ metadata: {
+ name: 'grafana',
+ },
+ roleRef: {
+ apiGroup: 'rbac.authorization.k8s.io',
+ kind: 'Role',
+ name: 'grafana',
+ },
+ subjects: [{
+ kind: 'ServiceAccount',
+ name: $.grafana.serviceAccount.metadata.name,
+ namespace: $.grafana.serviceAccount.metadata.namespace,
+ }],
+ },
+ },
+
+ kubeStateMetrics+: {
+ clusterRole+: {
+ rules+: [{
+ apiGroups: ['policy'],
+ resources: ['podsecuritypolicies'],
+ verbs: ['use'],
+ resourceNames: [restrictedPodSecurityPolicy.metadata.name],
+ }],
+ },
+ },
+
+ nodeExporter+: {
+ clusterRole+: {
+ rules+: [{
+ apiGroups: ['policy'],
+ resources: ['podsecuritypolicies'],
+ verbs: ['use'],
+ resourceNames: ['node-exporter-psp'],
+ }],
+ },
+
+ podSecurityPolicy: restrictedPodSecurityPolicy {
+ metadata+: {
+ name: 'node-exporter-psp',
+ },
+ spec+: {
+ allowedHostPaths+: [
+ {
+ pathPrefix: '/proc',
+ readOnly: true,
+ },
+ {
+ pathPrefix: '/sys',
+ readOnly: true,
+ },
+ {
+ pathPrefix: '/',
+ readOnly: true,
+ },
+ ],
+ hostNetwork: true,
+ hostPID: true,
+ hostPorts: [
+ {
+ max: 9100,
+ min: 9100,
+ },
+ ],
+ readOnlyRootFilesystem: true,
+ },
+ },
+ },
+
+ prometheusAdapter+: {
+ clusterRole+: {
+ rules+: [{
+ apiGroups: ['policy'],
+ resources: ['podsecuritypolicies'],
+ verbs: ['use'],
+ resourceNames: [restrictedPodSecurityPolicy.metadata.name],
+ }],
+ },
+ },
+
+ prometheusOperator+: {
+ clusterRole+: {
+ rules+: [{
+ apiGroups: ['policy'],
+ resources: ['podsecuritypolicies'],
+ verbs: ['use'],
+ resourceNames: [restrictedPodSecurityPolicy.metadata.name],
+ }],
+ },
+ },
+
+ prometheus+: {
+ clusterRole+: {
+ rules+: [{
+ apiGroups: ['policy'],
+ resources: ['podsecuritypolicies'],
+ verbs: ['use'],
+ resourceNames: [restrictedPodSecurityPolicy.metadata.name],
+ }],
+ },
+ },
+}
-- 
GitLab
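Review bot: The alertmanager and grafana `role`/`roleBinding` objects set only `metadata.name` and no `metadata.namespace`, so they land in whatever namespace the applying kubectl context selects rather than the one the ServiceAccount subjects live in; PSP `use` is authorized against the namespace of the pod being admitted, so a Role/RoleBinding that ends up elsewhere does not authorize these pods. Add the namespace beside the name on both the Role and the RoleBinding, e.g. `metadata: { name: 'alertmanager-' + $.values.alertmanager.name, namespace: $.values.alertmanager.namespace },` and `metadata: { name: 'grafana', namespace: $.grafana.serviceAccount.metadata.namespace },`. Separately, in `blackboxExporter.podSecurityPolicy` the `else {}` branch leaves the emitted PSP named `restricted` while the clusterRole grants `use` only on `'blackbox-exporter-psp'`, so a non-privileged deployment ships a duplicate of the restricted PSP plus a grant that references no object; move `metadata+: { name: 'blackbox-exporter-psp' }` out of the conditional, or make the else branch `{ metadata+: { name: 'blackbox-exporter-psp' } }`. If the privileged blackbox configuration only needs `NET_RAW` for ICMP probes, `privileged: true` on that PSP is far broader than the `allowedCapabilities: ['NET_RAW']` it sits beside and also makes the inherited `requiredDropCapabilities: ['ALL']` moot; worth confirming against what `$.blackboxExporter.config.privileged` actually changes in the pod spec, which is defined outside this hunk.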