fix: fix load balancer bits

bendehaan · bendehaan · commit dfcebacc33ea · 2023-03-10T16:26:02.000+01:00
diff --git a/aws/k8s-aws-alb-script.sh b/aws/k8s-aws-alb-script.sh
@@ -42,6 +42,10 @@ echo "do helm eks application"
 helm repo add eks https://aws.github.io/eks-charts
 helm repo update
 
+LOAD_BALANCER_CONTROLLER_ROLE_ARN="$(terraform output -raw load_balancer_controller_role_arn)"
+kubectl create serviceaccount -n kube-system aws-load-balancer-controller
+kubectl annotate serviceaccount -n kube-system --overwrite aws-load-balancer-controller eks.amazonaws.com/role-arn=${LOAD_BALANCER_CONTROLLER_ROLE_ARN}
+
 echo "upgrade alb controller with helm"
 helm upgrade -i aws-load-balancer-controller \
   eks/aws-load-balancer-controller \
diff --git a/aws/k8s/workspace-psa.yml b/aws/k8s/workspace-psa.yml
@@ -3,5 +3,6 @@ kind: Namespace
 metadata:
   name: default
   labels:
-    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/audit: restricted
+    # pod-security.kubernetes.io/enforce: baseline
     kubernetes.io/metadata.name: default
diff --git a/aws/outputs.tf b/aws/outputs.tf
@@ -54,6 +54,16 @@ output "cluster_autoscaler_role_arn" {
   value       = module.cluster_autoscaler_irsa_role.iam_role_arn
 }
 
+output "load_balancer_controller_role" {
+  description = "Load balancer controller role"
+  value       = module.load_balancer_controller_irsa_role.iam_role_name
+}
+
+output "load_balancer_controller_role_arn" {
+  description = "Load balancer controller role arn"
+  value       = module.load_balancer_controller_irsa_role.iam_role_arn
+}
+
 output "state_bucket_name" {
   description = "Terraform s3 state bucket name"
   value       = split(":", var.state_bucket_arn)[length(split(":", var.state_bucket_arn)) - 1]
diff --git a/helm/wrongsecrets-ctf-party/templates/wrongsecrets-balancer/deployment.yaml b/helm/wrongsecrets-ctf-party/templates/wrongsecrets-balancer/deployment.yaml
@@ -23,6 +23,8 @@ spec:
         runAsUser: 1000
         runAsGroup: 3000
         fsGroup: 2000
+        seccompProfile:
+          type: RuntimeDefault
       serviceAccountName: wrongsecrets-balancer
       containers:
         - name: {{ .Chart.Name }}
@@ -96,6 +98,8 @@ spec:
               add:
                 - CAP_NET_ADMIN
                 - CAP_NET_BIND_SERVICE
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: config-volume
               mountPath: /home/app/config/
