FEATURE/MAJOR: haproxy: add PSP for sysctl and remove privileged containers use (#144)

* feat(haproxy): added PSP for sysctl, not used privileged containers
* fix(haproxy): added Values.serviceAccount.annotations

Author: Infusible

haproxy/templates/podsecuritypolicy.yaml

@@ -14,25 +14,35 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
-{{- if .Values.podSecurityPolicy.create -}}
+{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}}
 {{- $useHostNetwork := .Values.daemonset.useHostNetwork -}}
 {{- $useHostPort := .Values.daemonset.useHostPort -}}
 {{- $hostPorts := .Values.daemonset.hostPorts -}}
+{{- if .Capabilities.APIVersions.Has "policy/v1/PodSecurityPolicy" }}
+apiVersion: policy/v1
+{{- else }}
 apiVersion: policy/v1beta1
+{{- end }}
 kind: PodSecurityPolicy
 metadata:
   name: {{ include "haproxy.fullname" . }}
   labels:
     {{- include "haproxy.labels" . | nindent 4 }}
+{{- if .Values.podSecurityPolicy.annotations }}
+  annotations:
+{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }}
+{{- else }}
   annotations:
     seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
     apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
     seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
     apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
+{{- end }}
 spec:
-  allowPrivilegeEscalation: true    # to be able to use privileged containers for initContainers
+  allowPrivilegeEscalation: false
   allowedCapabilities:
     - NET_BIND_SERVICE
+  defaultAllowPrivilegeEscalation: false
   fsGroup:
     rule: MustRunAs
     ranges:
@@ -50,7 +60,7 @@ spec:
 {{- end }}
   hostIPC: false
   hostPID: false
-  privileged: true
+  privileged: false
   runAsUser:
     rule: RunAsAny
   seLinux:
@@ -65,4 +75,8 @@ spec:
     - emptyDir
     - projected
     - secret
+  {{- with .Values.podSecurityPolicy.allowedUnsafeSysctls }}
+  allowedUnsafeSysctls:
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
 {{- end }}

haproxy/templates/role.yaml

@@ -0,0 +1,34 @@
+{{/*
+Copyright 2019 HAProxy Technologies LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "haproxy.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "haproxy.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+  - "policy"
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+  resourceNames:
+  - {{ include "haproxy.fullname" . }}
+{{- end -}}

haproxy/templates/rolebinding.yaml

@@ -0,0 +1,33 @@
+{{/*
+Copyright 2019 HAProxy Technologies LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "haproxy.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "haproxy.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "haproxy.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "haproxy.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end -}}

haproxy/values.yaml

@@ -17,6 +17,7 @@
 ## Configure Service Account
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
 serviceAccount:
+  annotations: {}
   create: true
   name:
 
@@ -297,14 +298,56 @@ podLabels: {}
 podAnnotations: {}
 #  key: value
 
+## Enable RBAC Authorization
+## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
+rbac:
+  create: true
+
 ## Disableable use of Pod Security Policy
 ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
 podSecurityPolicy:
-  create: true
+  annotations: {}
+    ## Specify pod annotations
+    ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor
+    ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
+    ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl
+
+    ### WARNING!!! "Apparmor is only available Ubuntu/Debian distributions of Linux."
+
+    # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+    # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+    # seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
+    # seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
+  enabled: false
+  # ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/
+  # Enable only when added kublet arg: --allowed-unsafe-sysctls strings
+  allowedUnsafeSysctls:
+    # - net.*
 
 ## Pod Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 podSecurityContext: {}
+  ### ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
+  ### Sysctls enable only when added kublet arg: --allowed-unsafe-sysctls strings
+  # sysctls:
+  #   - name: net.ipv4.tcp_rmem
+  #     value: 4096 16060 262144
+  #   - name: net.ipv4.tcp_wmem
+  #     value: 4096 16384 262144
+  #   - name: net.ipv4.tcp_tw_reuse
+  #     value: "1"
+  #   - name: net.ipv4.ip_local_port_range
+  #     value: 1024 65023
+  #   - name: net.ipv4.tcp_max_syn_backlog
+  #     value: "60000"
+  #   - name: net.ipv4.tcp_fin_timeout
+  #     value: "30"
+  #   - name: net.ipv4.tcp_synack_retries
+  #     value: "3"
+  #   - name: net.ipv4.ip_nonlocal_bind
+  #     value: "1"
+  #   - name: net.core.somaxconn
+  #     value: "60000"
 
 ## Container Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/