Skip to content

Role bindings, service accounts, [openshift] security context constraints for keylime agents #76

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
galmasi wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Role bindings, service accounts, [openshift] security context constraints for keylime agents #76

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
2dff471
Initial commit for enabling a service account, role bindings and secu…
Mar 20, 2024
a368f73
typo fix: broken jinja syntax in the keylime agent daemon set
Apr 10, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 14 additions & 0 deletions build/helm/keylime/charts/keylime-agent/templates/_helpers.tpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,20 @@ Create the name of the service account to use
{{- end }}
{{- end }}

{{/*
Create the name of the role to use
*/}}
{{- define "agent.roleName" -}}
{{- default (include "agent.fullname" .) .Values.role.name }}
{{- end }}

{{/*
Create the name of the role binding to use
*/}}
{{- define "agent.roleBindingName" -}}
{{- default (include "agent.fullname" .) .Values.roleBinding.name }}
{{- end }}

{{/*
Expand to the name of the config map to be used
*/}}
Expand Down
6 changes: 6 additions & 0 deletions build/helm/keylime/charts/keylime-agent/templates/daemonset.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,9 @@ spec:
selector:
matchLabels:
{{- include "agent.selectorLabels" . | nindent 6 }}
{{- if .Values.serviceAccount.create -}}
Copy link
Collaborator

@mayaCostantini mayaCostantini Mar 28, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There might also be an indentation issue here:

Suggested change
{{- if .Values.serviceAccount.create -}}
{{- if .Values.serviceAccount.create -}}

Copy link
Author

@galmasi galmasi Apr 10, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe the spacing of jinja conditionals does not matter, however the spacing of stanzas covered under jinja conditionals does. That being said, I believe that the service account specification in the case you are pointing out should be associated with the spec not the selector. I should probably move the declaration to make it less ambiguous or easier to read, but experimentation seems to confirm that it's at least correct. Let me know if you think otherwise.

serviceAccountName: {{ include "agent.serviceAccountName" . }}
{{- end }}
Copy link
Contributor

@mheese mheese Apr 11, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

serviceAccountName should be part of the spec, and I can see it already below here. Or is there something new going on which I'm missing?

template:
metadata:
{{- with .Values.podAnnotations }}
Expand All @@ -21,7 +24,9 @@ spec:
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.serviceAccount.create -}}
serviceAccountName: {{ include "agent.serviceAccountName" . }}
{{- end }}
initContainers:
- name: {{ .Chart.Name }}-init
env:
Expand Down Expand Up @@ -167,6 +172,7 @@ spec:
selector:
matchLabels:
{{- include "agentplugin.selectorLabels" . | nindent 6 }}
serviceAccountName: {{ include "agent.serviceAccountName" . }}
Copy link
Contributor

@mheese mheese Apr 11, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

serviceAccountName should be part of the spec, and I can see it already below here. Or is there something new going on which I'm missing?

template:
metadata:
{{- with .Values.podAnnotations }}
Expand Down
19 changes: 19 additions & 0 deletions build/helm/keylime/charts/keylime-agent/templates/role.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
{{ if .Values.global.openshift }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "agent.roleName" . }}
rules:
- apiGroups:
- security.openshift.io
resources:
- securitycontextconstraints
resourceNames:
{{ if .Values.global.service.agent.privileged }}
- privileged
{{ else }}
- hostmount-anyuid
{{ end }}
verbs:
- use
{{ end }}
14 changes: 14 additions & 0 deletions build/helm/keylime/charts/keylime-agent/templates/rolebinding.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
{{ if .Values.global.openshift }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "agent.roleBindingName" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "agent.roleName" . }}
subjects:
- kind: ServiceAccount
name: {{ include "agent.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{ end }}
5 changes: 5 additions & 0 deletions build/helm/keylime/charts/keylime-agent/values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,11 @@ serviceAccount:
# If not set and create is true, a name is generated using the fullname template
name: ""

role:
name: ""
roleBinding:
name: ""

podAnnotations: {}

# command (and args) for regular operation
Expand Down