feat: Add support for PodSecurityPolicy

James Alseth · shaimendel · commit e8fce325cb8d · 2020-09-24T11:52:53.000+03:00
diff --git a/snyk-monitor/README.md b/snyk-monitor/README.md
@@ -126,6 +126,21 @@ helm upgrade --install ... \
   --set no_proxy=long.domain.name.local,example.local
 ```
 
+## PodSecurityPolicies
+**This should not be used when installing on OpenShift.**
+
+Using PodSecurityPolicies can be achieved by setting the following values in the Helm chart:
+* psp.enabled - default is `false`. Set to `true` if PodSecurityPolicy is needed
+* psp.name - default is empty. Leave it empty if you want us to install the necessary PodSecurityPolicy. Modify it to specify an existing PodSecurityPolicy rather than creating a new one.
+
+For example:
+```bash
+helm upgrade --install snyk-monitor snyk-charts/snyk-monitor \
+  --namespace snyk-monitor \
+  --set clusterName="Production cluster" \
+  --set psp.enabled=true
+```
+
 ## Terms and conditions ##
 
 *The Snyk Container Kubernetes integration uses Red Hat UBI (Universal Base Image).*
diff --git a/snyk-monitor/templates/clusterrole.yaml b/snyk-monitor/templates/clusterrole.yaml
@@ -53,4 +53,16 @@ rules:
   - get
   - list
   - watch
+{{- if .Values.psp.enabled }}
+- apiGroups:
+  - policy
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - get
+  - list
+  - use
+  resourceNames:
+  - {{ if eq .Values.psp.name "" }}{{ include "snyk-monitor.name" . }}{{ else }}{{ .Values.psp.name }}{{- end }}
+{{- end }}
 {{- end }}
diff --git a/snyk-monitor/templates/psp.yaml b/snyk-monitor/templates/psp.yaml
@@ -0,0 +1,32 @@
+{{- if .Values.psp.enabled }}{{- if eq .Values.psp.name "" }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ include "snyk-monitor.name" . }}
+spec:
+  allowPrivilegeEscalation: false
+  requiredDropCapabilities:
+  - ALL
+  fsGroup:
+    rule: MustRunAs
+    ranges:
+      - min: 1
+        max: 65535
+  seLinux:
+    rule: RunAsAny
+  runAsUser:
+    rule: MustRunAsNonRoot
+  supplementalGroups:
+    rule: MustRunAs
+    ranges:
+      - min: 1
+        max: 65535
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  readOnlyRootFilesystem: true
+  volumes:
+    - secret
+    - configMap
+    - emptyDir
+{{- end }}{{- end }}
diff --git a/snyk-monitor/templates/role.yaml b/snyk-monitor/templates/role.yaml
@@ -51,4 +51,16 @@ rules:
   - get
   - list
   - watch
+{{- if .Values.psp.enabled }}
+- apiGroups:
+  - policy
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - get
+  - list
+  - use
+  resourceNames:
+  - {{ if eq .Values.psp.name "" }}{{ include "snyk-monitor.name" . }}{{ else }}{{ .Values.psp.name }}{{- end }}
+{{- end }}
 {{- end }}
diff --git a/snyk-monitor/values.yaml b/snyk-monitor/values.yaml
@@ -45,3 +45,7 @@ https_proxy:
 no_proxy:
 
 nodeSelector: {}
+
+psp:
+  enabled: false
+  name: ""
diff --git a/test/helpers/kubectl.ts b/test/helpers/kubectl.ts
@@ -211,3 +211,16 @@ async function getLatestStableK8sRelease(): Promise<string> {
   console.log(`The latest stable K8s release is ${k8sRelease}`);
   return k8sRelease;
 }
+
+export async function verifyPodSecurityPolicy(name: string): Promise<boolean> {
+  console.log(`Trying to find Pod Security Policy ${name}`);
+  for (let attempt = 0; attempt < 60; attempt++) {
+    try {
+      await exec(`./kubectl get podsecuritypolicy ${name}`);
+      return true;
+    } catch (err) {
+      await sleep(500);
+    }
+  }
+  return false;
+}
diff --git a/test/integration/kubernetes.test.ts b/test/integration/kubernetes.test.ts
@@ -366,6 +366,18 @@ tap.test('snyk-monitor has nodeSelector', async (t) => {
   t.ok('nodeSelector' in spec, 'snyk-monitor has nodeSelector');
 });
 
+tap.test('snyk-monitor has PodSecurityPolicy', async (t) => {
+  t.plan(1);
+
+  if (process.env['DEPLOYMENT_TYPE'] !== 'Helm') {
+    t.pass('Not testing PodSecurityPolicy because we\'re not installing with Helm');
+    return;
+  }
+
+  const pspExists = await kubectl.verifyPodSecurityPolicy('snyk-monitor');
+  t.ok(pspExists, 'PodSecurityPolicy was deployed');
+});
+
 tap.test('snyk-monitor secure configuration is as expected', async (t) => {
   const kubeConfig = new KubeConfig();
   kubeConfig.loadFromDefault();
diff --git a/test/setup/deployers/helm.ts b/test/setup/deployers/helm.ts
@@ -30,7 +30,8 @@ async function deployKubernetesMonitor(
       `--set image.tag=${imageTag} ` +
       `--set image.pullPolicy=${imagePullPolicy} ` +
       '--set integrationApi=https://kubernetes-upstream.dev.snyk.io ' +
-      '--set nodeSelector."kubernetes\\.io/os"=linux'
+      '--set nodeSelector."kubernetes\\.io/os"=linux ' +
+      '--set psp.enabled=true'
   );
   console.log(`Deployed ${imageOptions.nameAndTag} with pull policy ${imageOptions.pullPolicy}`);
 }
