
Add recommendation for namespacePSS (#131)
Co-authored-by: Marco Franssen <[email protected]>
kfox1111 and marcofranssen authored Dec 21, 2023
1 parent 0555c87 commit c39dd44
Showing 5 changed files with 45 additions and 24 deletions.
2 changes: 2 additions & 0 deletions charts/spire/README.md
Expand Up @@ -160,11 +160,13 @@ Now you can interact with the Spire agent socket from your own application. The
| `global.spire.upstreamServerAddress` | Set what address to use for the upstream server when using nested spire | `""` |
| `global.spire.recommendations.enabled` | Use recommended settings for production deployments. Default is off. | `false` |
| `global.spire.recommendations.namespaceLayout` | Set to true to use recommended values for installing across namespaces | `true` |
| `global.spire.recommendations.namespacePSS` | When chart namespace creation is enabled, label them with preffered Pod Security Standard labels | `true` |
| `global.spire.recommendations.priorityClassName` | Set to true to use recommended values for Pod Priority Class Names | `true` |
| `global.spire.recommendations.strictMode` | Check values, such as trustDomain, are overridden with a suitable value for production. | `true` |
| `global.spire.recommendations.securityContexts` | Set to true to use recommended values for Pod and Container Security Contexts | `true` |
| `global.spire.recommendations.prometheus` | Enable prometheus exporters for monitoring | `true` |
| `global.spire.image.registry` | Override all Spire image registries at once | `""` |
| `global.spire.namespaces.create` | Set to true to Create all namespaces. If this or either of the namespace specific create flags is set, the namespace will be created. | `false` |
| `global.spire.namespaces.system.name` | Name of the Spire system Namespace. | `spire-system` |
| `global.spire.namespaces.system.create` | Create a Namespace for Spire system resources. | `false` |
| `global.spire.namespaces.system.annotations` | Annotations to apply to the Spire system Namespace. | `{}` |
26 changes: 21 additions & 5 deletions charts/spire/templates/spire-server-namespace.yaml
@@ -1,14 +1,30 @@
{{- if .Values.global.spire.namespaces.server.create }}
{{- define "spire.namespace.default_server_labels" }}
"pod-security.kubernetes.io/warn": restricted
"pod-security.kubernetes.io/audit": restricted
"pod-security.kubernetes.io/enforce": restricted
{{- end }}
{{- if or .Values.global.spire.namespaces.create .Values.global.spire.namespaces.server.create }}
{{- $labels := dict }}
{{- if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespacePSS" true .Values.global) }}
{{- $labels = mergeOverwrite $labels (include "spire.namespace.default_server_labels" . | fromYaml) }}
{{- if (dig "openshift" false .Values.global) }}
{{- $_ := set $labels "security.openshift.io/scc.podSecurityLabelSync" "false" }}
{{- if (index .Values "spiffe-oidc-discovery-provider").enabled }}
{{- $_ := set $labels "pod-security.kubernetes.io/enforce" "privileged" }}
{{- end }}
{{- end }}
{{- end }}
{{- $labels = mergeOverwrite $labels .Values.global.spire.namespaces.server.labels }}
apiVersion: v1
kind: Namespace
metadata:
name: {{ .Values.global.spire.namespaces.server.name }}
{{- if .Values.global.spire.namespaces.server.labels }}
{{- with $labels }}
labels:
{{- .Values.global.spire.namespaces.server.labels | toYaml | nindent 4 }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if .Values.global.spire.namespaces.server.annotations }}
{{- with .Values.global.spire.namespaces.server.annotations }}
annotations:
{{- .Values.global.spire.namespaces.server.annotations | toYaml | nindent 4 }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
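Review bot: The OpenShift branch flips `pod-security.kubernetes.io/enforce` from `restricted` to `privileged` for the entire server namespace whenever `spiffe-oidc-discovery-provider` is enabled, and nothing in the template records what the provider needs that the restricted profile forbids, so the next reader is likely to revert it or copy it elsewhere. Add a template comment above the `set`, e.g. `{{- /* OpenShift: the OIDC discovery provider cannot run under the restricted profile (TODO: name the failing control); enforce is relaxed namespace-wide while warn/audit stay restricted */ -}}`, and if a single control is the problem consider `baseline` rather than `privileged`. Because `warn` and `audit` remain `restricted`, any pod that relies on the relaxation will still emit warn/audit events; say whether that is intended. Separately, this whole default-label block only runs when `global.spire.recommendations.enabled` is true, which the values.yaml hunk below keeps at `false`, so the OpenShift example that drops its explicit labels in this commit now depends on that flag being set elsewhere.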
23 changes: 18 additions & 5 deletions charts/spire/templates/spire-system-namespace.yaml
@@ -1,14 +1,27 @@
{{- if .Values.global.spire.namespaces.system.create }}
{{- define "spire.namespace.default_system_labels" }}
"pod-security.kubernetes.io/warn": privileged
"pod-security.kubernetes.io/audit": privileged
"pod-security.kubernetes.io/enforce": privileged
{{- end }}
{{- if or .Values.global.spire.namespaces.create .Values.global.spire.namespaces.system.create }}
{{- $labels := dict }}
{{- if and (dig "spire" "recommendations" "enabled" false .Values.global) (dig "spire" "recommendations" "namespacePSS" true .Values.global) }}
{{- $labels = mergeOverwrite $labels (include "spire.namespace.default_system_labels" . | fromYaml) }}
{{- if (dig "openshift" false .Values.global) }}
{{- $_ := set $labels "security.openshift.io/scc.podSecurityLabelSync" "false" }}
{{- end }}
{{- end }}
{{- $labels = mergeOverwrite $labels .Values.global.spire.namespaces.server.labels }}
apiVersion: v1
kind: Namespace
metadata:
name: {{ .Values.global.spire.namespaces.system.name }}
{{- if .Values.global.spire.namespaces.system.labels }}
{{- with $labels }}
labels:
{{- .Values.global.spire.namespaces.system.labels | toYaml | nindent 4 }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if .Values.global.spire.namespaces.system.annotations }}
{{- with .Values.global.spire.namespaces.system.annotations }}
annotations:
{{- .Values.global.spire.namespaces.system.annotations | toYaml | nindent 4 }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
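Review bot: The merge of operator-supplied labels in this template reads `.Values.global.spire.namespaces.server.labels`, but this is the system namespace, so `global.spire.namespaces.system.labels` is silently dropped and whatever was set for the server namespace is applied here instead. That matters because the two namespaces get different Pod Security Standard defaults in this commit (`privileged` here, `restricted` in the server template), so a server-specific override would land on the wrong namespace. The line should be `{{- $labels = mergeOverwrite $labels .Values.global.spire.namespaces.system.labels }}`. A render test that sets only `system.labels` and asserts they appear on the system Namespace would have caught the copy-paste.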
4 changes: 4 additions & 0 deletions charts/spire/values.yaml
Expand Up @@ -23,13 +23,15 @@ global:

## @param global.spire.recommendations.enabled Use recommended settings for production deployments. Default is off.
## @param global.spire.recommendations.namespaceLayout Set to true to use recommended values for installing across namespaces
## @param global.spire.recommendations.namespacePSS When chart namespace creation is enabled, label them with preffered Pod Security Standard labels
## @param global.spire.recommendations.priorityClassName Set to true to use recommended values for Pod Priority Class Names
## @param global.spire.recommendations.strictMode Check values, such as trustDomain, are overridden with a suitable value for production.
## @param global.spire.recommendations.securityContexts Set to true to use recommended values for Pod and Container Security Contexts
## @param global.spire.recommendations.prometheus Enable prometheus exporters for monitoring
recommendations:
enabled: false
namespaceLayout: true
namespacePSS: true
priorityClassName: true
strictMode: true
securityContexts: true
Expand All @@ -40,6 +42,8 @@ global:
registry: ""

namespaces:
## @param global.spire.namespaces.create Set to true to Create all namespaces. If this or either of the namespace specific create flags is set, the namespace will be created.
create: false
system:
## @param global.spire.namespaces.system.name Name of the Spire system Namespace.
name: "spire-system"
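Review bot: The `## @param global.spire.recommendations.namespacePSS` comment has a typo, `preffered`, and because these `@param` lines generate the README table (the README hunk above carries the same text) it will be published; change it to `label them with the preferred Pod Security Standard labels`. The description also reads as if namespace creation were the only gate, whereas the templates apply the labels only when `global.spire.recommendations.enabled` is also true, and that defaults to `false` two lines below; spelling that out, e.g. `When recommendations are enabled and the chart creates the namespaces, label them with the preferred Pod Security Standard labels`, would avoid surprise.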
14 changes: 0 additions & 14 deletions examples/openshift/openshift-values.yaml
@@ -1,16 +1,2 @@
global:
openshift: true
spire:
namespaces:
system:
labels:
security.openshift.io/scc.podSecurityLabelSync: "false"
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/warn: privileged
pod-security.kubernetes.io/audit: privileged
server:
labels:
security.openshift.io/scc.podSecurityLabelSync: "false"
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/warn: privileged
pod-security.kubernetes.io/audit: privileged
