
podSecurityAdmission Template

Open orenr2301 opened this issue 1 year ago • 0 comments

@ckotzbauer

Following that issue: https://github.com/kubereboot/charts/issues/39

I would like to suggest adding another template for podSecurityAdmission. Since Kubernetes moved from PSP to PSA at version 1.25.1 and above, I believe this addresses those who have clusters with higher versions and not a legacy version.

I am facing the same issue as the one mentioned above, and I also noticed it is still hard-coded at the template/chart level in the latest version, 5.3.1.

Since it's related to the privilege escalation matter, I would suggest making a dependency:

```yaml
podSecurityAdmission:
  create: true
  hostPID: false
  hostIPC: false
```

```yaml
{{- if .Values.podSecurityAdmission.create }}  # here to be handled
apiVersion: {{ template "kured.psp.apiVersion" . }}
kind: PodSecurityAdmission  # also changing kind
metadata:
  name: {{ template "kured.fullname" . }}
  labels:
    {{- include "kured.labels" . | nindent 4 }}
spec:
  privileged: true  # needs to be templated
  hostPID: true  # needs to be templated
  allowedCapabilities: ['*']  # also to be templated
  fsGroup:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes: ['*']
{{- end }}
```

As I currently have a 1.26.3 cluster version, I had to make a manual change :(

If further details are needed from me, let me know.

Regards, orenr2301

orenr2301 · Dec 12 '23 09:12
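As an added example that is not part of this issue, the kured chart, or the kubereboot project: with PSA the `privileged` / `hostPID` / `allowedCapabilities` fields that the template above hard-codes are no longer granted per-pod by a cluster resource but are checked against the profile set on the namespace (`pod-security.kubernetes.io/enforce`). The script below applies the relevant `baseline` checks (host namespaces, privileged containers, capability additions beyond the baseline allow-list, hostPath volumes) to a pod spec loaded as a plain dict, so one can see which enforce level a namespace running such a pod would need. The pod specs are constructed samples, not real kured manifests, and only these checks are implemented; the real admission controller evaluates more.

```python
"""PSA baseline check for the fields a PSP-style template hard-codes.

Added example, not code from the kubereboot/charts issue or the chart.
"""

# Capabilities the PSA "baseline" profile allows to be added.
BASELINE_ALLOWED_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
    "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID",
    "SYS_CHROOT",
}


def _all_containers(spec):
    """Yield every container in the pod spec (init, regular, ephemeral)."""
    for key in ("initContainers", "containers", "ephemeralContainers"):
        yield from spec.get(key, [])


def baseline_violations(pod_spec):
    """Return human-readable baseline violations found in pod_spec."""
    violations = []
    # Host namespace sharing is forbidden at baseline.
    for field in ("hostPID", "hostIPC", "hostNetwork"):
        if pod_spec.get(field) is True:
            violations.append(f"spec.{field}=true")
    for c in _all_containers(pod_spec):
        sc = c.get("securityContext") or {}
        name = c.get("name", "<unnamed>")
        if sc.get("privileged") is True:
            violations.append(f"container {name}: privileged=true")
        added = set((sc.get("capabilities") or {}).get("add") or [])
        extra = sorted(added - BASELINE_ALLOWED_CAPS)
        if extra:
            violations.append(f"container {name}: capabilities.add {extra}")
    # hostPath volumes are forbidden at baseline.
    for v in pod_spec.get("volumes", []):
        if "hostPath" in v:
            violations.append(f"volume {v.get('name', '<unnamed>')}: hostPath")
    return violations


def required_enforce_level(pod_spec):
    """Lowest enforce level that admits the pod under the checks above.

    "baseline" here only means none of these checks fired; it is not a
    claim that the pod also satisfies the stricter "restricted" profile.
    """
    return "privileged" if baseline_violations(pod_spec) else "baseline"


# Constructed sample: a pod shaped like the values the issue wants to
# template (hostPID plus a privileged container), not a real kured manifest.
REBOOT_DAEMON_POD = {
    "hostPID": True,
    "hostIPC": False,
    "containers": [{
        "name": "kured",
        "securityContext": {
            "privileged": True,
            "capabilities": {"add": ["SYS_BOOT"]},
        },
    }],
    "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
}

# Constructed sample: the same workload with host access removed.
LOCKED_DOWN_POD = {
    "hostPID": False,
    "containers": [{
        "name": "kured",
        "securityContext": {"capabilities": {"add": ["NET_BIND_SERVICE"]}},
    }],
}

if __name__ == "__main__":
    for label, pod in (("reboot daemon", REBOOT_DAEMON_POD),
                       ("locked down", LOCKED_DOWN_POD)):
        print(f"{label}: needs pod-security.kubernetes.io/enforce="
              f"{required_enforce_level(pod)}")
        for violation in baseline_violations(pod):
            print(f"  - {violation}")
```

Running it shows the first pod needs a namespace labelled `enforce=privileged`, which is the practical consequence of templating `hostPID: true` or `privileged: true` into a chart on a PSA cluster: the chart values alone cannot grant those privileges, the target namespace has to allow them.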