A Slightly More Restrictive PSP (#3085)

* Adds more PSP restrictions * Update test fixtures * Updates PSP to be conditional on initContainer - The proxy-init container runs as root and needs the PSP to allow this user when there is an init container. Signed-off-by: Cody Vandermyn <cody.vandermyn@nordstrom.com>
2019-07-24 10:12:33 -07:00 · 2019-07-24 10:12:33 -07:00 · 808fa381f9
parent c832d354f2
commit 808fa381f9
2 changed files with 17 additions and 3 deletions
--- a/chart/templates/psp.yaml
+++ b/chart/templates/psp.yaml
@ -26,17 +26,31 @@ spec:
  seLinux:
    rule: RunAsAny
  runAsUser:
+    {{- if .NoInitContainer }}
+    rule: MustRunAsNonRoot
+    {{- else }}
    rule: RunAsAny
+    {{- end }}
  supplementalGroups:
    rule: MustRunAs
    ranges:
+    {{- if .NoInitContainer }}
+    - min: 10001
+      max: 65535
+    {{- else }}
    - min: 1
      max: 65535
+    {{- end }}
  fsGroup:
    rule: MustRunAs
    ranges:
+    {{- if .NoInitContainer }}
+    - min: 10001
+      max: 65535
+    {{- else }}
    - min: 1
      max: 65535
+    {{- end }}
  volumes:
  - configMap
  - emptyDir
--- a/cli/cmd/testdata/install_no_init_container.golden
+++ b/cli/cmd/testdata/install_no_init_container.golden
@ -511,16 +511,16 @@ spec:
  seLinux:
    rule: RunAsAny
  runAsUser:
-    rule: RunAsAny
+    rule: MustRunAsNonRoot
  supplementalGroups:
    rule: MustRunAs
    ranges:
-    - min: 1
+    - min: 10001
      max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
-    - min: 1
+    - min: 10001
      max: 65535
  volumes:
  - configMap