From 0451d01e4d44ca89059705234f3f51256d3bd5a7 Mon Sep 17 00:00:00 2001
From: Alberto Pimpo
Date: Mon, 25 Nov 2024 14:01:06 +0100
Subject: [PATCH] Add option to configure seLinux and runAs policies (#538)

Signed-off-by: Alberto Pimpo
---
 charts/fluent-bit/Chart.yaml | 4 ++--
 charts/fluent-bit/templates/psp.yaml | 11 +++++++----
 charts/fluent-bit/templates/scc.yaml | 8 ++++++--
 charts/fluent-bit/values.yaml | 9 +++++++++
 4 files changed, 24 insertions(+), 8 deletions(-)

diff --git a/charts/fluent-bit/Chart.yaml b/charts/fluent-bit/Chart.yaml
index 18a5e35a..a9283c3a 100644
--- a/charts/fluent-bit/Chart.yaml
+++ b/charts/fluent-bit/Chart.yaml
@@ -5,7 +5,7 @@ keywords:
 - logging
 - fluent-bit
 - fluentd
-version: 0.48.1
+version: 0.48.2
 appVersion: 3.2.1
 icon: https://raw.githubusercontent.com/cncf/artwork/master/projects/fluentd/fluentbit/icon/fluentbit-icon-color.svg
 home: https://fluentbit.io/
@@ -23,4 +23,4 @@ maintainers:
 annotations:
 artifacthub.io/changes: |
 - kind: changed
- description: "Updated configmap-reload image to v0.14.0"
+ description: "Add option to configure seLinux and runAs policies"
diff --git a/charts/fluent-bit/templates/psp.yaml b/charts/fluent-bit/templates/psp.yaml
index 20b38ec9..2e7f500c 100644
--- a/charts/fluent-bit/templates/psp.yaml
+++ b/charts/fluent-bit/templates/psp.yaml
@@ -20,12 +20,15 @@ spec:
 hostNetwork: {{ .Values.hostNetwork }}
 hostIPC: false
 hostPID: false
+{{- with .Values.podSecurityPolicy.runAsUser }}
 runAsUser:
- # TODO: Require the container to run without root privileges.
- rule: 'RunAsAny'
+ {{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with .Values.podSecurityPolicy.seLinux }}
 seLinux:
- # This policy assumes the nodes are using AppArmor rather than SELinux.
- rule: 'RunAsAny'
+ {{- toYaml . | nindent 4 }}
+{{- end }}
+
 supplementalGroups:
 rule: 'MustRunAs'
 ranges:
diff --git a/charts/fluent-bit/templates/scc.yaml b/charts/fluent-bit/templates/scc.yaml
index 5c599106..b9ed6d64 100644
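Review bot: Wrapping `runAsUser:` and `seLinux:` in `{{- with }}` means a user who sets `podSecurityPolicy.runAsUser` or `podSecurityPolicy.seLinux` to an empty map or null gets a PodSecurityPolicy with those fields missing, and both are required in the PSP spec, so the chart renders a manifest the API server rejects instead of failing at template time with a clear message. Rendering them unconditionally, or guarding with `required`, keeps the new configurability while making the failure explicit, e.g. `{{- toYaml (required "podSecurityPolicy.runAsUser must be set" .Values.podSecurityPolicy.runAsUser) | nindent 4 }}` in place of the `with` block. The same pattern is applied to `runAsUser`/`seLinuxContext` in templates/scc.yaml in this commit, where an omitted strategy presumably falls back to OpenShift's SCC defaulting rather than the previous explicit `MustRunAs`, which is worth a comment if it is intended. The added blank `+` line after the second `{{- end }}` also leaves a stray empty line in the rendered manifest. The enclosing `spec:` block starts before the hunk.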
--- a/charts/fluent-bit/templates/scc.yaml
+++ b/charts/fluent-bit/templates/scc.yaml
@@ -24,10 +24,14 @@ forbiddenSysctls:
 readOnlyRootFilesystem: false
 requiredDropCapabilities:
 - MKNOD
+{{- with .Values.openShift.securityContextConstraints.runAsUser }}
 runAsUser:
- type: RunAsAny
+ {{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with .Values.openShift.securityContextConstraints.seLinuxContext }}
 seLinuxContext:
- type: MustRunAs
+ {{- toYaml . | nindent 4 }}
+{{- end }}
 supplementalGroups:
 type: RunAsAny
 volumes:
diff --git a/charts/fluent-bit/values.yaml b/charts/fluent-bit/values.yaml
index e73b4435..df4e47f1 100644
--- a/charts/fluent-bit/values.yaml
+++ b/charts/fluent-bit/values.yaml
@@ -45,6 +45,11 @@ rbac:
 podSecurityPolicy:
 create: false
 annotations: {}
+ runAsUser:
+ rule: RunAsAny
+ seLinux:
+ # This policy assumes the nodes are using AppArmor rather than SELinux.
+ rule: RunAsAny
 # OpenShift-specific configuration
 openShift:
@@ -54,6 +59,10 @@ openShift:
 create: true
 name: ""
 annotations: {}
+ runAsUser:
+ type: RunAsAny
+ seLinuxContext:
+ type: MustRunAs
 # Use existing SCC in cluster, rather then create new one
 existingName: ""
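Review bot: The new `podSecurityPolicy.runAsUser` and `podSecurityPolicy.seLinux` maps (and `openShift.securityContextConstraints.runAsUser` / `seLinuxContext` in the second hunk) carry no comment saying what they are or where they end up, and the `# TODO: Require the container to run without root privileges.` comment that sat next to the `RunAsAny` default in templates/psp.yaml was dropped rather than moved here, so the permissive default now reads as deliberate. Suggest a comment above each map such as `# Rendered verbatim into the PSP spec.runAsUser strategy block; leaving it empty omits the field.` (and the SCC equivalent naming `runAsUser`/`seLinuxContext` on the SecurityContextConstraints object), plus restoring the TODO above the PSP `RunAsAny` default. Because the maps are passed through with `toYaml`, nothing validates `rule`/`type`, so the comment is the only place a user learns which strategy values are accepted.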