From 2ac83e31725547c4846bdc43f73cca7609badc98 Mon Sep 17 00:00:00 2001
From: Alberto Pimpo
Date: Tue, 6 Aug 2024 13:14:22 +0200
Subject: [PATCH] Add option to configure seLinux and runAs policies

Signed-off-by: Alberto Pimpo
---
 charts/fluent-bit/Chart.yaml | 2 +-
 charts/fluent-bit/templates/psp.yaml | 11 +++++++----
 charts/fluent-bit/templates/scc.yaml | 8 ++++++--
 charts/fluent-bit/values.yaml | 9 +++++++++
 4 files changed, 23 insertions(+), 7 deletions(-)

diff --git a/charts/fluent-bit/Chart.yaml b/charts/fluent-bit/Chart.yaml
index 6b57a66d..c8b5b1c4 100644
--- a/charts/fluent-bit/Chart.yaml
+++ b/charts/fluent-bit/Chart.yaml
@@ -5,7 +5,7 @@ keywords:
 - logging
 - fluent-bit
 - fluentd
-version: 0.47.11
+version: 0.47.12
 appVersion: 3.1.10
 icon: https://raw.githubusercontent.com/cncf/artwork/master/projects/fluentd/fluentbit/icon/fluentbit-icon-color.svg
 home: https://fluentbit.io/
diff --git a/charts/fluent-bit/templates/psp.yaml b/charts/fluent-bit/templates/psp.yaml
index 20b38ec9..2e7f500c 100644
--- a/charts/fluent-bit/templates/psp.yaml
+++ b/charts/fluent-bit/templates/psp.yaml
@@ -20,12 +20,15 @@ spec:
 hostNetwork: {{ .Values.hostNetwork }}
 hostIPC: false
 hostPID: false
+{{- with .Values.podSecurityPolicy.runAsUser }}
 runAsUser:
- # TODO: Require the container to run without root privileges.
- rule: 'RunAsAny'
+ {{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with .Values.podSecurityPolicy.seLinux }}
 seLinux:
- # This policy assumes the nodes are using AppArmor rather than SELinux.
- rule: 'RunAsAny'
+ {{- toYaml . | nindent 4 }}
+{{- end }}
+
 supplementalGroups:
 rule: 'MustRunAs'
 ranges:
diff --git a/charts/fluent-bit/templates/scc.yaml b/charts/fluent-bit/templates/scc.yaml
index 5c599106..b9ed6d64 100644
--- a/charts/fluent-bit/templates/scc.yaml
+++ b/charts/fluent-bit/templates/scc.yaml
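Review bot: A `podSecurityPolicy.runAsUser` or `podSecurityPolicy.seLinux` value that a user sets to `{}` or null now drops the whole field from the rendered PodSecurityPolicy, because the new `{{- with ... }}` guards emit nothing for an empty value; `runAsUser` and `seLinux` are required in a PSP spec, so the mistake surfaces only as an apply-time rejection instead of a template-time error. Since defaults for both blocks now live in values.yaml, the guard can be replaced by something that fails early, e.g. `runAsUser:` followed by `{{- required "podSecurityPolicy.runAsUser must be a non-empty strategy block" .Values.podSecurityPolicy.runAsUser | toYaml | nindent 4 }}`, with the same for `seLinux`. The scc.yaml hunk uses the identical `with` pattern for `openShift.securityContextConstraints.runAsUser` and `seLinuxContext` and would benefit from the same treatment. The removed `# TODO: Require the container to run without root privileges.` reminder is not carried anywhere, even though the `RunAsAny` default it annotated still exists in values.yaml. The PSP `spec:` mapping continues outside the hunk on both sides.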
@@ -24,10 +24,14 @@ forbiddenSysctls:
 readOnlyRootFilesystem: false
 requiredDropCapabilities:
 - MKNOD
+{{- with .Values.openShift.securityContextConstraints.runAsUser }}
 runAsUser:
- type: RunAsAny
+ {{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with .Values.openShift.securityContextConstraints.seLinuxContext }}
 seLinuxContext:
- type: MustRunAs
+ {{- toYaml . | nindent 4 }}
+{{- end }}
 supplementalGroups:
 type: RunAsAny
 volumes:
diff --git a/charts/fluent-bit/values.yaml b/charts/fluent-bit/values.yaml
index 2705819e..22135f4c 100644
--- a/charts/fluent-bit/values.yaml
+++ b/charts/fluent-bit/values.yaml
@@ -45,6 +45,11 @@ rbac:
 podSecurityPolicy:
 create: false
 annotations: {}
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ # This policy assumes the nodes are using AppArmor rather than SELinux.
+ rule: 'RunAsAny'
 
 # OpenShift-specific configuration
 openShift:
@@ -54,6 +59,10 @@ openShift:
 create: true
 name: ""
 annotations: {}
+ runAsUser:
+ type: RunAsAny
+ seLinuxContext:
+ type: MustRunAs
 
 # Use existing SCC in cluster, rather then create new one
 existingName: ""
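Review bot: The new `podSecurityPolicy.runAsUser` / `seLinux` keys (and `openShift.securityContextConstraints.runAsUser` / `seLinuxContext` in the second hunk) carry no comment saying how they are consumed: each block is copied verbatim by `toYaml` into the PSP `spec` or the SCC, and an empty value removes the field from the manifest rather than falling back to the old hard-coded strategy. A comment such as `# Strategy block rendered verbatim into the PSP spec.runAsUser; must stay a non-empty mapping` above `runAsUser:` (and an equivalent above the SCC keys) would make that explicit, and it is also the natural home for the `# TODO: Require the container to run without root privileges.` note that psp.yaml loses in this commit. The two blocks also differ in scalar quoting (`rule: 'RunAsAny'` versus `type: RunAsAny`); pick the file's own convention for both so later edits do not diverge further.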