From 426004b192b8a63c5bb829ec9fb9d4ae4e9c32c8 Mon Sep 17 00:00:00 2001 From: Adam Martin <42001113+amartin120@users.noreply.github.com> Date: Mon, 23 Sep 2024 09:42:22 -0400 Subject: [PATCH] updates for rancher 2.8.8 (#224) Signed-off-by: Adam Martin --- charts/rancher/Chart.yaml | 6 ++-- charts/rancher/templates/_helpers.tpl | 25 ++++++++++++++ .../post-delete-hook-cluster-role.yaml | 10 +++++- .../templates/post-delete-hook-psp.yaml | 34 +++++++++++++++++++ charts/rancher/values.yaml | 9 ++++- 5 files changed, 79 insertions(+), 5 deletions(-) create mode 100644 charts/rancher/templates/post-delete-hook-psp.yaml
diff --git a/charts/rancher/Chart.yaml b/charts/rancher/Chart.yaml
index e715600..d069caa 100644
--- a/charts/rancher/Chart.yaml
+++ b/charts/rancher/Chart.yaml
@@ -1,9 +1,9 @@
 apiVersion: v2
 name: rancher
 description: Install Rancher Server to manage Kubernetes clusters across providers
-version: 2.9.1
-appVersion: v2.9.1
-kubeVersion: < 1.31.0-0
+version: 2.8.8
+appVersion: v2.8.8
+kubeVersion: < 1.29.0-0
 home: https://rancher.com
 icon: https://github.com/rancher/ui/blob/master/public/assets/images/logos/welcome-cow.svg
 keywords:
diff --git a/charts/rancher/templates/_helpers.tpl b/charts/rancher/templates/_helpers.tpl
index 969e08c..91e37cf 100644
--- a/charts/rancher/templates/_helpers.tpl
+++ b/charts/rancher/templates/_helpers.tpl
@@ -73,4 +73,29 @@ add below linux tolerations to workloads could be scheduled to those linux nodes
 {{- printf "%s/" .Values.systemDefaultRegistry -}}
 {{- end -}}
 {{- end -}}
+{{- end -}}
+
+{{/*
+Define the chosen value for PSPs. If this value is "", then the user did not set the value. This will
+result in psps on <=1.24 and no psps on >=1.25. If the value is true/false, then the user specifically
+chose an option, and that option will be used. If it is set otherwise, then we fail so the user can correct
+the invalid value.
+*/}}
+
+{{- define "rancher.chart_psp_enabled" -}}
+{{- if kindIs "bool" .Values.global.cattle.psp.enabled -}}
+{{ .Values.global.cattle.psp.enabled }}
+{{- else if empty .Values.global.cattle.psp.enabled -}}
+ {{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+ {{- if (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") -}}
+true
+ {{- else -}}
+false
+ {{- end -}}
+ {{- else -}}
+true
+ {{- end -}}
+{{- else -}}
+{{- fail "Invalid value for .Values.global.cattle.psp.enabled - must be a bool of true, false, or \"\"" -}}
+{{- end -}}
 {{- end -}}
\ No newline at end of file
diff --git a/charts/rancher/templates/post-delete-hook-cluster-role.yaml b/charts/rancher/templates/post-delete-hook-cluster-role.yaml
index 4e6b7d3..174c1d3 100644
--- a/charts/rancher/templates/post-delete-hook-cluster-role.yaml
+++ b/charts/rancher/templates/post-delete-hook-cluster-role.yaml
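Review bot: The inner `else` that yields `true` is taken whenever `lookup` returns no ClusterRoles — `helm template`, `--dry-run`, or an installing identity without `list` on ClusterRoles — which contradicts the comment above the define ("no psps on >=1.25"): an offline-rendered manifest for a 1.25+ cluster would carry a `policy/v1beta1` PodSecurityPolicy and the `use` rule that the target cluster cannot accept. `.Capabilities.KubeVersion` is populated even without a cluster (from `--kube-version` or Helm's default), so the split can be decided without `lookup`: `{{- else if semverCompare "<1.25-0" .Capabilities.KubeVersion.Version -}}` / `true` / `{{- else -}}` `false`. The comment should also state that a string `"true"`/`"false"` (for example from `--set-string`) is not a bool and lands in the `fail` branch.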
@@ -30,10 +30,18 @@ rules:
 - apiGroups: [ "admissionregistration.k8s.io" ]
 resources: [ "validatingwebhookconfigurations", "mutatingwebhookconfigurations" ]
 verbs: [ "get", "list", "delete" ]
+ - apiGroups: [ "policy" ]
+ resources: [ "podsecuritypolicies" ]
+ verbs: ["delete", "create" ]
+{{- if eq (include "rancher.chart_psp_enabled" . ) "true" }}
+ - apiGroups: [ "policy" ]
+ resources: [ "podsecuritypolicies" ]
+ verbs: [ "use"]
+{{- end }}
 - apiGroups: [ "networking.k8s.io" ]
 resources: [ "ingresses" ]
 verbs: [ "delete" ]
 - apiGroups: [ "cert-manager.io" ]
 resources: [ "issuers" ]
 verbs: [ "delete" ]
-{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/rancher/templates/post-delete-hook-psp.yaml b/charts/rancher/templates/post-delete-hook-psp.yaml
new file mode 100644
index 0000000..baa70b0
--- /dev/null
+++ b/charts/rancher/templates/post-delete-hook-psp.yaml
@@ -0,0 +1,34 @@
+{{- if eq (include "rancher.chart_psp_enabled" . ) "true" -}}
+ apiVersion: policy/v1beta1
+ kind: PodSecurityPolicy
+ metadata:
+ name: {{ include "rancher.fullname" . }}-post-delete
+ labels: {{ include "rancher.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": post-delete
+ "helm.sh/hook-weight": "1"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+ spec:
+ privileged: false
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ readOnlyRootFilesystem: false
+ volumes:
+ - 'secret'
+ - 'configMap'
+ {{- end }}
\ No newline at end of file
diff --git a/charts/rancher/values.yaml b/charts/rancher/values.yaml
index f658a28..9d5a15a 100644
--- a/charts/rancher/values.yaml
+++ b/charts/rancher/values.yaml
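Review bot: The new `use` rule carries no `resourceNames`, and `create`/`delete` on `podsecuritypolicies` are granted unconditionally, so on a cluster that still enforces PSP the post-delete hook's service account can create a permissive policy and `use` it, which is a route to privileged or hostPath pods that a cleanup job does not need. The chart's own policy is a Helm hook resource created with the installer's credentials, not by this service account, so `create` looks unnecessary unless the hook script itself creates PSPs, which is not visible here; scope the remaining verbs to the chart's policy with `resourceNames: [ "{{ include "rancher.fullname" . }}-post-delete" ]` (Kubernetes cannot restrict `create` by name) and move the `delete` rule under the same `chart_psp_enabled` guard. The `rules:` list and the `{{- if` that the final `{{- end }}` closes both start outside the hunk.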
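Review bot: The policy never sets `allowPrivilegeEscalation`, which a PodSecurityPolicy defaults to true, and `runAsUser: RunAsAny` lets the cleanup container run as root, so the hook pod is admitted with fewer restrictions than a short-lived `rancher/shell` job deleting API objects needs. Add `allowPrivilegeEscalation: false` and `requiredDropCapabilities: [ 'ALL' ]` under `spec`, and, if the image's default user permits it, change the first rule to `rule: 'MustRunAsNonRoot'`. A comment on `"helm.sh/hook-weight": "1"` saying it must sort before the hook Job (whose weight lives in another file) would explain why the value is not 0.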
@@ -163,7 +163,7 @@ postDelete:
 enabled: true
 image:
 repository: rancher/shell
- tag: v0.2.1
+ tag: v0.1.26
 namespaceList:
 - cattle-fleet-system
 - cattle-system
@@ -190,6 +190,13 @@ readinessProbe:
 periodSeconds: 30
 failureThreshold: 5
 
+global:
+ cattle:
+ psp:
+ # will default to true on 1.24 and below, and false for 1.25 and above
+ # can be changed manually to true or false to bypass version checks and force that option
+ enabled: ""
+
 # helm values to use when installing the rancher-webhook chart.
 # helm values set here will override all other global values used when installing the webhook such as priorityClassName and systemRegistry settings.
 webhook: ""
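Review bot: The comment on `enabled` promises the 1.24/1.25 split, but the helper in `_helpers.tpl` only reaches that check when `lookup` can see the cluster; under `helm template`, `--dry-run`, or an identity without `list` on ClusterRoles it falls back to `true`, and a string value such as `"true"` from `--set-string` is rejected by `fail`. Suggest replacing the second comment line with `# set to true/false (a YAML bool, not a string) to bypass detection; offline rendering (helm template, --dry-run) cannot detect the cluster and assumes PSPs are enabled`.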