Support Openshift deployment (#13)
* Add support for SPIRE deployment on OpenShift 4.13

Signed-off-by: Mariusz Sabath <[email protected]>
Co-authored-by: Trilok Geer <[email protected]>
Co-authored-by: Andrew Block <[email protected]>

* Render README

Signed-off-by: Mariusz Sabath <[email protected]>

* Fix tornjak HTTP/HTTPS port values

Signed-off-by: Mariusz Sabath <[email protected]>

* Update Frontend README

Signed-off-by: Mariusz Sabath <[email protected]>

* Add env. variable to Agent to inject node name

Signed-off-by: Mariusz Sabath <[email protected]>

* Implement Marco's suggestion on CSI CSS version

Signed-off-by: Mariusz Sabath <[email protected]>

* Add MY_NODE_NAME env. variable to agent for openshift example

Signed-off-by: Mariusz Sabath <[email protected]>

* Move Openshift examples to dedicated directory

Signed-off-by: Mariusz Sabath <[email protected]>

* Simplified the install instructions

Signed-off-by: Mariusz Sabath <[email protected]>

* Suggested changes

Signed-off-by: Kevin Fox <[email protected]>

* Apply suggestions from code review

Co-authored-by: Andrew Block <[email protected]>
Signed-off-by: kfox1111 <[email protected]>

* Update docs, fix default for backwards compat

Signed-off-by: Kevin Fox <[email protected]>

* Don't recommend experimental features by default, don't debug helm install by default and explain how to add additional features

Signed-off-by: Kevin Fox <[email protected]>

* Add notes about openshift to the project for other reviewers.

Signed-off-by: Kevin Fox <[email protected]>

* Fix incorrectly reverted change

Signed-off-by: Kevin Fox <[email protected]>

* Correct notes

Signed-off-by: Kevin Fox <[email protected]>

* Update default

Signed-off-by: Kevin Fox <[email protected]>

* Fix issue created from bad merge conflict resolution

Signed-off-by: kfox1111 <[email protected]>

* Update examples/openshift/openshift-values.yaml

Co-authored-by: kfox1111 <[email protected]>
Signed-off-by: Mariusz Sabath <[email protected]>

* Update examples/openshift/openshift-values.yaml

Co-authored-by: kfox1111 <[email protected]>
Signed-off-by: Mariusz Sabath <[email protected]>

* Update examples/openshift/openshift-values.yaml

Co-authored-by: kfox1111 <[email protected]>
Signed-off-by: Mariusz Sabath <[email protected]>

* Update examples/openshift/openshift-values.yaml

Co-authored-by: kfox1111 <[email protected]>
Signed-off-by: Mariusz Sabath <[email protected]>

---------

Signed-off-by: Mariusz Sabath <[email protected]>
Signed-off-by: Kevin Fox <[email protected]>
Signed-off-by: kfox1111 <[email protected]>
Co-authored-by: Trilok Geer <[email protected]>
Co-authored-by: Andrew Block <[email protected]>
Co-authored-by: Kevin Fox <[email protected]>
4 people authored Oct 31, 2023
1 parent ed23d8b commit 3b01684
Showing 18 changed files with 432 additions and 40 deletions.
73 changes: 39 additions & 34 deletions charts/spire/charts/spiffe-csi-driver/README.md
@@ -28,37 +28,42 @@ A Helm chart to install the SPIFFE CSI driver.

### SPIFFE CSI Driver Chart parameters

| Name | Description | Value |
| ---------------------------------------- | ------------------------------------------------------------------------------------------- | ------------------------------------------- |
| `pluginName` | Set the csi driver name deployed to Kubernetes. | `csi.spiffe.io` |
| `image.registry` | The OCI registry to pull the image from | `ghcr.io` |
| `image.repository` | The repository within the registry | `spiffe/spiffe-csi-driver` |
| `image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` |
| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` |
| `resources` | Resource requests and limits for spiffe-csi-driver | `{}` |
| `healthChecks.port` | The healthcheck port for spiffe-csi-driver | `9809` |
| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` |
| `livenessProbe.timeoutSeconds` | Timeout value in seconds for livenessProbe | `5` |
| `imagePullSecrets` | Image pull secret details for spiffe-csi-driver | `[]` |
| `nameOverride` | Name override for spiffe-csi-driver | `""` |
| `namespaceOverride` | Namespace to install spiffe-csi-driver | `""` |
| `fullnameOverride` | Full name override for spiffe-csi-driver | `""` |
| `serviceAccount.create` | Specifies whether a service account should be created | `true` |
| `serviceAccount.annotations` | Annotations to add to the service account | `{}` |
| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. | `""` |
| `podAnnotations` | Pod annotations for spiffe-csi-driver | `{}` |
| `podSecurityContext` | Security context for CSI driver pods | `{}` |
| `securityContext.readOnlyRootFilesystem` | Flag for read only root filesystem | `true` |
| `securityContext.privileged` | Flag for specifying privileged mode | `true` |
| `nodeSelector` | Node selector for CSI driver pods | `{}` |
| `tolerations` | Tolerations for CSI driver pods | `[]` |
| `nodeDriverRegistrar.image.registry` | The OCI registry to pull the image from | `registry.k8s.io` |
| `nodeDriverRegistrar.image.repository` | The repository within the registry | `sig-storage/csi-node-driver-registrar` |
| `nodeDriverRegistrar.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `nodeDriverRegistrar.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` |
| `nodeDriverRegistrar.image.tag` | Overrides the image tag | `v2.9.0` |
| `nodeDriverRegistrar.resources` | Resource requests and limits for CSI driver pods | `{}` |
| `agentSocketPath` | The unix socket path to the spire-agent | `/run/spire/agent-sockets/spire-agent.sock` |
| `kubeletPath` | Path to kubelet file | `/var/lib/kubelet` |
| `priorityClassName` | Priority class assigned to daemonset pods | `""` |
| Name | Description | Value |
| ---------------------------------------- | ------------------------------------------------------------------------------------------------------- | ------------------------------------------- |
| `pluginName` | Set the csi driver name deployed to Kubernetes. | `csi.spiffe.io` |
| `image.registry` | The OCI registry to pull the image from | `ghcr.io` |
| `image.repository` | The repository within the registry | `spiffe/spiffe-csi-driver` |
| `image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` |
| `image.tag` | Overrides the image tag whose default is the chart appVersion | `""` |
| `resources` | Resource requests and limits for spiffe-csi-driver | `{}` |
| `healthChecks.port` | The healthcheck port for spiffe-csi-driver | `9809` |
| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` |
| `livenessProbe.timeoutSeconds` | Timeout value in seconds for livenessProbe | `5` |
| `imagePullSecrets` | Image pull secret details for spiffe-csi-driver | `[]` |
| `nameOverride` | Name override for spiffe-csi-driver | `""` |
| `namespaceOverride` | Namespace to install spiffe-csi-driver | `""` |
| `fullnameOverride` | Full name override for spiffe-csi-driver | `""` |
| `csiDriverLabels` | Labels to apply to the CSIDriver | `{}` |
| `initContainers` | Init Containers to apply to the CSI Driver DaemonSet | `[]` |
| `serviceAccount.create` | Specifies whether a service account should be created | `true` |
| `serviceAccount.annotations` | Annotations to add to the service account | `{}` |
| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated. | `""` |
| `podAnnotations` | Pod annotations for spiffe-csi-driver | `{}` |
| `podSecurityContext` | Security context for CSI driver pods | `{}` |
| `securityContext.readOnlyRootFilesystem` | Flag for read only root filesystem | `true` |
| `securityContext.privileged` | Flag for specifying privileged mode | `true` |
| `nodeSelector` | Node selector for CSI driver pods | `{}` |
| `tolerations` | Tolerations for CSI driver pods | `[]` |
| `nodeDriverRegistrar.image.registry` | The OCI registry to pull the image from | `registry.k8s.io` |
| `nodeDriverRegistrar.image.repository` | The repository within the registry | `sig-storage/csi-node-driver-registrar` |
| `nodeDriverRegistrar.image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `nodeDriverRegistrar.image.version` | This value is deprecated in favor of tag. (Will be removed in a future release) | `""` |
| `nodeDriverRegistrar.image.tag` | Overrides the image tag | `v2.9.0` |
| `nodeDriverRegistrar.resources` | Resource requests and limits for CSI driver pods | `{}` |
| `agentSocketPath` | The unix socket path to the spire-agent | `/run/spire/agent-sockets/spire-agent.sock` |
| `kubeletPath` | Path to kubelet file | `/var/lib/kubelet` |
| `priorityClassName` | Priority class assigned to daemonset pods | `""` |
| `restrictedScc.enabled` | Enables the creation of a SecurityContextConstraint based on the restricted SCC with CSI volume support | `false` |
| `restrictedScc.name` | Set the name of the restricted SCC with CSI support | `""` |
| `restrictedScc.version` | Version of the restricted SCC | `2` |
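Review bot: the new `restrictedScc.*` rows leave two things undocumented that a reader of this table needs. First, `restrictedScc.enabled` only has an effect when `global.openshift` is also set (the restricted SCC template guards on `and .Values.global.openshift .Values.restrictedScc.enabled`), so the description should say so. Second, the default for `restrictedScc.name` is shown as `""`, but an empty value makes the template derive a name (`restricted-v2-csi` for version `2`, `restricted-csi` otherwise); spell that out in the description so operators know which SecurityContextConstraints object to look for and to bind RBAC to.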
@@ -36,6 +36,10 @@ spec:
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
{{- with .Values.initContainers }}
initContainers:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
# This is the container which runs the SPIFFE CSI driver.
- name: {{ .Chart.Name }}
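Review bot: the `initContainers` value is rendered verbatim with `toYaml | nindent 8`, which matches the indentation of the `containers:` list below it, so the YAML shape is fine. What is missing is a note in values.yaml that any init container supplied here runs inside the CSI driver pod and therefore under the driver's service account and its SCC, which (per the `spiffe-csi-driver` SecurityContextConstraints added in this PR) permits privileged containers and `hostPath` volumes. Operators should be told that this value grants the same node-level access the driver has and is not a place for arbitrary images.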
@@ -0,0 +1,61 @@
{{- if and .Values.global.openshift .Values.restrictedScc.enabled }}
{{- $name := default (printf "restricted-%scsi" (eq (.Values.restrictedScc.version | toString) "2" | ternary "v2-" "")) .Values.restrictedScc.name -}}
{{- $v2Description := "This is the most restrictive SCC and it is used by default for authenticated users. On top of the legacy 'restricted' SCC, it also requires to drop ALL capabilities and does not allow privilege escalation binaries. It will also default the seccomp profile to runtime/default if unset, otherwise this seccomp profile is required." -}}
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
allowHostPorts: false
priority: null
requiredDropCapabilities:
{{- if eq (.Values.restrictedScc.version | toString) "2" }}
- ALL
{{- else }}
- KILL
- MKNOD
- SETUID
- SETGID
{{- end }}
allowPrivilegedContainer: false
runAsUser:
type: MustRunAsRange
users: []
allowHostDirVolumePlugin: false
{{- if eq (.Values.restrictedScc.version | toString) "2" }}
seccompProfiles:
- runtime/default
{{- end }}
allowHostIPC: false
seLinuxContext:
type: MustRunAs
readOnlyRootFilesystem: false
metadata:
name: {{ $name }}
annotations:
kubernetes.io/description: >-
{{ $name }} denies access to all host features and requires pods to be
run with a UID, and SELinux context that are allocated to the namespace.
{{ eq (.Values.restrictedScc.version | toString) "2" | ternary $v2Description "" }}
fsGroup:
type: MustRunAs
groups: []
defaultAddCapabilities: null
supplementalGroups:
type: RunAsAny
volumes:
- configMap
- csi
- downwardAPI
- emptyDir
- ephemeral
- persistentVolumeClaim
- projected
- secret
allowHostPID: false
allowHostNetwork: false
allowPrivilegeEscalation: {{ eq (.Values.restrictedScc.version | toString) "2" | ternary false true }}
{{- if eq (.Values.restrictedScc.version | toString) "2" }}
allowedCapabilities:
- NET_BIND_SERVICE
{{ else}}
allowedCapabilities: null
{{- end }}
{{- end }}
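Review bot: `{{ else}}` near the end of this template is missing both the space and the whitespace trim (`{{- else }}`) used on every other control line in the file, so the version-2 branch renders with a stray blank line before `allowedCapabilities:`. On the logic side, `users: []` and `groups: []` mean this SCC is granted to nobody at render time; it is only usable through an RBAC grant of the `use` verb on the `securitycontextconstraints` resource, and neither the README nor values.yaml says that workloads needing CSI volumes under the restricted policy must be bound to it that way. A sentence in the `restrictedScc.enabled` description would close that gap.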
@@ -0,0 +1,30 @@
{{- if eq (.Values.global.openshift | toString) "true" }}
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
name: {{ include "spiffe-csi-driver.fullname" . }}
readOnlyRootFilesystem: true
runAsUser:
type: RunAsAny
seLinuxContext:
type: RunAsAny
supplementalGroups:
type: RunAsAny
users:
- system:serviceaccount:{{ include "spiffe-csi-driver.namespace" . }}:{{ include "spiffe-csi-driver.serviceAccountName" . }}
volumes:
- configmap
- hostPath
- secret
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
fsGroup:
type: RunAsAny
groups: []

{{ end }}
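Review bot: `- configmap` in the `volumes` list is lowercase, whereas the other two SCCs in this PR use the OpenShift volume type name `configMap`. The SCC `volumes` entries are matched against the volume type string, so the lowercase entry will not match `configMap` and a driver pod that mounts a ConfigMap would not be admitted under this SCC; correct the casing. Two smaller points: the guard `eq (.Values.global.openshift | toString) "true"` differs from the `if and .Values.global.openshift ...` form used in the restricted SCC template, so pick one style for the chart; and the closing `{{ end }}` lacks the `{{-` trim and follows a blank line, which leaves stray whitespace in the rendered manifest.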
@@ -2,6 +2,11 @@ apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
name: {{ .Values.pluginName | quote }}
{{- with .Values.csiDriverLabels }}
labels:
{{- toYaml . | nindent 4 }}
{{- end }}

spec:
# Only ephemeral, inline volumes are supported. There is no need for a
# controller to provision and attach volumes.
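Review bot: the blank line added between `{{- end }}` and `spec:` is unnecessary and is the only blank line inside the object; drop it to keep the manifest compact. The `nindent 4` for keys under `metadata` is correct.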
15 changes: 15 additions & 0 deletions charts/spire/charts/spiffe-csi-driver/values.yaml
@@ -58,6 +58,12 @@ namespaceOverride: ""
## @param fullnameOverride Full name override for spiffe-csi-driver
fullnameOverride: ""

## @param csiDriverLabels Labels to apply to the CSIDriver
csiDriverLabels: {}

## @param initContainers Init Containers to apply to the CSI Driver DaemonSet
initContainers: []

## @param serviceAccount.create Specifies whether a service account should be created
## @param serviceAccount.annotations Annotations to add to the service account
## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated.
@@ -126,3 +132,12 @@ kubeletPath: /var/lib/kubelet

## @param priorityClassName Priority class assigned to daemonset pods
priorityClassName: ""

restrictedScc:
## @param restrictedScc.enabled Enables the creation of a SecurityContextConstraint based on the restricted SCC with CSI volume support
enabled: false

## @param restrictedScc.name Set the name of the restricted SCC with CSI support
name: ""
## @param restrictedScc.version Version of the restricted SCC
version: 2
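Review bot: `restrictedScc.version` is documented only as "Version of the restricted SCC", with no statement of the accepted values. The template converts the value with `toString` and only distinguishes `"2"` from anything else (everything else falls back to the legacy `restricted` shape with the four-capability drop list and privilege escalation allowed), so the `@param` comment should say that `2` selects `restricted-v2` semantics and any other value the legacy `restricted` policy. Layout: there is a blank line between `enabled` and `name` but none between `name` and `version`; make it consistent.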
@@ -0,0 +1,38 @@
{{- if eq (.Values.global.openshift | toString) "true" }}
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
name: {{ include "spiffe-oidc-discovery-provider.fullname" . }}
readOnlyRootFilesystem: true
runAsUser:
type: RunAsAny
seLinuxContext:
type: RunAsAny
supplementalGroups:
type: RunAsAny
users:
- system:serviceaccount:{{ include "spiffe-oidc-discovery-provider.namespace" . }}:{{ include "spiffe-oidc-discovery-provider.serviceAccountName" . }}
- system:serviceaccount:{{ include "spiffe-oidc-discovery-provider.namespace" . }}:{{ include "spiffe-oidc-discovery-provider.serviceAccountName" . }}-pre-delete
volumes:
- configMap
- hostPath
- projected
- secret
- ephemeral
- downwardAPI
- csi
- emptyDir
allowHostDirVolumePlugin: true
allowHostIPC: true
allowHostNetwork: true
allowHostPID: true
allowHostPorts: true
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
fsGroup:
type: RunAsAny
groups: []
seccompProfiles:
- '*'

{{ end }}
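Review bot: this SCC is far more permissive than the workload needs and is inconsistent with the CSI driver SCC earlier in this PR: it sets `allowHostIPC`, `allowHostNetwork`, `allowHostPID` and `allowHostPorts` to `true`, allows privileged containers and `hostPath` volumes, and accepts any seccomp profile (`- '*'`). The OIDC discovery provider is an ordinary HTTP service, while the CSI driver SCC, for a component that genuinely needs node access, still sets every `allowHost*` flag to `false`. Please reduce this to the volume types and flags the deployment actually uses, set `seccompProfiles` to `runtime/default`, or document why host-level access is required here. Minor: the closing `{{ end }}` lacks the whitespace trim and follows a blank line, as in the CSI driver SCC.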