[stable/nginx-ingress] Support pod security policies on default backe…

…nd (helm#16856)

* [stable/nginx-ingress] Support pod security policies on default backend

Co-authored-by: Harsha Katepal <hkatepal@ford.com>
Signed-off-by: Stu Charlton <scharlton@pivotal.io>
Signed-off-by: Harsha Katepal <hkatepal@ford.com>

* Bump chart major version

Signed-off-by: Stu Charlton <scharlton@pivotal.io>

* Don't rename the controller PSP, keep it as is.

Signed-off-by: Stu Charlton <scharlton@pivotal.io>

stable/nginx-ingress/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
 name: nginx-ingress
-version: 1.18.0
+version: 1.19.0
 appVersion: 0.25.1
 home: https://github.com/kubernetes/ingress-nginx
 description: An nginx Ingress controller that uses ConfigMap to store the nginx configuration.

stable/nginx-ingress/README.md

@@ -190,8 +190,10 @@ Parameter | Description | Default
 `imagePullSecrets` | name of Secret resource containing private registry credentials | `nil`
 `rbac.create` | if `true`, create & use RBAC resources | `true`
 `podSecurityPolicy.enabled` | if `true`, create & use Pod Security Policy resources | `false`
-`serviceAccount.create` | if `true`, create a service account | `true`
-`serviceAccount.name` | The name of the service account to use. If not set and `create` is `true`, a name is generated using the fullname template. | ``
+`serviceAccount.create` | if `true`, create a service account for the controller | `true`
+`serviceAccount.name` | The name of the controller service account to use. If not set and `create` is `true`, a name is generated using the fullname template. | ``
+`serviceAccount.backend.create` | if `true`, create a backend service account. Only useful if you need a pod security policy to run the backend. | `true`
+`serviceAccount.backend.name` | The name of the backend service account to use. If not set and `create` is `true`, a name is generated using the fullname template. Only useful if you need a pod security policy to run the backend. | ``
 `revisionHistoryLimit` | The number of old history to retain to allow rollback. | `10`
 `tcp` | TCP service key:value pairs. The value is evaluated as a template. | `{}`
 `udp` | UDP service key:value pairs The value is evaluated as a template. | `{}`

stable/nginx-ingress/templates/_helpers.tpl

@@ -55,7 +55,7 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- end -}}
 
 {{/*
-Create the name of the service account to use
+Create the name of the controller service account to use
 */}}
 {{- define "nginx-ingress.serviceAccountName" -}}
 {{- if .Values.serviceAccount.create -}}
@@ -64,3 +64,14 @@ Create the name of the service account to use
     {{ default "default" .Values.serviceAccount.name }}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled
+*/}}
+{{- define "nginx-ingress.defaultBackend.serviceAccountName" -}}
+{{- if .Values.defaultBackend.serviceAccount.create -}}
+    {{ default (printf "%s-backend" (include "nginx-ingress.fullname" .)) .Values.defaultBackend.serviceAccount.name }}
+{{- else -}}
+    {{ default "default-backend" .Values.defaultBackend.serviceAccount.name }}
+{{- end -}}
+{{- end -}}

stable/nginx-ingress/templates/podsecuritypolicy.yaml → stable/nginx-ingress/templates/controller-psp.yaml

@@ -2,7 +2,7 @@
 apiVersion: extensions/v1beta1
 kind: PodSecurityPolicy
 metadata:
-  name: {{ template "nginx-ingress.fullname" . }} 
+  name: {{ template "nginx-ingress.fullname" . }}
   labels:
     app: {{ template "nginx-ingress.name" . }}
     chart: {{ .Chart.Name }}-{{ .Chart.Version }}

stable/nginx-ingress/templates/default-backend-deployment.yaml

@@ -87,6 +87,7 @@ spec:
       nodeSelector:
 {{ toYaml .Values.defaultBackend.nodeSelector | indent 8 }}
     {{- end }}
+      serviceAccountName: {{ template "nginx-ingress.defaultBackend.serviceAccountName" . }}
     {{- if .Values.defaultBackend.tolerations }}
       tolerations:
 {{ toYaml .Values.defaultBackend.tolerations | indent 8 }}

stable/nginx-ingress/templates/default-backend-psp.yaml

@@ -0,0 +1,35 @@
+{{- if and .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "nginx-ingress.fullname" . }}-backend
+  labels:
+    app: {{ template "nginx-ingress.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+spec:
+  allowPrivilegeEscalation: false
+  fsGroup:
+    ranges:
+    - max: 65535
+      min: 1
+    rule: MustRunAs
+  requiredDropCapabilities:
+  - ALL
+  runAsUser:
+    rule: MustRunAsNonRoot
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    ranges:
+    - max: 65535
+      min: 1
+    rule: MustRunAs
+  volumes:
+  - configMap
+  - emptyDir
+  - projected
+  - secret
+  - downwardAPI
+{{- end -}}

stable/nginx-ingress/templates/default-backend-role.yaml

@@ -0,0 +1,16 @@
+{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  labels:
+    app: {{ template "nginx-ingress.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  name: {{ template "nginx-ingress.fullname" . }}-backend
+rules:
+  - apiGroups:      ['extensions']
+    resources:      ['podsecuritypolicies']
+    verbs:          ['use']
+    resourceNames:  [{{ template "nginx-ingress.fullname" . }}-backend]
+{{- end -}}

stable/nginx-ingress/templates/default-backend-rolebinding.yaml

@@ -0,0 +1,19 @@
+{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  labels:
+    app: {{ template "nginx-ingress.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  name: {{ template "nginx-ingress.fullname" . }}-backend
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "nginx-ingress.fullname" . }}-backend
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "nginx-ingress.defaultBackend.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end -}}

stable/nginx-ingress/templates/default-backend-serviceaccount.yaml

@@ -0,0 +1,11 @@
+{{- if and .Values.defaultBackend.enabled  .Values.defaultBackend.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: {{ template "nginx-ingress.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  name: {{ template "nginx-ingress.defaultBackend.serviceAccountName" . }}
+{{- end }}

stable/nginx-ingress/values.yaml

@@ -384,6 +384,9 @@ defaultBackend:
 
   extraArgs: {}
 
+  serviceAccount:
+    create: true
+    name:
   ## Additional environment variables to set for defaultBackend pods
   extraEnvs: []