stackrox · mtesseract · Jun 8, 2022 · Apr 11, 2022 · Jun 8, 2022
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -1957,6 +1957,10 @@ commands:
               fi
             fi
 
+            if [[ -n "${POD_SECURITY_POLICIES:-}" ]]; then
+              cci-export POD_SECURITY_POLICIES "$POD_SECURITY_POLICIES"
+            fi
+
             deploy_dir="deploy/<< parameters.orchestrator-flavor >>"
             "${deploy_dir}/central.sh"
 

diff --git a/central/clusters/deployer.go b/central/clusters/deployer.go
@@ -26,6 +26,8 @@ type RenderOptions struct {
 	CreateUpgraderSA bool
 	SlimCollector    bool
 	IstioVersion     string
+
+	DisablePodSecurityPolicies bool
 }
 
 // FieldsFromClusterAndRenderOpts gets the template values for values.yaml
@@ -37,6 +39,7 @@ func FieldsFromClusterAndRenderOpts(c *storage.Cluster, imageFlavor *defaults.Im
 
 	baseValues := getBaseMetaValues(c, imageFlavor.Versions, &opts)
 	setMainOverride(mainImage, baseValues)
+	baseValues.EnablePodSecurityPolicies = !opts.DisablePodSecurityPolicies
 
 	collectorFull, collectorSlim := determineCollectorImages(mainImage, collectorImage, imageFlavor)
 	setCollectorOverrideToMetaValues(collectorFull, collectorSlim, baseValues)
@@ -175,5 +178,7 @@ func getBaseMetaValues(c *storage.Cluster, versions version.Versions, opts *Rend
 		AdmissionControllerEnabled:       c.GetDynamicConfig().GetAdmissionControllerConfig().GetEnabled(),
 		AdmissionControlEnforceOnUpdates: c.GetDynamicConfig().GetAdmissionControllerConfig().GetEnforceOnUpdates(),
 		ReleaseBuild:                     buildinfo.ReleaseBuild,
+
+		EnablePodSecurityPolicies: true,
 	}
 }
diff --git a/central/clusters/zip/zip.go b/central/clusters/zip/zip.go
@@ -145,6 +145,8 @@ func (z zipHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		CreateUpgraderSA: createUpgraderSA,
 		SlimCollector:    slimCollector,
 		IstioVersion:     params.IstioVersion,
+
+		DisablePodSecurityPolicies: params.DisablePodSecurityPolicies,
 	}
 
 	baseFiles, err := renderBaseFiles(cluster, renderOpts, certs)

diff --git a/central/scanner/handler.go b/central/scanner/handler.go
@@ -94,6 +94,7 @@ func generateFilesForScannerV1(params *apiparams.Scanner, clusterType storage.Cl
 			"scanner-db-key.pem":  scannerDBCert.KeyPEM,
 			"scanner-db-password": dbPassword,
 		},
+		EnablePodSecurityPolicies: !params.DisablePodSecurityPolicies,
 	}
 
 	return renderer.RenderScannerOnly(config, flavor)

diff --git a/deploy/common/k8sbased.sh b/deploy/common/k8sbased.sh
@@ -188,6 +188,10 @@ function launch_central {
     	add_args "--with-config-file=${ROXDEPLOY_CONFIG_FILE_MAP}"
     fi
 
+    if [[ "$POD_SECURITY_POLICIES" == "false" ]]; then
+      add_args "--enable-pod-security-policies=false"
+    fi
+
     local unzip_dir="${k8s_dir}/central-deploy/"
     rm -rf "${unzip_dir}"
     if ! (( use_docker )); then
@@ -286,6 +290,12 @@ function launch_central {
         )
       fi
 
+      if [[ "$POD_SECURITY_POLICIES" == "false" ]]; then
+        helm_args+=(
+          --set system.enablePodSecurityPolicies=false
+        )
+      fi
+
       if [[ -n "$CI" ]]; then
         helm lint "$unzip_dir/chart"
         helm lint "$unzip_dir/chart" -n stackrox

diff --git a/deploy/k8s/deploy-local.sh b/deploy/k8s/deploy-local.sh
@@ -1,10 +1,11 @@
 #!/usr/bin/env bash
 set -e
 
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd)"
+DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 
 # assuming deployment on Kubernetes in Docker for Mac or Minikube
 export COLLECTION_METHOD="${COLLECTION_METHOD:-kernel-module}"
 export MONITORING_SUPPORT="${MONITORING_SUPPORT:-false}"
+export POD_SECURITY_POLICIES="${POD_SECURITY_POLICIES:-false}"
 
 $DIR/deploy.sh
@@ -34,3 +34,5 @@ scanner:
     cert: null # string
     key: null # string
     generate: null # bool
+system:
+  enablePodSecurityPolicies: null # bool
@@ -0,0 +1,69 @@
+{{- include "srox.init" . -}}
+
+{{- if and (not ._rox.scanner.disable) ._rox.system.enablePodSecurityPolicies }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "srox.globalResourceName" (list . "stackrox-scanner-psp") }}
+  labels:
+    {{- include "srox.labels" (list . "clusterrole" "stackrox-scanner-psp") | nindent 4 }}
+  annotations:
+    {{- include "srox.annotations" (list . "clusterrole" "stackrox-scanner-psp") | nindent 4 }}
+rules:
+- apiGroups:
+  - policy
+  resources:
+  - podsecuritypolicies
+  resourceNames:
+  - {{ include "srox.globalResourceName" (list . "stackrox-scanner") }}
+  verbs:
+  - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: stackrox-scanner-psp
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "srox.labels" (list . "rolebinding" "stackrox-scanner-psp") | nindent 4 }}
+  annotations:
+    {{- include "srox.annotations" (list . "rolebinding" "stackrox-scanner-psp") | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "srox.globalResourceName" (list . "stackrox-scanner-psp") }}
+subjects:
+  - kind: ServiceAccount
+    name: scanner
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ include "srox.globalResourceName" (list . "stackrox-scanner") }}
+  labels:
+    {{- include "srox.labels" (list . "podsecuritypolicy" "stackrox-scanner") | nindent 4 }}
+  annotations:
+    {{- include "srox.annotations" (list . "podsecuritypolicy" "stackrox-scanner") | nindent 4 }}
+spec:
+  privileged: false
+  allowPrivilegeEscalation: false
+  volumes:
+    - 'configMap'
+    - 'emptyDir'
+    - 'projected'
+    - 'secret'
+    - 'downwardAPI'
+    - 'persistentVolumeClaim'
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+{{- end }}
@@ -1,80 +1,7 @@
 {{- include "srox.init" . -}}
 
-{{- if not ._rox.scanner.disable -}}
-
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: {{ include "srox.globalResourceName" (list . "stackrox-scanner-psp") }}
-  labels:
-    {{- include "srox.labels" (list . "clusterrole" "stackrox-scanner-psp") | nindent 4 }}
-  annotations:
-    {{- include "srox.annotations" (list . "clusterrole" "stackrox-scanner-psp") | nindent 4 }}
-rules:
-- apiGroups:
-  - policy
-  resources:
-  - podsecuritypolicies
-  resourceNames:
-  - {{ include "srox.globalResourceName" (list . "stackrox-scanner") }}
-  verbs:
-  - use
-
----
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: stackrox-scanner-psp
-  namespace: {{ .Release.Namespace }}
-  labels:
-    {{- include "srox.labels" (list . "rolebinding" "stackrox-scanner-psp") | nindent 4 }}
-  annotations:
-    {{- include "srox.annotations" (list . "rolebinding" "stackrox-scanner-psp") | nindent 4 }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: {{ include "srox.globalResourceName" (list . "stackrox-scanner-psp") }}
-subjects:
-  - kind: ServiceAccount
-    name: scanner
-    namespace: {{ .Release.Namespace }}
-
----
-
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: {{ include "srox.globalResourceName" (list . "stackrox-scanner") }}
-  labels:
-    {{- include "srox.labels" (list . "podsecuritypolicy" "stackrox-scanner") | nindent 4 }}
-  annotations:
-    {{- include "srox.annotations" (list . "podsecuritypolicy" "stackrox-scanner") | nindent 4 }}
-spec:
-  privileged: false
-  allowPrivilegeEscalation: false
-  volumes:
-    - 'configMap'
-    - 'emptyDir'
-    - 'projected'
-    - 'secret'
-    - 'downwardAPI'
-    - 'persistentVolumeClaim'
-  hostNetwork: false
-  hostIPC: false
-  hostPID: false
-  runAsUser:
-    rule: 'RunAsAny'
-  seLinux:
-    rule: 'RunAsAny'
-  supplementalGroups:
-    rule: 'RunAsAny'
-  fsGroup:
-    rule: 'RunAsAny'
-
+{{- if not ._rox.scanner.disable }}
 {{- if and ._rox.env.openshift ._rox.system.createSCCs }}
----
-
 kind: SecurityContextConstraints
 apiVersion: security.openshift.io/v1
 metadata:
@@ -147,6 +74,5 @@ subjects:
 - kind: ServiceAccount
   name: scanner
   namespace: {{ .Release.Namespace }}
-{{ end -}}
-
-{{ end -}}
+{{- end }}
+{{- end }}
@@ -120,3 +120,4 @@ meta:
 globalPrefix: null # string
 system:
   createSCCs: null # bool
+  enablePodSecurityPolicies: null # bool
@@ -82,6 +82,7 @@ defaults:
 
   system:
     createSCCs: [< not .Operator >]
+    enablePodSecurityPolicies: [< .EnablePodSecurityPolicies >]
 
   enableOpenShiftMonitoring: false
 

@@ -111,6 +111,8 @@ spec:
       kind: StorageClass
     - group: networking.istio.io
       kind: DestinationRule
+{{- if ._rox.system.enablePodSecurityPolicies }}
     - group: policy
       kind: PodSecurityPolicy
 {{- end }}
+{{- end }}
@@ -0,0 +1,80 @@
+{{- include "srox.init" . -}}
+
+{{- if and ._rox.central.enableCentralDB ._rox.system.enablePodSecurityPolicies }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "srox.globalResourceName" (list . "stackrox-central-db-psp") }}
+  labels:
+    {{- include "srox.labels" (list . "clusterrole" "stackrox-central-db-psp") | nindent 4 }}
+  annotations:
+    {{- include "srox.annotations" (list . "clusterrole" "stackrox-central-db-psp") | nindent 4 }}
+rules:
+  - apiGroups:
+      - policy
+    resources:
+      - podsecuritypolicies
+    resourceNames:
+      - {{ include "srox.globalResourceName" (list . "stackrox-central-db") }}
+    verbs:
+      - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: stackrox-central-db-psp
+  namespace: {{.Release.Namespace}}
+  labels:
+    {{- include "srox.labels" (list . "rolebinding" "stackrox-central-db-psp") | nindent 4 }}
+  annotations:
+    {{- include "srox.annotations" (list . "rolebinding" "stackrox-central-db-psp") | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "srox.globalResourceName" (list . "stackrox-central-db-psp") }}
+subjects:
+  - kind: ServiceAccount
+    name: central-db
+    namespace: {{.Release.Namespace}}
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ include "srox.globalResourceName" (list . "stackrox-central-db") }}
+  labels:
+    {{- include "srox.labels" (list . "podsecuritypolicy" "stackrox-central-db") | nindent 4 }}
+  annotations:
+    {{- include "srox.annotations" (list . "podsecuritypolicy" "stackrox-central-db") | nindent 4 }}
+spec:
+  privileged: false
+  allowPrivilegeEscalation: false
+  volumes:
+    - 'emptyDir'
+    - 'projected'
+    - 'secret'
+    - 'downwardAPI'
+    - 'persistentVolumeClaim'
+    - 'hostPath'
+  {{- if ._rox.central.persistence.hostPath }}
+  allowedHostPaths:
+    {{- /* TODO(ROX-9807): Use a designated path for central-db for now. Need to move hostPath from central to central-db */}}
+    - pathPrefix: {{._rox.central.persistence.hostPath}}-db
+  {{- end}}
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 70
+        max: 70
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 70
+        max: 70
+{{- end }}
-Original file line number
+Diff line change
@@ Expand Up / @@ -82,6 +82,7 @@ defaults: @@
       system:
         createSCCs: [< not .Operator >]
+        enablePodSecurityPolicies: [< .EnablePodSecurityPolicies >]
       enableOpenShiftMonitoring: false
@@ Expand Down @@