From 3d47849eed7a69914f34fb742d4f60d4a1e77f44 Mon Sep 17 00:00:00 2001
From: wilsonge
Date: Sat, 26 Feb 2022 11:35:00 +0000
Subject: [PATCH] Allow extra customisations of pod security policies in the chart

---
 .../templates/clusterrole-postgres-pod.yaml | 4 ++--
 charts/postgres-operator/templates/clusterrole.yaml | 4 ++--
 charts/postgres-operator/values.yaml | 5 +++++
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/charts/postgres-operator/templates/clusterrole-postgres-pod.yaml b/charts/postgres-operator/templates/clusterrole-postgres-pod.yaml
index 33c43822f..2b9c8b6f3 100644
--- a/charts/postgres-operator/templates/clusterrole-postgres-pod.yaml
+++ b/charts/postgres-operator/templates/clusterrole-postgres-pod.yaml
@@ -63,14 +63,14 @@ rules:
 - services
 verbs:
 - create
-{{- if toString .Values.configKubernetes.spilo_privileged | eq "true" }}
+{{- if or (toString .Values.configKubernetes.spilo_privileged | eq "true") (.Values.rbac.spiloRunWithPsp) }}
 # to run privileged pods
 - apiGroups:
 - extensions
 resources:
 - podsecuritypolicies
 resourceNames:
- - privileged
+ - {{ .Values.rbac.spiloPrivilegedPodSecurityPolicy }}
 verbs:
 - use
 {{- end }}
diff --git a/charts/postgres-operator/templates/clusterrole.yaml b/charts/postgres-operator/templates/clusterrole.yaml
index 87fd38cd2..a7a782fdf 100644
--- a/charts/postgres-operator/templates/clusterrole.yaml
+++ b/charts/postgres-operator/templates/clusterrole.yaml
@@ -230,14 +230,14 @@ rules:
 verbs:
 - get
 - create
-{{- if toString .Values.configKubernetes.spilo_privileged | eq "true" }}
+{{- if or (toString .Values.configKubernetes.spilo_privileged | eq "true") (.Values.rbac.operatorRunWithPsp) }}
 # to run privileged pods
 - apiGroups:
 - extensions
 resources:
 - podsecuritypolicies
 resourceNames:
- - privileged
+ - {{ .Values.rbac.operatorPrivilegedPodSecurityPolicy }}
 verbs:
 - use
 {{- end }}
diff --git a/charts/postgres-operator/values.yaml b/charts/postgres-operator/values.yaml
index 0602a0e93..3c4d8980f 100644
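Review bot: The new `resourceNames` entry renders `.Values.rbac.spiloPrivilegedPodSecurityPolicy` unquoted, so an empty or YAML-special value (this is installer-supplied chart input) becomes a `null` or malformed list entry instead of a clear render-time failure; I would write it as `- {{ required "rbac.spiloPrivilegedPodSecurityPolicy must be set" .Values.rbac.spiloPrivilegedPodSecurityPolicy | quote }}`. With `spiloRunWithPsp` the `use` grant now fires even when `spilo_privileged` is false and the PSP is whatever name the installer chose, so the unchanged `# to run privileged pods` comment no longer describes the rule; something like `# let the spilo pods use the configured PodSecurityPolicy (always needed when spilo_privileged is true)` would. The rule also still targets the legacy `extensions` API group for podsecuritypolicies; as far as I recall the PSP admission plugin accepts either `extensions` or `policy` for the `use` check, but PSP is removed in Kubernetes 1.25, so the values documentation for this option should state the supported cluster versions. The `rules:` list this hunk belongs to starts before the hunk.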
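Review bot: `operatorPrivilegedPodSecurityPolicy` is interpolated into `resourceNames` unquoted, with the same failure mode as the spilo ClusterRole — an unset value renders as a `null` entry rather than an error — so use `- {{ required "rbac.operatorPrivilegedPodSecurityPolicy must be set" .Values.rbac.operatorPrivilegedPodSecurityPolicy | quote }}`. Giving the operator's own service account `use` on a PSP named `privileged` by default is a broad grant; it is presumably needed because PSP admission authorises the creating user as well as the pod's service account, but that reasoning is not recorded anywhere, and the values file should tell installers to point `operatorPrivilegedPodSecurityPolicy` at the least-permissive PSP the spilo pods can actually run under. The `# to run privileged pods` comment is now wrong whenever `operatorRunWithPsp` is set together with a non-privileged PSP. The enclosing `rules:` list begins before this hunk.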
--- a/charts/postgres-operator/values.yaml
+++ b/charts/postgres-operator/values.yaml
@@ -372,6 +372,11 @@ rbac:
 create: true
 # Specifies whether ClusterRoles that are aggregated into the K8s default roles should be created. (https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings)
 createAggregateClusterRoles: false
+ # If cluster is set to run as privileged - which pod security policy should be used
+ operatorRunWithPsp: false
+ spiloRunWithPsp: false
+ spiloPrivilegedPodSecurityPolicy: privileged
+ operatorPrivilegedPodSecurityPolicy: privileged
 serviceAccount:
 # Specifies whether a ServiceAccount should be created
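Review bot: The single comment above the four new `rbac` keys is misleading: per the template changes, `operatorRunWithPsp` and `spiloRunWithPsp` grant `use` on the named PodSecurityPolicy regardless of `configKubernetes.spilo_privileged`, and the two `*PodSecurityPolicy` keys are only names, so "If cluster is set to run as privileged" describes neither. I would document each pair separately, e.g. `# Grant the operator / spilo service accounts 'use' on the PodSecurityPolicy named below even when configKubernetes.spilo_privileged is false` above the two booleans and `# Name of an existing PodSecurityPolicy to grant; 'privileged' is also what is granted when spilo_privileged is true` above the two names. The comment should also warn that `privileged` is the widest possible PSP and that a purpose-built policy is preferable, and that the PSP must already exist in the cluster since the chart does not create it. Given that PodSecurityPolicy is removed in Kubernetes 1.25, a one-line note on which cluster versions these options apply to would save installers a surprise.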