authorTodd Malsbary <todd.malsbary@intel.com>2021-06-03 17:05:16 -0700
committerTodd Malsbary <todd.malsbary@intel.com>2021-06-04 14:25:36 -0700
commit225885f76eef52ac1b7d14353833d0b318359d9c (patch)
tree4fdc2b8cfb088cc23bbc5776edb136e2a7c711e4
parent99f2be307f194e1f6a60e4098e82f6775c8dad5b (diff)
The sink app needs the CAP_NET_RAW capability
The CAP_NET_RAW capability is not available with the default PodSecurityPolicy. Create a service account and role binding to the privileged policy and specify the sink to use it. Issue-ID: MULTICLOUD-1310 Signed-off-by: Todd Malsbary <todd.malsbary@intel.com> Change-Id: Ib00ee1e8797d497d024a167fc9a0336d4c2a7ae1
-rw-r--r--kud/demo/composite-firewall/sink/templates/_helpers.tpl11
-rw-r--r--kud/demo/composite-firewall/sink/templates/deployment.yaml1
-rw-r--r--kud/demo/composite-firewall/sink/templates/rolebinding.yaml14
-rw-r--r--kud/demo/composite-firewall/sink/templates/serviceaccount.yaml10
-rw-r--r--kud/demo/composite-firewall/sink/values.yaml17
5 files changed, 53 insertions, 0 deletions
diff --git a/kud/demo/composite-firewall/sink/templates/_helpers.tpl b/kud/demo/composite-firewall/sink/templates/_helpers.tpl
index 7d82d08d..f60b7ce6 100644
--- a/kud/demo/composite-firewall/sink/templates/_helpers.tpl
+++ b/kud/demo/composite-firewall/sink/templates/_helpers.tpl
@@ -30,3 +30,14 @@ Create chart name and version as used by the chart label.
{{- define "sink.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "sink.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+ {{ default (include "sink.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
diff --git a/kud/demo/composite-firewall/sink/templates/deployment.yaml b/kud/demo/composite-firewall/sink/templates/deployment.yaml
index f1f56b28..e65a64fb 100644
--- a/kud/demo/composite-firewall/sink/templates/deployment.yaml
+++ b/kud/demo/composite-firewall/sink/templates/deployment.yaml
@@ -18,6 +18,7 @@ spec:
app: {{ include "sink.name" . }}
release: {{ .Release.Name }}
spec:
+ serviceAccountName: {{ include "sink.serviceAccountName" . }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.sinkrepo }}:{{ .Values.image.sinktag }}"
diff --git a/kud/demo/composite-firewall/sink/templates/rolebinding.yaml b/kud/demo/composite-firewall/sink/templates/rolebinding.yaml
new file mode 100644
index 00000000..14c5b758
--- /dev/null
+++ b/kud/demo/composite-firewall/sink/templates/rolebinding.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "sink.fullname" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: psp:privileged
+subjects:
+- kind: ServiceAccount
+ name: {{ include "sink.serviceAccountName" . }}
+ namespace: {{ $.Release.Namespace }}
+{{- end }}
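Review bot: The roleRef at the `name: psp:privileged` line grants the sink service account the entire privileged PodSecurityPolicy — privileged containers, host namespaces, any capability — which is far wider than the CAP_NET_RAW the commit message says the sink needs. A PodSecurityPolicy whose `allowedCapabilities` lists only `NET_RAW`, with a ClusterRole that can `use` it, bound here in place of `psp:privileged`, would keep the grant to what the app actually requires; `psp:privileged` is also a cluster-specific ClusterRole name that this chart now assumes exists. With `rbac.create: true` but `serviceAccount.create: false` and no name set, `sink.serviceAccountName` falls back to `default`, so this binding would hand the privileged policy to every pod in the namespace running as the default service account. Gating the template on `{{- if and .Values.rbac.create .Values.serviceAccount.create }}` or requiring an explicit name avoids that.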
diff --git a/kud/demo/composite-firewall/sink/templates/serviceaccount.yaml b/kud/demo/composite-firewall/sink/templates/serviceaccount.yaml
new file mode 100644
index 00000000..2dcd900c
--- /dev/null
+++ b/kud/demo/composite-firewall/sink/templates/serviceaccount.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "sink.serviceAccountName" . }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end -}}
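Review bot: The ServiceAccount created here has no `automountServiceAccountToken` setting, so every sink pod gets an API token mounted even though nothing in the change shows the sink talking to the Kubernetes API. Because this account is also the subject of the privileged-policy binding in rolebinding.yaml, leaving an unused token in the container is a needless exposure. Adding `automountServiceAccountToken: false` under the ServiceAccount (or in the pod spec) closes that off; if the sink does need API access, a values flag for it would make the choice explicit.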
diff --git a/kud/demo/composite-firewall/sink/values.yaml b/kud/demo/composite-firewall/sink/values.yaml
index 245c9dea..b7ba1913 100644
--- a/kud/demo/composite-firewall/sink/values.yaml
+++ b/kud/demo/composite-firewall/sink/values.yaml
@@ -59,3 +59,20 @@ global:
demoArtifactsVersion: 1.6.0
dcaeCollectorIp: 10.0.4.1
dcaeCollectorPort: 8081
+
+###
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # Annotations to add to the service account
+ annotations: {}
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name:
+
+## RBAC parameteres
+## https://kubernetes.io/docs/reference/access-authn-authz/rbac/
+##
+rbac:
+ create: true
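Review bot: The `rbac.create: true` default at the end of the hunk means the chart binds the sink to the privileged PodSecurityPolicy out of the box, but the only comment on it is the generic `## RBAC parameteres` line (which also misspells "parameters"). A comment stating why, e.g. `# Bind the service account to the privileged PodSecurityPolicy; the sink needs CAP_NET_RAW`, would tell operators what they are giving up if they set it to false. `name:` with no value parses as null; the helper's `default` handles that, but `name: ""` reads as an intentional empty string rather than a forgotten value.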