From 225885f76eef52ac1b7d14353833d0b318359d9c Mon Sep 17 00:00:00 2001
From: Todd Malsbary <todd.malsbary@intel.com>
Date: Thu, 3 Jun 2021 17:05:16 -0700
Subject: The sink app needs the CAP_NET_RAW capability

The CAP_NET_RAW capability is not available with the default
PodSecurityPolicy.  Create a service account and role binding to the
privileged policy and specify the sink to use it.

Issue-ID: MULTICLOUD-1310
Signed-off-by: Todd Malsbary <todd.malsbary@intel.com>
Change-Id: Ib00ee1e8797d497d024a167fc9a0336d4c2a7ae1
---
 kud/demo/composite-firewall/sink/templates/_helpers.tpl | 11 +++++++++++
 .../composite-firewall/sink/templates/deployment.yaml   |  1 +
 .../composite-firewall/sink/templates/rolebinding.yaml  | 14 ++++++++++++++
 .../sink/templates/serviceaccount.yaml                  | 10 ++++++++++
 kud/demo/composite-firewall/sink/values.yaml            | 17 +++++++++++++++++
 5 files changed, 53 insertions(+)
 create mode 100644 kud/demo/composite-firewall/sink/templates/rolebinding.yaml
 create mode 100644 kud/demo/composite-firewall/sink/templates/serviceaccount.yaml

diff --git a/kud/demo/composite-firewall/sink/templates/_helpers.tpl b/kud/demo/composite-firewall/sink/templates/_helpers.tpl
index 7d82d08d..f60b7ce6 100644
--- a/kud/demo/composite-firewall/sink/templates/_helpers.tpl
+++ b/kud/demo/composite-firewall/sink/templates/_helpers.tpl
@@ -30,3 +30,14 @@ Create chart name and version as used by the chart label.
 {{- define "sink.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "sink.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "sink.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
diff --git a/kud/demo/composite-firewall/sink/templates/deployment.yaml b/kud/demo/composite-firewall/sink/templates/deployment.yaml
index f1f56b28..e65a64fb 100644
--- a/kud/demo/composite-firewall/sink/templates/deployment.yaml
+++ b/kud/demo/composite-firewall/sink/templates/deployment.yaml
@@ -18,6 +18,7 @@ spec:
         app: {{ include "sink.name" . }}
         release: {{ .Release.Name }}
     spec:
+      serviceAccountName: {{ include "sink.serviceAccountName" . }}
       containers:
       - name: {{ .Chart.Name }}
         image: "{{ .Values.image.sinkrepo }}:{{ .Values.image.sinktag }}"
diff --git a/kud/demo/composite-firewall/sink/templates/rolebinding.yaml b/kud/demo/composite-firewall/sink/templates/rolebinding.yaml
new file mode 100644
index 00000000..14c5b758
--- /dev/null
+++ b/kud/demo/composite-firewall/sink/templates/rolebinding.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "sink.fullname" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: psp:privileged
+subjects:
+- kind: ServiceAccount
+  name: {{ include "sink.serviceAccountName" . }}
+  namespace: {{ $.Release.Namespace }}
+{{- end }}
diff --git a/kud/demo/composite-firewall/sink/templates/serviceaccount.yaml b/kud/demo/composite-firewall/sink/templates/serviceaccount.yaml
new file mode 100644
index 00000000..2dcd900c
--- /dev/null
+++ b/kud/demo/composite-firewall/sink/templates/serviceaccount.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "sink.serviceAccountName" . }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end -}}
diff --git a/kud/demo/composite-firewall/sink/values.yaml b/kud/demo/composite-firewall/sink/values.yaml
index 245c9dea..b7ba1913 100644
--- a/kud/demo/composite-firewall/sink/values.yaml
+++ b/kud/demo/composite-firewall/sink/values.yaml
@@ -59,3 +59,20 @@ global:
   demoArtifactsVersion: 1.6.0
   dcaeCollectorIp: 10.0.4.1
   dcaeCollectorPort: 8081
+
+###
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name:
+
+## RBAC parameteres
+## https://kubernetes.io/docs/reference/access-authn-authz/rbac/
+##
+rbac:
+  create: true
-- 
cgit 1.2.3-korg