add psp option
@@ -14,6 +14,9 @@ spec:
|
||||
labels:
|
||||
service: cart
|
||||
spec:
|
||||
{{ if .Values.psp.enabled }}
|
||||
serviceAccountName: robot-shop
|
||||
{{ end }}
|
||||
containers:
|
||||
- name: cart
|
||||
image: {{ .Values.image.repo }}/rs-cart:{{ .Values.image.version }}
|
||||
|
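Review bot: The `{{ if .Values.psp.enabled }}` / `{{ end }}` pair in the pod spec is written without whitespace trimming, so with the option disabled the rendered Deployment carries two blank lines where the guard was, and with it enabled an extra blank line on each side of `serviceAccountName`. Harmless to the API server, but `helm template` output and diffs are cleaner with `{{- if .Values.psp.enabled }}` and `{{- end }}`; the same applies to every deployment hunk in this commit. The enclosing Deployment spec starts and ends outside the hunk.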
@@ -14,6 +14,9 @@ spec:
|
||||
labels:
|
||||
service: catalogue
|
||||
spec:
|
||||
{{ if .Values.psp.enabled }}
|
||||
serviceAccountName: robot-shop
|
||||
{{ end }}
|
||||
containers:
|
||||
- name: catalogue
|
||||
image: {{ .Values.image.repo }}/rs-catalogue:{{ .Values.image.version }}
|
||||
|
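--- /dev/null
+++ b/K8s/helm/templates/clusterrole.yaml
@@ -0,0 +1,15 @@
+{{ if .Values.psp.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: robot-shop
+rules:
+- apiGroups:
+  - policy
+  resourceNames:
+  - robot-shop
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+{{ end }}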
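Review bot: The ClusterRole is a cluster-scoped object with the hard-coded name `robot-shop`, as are the PodSecurityPolicy it references in `resourceNames` and the ClusterRoleBinding added alongside it; a second release of this chart in the same cluster would fight over the same three objects. If installing more than one release per cluster is meant to work, derive the names from the release, e.g. `name: {{ .Release.Name }}-psp`, and use the same expression in `resourceNames` here and in `roleRef` of the binding. The rule itself is correctly minimal: `use` on exactly one PSP is all the admission controller needs.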
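--- /dev/null
+++ b/K8s/helm/templates/clusterrolebinding.yaml
@@ -0,0 +1,14 @@
+{{ if .Values.psp.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: robot-shop
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: robot-shop
+subjects:
+- kind: ServiceAccount
+  name: robot-shop
+  namespace: robot-shop
+{{ end }}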
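Review bot: The subject's `namespace: robot-shop` is hard-coded, so a release installed into any other namespace binds the PSP to a ServiceAccount that does not exist there, and with the PodSecurityPolicy admission controller active the Deployments' pods are rejected because their account has no usable policy. Use `namespace: {{ .Release.Namespace }}` so the binding follows the release. Since the only subject is one namespaced ServiceAccount, a RoleBinding in that namespace (still referencing the ClusterRole) would also grant the `use` verb and keeps the grant off the cluster scope.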
@@ -14,6 +14,9 @@ spec:
|
||||
labels:
|
||||
service: dispatch
|
||||
spec:
|
||||
{{ if .Values.psp.enabled }}
|
||||
serviceAccountName: robot-shop
|
||||
{{ end }}
|
||||
containers:
|
||||
- name: dispatch
|
||||
image: {{ .Values.image.repo }}/rs-dispatch:{{ .Values.image.version }}
|
||||
|
@@ -14,6 +14,9 @@ spec:
|
||||
labels:
|
||||
service: mongodb
|
||||
spec:
|
||||
{{ if .Values.psp.enabled }}
|
||||
serviceAccountName: robot-shop
|
||||
{{ end }}
|
||||
containers:
|
||||
- name: mongodb
|
||||
image: {{ .Values.image.repo }}/rs-mongodb:{{ .Values.image.version }}
|
||||
|
@@ -16,6 +16,9 @@ spec:
|
||||
annotations:
|
||||
sidecar.istio.io/inject: "false"
|
||||
spec:
|
||||
{{ if .Values.psp.enabled }}
|
||||
serviceAccountName: robot-shop
|
||||
{{ end }}
|
||||
containers:
|
||||
- name: mysql
|
||||
image: {{ .Values.image.repo }}/rs-mysql-db:{{ .Values.image.version }}
|
||||
|
@@ -17,6 +17,9 @@ spec:
|
||||
service: payment
|
||||
stage: prod
|
||||
spec:
|
||||
{{ if .Values.psp.enabled }}
|
||||
serviceAccountName: robot-shop
|
||||
{{ end }}
|
||||
containers:
|
||||
- name: payment
|
||||
image: {{ .Values.image.repo }}/rs-payment:{{ .Values.image.version }}
|
||||
|
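--- /dev/null
+++ b/K8s/helm/templates/podsecuritypolicy.yaml
@@ -0,0 +1,26 @@
+{{ if .Values.psp.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: robot-shop
+spec:
+  allowPrivilegeEscalation: false
+  fsGroup:
+    rule: RunAsAny
+  privileged: false
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  allowedCapabilities:
+  - 'NET_ADMIN'
+  volumes:
+  - configMap
+  - downwardAPI
+  - emptyDir
+  - persistentVolumeClaim
+  - secret
+  - projected
+{{ end }}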
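Review bot: `allowedCapabilities: NET_ADMIN` is granted to every pod that uses the shared `robot-shop` account, which in this commit is all twelve workloads, and nothing in the diff shows which container actually adds it (presumably an Istio init container, given the `sidecar.istio.io/inject` annotation on the mysql pod, but that is a guess). Without a `requiredDropCapabilities` entry the containers also keep the runtime's default capability set, so the policy does less than it appears to; adding `requiredDropCapabilities: ['ALL']` makes NET_ADMIN an explicit opt-in via `securityContext.capabilities.add` and strips everything else. `runAsUser: RunAsAny` still permits root; `MustRunAsNonRoot` is the stronger setting but may break the database images, so verify before tightening. A one-line comment above `allowedCapabilities` naming the workload that needs NET_ADMIN would save the next reader the same investigation.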
@@ -14,6 +14,9 @@ spec:
|
||||
labels:
|
||||
service: rabbitmq
|
||||
spec:
|
||||
{{ if .Values.psp.enabled }}
|
||||
serviceAccountName: robot-shop
|
||||
{{ end }}
|
||||
containers:
|
||||
- name: rabbitmq
|
||||
image: rabbitmq:3.7-management-alpine
|
||||
|
@@ -14,6 +14,9 @@ spec:
|
||||
labels:
|
||||
service: ratings
|
||||
spec:
|
||||
{{ if .Values.psp.enabled }}
|
||||
serviceAccountName: robot-shop
|
||||
{{ end }}
|
||||
containers:
|
||||
- name: ratings
|
||||
image: {{ .Values.image.repo }}/rs-ratings:{{ .Values.image.version }}
|
||||
|
@@ -14,6 +14,9 @@ spec:
|
||||
labels:
|
||||
service: redis
|
||||
spec:
|
||||
{{ if .Values.psp.enabled }}
|
||||
serviceAccountName: robot-shop
|
||||
{{ end }}
|
||||
containers:
|
||||
- name: redis
|
||||
image: redis:4.0.6
|
||||
|
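--- /dev/null
+++ b/K8s/helm/templates/serviceaccount.yaml
@@ -0,0 +1,7 @@
+{{ if .Values.psp.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: robot-shop
+  namespace: robot-shop
+{{ end }}
</update_placeholder_never_used>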
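Review bot: The hard-coded `namespace: robot-shop` puts the ServiceAccount in a fixed namespace regardless of where the release is installed, while the Deployments reference `serviceAccountName: robot-shop` in the release namespace; installed anywhere else, the pods fail admission for a missing account. Either drop the `namespace` line (Helm installs into the release namespace) or use `namespace: {{ .Release.Namespace }}`, matching the ClusterRoleBinding subject. The account exists only so admission can match the pod against the PSP; nothing in this commit shows the workloads calling the API, so `automountServiceAccountToken: false` on the account keeps a token out of all twelve pods.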
@@ -14,6 +14,9 @@ spec:
|
||||
labels:
|
||||
service: shipping
|
||||
spec:
|
||||
{{ if .Values.psp.enabled }}
|
||||
serviceAccountName: robot-shop
|
||||
{{ end }}
|
||||
containers:
|
||||
- name: shipping
|
||||
image: {{ .Values.image.repo }}/rs-shipping:{{ .Values.image.version }}
|
||||
|
@@ -14,6 +14,9 @@ spec:
|
||||
labels:
|
||||
service: user
|
||||
spec:
|
||||
{{ if .Values.psp.enabled }}
|
||||
serviceAccountName: robot-shop
|
||||
{{ end }}
|
||||
containers:
|
||||
- name: user
|
||||
image: {{ .Values.image.repo }}/rs-user:{{ .Values.image.version }}
|
||||
|
@@ -14,6 +14,9 @@ spec:
|
||||
labels:
|
||||
service: web
|
||||
spec:
|
||||
{{ if .Values.psp.enabled }}
|
||||
serviceAccountName: robot-shop
|
||||
{{ end }}
|
||||
containers:
|
||||
- name: web
|
||||
image: {{ .Values.image.repo }}/rs-web:{{ .Values.image.version }}
|
||||
|
@@ -17,3 +17,7 @@ eum:
|
||||
url: https://eum-eu-west-1.instana.io
|
||||
#url: https://eum-us-west-2.instana.io
|
||||
|
||||
# Pod Security Policy
|
||||
psp:
|
||||
enabled: false
|
||||
|
||||
|
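Review bot: The `# Pod Security Policy` comment does not tell an operator what flipping `enabled` does or what it requires: enabling creates a PodSecurityPolicy, a ServiceAccount and the ClusterRole/ClusterRoleBinding to use it, and switches every pod in the chart to that account; it has no effect unless the cluster runs the PodSecurityPolicy admission controller. A caveat is also warranted that PodSecurityPolicy was removed from Kubernetes in 1.25, so on current clusters the option should stay `false` and Pod Security Admission is the replacement. A comment along those lines, two or three lines above `psp:`, is enough.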