add psp option

K8s/helm/templates/cart-deployment.yaml

@@ -14,6 +14,9 @@ spec:
       labels:
         service: cart
     spec:
+      {{ if .Values.psp.enabled }}
+      serviceAccountName: robot-shop
+      {{ end }}
       containers:
       - name: cart
         image: {{ .Values.image.repo }}/rs-cart:{{ .Values.image.version }}

K8s/helm/templates/catalogue-deployment.yaml

@@ -14,6 +14,9 @@ spec:
       labels:
         service: catalogue
     spec:
+      {{ if .Values.psp.enabled }}
+      serviceAccountName: robot-shop
+      {{ end }}
       containers:
       - name: catalogue
         image: {{ .Values.image.repo }}/rs-catalogue:{{ .Values.image.version }}

K8s/helm/templates/clusterrole.yaml

@@ -0,0 +1,15 @@
+{{ if .Values.psp.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: robot-shop
+rules:
+- apiGroups:
+  - policy
+  resourceNames:
+  - robot-shop
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+{{ end }}

K8s/helm/templates/clusterrolebinding.yaml

@@ -0,0 +1,14 @@
+{{ if .Values.psp.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: robot-shop
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: robot-shop
+subjects:
+- kind: ServiceAccount
+  name: robot-shop
+  namespace: robot-shop
+{{ end }}

K8s/helm/templates/dispatch-deployment.yaml

@@ -14,6 +14,9 @@ spec:
       labels:
         service: dispatch
     spec:
+      {{ if .Values.psp.enabled }}
+      serviceAccountName: robot-shop
+      {{ end }}
       containers:
       - name: dispatch
         image: {{ .Values.image.repo }}/rs-dispatch:{{ .Values.image.version }}

K8s/helm/templates/mongodb-deployment.yaml

@@ -14,6 +14,9 @@ spec:
       labels:
         service: mongodb
     spec:
+      {{ if .Values.psp.enabled }}
+      serviceAccountName: robot-shop
+      {{ end }}
       containers:
       - name: mongodb
         image: {{ .Values.image.repo }}/rs-mongodb:{{ .Values.image.version }}

K8s/helm/templates/mysql-deployment.yaml

@@ -16,6 +16,9 @@ spec:
       annotations:
         sidecar.istio.io/inject: "false"
     spec:
+      {{ if .Values.psp.enabled }}
+      serviceAccountName: robot-shop
+      {{ end }}
       containers:
       - name: mysql
         image: {{ .Values.image.repo }}/rs-mysql-db:{{ .Values.image.version }}

K8s/helm/templates/payment-deployment.yaml

@@ -17,6 +17,9 @@ spec:
         service: payment
         stage: prod
     spec:
+      {{ if .Values.psp.enabled }}
+      serviceAccountName: robot-shop
+      {{ end }}
       containers:
       - name: payment
         image: {{ .Values.image.repo }}/rs-payment:{{ .Values.image.version }}

K8s/helm/templates/podsecuritypolicy.yaml

@@ -0,0 +1,26 @@
+{{ if .Values.psp.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: robot-shop
+spec:
+  allowPrivilegeEscalation: false
+  fsGroup:
+    rule: RunAsAny
+  privileged: false
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  allowedCapabilities:
+  - 'NET_ADMIN'
+  volumes:
+  - configMap
+  - downwardAPI
+  - emptyDir
+  - persistentVolumeClaim
+  - secret
+  - projected
+{{ end }}

K8s/helm/templates/rabbitmq-deployment.yaml

@@ -14,6 +14,9 @@ spec:
       labels:
         service: rabbitmq
     spec:
+      {{ if .Values.psp.enabled }}
+      serviceAccountName: robot-shop
+      {{ end }}
       containers:
       - name: rabbitmq
         image: rabbitmq:3.7-management-alpine

K8s/helm/templates/ratings-deployment.yaml

@@ -14,6 +14,9 @@ spec:
       labels:
         service: ratings
     spec:
+      {{ if .Values.psp.enabled }}
+      serviceAccountName: robot-shop
+      {{ end }}
       containers:
       - name: ratings
         image: {{ .Values.image.repo }}/rs-ratings:{{ .Values.image.version }}

K8s/helm/templates/redis-deployment.yaml

@@ -14,6 +14,9 @@ spec:
       labels:
         service: redis
     spec:
+      {{ if .Values.psp.enabled }}
+      serviceAccountName: robot-shop
+      {{ end }}
       containers:
       - name: redis
         image: redis:4.0.6

K8s/helm/templates/serviceaccount.yaml

@@ -0,0 +1,7 @@
+{{ if .Values.psp.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: robot-shop
+  namespace: robot-shop
+{{ end }}

K8s/helm/templates/shipping-deployment.yaml

@@ -14,6 +14,9 @@ spec:
       labels:
         service: shipping
     spec:
+      {{ if .Values.psp.enabled }}
+      serviceAccountName: robot-shop
+      {{ end }}
       containers:
       - name: shipping
         image: {{ .Values.image.repo }}/rs-shipping:{{ .Values.image.version }}

K8s/helm/templates/user-deployment.yaml

@@ -14,6 +14,9 @@ spec:
       labels:
         service: user
     spec:
+      {{ if .Values.psp.enabled }}
+      serviceAccountName: robot-shop
+      {{ end }}
       containers:
       - name: user
         image: {{ .Values.image.repo }}/rs-user:{{ .Values.image.version }}

K8s/helm/templates/web-deployment.yaml

@@ -14,6 +14,9 @@ spec:
       labels:
         service: web
     spec:
+      {{ if .Values.psp.enabled }}
+      serviceAccountName: robot-shop
+      {{ end }}
       containers:
       - name: web
         image: {{ .Values.image.repo }}/rs-web:{{ .Values.image.version }}

K8s/helm/values.yaml

@@ -17,3 +17,7 @@ eum:
   url: https://eum-eu-west-1.instana.io
   #url: https://eum-us-west-2.instana.io
 
+# Pod Security Policy
+psp:
+  enabled: false
+