From 3c4ebf017209396f85094eaeba7ec7c5fbf46a43 Mon Sep 17 00:00:00 2001
From: Phil Sphicas <phil.sphicas@att.com>
Date: Sun, 1 Aug 2021 07:08:15 +0000
Subject: [PATCH] namespace-config: Grant access to existing PSP

This change updates the namespace-config chart to (optionally) create
RBAC rules allowing service accounts in the namespace 'use' access to an
existing Pod Security Policy in the cluster. The policy is specified as:

    podSecurityPolicy:
      existingPsp: name-of-existing-psp

This aligns with the PSP deprecation guidance provided to date [0],
which suggests easing the transition to the "PSP Replacement Policy" by
establishing the standard PSPs (Restricted, Baseline, and Privileged),
assigning a cluster-wide default, and binding more-permissive policies
as needed in certain namespaces.

[0] https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/

Change-Id: I46da230abf822e0cc3553561fd779444439c34a7
---
 namespace-config/Chart.yaml              |  2 +-
 namespace-config/templates/psp-rbac.yaml | 29 ++++++++++++++++++++++++
 namespace-config/values.yaml             |  6 +++++
 releasenotes/notes/namespace-config.yaml |  1 +
 4 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 namespace-config/templates/psp-rbac.yaml

diff --git a/namespace-config/Chart.yaml b/namespace-config/Chart.yaml
index 2e7e60b3d..f6da8d2e9 100644
--- a/namespace-config/Chart.yaml
+++ b/namespace-config/Chart.yaml
@@ -15,6 +15,6 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Namespace Config
 name: namespace-config
-version: 0.1.0
+version: 0.1.1
 home: https://kubernetes.io/docs/concepts/policy/limit-range/
 ...
diff --git a/namespace-config/templates/psp-rbac.yaml b/namespace-config/templates/psp-rbac.yaml
new file mode 100644
index 000000000..916a2c1c6
--- /dev/null
+++ b/namespace-config/templates/psp-rbac.yaml
@@ -0,0 +1,29 @@
+{{- if (not (empty .Values.podSecurityPolicy.existingPsp)) -}}
+{{- $name := printf "psp:%s:%s" .Release.Name .Values.podSecurityPolicy.existingPsp -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $name }}
+subjects:
+- kind: Group
+  name: system:serviceaccounts:{{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $name }}
+rules:
+- apiGroups:
+  - policy
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+  resourceNames:
+  - {{ .Values.podSecurityPolicy.existingPsp }}
+{{- end -}}
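Review bot: The templated scalars in this new file are emitted unquoted, so a PSP name that YAML types implicitly (a DNS-subdomain name such as `1.10` is legal for a Kubernetes object and parses as the float `1.1`) would produce a Role whose resourceNames entry no longer matches the policy, silently granting nothing. Pipe the values through Helm's `quote` on the three `name:` lines and the resourceNames entry, e.g. `name: {{ $name | quote }}` and `- {{ .Values.podSecurityPolicy.existingPsp | quote }}`. It would also help a reader to open the file with a comment stating that the binding's subject is the group `system:serviceaccounts:<namespace>`, i.e. every service account in the release namespace, not just the chart's own, since that is the scope of the `use` grant.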
diff --git a/namespace-config/values.yaml b/namespace-config/values.yaml
index 1df4eb122..ae3311d81 100644
--- a/namespace-config/values.yaml
+++ b/namespace-config/values.yaml
@@ -24,4 +24,10 @@ limits:
     defaultRequest:
       cpu: 0.1
       memory: 64Mi
+
+podSecurityPolicy:
+  # Optionally specify the name of an existing pod security policy.
+  # If specified, a role and rolebinding will be created granting access for
+  # service accounts in this namespace to use existingPsp.
+  existingPsp: ""
 ...
diff --git a/releasenotes/notes/namespace-config.yaml b/releasenotes/notes/namespace-config.yaml
index deb05966e..42d525ee3 100644
--- a/releasenotes/notes/namespace-config.yaml
+++ b/releasenotes/notes/namespace-config.yaml
@@ -1,4 +1,5 @@
 ---
 namespace-config:
   - 0.1.0 Initial Chart
+  - 0.1.1 Grant access to existing PodSecurityPolicy
 ...