Merge pull request #16 from goci-io/shorten-rbac

feat: default allow all users to use default psp
goci-io · May 23, 2020 · a71e25b · a71e25b
2 parents 0b5c9a3 + 166f15d
commit a71e25b
Show file tree

Hide file tree

Showing 4 changed files with 50 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -4,7 +4,7 @@
 
 ![terraform](https://github.com/goci-io/k8s-namespace-provisioning/workflows/terraform/badge.svg?branch=master)
 
-This terraform module provisions a ready to use namespace with docker registry secrets, resource quotas, limits and a service account with limited rbac permissions.
+This terraform module provisions a ready to use namespace with docker registry secrets, resource quotas and limits. Additionally it allows everyone in the namespace to use a Pod security policy specified by `pod_security_policy_name`. This behaviour can also be disabled. We suggest to install a default PSP which does not allow Pods without a Security Context or using inapproriate permissions.
 
 ### Usage
 

diff --git a/psp.tf b/psp.tf
@@ -0,0 +1,36 @@
+resource "kubernetes_role" "use_psp" {
+  count = var.enable_pod_security_policy ? 1 : 0
+
+  metadata {
+    name      = "psp-${var.pod_security_policy_name}"
+    namespace = kubernetes_namespace.namespace.metadata.0.name
+  }
+
+  rule {
+    api_groups     = ["policy"]
+    verbs          = ["use"]
+    resources      = ["podsecuritypolicies"]
+    resource_names = [var.pod_security_policy_name]
+  }
+}
+
+resource "kubernetes_role_binding" "psp_binding" {
+  count = var.enable_pod_security_policy ? 1 : 0
+
+  metadata {
+    name      = "psp-${var.pod_security_policy_name}"
+    namespace = kubernetes_namespace.namespace.metadata.0.name
+  }
+
+  role_ref {
+    name      = join("", kubernetes_role.use_psp.*.metadata.0.name)
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "Role"
+  }
+
+  subject {
+    kind      = "Group"
+    name      = "system:authenticated"
+    namespace = kubernetes_namespace.namespace.metadata.0.name
+  }
+}
diff --git a/terraform.tfvars.example b/terraform.tfvars.example
@@ -13,4 +13,4 @@ image_pull_secrets = {
   docker config file
 }
 EOF
-}
+}
diff --git a/variables.tf b/variables.tf
@@ -42,12 +42,6 @@ variable "image_pull_secrets" {
   description = "Pull secrets to provide to the service account to fetch docker images"
 }
 
-variable "enabled_rbac_binding" {
-  type        = bool
-  default     = true
-  description = "Deploys additional RBAC role binding to a service account named like the namespace (+-apps)"
-}
-
 variable "max_pv_claims" {
   type        = number
   default     = 30
@@ -107,6 +101,18 @@ variable "service_accounts" {
   description = "Creates additional service accounts with a dedicated RBAC role"
 }
 
+variable "enable_pod_security_policy" {
+  type        = bool
+  default     = true
+  description = "Deploys a Pod Security Policy which does not allow root or host access"
+}
+
+variable "pod_security_policy_name" {
+  type        = string
+  default     = "default"
+  description = "Allows all authenticated users/service accounts in the current namespace to use the specified security policy"
+}
+
 variable "enable_network_policies" {
   type        = bool
   default     = true
-Original file line number
+Diff line change
@@ Expand Up / @@ -13,4 +13,4 @@ image_pull_secrets = { @@
       docker config file
     }
     EOF
-    }
+    }