Adds an addon for podSecurityPolicies

Signed-off-by: ArthurSens <arthursens2005@gmail.com>

examples/pod-security-policies.jsonnet

@@ -0,0 +1,23 @@
+local kp =
+  (import 'kube-prometheus/main.libsonnet') +
+  (import 'kube-prometheus/addons/podsecuritypolicies.libsonnet');
+
+{ 'setup/0namespace-namespace': kp.kubePrometheus.namespace } +
+// Add the restricted psp to setup
+{ 'setup/0podsecuritypolicy-restricted': kp.restrictedPodSecurityPolicy } +
+{
+  ['setup/prometheus-operator-' + name]: kp.prometheusOperator[name]
+  for name in std.filter((function(name) name != 'serviceMonitor' && name != 'prometheusRule'), std.objectFields(kp.prometheusOperator))
+} +
+// serviceMonitor and prometheusRule are separated so that they can be created after the CRDs are ready
+{ 'prometheus-operator-serviceMonitor': kp.prometheusOperator.serviceMonitor } +
+{ 'prometheus-operator-prometheusRule': kp.prometheusOperator.prometheusRule } +
+{ 'kube-prometheus-prometheusRule': kp.kubePrometheus.prometheusRule } +
+{ ['alertmanager-' + name]: kp.alertmanager[name] for name in std.objectFields(kp.alertmanager) } +
+{ ['blackbox-exporter-' + name]: kp.blackboxExporter[name] for name in std.objectFields(kp.blackboxExporter) } +
+{ ['grafana-' + name]: kp.grafana[name] for name in std.objectFields(kp.grafana) } +
+{ ['kube-state-metrics-' + name]: kp.kubeStateMetrics[name] for name in std.objectFields(kp.kubeStateMetrics) } +
+{ ['kubernetes-' + name]: kp.kubernetesControlPlane[name] for name in std.objectFields(kp.kubernetesControlPlane) }
+{ ['node-exporter-' + name]: kp.nodeExporter[name] for name in std.objectFields(kp.nodeExporter) } +
+{ ['prometheus-' + name]: kp.prometheus[name] for name in std.objectFields(kp.prometheus) } +
+{ ['prometheus-adapter-' + name]: kp.prometheusAdapter[name] for name in std.objectFields(kp.prometheusAdapter) }

jsonnet/kube-prometheus/addons/podsecuritypolicies.libsonnet

@@ -0,0 +1,242 @@
+local restrictedPodSecurityPolicy = {
+  apiVersion: 'policy/v1beta1',
+  kind: 'PodSecurityPolicy',
+  metadata: {
+    name: 'restricted',
+  },
+  spec: {
+    privileged: false,
+    // Required to prevent escalations to root.
+    allowPrivilegeEscalation: false,
+    // This is redundant with non-root + disallow privilege escalation,
+    // but we can provide it for defense in depth.
+    requiredDropCapabilities: ['ALL'],
+    // Allow core volume types.
+    volumes: [
+      'configMap',
+      'emptyDir',
+      'secret',
+      // Assume that persistentVolumes set up by the cluster admin are safe to use.
+      'persistentVolumeClaim',
+    ],
+    hostNetwork: false,
+    hostIPC: false,
+    hostPID: false,
+    runAsUser: {
+      // Require the container to run without root privileges.
+      rule: 'MustRunAsNonRoot',
+    },
+    seLinux: {
+      // This policy assumes the nodes are using AppArmor rather than SELinux.
+      rule: 'RunAsAny',
+    },
+    supplementalGroups: {
+      rule: 'MustRunAs',
+      ranges: [{
+        // Forbid adding the root group.
+        min: 1,
+        max: 65535,
+      }],
+    },
+    fsGroup: {
+      rule: 'MustRunAs',
+      ranges: [{
+        // Forbid adding the root group.
+        min: 1,
+        max: 65535,
+      }],
+    },
+    readOnlyRootFilesystem: false,
+  },
+};
+
+{
+  restrictedPodSecurityPolicy: restrictedPodSecurityPolicy,
+
+  alertmanager+: {
+    role: {
+      apiVersion: 'rbac.authorization.k8s.io/v1',
+      kind: 'Role',
+      metadata: {
+        name: 'alertmanager-' + $.values.alertmanager.name,
+      },
+      rules: [{
+        apiGroups: ['policy'],
+        resources: ['podsecuritypolicies'],
+        verbs: ['use'],
+        resourceNames: [restrictedPodSecurityPolicy.metadata.name],
+      }],
+    },
+
+    roleBinding: {
+      apiVersion: 'rbac.authorization.k8s.io/v1',
+      kind: 'RoleBinding',
+      metadata: {
+        name: 'alertmanager-' + $.values.alertmanager.name,
+      },
+      roleRef: {
+        apiGroup: 'rbac.authorization.k8s.io',
+        kind: 'Role',
+        name: 'alertmanager-' + $.values.alertmanager.name,
+      },
+      subjects: [{
+        kind: 'ServiceAccount',
+        name: 'alertmanager-' + $.values.alertmanager.name,
+        namespace: $.values.alertmanager.namespace,
+      }],
+    },
+  },
+
+  blackboxExporter+: {
+    clusterRole+: {
+      rules+: [
+        {
+          apiGroups: ['policy'],
+          resources: ['podsecuritypolicies'],
+          verbs: ['use'],
+          resourceNames: ['blackbox-exporter-psp'],
+        },
+      ],
+    },
+
+    podSecurityPolicy:
+      local blackboxExporterPspPrivileged =
+        if $.blackboxExporter.config.privileged then
+          {
+            metadata+: {
+              name: 'blackbox-exporter-psp',
+            },
+            spec+: {
+              privileged: true,
+              allowedCapabilities: ['NET_RAW'],
+              runAsUser: {
+                rule: 'RunAsAny',
+              },
+            },
+          }
+        else
+          {};
+
+      restrictedPodSecurityPolicy + blackboxExporterPspPrivileged,
+  },
+
+  grafana+: {
+    role: {
+      apiVersion: 'rbac.authorization.k8s.io/v1',
+      kind: 'Role',
+      metadata: {
+        name: 'grafana',
+      },
+      rules: [{
+        apiGroups: ['policy'],
+        resources: ['podsecuritypolicies'],
+        verbs: ['use'],
+        resourceNames: [restrictedPodSecurityPolicy.metadata.name],
+      }],
+    },
+
+    roleBinding: {
+      apiVersion: 'rbac.authorization.k8s.io/v1',
+      kind: 'RoleBinding',
+      metadata: {
+        name: 'grafana',
+      },
+      roleRef: {
+        apiGroup: 'rbac.authorization.k8s.io',
+        kind: 'Role',
+        name: 'grafana',
+      },
+      subjects: [{
+        kind: 'ServiceAccount',
+        name: $.grafana.serviceAccount.metadata.name,
+        namespace: $.grafana.serviceAccount.metadata.namespace,
+      }],
+    },
+  },
+
+  kubeStateMetrics+: {
+    clusterRole+: {
+      rules+: [{
+        apiGroups: ['policy'],
+        resources: ['podsecuritypolicies'],
+        verbs: ['use'],
+        resourceNames: [restrictedPodSecurityPolicy.metadata.name],
+      }],
+    },
+  },
+
+  nodeExporter+: {
+    clusterRole+: {
+      rules+: [{
+        apiGroups: ['policy'],
+        resources: ['podsecuritypolicies'],
+        verbs: ['use'],
+        resourceNames: ['node-exporter-psp'],
+      }],
+    },
+
+    podSecurityPolicy: restrictedPodSecurityPolicy {
+      metadata+: {
+        name: 'node-exporter-psp',
+      },
+      spec+: {
+        allowedHostPaths+: [
+          {
+            pathPrefix: '/proc',
+            readOnly: true,
+          },
+          {
+            pathPrefix: '/sys',
+            readOnly: true,
+          },
+          {
+            pathPrefix: '/',
+            readOnly: true,
+          },
+        ],
+        hostNetwork: true,
+        hostPID: true,
+        hostPorts: [
+          {
+            max: 9100,
+            min: 9100,
+          },
+        ],
+        readOnlyRootFilesystem: true,
+      },
+    },
+  },
+
+  prometheusAdapter+: {
+    clusterRole+: {
+      rules+: [{
+        apiGroups: ['policy'],
+        resources: ['podsecuritypolicies'],
+        verbs: ['use'],
+        resourceNames: [restrictedPodSecurityPolicy.metadata.name],
+      }],
+    },
+  },
+
+  prometheusOperator+: {
+    clusterRole+: {
+      rules+: [{
+        apiGroups: ['policy'],
+        resources: ['podsecuritypolicies'],
+        verbs: ['use'],
+        resourceNames: [restrictedPodSecurityPolicy.metadata.name],
+      }],
+    },
+  },
+
+  prometheus+: {
+    clusterRole+: {
+      rules+: [{
+        apiGroups: ['policy'],
+        resources: ['podsecuritypolicies'],
+        verbs: ['use'],
+        resourceNames: [restrictedPodSecurityPolicy.metadata.name],
+      }],
+    },
+  },
+}