From 1234c223e01d634fb73c8d7b9d3e3440a668e371 Mon Sep 17 00:00:00 2001
From: mrMigles
Date: Sun, 19 Oct 2025 17:20:52 +0500
Subject: [PATCH] Automatic patch PSS for namespace
---
 .../pre-deploy/temp/patch-pss-job.yaml | 64 +++++++++++++++++++
 .../pre-deploy/temp/patch-pss-role.yaml | 19 ++++++
 .../temp/patch-pss-rolebinding.yaml | 16 +++++
 .../temp/patch-pss-serviceaccount.yaml | 15 +++++
 .../update-resources-job.yaml | 0
 .../update-resources-role.yaml | 0
 .../update-resources-rolebinding.yaml | 0
 .../update-resources-serviceaccount.yaml | 0
 8 files changed, 114 insertions(+)
 create mode 100644 charts/helm/consul-service/templates/pre-deploy/temp/patch-pss-job.yaml
 create mode 100644 charts/helm/consul-service/templates/pre-deploy/temp/patch-pss-role.yaml
 create mode 100644 charts/helm/consul-service/templates/pre-deploy/temp/patch-pss-rolebinding.yaml
 create mode 100644 charts/helm/consul-service/templates/pre-deploy/temp/patch-pss-serviceaccount.yaml
 rename charts/helm/consul-service/templates/{update-resources => pre-deploy}/update-resources-job.yaml (100%)
 rename charts/helm/consul-service/templates/{update-resources => pre-deploy}/update-resources-role.yaml (100%)
 rename charts/helm/consul-service/templates/{update-resources => pre-deploy}/update-resources-rolebinding.yaml (100%)
 rename charts/helm/consul-service/templates/{update-resources => pre-deploy}/update-resources-serviceaccount.yaml (100%)
diff --git a/charts/helm/consul-service/templates/pre-deploy/temp/patch-pss-job.yaml b/charts/helm/consul-service/templates/pre-deploy/temp/patch-pss-job.yaml
new file mode 100644
index 0000000..8459b79
--- /dev/null
+++ b/charts/helm/consul-service/templates/pre-deploy/temp/patch-pss-job.yaml
@@ -0,0 +1,64 @@
+{{ if and .Values.ENABLE_PRIVILEGED_PSS (eq (include "consul.restrictedEnvironment" .) "false") .Values.client.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ template "consul.fullname" . }}-patch-pss
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-weight": "1"
+ "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+spec:
+ template:
+ metadata:
+ name: {{ template "consul.fullname" . }}-patch-pss
+ labels:
+ app: {{ template "consul.name" . }}
+ chart: {{ template "consul.chart" . }}
+ release: {{ .Release.Name }}
+ component: pss-patch-resources
+ spec:
+ securityContext:
+ {{- include "consul.globalPodSecurityContext" . | nindent 8 }}
+ {{- with .Values.updateResourcesJob.securityContext }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ restartPolicy: Never
+ serviceAccountName: {{ template "consul.fullname" . }}-patch-pss
+ containers:
+ - name: upgrade-preparation
+ image: {{ template "kubectl.image" . }}
+ env:
+ - name: NAMESPACE
+ value: {{ .Release.Namespace }}
+ command:
+ - "/bin/bash"
+ - "-c"
+ - |
+ if [[ -z "$NAMESPACE" ]]; then
+ echo >&2 "Error: NAMESPACE is not set"
+ exit 121
+ fi
+
+ LABEL_VALUE=$(kubectl get ns "${NAMESPACE}" -o jsonpath='{.metadata.labels.pod-security\.kubernetes\.io/enforce}')
+ echo "Current enforce label for '${NAMESPACE}': ${LABEL_VALUE}"
+ if [[ "${LABEL_VALUE}" != "privileged" ]]; then
+ kubectl label --overwrite ns "${NAMESPACE}" pod-security.kubernetes.io/enforce=privileged
+ if [[ $?
-eq 0 ]]; then
+ echo "Namespace '${NAMESPACE}' was patched with privileged PSS"
+ else
+ echo >&2 "Failed to patch namespace '${NAMESPACE}'"
+ exit 1
+ fi
+ else
+ echo "Namespace '${NAMESPACE}' already has 'privileged' PSS"
+ fi
+ resources:
+ requests:
+ cpu: {{ default "75m" .Values.updateResourcesJob.resources.requests.cpu }}
+ memory: {{ default "75Mi" .Values.updateResourcesJob.resources.requests.memory }}
+ limits:
+ cpu: {{ default "150m" .Values.updateResourcesJob.resources.limits.cpu }}
+ memory: {{ default "150Mi" .Values.updateResourcesJob.resources.limits.memory }}
+ securityContext:
+ {{- include "consul.globalContainerSecurityContext" . | nindent 12 }}
+{{ end }}
diff --git a/charts/helm/consul-service/templates/pre-deploy/temp/patch-pss-role.yaml b/charts/helm/consul-service/templates/pre-deploy/temp/patch-pss-role.yaml
new file mode 100644
index 0000000..dfd72ba
--- /dev/null
+++ b/charts/helm/consul-service/templates/pre-deploy/temp/patch-pss-role.yaml
@@ -0,0 +1,19 @@
+{{ if and .Values.ENABLE_PRIVILEGED_PSS (eq (include "consul.restrictedEnvironment" .) "false") .Values.client.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "consul.fullname" . }}-patch-pss
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - namespaces
+ verbs:
+ - patch
+ - get
+ resourceNames:
+ - {{ .Release.Namespace }}
+{{ end }}
diff --git a/charts/helm/consul-service/templates/pre-deploy/temp/patch-pss-rolebinding.yaml b/charts/helm/consul-service/templates/pre-deploy/temp/patch-pss-rolebinding.yaml
new file mode 100644
index 0000000..550e155
--- /dev/null
+++ b/charts/helm/consul-service/templates/pre-deploy/temp/patch-pss-rolebinding.yaml
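Review bot: `value: {{ .Release.Namespace }}` in the NAMESPACE env entry of the job hunk is rendered unquoted, so a namespace name consisting only of digits (a valid DNS-1123 label) is parsed as a YAML integer and the Job is rejected because env values must be strings; render it as `value: {{ .Release.Namespace | quote }}`, and quote the same value under `resourceNames` in the patch-pss-role.yaml hunk for the same reason. In the script, a failed `kubectl get ns` (for example a missing `get` permission) leaves LABEL_VALUE empty and the job proceeds to the label step, so the error it then reports is a patch failure rather than the read failure; `set -euo pipefail` at the top of the script, or an explicit status check on that command, would surface the real cause. Because this hook widens admission for every pod in the release namespace and lives under a `temp/` directory, a Helm comment at the top of the template stating that it relabels the namespace to `pod-security.kubernetes.io/enforce=privileged`, and the three values that gate its rendering, would help whoever later has to retire it.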
@@ -0,0 +1,16 @@
+{{ if and .Values.ENABLE_PRIVILEGED_PSS (eq (include "consul.restrictedEnvironment" .) "false") .Values.client.enabled }}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ template "consul.fullname" . }}-patch-pss
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "consul.fullname" . }}-patch-pss
+roleRef:
+ kind: Role
+ name: {{ template "consul.fullname" . }}-patch-pss
+ apiGroup: rbac.authorization.k8s.io
+{{ end }}
diff --git a/charts/helm/consul-service/templates/pre-deploy/temp/patch-pss-serviceaccount.yaml b/charts/helm/consul-service/templates/pre-deploy/temp/patch-pss-serviceaccount.yaml
new file mode 100644
index 0000000..bb5e522
--- /dev/null
+++ b/charts/helm/consul-service/templates/pre-deploy/temp/patch-pss-serviceaccount.yaml
@@ -0,0 +1,15 @@
+{{ if and .Values.ENABLE_PRIVILEGED_PSS (eq (include "consul.restrictedEnvironment" .) "false") .Values.client.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "consul.fullname" . }}-patch-pss
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+{{- with .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range . }}
+ - name: {{ .name }}
+{{- end }}
+{{- end }}
+{{ end }}
diff --git a/charts/helm/consul-service/templates/update-resources/update-resources-job.yaml b/charts/helm/consul-service/templates/pre-deploy/update-resources-job.yaml
similarity index 100%
rename from charts/helm/consul-service/templates/update-resources/update-resources-job.yaml
rename to charts/helm/consul-service/templates/pre-deploy/update-resources-job.yaml
diff --git a/charts/helm/consul-service/templates/update-resources/update-resources-role.yaml b/charts/helm/consul-service/templates/pre-deploy/update-resources-role.yaml
similarity index 100%
rename from charts/helm/consul-service/templates/update-resources/update-resources-role.yaml
rename to charts/helm/consul-service/templates/pre-deploy/update-resources-role.yaml
diff --git a/charts/helm/consul-service/templates/update-resources/update-resources-rolebinding.yaml b/charts/helm/consul-service/templates/pre-deploy/update-resources-rolebinding.yaml
similarity index 100%
rename from charts/helm/consul-service/templates/update-resources/update-resources-rolebinding.yaml
rename to charts/helm/consul-service/templates/pre-deploy/update-resources-rolebinding.yaml
diff --git a/charts/helm/consul-service/templates/update-resources/update-resources-serviceaccount.yaml b/charts/helm/consul-service/templates/pre-deploy/update-resources-serviceaccount.yaml
similarity index 100%
rename from charts/helm/consul-service/templates/update-resources/update-resources-serviceaccount.yaml
rename to charts/helm/consul-service/templates/pre-deploy/update-resources-serviceaccount.yaml