Allow priv container for awx_task and option to create psp

2026-01-11 10:00:01 -03:30 · 2020-05-29 20:24:49 +02:00 · 2020-05-29 20:24:49 +02:00 · 4a9603a7ea
commit 4a9603a7ea
parent b13a175668
2 changed files with 69 additions and 1 deletions
--- a/installer/roles/kubernetes/defaults/main.yml
+++ b/installer/roles/kubernetes/defaults/main.yml
@ -14,6 +14,10 @@ kubernetes_task_image: "{{ tower_package_name | default('ansible/awx_task') }}"
 kubernetes_web_version: "{{ tower_package_version | default(dockerhub_version) }}"
 kubernetes_web_image: "{{ tower_package_name | default('ansible/awx_web') }}"

+awx_psp_create: false
+awx_psp_name: 'awx'
+awx_psp_privileged: true
+
 web_mem_request: 1
 web_cpu_request: 500
 web_security_context_enabled: true
@ -22,7 +26,7 @@ web_security_context_privileged: false
 task_mem_request: 2
 task_cpu_request: 1500
 task_security_context_enabled: true
-task_security_context_privileged: false
+task_security_context_privileged: true

 redis_mem_request: 2
 redis_cpu_request: 500
--- a/installer/roles/kubernetes/templates/deployment.yml.j2
+++ b/installer/roles/kubernetes/templates/deployment.yml.j2
@ -15,6 +15,70 @@ imagePullSecrets:
  - name: "{{ kubernetes_image_pull_secrets }}"
 {% endif %}

+{% if awx_psp_create is defined and awx_psp_create | bool %}
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ awx_psp_name }}-psp
+spec:
+{% if awx_psp_privileged is defined %}
+  privileged: {{ awx_psp_privileged }}
+  allowPrivilegeEscalation: {{ awx_psp_privileged }}
+{% endif %}
+  requiredDropCapabilities:
+    - ALL
+  volumes:
+    - 'configMap'
+    - 'emptyDir'
+    - 'projected'
+    - 'secret'
+    - 'downwardAPI'
+    - 'persistentVolumeClaim'
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'MustRunAsNonRoot'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: {{ kubernetes_namespace }}
+  name: {{ awx_psp_name }}-role
+rules:
+- apiGroups:
+  - policy
+  resources:
+  - podsecuritypolicies
+  resourceNames:
+  - {{ awx_psp_name }}-psp
+  verbs:
+  - use
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ awx_psp_name }}-role-binding
+  namespace: {{ kubernetes_namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ awx_psp_name }}-role
+subjects:
+- kind: ServiceAccount
+  name: awx
+  namespace: {{ kubernetes_namespace }}
+{% endif %}
+
 ---
 apiVersion: {{ kubernetes_deployment_api_version }}
 kind: Deployment