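# Helm post-install/post-upgrade hook: a one-shot kubectl Job that sets
# automountServiceAccountToken=false on the release namespace's "default"
# ServiceAccount, together with the identity, RBAC and (optional) PSP it
# needs, and a namespace-wide NetworkPolicy.
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ include "backupRestore.fullname" . }}-patch-sa
  namespace: {{ .Release.Namespace }}
  labels: {{ include "backupRestore.labels" . | nindent 4 }}
  annotations:
    "helm.sh/hook": post-install, post-upgrade
    # Removed once it succeeds and replaced on the next hook run; a failed
    # Job is not deleted, so it stays available for inspection.
    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
spec:
  backoffLimit: 1
  template:
    spec:
      serviceAccountName: {{ include "backupRestore.fullname" . }}-patch-sa
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
      restartPolicy: Never
      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
{{- if .Values.nodeSelector }}
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
      tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
{{- if .Values.tolerations }}
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}
      containers:
        - name: {{ include "backupRestore.fullname" . }}-patch-sa
          image: {{ include "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}
          imagePullPolicy: IfNotPresent
          # kubectl only talks to the API server: it needs no Linux
          # capabilities and must not be able to gain privileges through
          # setuid binaries in the image.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          # NOTE(review): readOnlyRootFilesystem is left unset; kubectl may
          # write a discovery cache under $HOME — confirm before tightening.
          command: ["kubectl", "-n", {{ .Release.Namespace | quote }}, "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
---
# Identity the hook Job runs as; bound to the ClusterRole below.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "backupRestore.fullname" . }}-patch-sa
  namespace: {{ .Release.Namespace }}
  labels: {{ include "backupRestore.labels" . | nindent 4 }}
  annotations:
    "helm.sh/hook": post-install, post-upgrade
    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "backupRestore.fullname" . }}-patch-sa
  labels: {{ include "backupRestore.labels" . | nindent 4 }}
  annotations:
    "helm.sh/hook": post-install, post-upgrade
    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
rules:
  # The hook patches exactly one object, the ServiceAccount named "default",
  # so the grant is pinned to that name.
  # NOTE(review): the grant is still cluster-wide although the Job only
  # touches .Release.Namespace; a namespaced Role/RoleBinding would suffice
  # for the patch — confirm against the PSP "use" path before narrowing.
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    resourceNames: ["default"]
    verbs: ["get", "patch"]
{{- if .Values.psp.enabled }}
{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
  # Rendered only where the PSP API still exists: lets the hook pod use the
  # PodSecurityPolicy defined below.
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    verbs: ["use"]
    resourceNames:
      - {{ include "backupRestore.fullname" . }}-patch-sa
{{- end }}
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "backupRestore.fullname" . }}-patch-sa
  labels: {{ include "backupRestore.labels" . | nindent 4 }}
  annotations:
    "helm.sh/hook": post-install, post-upgrade
    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "backupRestore.fullname" . }}-patch-sa
subjects:
  - kind: ServiceAccount
    name: {{ include "backupRestore.fullname" . }}-patch-sa
    namespace: {{ .Release.Namespace }}
---
{{- if .Values.psp.enabled }}
{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
# Legacy PodSecurityPolicy for the hook pod; rendered only when PSP is
# enabled in values and the cluster still serves policy/v1beta1.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: {{ include "backupRestore.fullname" . }}-patch-sa
  labels: {{ include "backupRestore.labels" . | nindent 4 }}
  annotations:
    "helm.sh/hook": post-install, post-upgrade
    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
spec:
  privileged: false
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'MustRunAsNonRoot'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false
  # Only the projected/secret volume type is permitted.
  volumes:
    - 'secret'
{{- end }}
{{- end }}
---
# Selects every pod in the release namespace. policyTypes lists Ingress but
# no ingress rules are given, so all ingress to these pods is denied unless
# another policy in the namespace allows it; the single empty egress rule
# allows all egress. Despite the name, only egress is "allow all".
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ include "backupRestore.fullname" . }}-default-allow-all
  namespace: {{ .Release.Namespace }}
spec:
  podSelector: {}
  egress:
    - {}
  policyTypes:
    - Ingress
    - Egress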