AETHER-2600: Add PSP to omec-user-plane chart
Change-Id: I59193df2e811ca6cb1982efbc3189982f16e0ef4
diff --git a/omec/omec-user-plane/Chart.yaml b/omec/omec-user-plane/Chart.yaml
index 9a70a94..ce75cb9 100644
--- a/omec/omec-user-plane/Chart.yaml
+++ b/omec/omec-user-plane/Chart.yaml
@@ -7,4 +7,4 @@
name: omec-user-plane
icon: https://guide.opencord.org/logos/cord.svg
-version: 0.5.0
+version: 0.5.1
diff --git a/omec/omec-user-plane/templates/podsecuritypolicy-upf.yaml b/omec/omec-user-plane/templates/podsecuritypolicy-upf.yaml
new file mode 100644
index 0000000..ab8f133
--- /dev/null
+++ b/omec/omec-user-plane/templates/podsecuritypolicy-upf.yaml
@@ -0,0 +1,48 @@
+{{/*
+# Copyright 2020-present Open Networking Foundation
+# SPDX-License-Identifier: LicenseRef-ONF-Member-Only-1.0
+*/}}
+
+{{- if .Values.podsecuritypolicy.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: 1-upf
+spec:
+ {{ if or .Values.config.coreDump.enabled .Values.config.upf.privileged }}
+ privileged: true
+ allowPrivilegeEscalation: true
+ {{ else }}
+ privileged: false
+ allowPrivilegeEscalation: false
+ {{ end }}
+ allowedCapabilities:
+ - IPC_LOCK
+ - NET_ADMIN
+ volumes:
+ - 'configMap'
+ - 'emptyDir'
+ - 'secret'
+ {{- if .Values.config.coreDump.enabled }}
+ - 'hostPath'
+ allowedHostPaths:
+ - pathPrefix: "/"
+ - pathPrefix: "/tmp/coredump"
+ {{- end }}
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ runAsUser:
+ rule: RunAsAny
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+{{- end }}
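Review bot: The `allowedHostPaths` entry `pathPrefix: "/"` on the line after `allowedHostPaths:` permits any pod admitted under this PSP to mount any host directory, which makes the `/tmp/coredump` entry below it redundant and removes the only restriction that field is meant to enforce; the core-dump case looks like it needs only the second prefix, so I would drop the `"/"` item and keep `- pathPrefix: "/tmp/coredump"`. Separately, `name: 1-upf` in this hunk and `name: psp:upf` in the ClusterRole hunk are cluster-scoped resources with fixed names, so two releases of this chart in different namespaces would fight over the same objects; prefixing them with `{{ .Release.Name }}` (and updating `resourceNames` in the ClusterRole to match) would avoid that. The non-trimming `{{ if` / `{{ else }}` / `{{ end }}` on the privileged block emit whitespace-only lines into the rendered manifest; harmless to the parser, but `{{- if` / `{{- else }}` / `{{- end }}` would match the trimming style used elsewhere in the file.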
diff --git a/omec/omec-user-plane/templates/pspclusterrole-upf.yaml b/omec/omec-user-plane/templates/pspclusterrole-upf.yaml
new file mode 100644
index 0000000..e9b2af7
--- /dev/null
+++ b/omec/omec-user-plane/templates/pspclusterrole-upf.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright 2020-present Open Networking Foundation
+# SPDX-License-Identifier: LicenseRef-ONF-Member-Only-1.0
+*/}}
+
+{{- if .Values.podsecuritypolicy.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: psp:upf
+rules:
+- apiGroups: ['policy']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames:
+ - 1-upf
+{{- end }}
diff --git a/omec/omec-user-plane/templates/psprolebinding-upf.yaml b/omec/omec-user-plane/templates/psprolebinding-upf.yaml
new file mode 100644
index 0000000..b2d8451
--- /dev/null
+++ b/omec/omec-user-plane/templates/psprolebinding-upf.yaml
@@ -0,0 +1,20 @@
+{{/*
+# Copyright 2020-present Open Networking Foundation
+# SPDX-License-Identifier: LicenseRef-ONF-Member-Only-1.0
+*/}}
+
+{{- if .Values.podsecuritypolicy.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: role:psp:upf
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: psp:upf
+subjects:
+- kind: Group
+ name: system:serviceaccounts:{{ .Release.Namespace }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
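Review bot: The subject `system:serviceaccounts:{{ .Release.Namespace }}` under `subjects:` binds every service account in the namespace to the `psp:upf` ClusterRole, so any pod in that namespace, not just the UPF, can be admitted under the PSP, including its privileged and hostPath settings when core dumps are enabled. If the UPF runs under its own service account, I would narrow the subject to it: `- kind: ServiceAccount`, `name: <upf-serviceaccount-name>` (placeholder, taken from the chart's deployment), `namespace: {{ .Release.Namespace }}`. If the chart only uses the default service account, a comment above `subjects:` stating that the namespace-wide group binding is intentional would at least document the trade-off.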
diff --git a/omec/omec-user-plane/values.yaml b/omec/omec-user-plane/values.yaml
index af72640..53968a0 100644
--- a/omec/omec-user-plane/values.yaml
+++ b/omec/omec-user-plane/values.yaml
@@ -128,3 +128,6 @@
servicemonitor:
enabled: false
+
+podsecuritypolicy:
+ enabled: false
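Review bot: The new `podsecuritypolicy` stanza has no comment explaining what it switches on, while the templates it gates also read `config.coreDump.enabled` and `config.upf.privileged` to decide whether the generated PSP is privileged. A short comment above `podsecuritypolicy:` such as `# Render a PodSecurityPolicy plus ClusterRole/RoleBinding for the UPF; becomes privileged and allows hostPath when config.coreDump.enabled or config.upf.privileged is set.` would let operators judge the effect of enabling it without reading the templates.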