From e4524aec1872a8ec2af34a1e3547928ae54e8330 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Krupa=20=28paulfantom=29?=
Date: Tue, 19 Jul 2022 17:15:17 +0200
Subject: [PATCH 1/2] add agent Role object
---
 charts/parca/templates/agent-role.yaml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 charts/parca/templates/agent-role.yaml
diff --git a/charts/parca/templates/agent-role.yaml b/charts/parca/templates/agent-role.yaml
new file mode 100644
index 000000000..4681aca19
--- /dev/null
+++ b/charts/parca/templates/agent-role.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.agent.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ {{- include "parca.labels.agent" . | nindent 4 }}
+ name: {{ include "parca.fullname" . }}-agent
+ namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+ - policy
+ resourceNames:
+ - {{ include "parca.fullname" . }}-agent
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+{{- end }}
\ No newline at end of file
From 3f7c9c3f0cac9e4fc1ba73f19219fa828fa602d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Krupa=20=28paulfantom=29?=
Date: Mon, 19 Sep 2022 10:38:10 +0200
Subject: [PATCH 2/2] charts/parca: allow disabling PSP
---
 charts/parca/templates/agent-podsecuritypolicy.yaml | 4 ++--
 charts/parca/templates/agent-role.yaml | 4 ++--
 charts/parca/templates/agent-rolebinding.yaml | 4 ++--
 charts/parca/values.yaml | 3 +++
 4 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/charts/parca/templates/agent-podsecuritypolicy.yaml b/charts/parca/templates/agent-podsecuritypolicy.yaml
index cc82f5c59..d1a425633 100644
--- a/charts/parca/templates/agent-podsecuritypolicy.yaml
+++ b/charts/parca/templates/agent-podsecuritypolicy.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.agent.enabled -}}
+{{- if and .Values.agent.enabled .Values.agent.podSecurityPolicy.enabled -}}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
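Review bot: The new Role in charts/parca/templates/agent-role.yaml (PATCH 1/2) has no comment saying what it is for or what it depends on. Its `use` grant is scoped by `resourceNames` to `{{ include "parca.fullname" . }}-agent`, so it only takes effect if the PodSecurityPolicy's `metadata.name` renders to exactly that string; the PSP name is not visible in this patch and should be checked. I would add a template comment at the top of the file, e.g. `{{- /* Lets subjects bound to this Role use only the agent's PodSecurityPolicy; resourceNames must match the PSP metadata.name. */ -}}`.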
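Review bot: The new guard in agent-podsecuritypolicy.yaml (PATCH 2/2) still renders a `policy/v1beta1` PodSecurityPolicy on a default install, because values.yaml sets `podSecurityPolicy.enabled: true`. That API was removed in Kubernetes 1.25, so installs on such clusters would be rejected until the operator finds the flag. Consider also asking the cluster: `{{- if and .Values.agent.enabled .Values.agent.podSecurityPolicy.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") -}}`. The same condition is repeated in the first hunks of agent-role.yaml and agent-rolebinding.yaml and the point applies there too; the PSP spec itself lies outside this hunk.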
@@ -36,4 +36,4 @@ spec:
 - downwardAPI
 - persistentVolumeClaim
 - hostPath
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/parca/templates/agent-role.yaml b/charts/parca/templates/agent-role.yaml
index 4681aca19..09d41be9c 100644
--- a/charts/parca/templates/agent-role.yaml
+++ b/charts/parca/templates/agent-role.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.agent.enabled -}}
+{{- if and .Values.agent.enabled .Values.agent.podSecurityPolicy.enabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -15,4 +15,4 @@ rules:
 - podsecuritypolicies
 verbs:
 - use
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/parca/templates/agent-rolebinding.yaml b/charts/parca/templates/agent-rolebinding.yaml
index 39d304184..b0cf5e6c7 100644
--- a/charts/parca/templates/agent-rolebinding.yaml
+++ b/charts/parca/templates/agent-rolebinding.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.agent.enabled -}}
+{{- if and .Values.agent.enabled .Values.agent.podSecurityPolicy.enabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -13,4 +13,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 name: {{ include "parca.fullname" . }}-agent
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/parca/values.yaml b/charts/parca/values.yaml
index ddc38774b..b1f28dbf5 100644
--- a/charts/parca/values.yaml
+++ b/charts/parca/values.yaml
@@ -54,6 +54,9 @@ agent:
 operator: Exists
 # -- resource limits and requests
 resources: {}
+ # -- podSecurityPolicy for agent
+ podSecurityPolicy:
+ enabled: true
 server:
 # -- Allows disabling parca server
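Review bot: The values.yaml comment `# -- podSecurityPolicy for agent` does not tell an operator what `enabled` switches off. In this patch the flag gates three templates together: the PodSecurityPolicy, the Role granting `use` on it, and the RoleBinding. I would document that on the key itself, e.g. `# -- render the agent PodSecurityPolicy, Role and RoleBinding; set to false where the PSP API is unavailable`. It may also be worth stating that with the flag off the chart ships no pod-level policy for the agent, so admission of its pods then depends on whatever the cluster enforces for the namespace; this is inferred from the templates named here, not from the agent pod spec, which is not shown.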