// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
// Licensed under the GNU Affero General Public License (AGPL).
// See License.AGPL.txt in the project root for license information.
package cluster
import (
"fmt"
"github.com/gitpod-io/gitpod/installer/pkg/common"
"github.com/gitpod-io/gitpod/installer/pkg/config/v1/experimental"
corev1 "k8s.io/api/core/v1"
"k8s.io/api/policy/v1beta1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/utils/pointer"
)
// podsecuritypolicies renders the PodSecurityPolicy objects for the Gitpod
// namespace. Nothing is emitted unless the experimental config sets
// common.usePodSecurityPolicies; the returned error is always nil.
//
// Four policies are produced, each named "<namespace>-<suffix>":
//   - ns-privileged: fully privileged, all capabilities and all volume types,
//     host network/IPC/PID, any host port; seccomp and AppArmor pinned to
//     runtime/default.
//   - ns-privileged-unconfined: as above but without host network/IPC, and it
//     additionally permits the "unconfined" AppArmor profile (also the default)
//     and the "unconfined" seccomp profile (runtime/default stays the default).
//   - ns-restricted-root-user: despite its name it still sets privileged=true
//     and allows hostPath volumes and host network with host ports 30000-33000.
//     What it restricts is host IPC/PID, the volume type list, and
//     supplementalGroups/fsGroup to IDs 1-65535. allowPrivilegeEscalation and
//     requiredDropCapabilities are left unset, runAsUser is RunAsAny.
//   - ns-unprivileged: not privileged, no privilege escalation, drops ALL
//     capabilities, no host namespaces, MustRunAsNonRoot, and a short volume
//     allowlist that excludes hostPath.
//
// NOTE(review): PodSecurityPolicy (policy/v1beta1) and the
// seccomp.security.alpha.kubernetes.io annotations are deprecated upstream and
// removed in Kubernetes 1.25, and PSP is a cluster-scoped resource, so the
// Namespace set in ObjectMeta below is presumably ignored by the API server —
// confirm against the cluster versions this installer targets.
func podsecuritypolicies(ctx *common.RenderContext) ([]runtime.Object, error) {
	resources := []runtime.Object{}

	// Fresh annotation map pinning both seccomp and AppArmor to runtime/default;
	// a new map per call so no two policies share the same backing map.
	runtimeDefaultProfiles := func() map[string]string {
		return map[string]string{
			"apparmor.security.beta.kubernetes.io/allowedProfileNames": "runtime/default",
			"apparmor.security.beta.kubernetes.io/defaultProfileName":  "runtime/default",
			"seccomp.security.alpha.kubernetes.io/allowedProfileNames": "runtime/default",
			"seccomp.security.alpha.kubernetes.io/defaultProfileName":  "runtime/default",
		}
	}

	// ID range used by every MustRunAs group strategy below (excludes GID 0).
	nonZeroIDs := func() []v1beta1.IDRange {
		return []v1beta1.IDRange{{Min: 1, Max: 65535}}
	}

	// The entire host port range.
	anyHostPort := func() []v1beta1.HostPortRange {
		return []v1beta1.HostPortRange{{Min: 0, Max: 65535}}
	}

	// newPSP assembles one policy object named "<namespace>-<suffix>".
	newPSP := func(suffix string, annotations map[string]string, spec v1beta1.PodSecurityPolicySpec) *v1beta1.PodSecurityPolicy {
		return &v1beta1.PodSecurityPolicy{
			TypeMeta: common.TypeMetaPodSecurityPolicy,
			ObjectMeta: metav1.ObjectMeta{
				Name:        fmt.Sprintf("%s-%s", ctx.Namespace, suffix),
				Namespace:   ctx.Namespace,
				Annotations: annotations,
			},
			Spec: spec,
		}
	}

	// The closure never returns an error, so there is nothing to propagate here.
	_ = ctx.WithExperimental(func(cfg *experimental.Config) error {
		if cfg.Common == nil || !cfg.Common.UsePodSecurityPolicies {
			return nil
		}

		privileged := newPSP("ns-privileged", runtimeDefaultProfiles(), v1beta1.PodSecurityPolicySpec{
			Privileged:               true,
			AllowPrivilegeEscalation: pointer.Bool(true),
			AllowedCapabilities:      []corev1.Capability{"*"},
			Volumes:                  []v1beta1.FSType{v1beta1.All},
			HostNetwork:              true,
			HostPorts:                anyHostPort(),
			HostIPC:                  true,
			HostPID:                  true,
			RunAsUser:                v1beta1.RunAsUserStrategyOptions{Rule: v1beta1.RunAsUserStrategyRunAsAny},
			SELinux:                  v1beta1.SELinuxStrategyOptions{Rule: v1beta1.SELinuxStrategyRunAsAny},
			SupplementalGroups:       v1beta1.SupplementalGroupsStrategyOptions{Rule: v1beta1.SupplementalGroupsStrategyRunAsAny},
			FSGroup:                  v1beta1.FSGroupStrategyOptions{Rule: v1beta1.FSGroupStrategyRunAsAny},
		})

		// Same privilege level as above, but no host network/IPC and the
		// "unconfined" AppArmor/seccomp profiles are permitted.
		privilegedUnconfined := newPSP("ns-privileged-unconfined", map[string]string{
			"apparmor.security.beta.kubernetes.io/allowedProfileNames": "unconfined",
			"apparmor.security.beta.kubernetes.io/defaultProfileName":  "unconfined",
			"seccomp.security.alpha.kubernetes.io/allowedProfileNames": "runtime/default,unconfined",
			"seccomp.security.alpha.kubernetes.io/defaultProfileName":  "runtime/default",
		}, v1beta1.PodSecurityPolicySpec{
			Privileged:               true,
			AllowPrivilegeEscalation: pointer.Bool(true),
			AllowedCapabilities:      []corev1.Capability{"*"},
			Volumes:                  []v1beta1.FSType{v1beta1.All},
			HostNetwork:              false,
			HostPorts:                anyHostPort(),
			HostIPC:                  false,
			HostPID:                  true,
			RunAsUser:                v1beta1.RunAsUserStrategyOptions{Rule: v1beta1.RunAsUserStrategyRunAsAny},
			SELinux:                  v1beta1.SELinuxStrategyOptions{Rule: v1beta1.SELinuxStrategyRunAsAny},
			SupplementalGroups:       v1beta1.SupplementalGroupsStrategyOptions{Rule: v1beta1.SupplementalGroupsStrategyRunAsAny},
			FSGroup:                  v1beta1.FSGroupStrategyOptions{Rule: v1beta1.FSGroupStrategyRunAsAny},
		})

		// Still privileged with hostPath and host network; only the host
		// IPC/PID namespaces, the volume list and the group ID ranges are
		// narrowed. allowPrivilegeEscalation and requiredDropCapabilities are
		// deliberately left at their zero values as in the original policy.
		restrictedRootUser := newPSP("ns-restricted-root-user", runtimeDefaultProfiles(), v1beta1.PodSecurityPolicySpec{
			Privileged: true,
			Volumes: []v1beta1.FSType{
				v1beta1.ConfigMap,
				v1beta1.Projected,
				v1beta1.Secret,
				v1beta1.EmptyDir,
				v1beta1.PersistentVolumeClaim,
				v1beta1.HostPath,
			},
			HostNetwork: true,
			HostPorts:   []v1beta1.HostPortRange{{Min: 30000, Max: 33000}},
			HostIPC:     false,
			HostPID:     false,
			RunAsUser:   v1beta1.RunAsUserStrategyOptions{Rule: v1beta1.RunAsUserStrategyRunAsAny},
			SELinux:     v1beta1.SELinuxStrategyOptions{Rule: v1beta1.SELinuxStrategyRunAsAny},
			SupplementalGroups: v1beta1.SupplementalGroupsStrategyOptions{
				Rule:   v1beta1.SupplementalGroupsStrategyMustRunAs,
				Ranges: nonZeroIDs(),
			},
			FSGroup: v1beta1.FSGroupStrategyOptions{
				Rule:   v1beta1.FSGroupStrategyMustRunAs,
				Ranges: nonZeroIDs(),
			},
			ReadOnlyRootFilesystem: false,
		})

		// The only genuinely restrictive policy: non-root, no escalation, all
		// capabilities dropped, no host namespaces, no hostPath.
		unprivileged := newPSP("ns-unprivileged", runtimeDefaultProfiles(), v1beta1.PodSecurityPolicySpec{
			Privileged:               false,
			AllowPrivilegeEscalation: pointer.Bool(false),
			RequiredDropCapabilities: []corev1.Capability{"ALL"},
			Volumes: []v1beta1.FSType{
				v1beta1.ConfigMap,
				v1beta1.EmptyDir,
				v1beta1.Projected,
				v1beta1.Secret,
				v1beta1.PersistentVolumeClaim,
			},
			HostNetwork: false,
			HostIPC:     false,
			HostPID:     false,
			RunAsUser:   v1beta1.RunAsUserStrategyOptions{Rule: v1beta1.RunAsUserStrategyMustRunAsNonRoot},
			SELinux:     v1beta1.SELinuxStrategyOptions{Rule: v1beta1.SELinuxStrategyRunAsAny},
			SupplementalGroups: v1beta1.SupplementalGroupsStrategyOptions{
				Rule:   v1beta1.SupplementalGroupsStrategyMustRunAs,
				Ranges: nonZeroIDs(),
			},
			FSGroup: v1beta1.FSGroupStrategyOptions{
				Rule:   v1beta1.FSGroupStrategyMustRunAs,
				Ranges: nonZeroIDs(),
			},
			ReadOnlyRootFilesystem: false,
		})

		resources = append(resources, privileged, privilegedUnconfined, restrictedRootUser, unprivileged)
		return nil
	})

	return resources, nil
}