Add PSP support to fake event generator

Fixes falcosecurity#128 Signed-off-by: Christian Zunker <christian.zunker@codecentric.cloud>
holyspectral · Oct 21, 2020 · 971f5e1 · 971f5e1
1 parent 7148838
commit 971f5e1
Show file tree

Hide file tree

Showing 5 changed files with 41 additions and 1 deletion.
diff --git a/falco/CHANGELOG.md b/falco/CHANGELOG.md
@@ -3,6 +3,12 @@
 This file documents all notable changes to Falco Helm Chart. The release
 numbering uses [semantic versioning](http://semver.org).
 
+## v1.5.2
+
+### Minor Changes
+
+* Add Pod Security Policy Support for the fake event generator
+
 ## v1.5.1
 
 ### Minor Changes

diff --git a/falco/Chart.yaml b/falco/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: falco
-version: 1.5.1
+version: 1.5.2
 appVersion: 0.26.1
 description: Falco
 keywords:

diff --git a/falco/templates/clusterrole.yaml b/falco/templates/clusterrole.yaml
@@ -50,6 +50,9 @@ rules:
       - podsecuritypolicies
     resourceNames:
       - {{ template "falco.fullname" . }}
+{{- if .Values.fakeEventGenerator.enabled }}
+      - event-generator-{{ template "falco.fullname" . }}
+{{- end }}
     verbs:
       - use
 {{- end }}

diff --git a/falco/templates/deployment.yaml b/falco/templates/deployment.yaml
@@ -18,8 +18,11 @@ spec:
       labels:
         app: {{ template "falco.fullname" . }}-event-generator
     spec:
+      serviceAccountName: {{ template "falco.serviceAccountName" .}}
       containers:
       - name: {{ template "falco.fullname" . }}-event-generator
+        securityContext:
+            privileged: false
         image: falcosecurity/event-generator:latest
 {{- with .Values.fakeEventGenerator.args }}
         args:

diff --git a/falco/templates/podsecuritypolicy.yaml b/falco/templates/podsecuritypolicy.yaml
@@ -1,4 +1,5 @@
 {{- if .Values.podSecurityPolicy.create}}
+---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
@@ -22,3 +23,30 @@ spec:
     rule: RunAsAny
   volumes: ['*']
 {{- end }}
+{{- if (and .Values.podSecurityPolicy.create .Values.fakeEventGenerator.enabled) }}
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: event-generator-{{ template "falco.fullname" . }}
+  labels:
+    app: {{ template "falco.fullname" . }}-event-generator
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+spec:
+  privileged: false
+  hostNetwork: false
+  readOnlyRootFilesystem: true
+  requiredDropCapabilities:
+  - ALL
+  fsGroup:
+    rule: RunAsAny
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  volumes: []
+{{- end }}