Helm template for k8s PodSecurityPolicy

4/24/2020

I have a PodSecurityPolicy in my Helm charts and would like to dynamically change the rule on runAsUser.

When {{- if .Values.global.psp.enabled }} is enabled and the respective values.yaml contains something like:

runAsUnprivilegedUser: true 

I'm expecting the templates to be rendered like this:

runAsUser:
    # Require the container to run without root privileges.
    rule: 'MustRunAsNonRoot'

and additionally providing a default non-root user with, say, UID 1000.

If, on the other hand, runAsUnprivilegedUser is set to false, I'd like to have

runAsUser:
    rule: 'RunAsAny'

employed.

-- brandshaide
kubernetes
kubernetes-helm

1 Answer

4/24/2020

I think you can do that with a conditional statement:

kind: PodSecurityPolicy
apiVersion: policy/v1beta1
metadata:
  name: allow-flex-volumes
spec:
  runAsUser:
    {{- if and .Values.global.psp .Values.podSecurityContext }}
    # Require the container to run without root privileges.
    rule: 'MustRunAsNonRoot'
    {{- else }}
    rule: 'RunAsAny'
    {{- end }}
-- hoque
Source: StackOverflow
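
An added example, not part of the original question or answer: one template that renders both cases from the question and also supplies the default UID. It assumes `runAsUnprivilegedUser` sits under `global.psp` and uses a hypothetical `defaultUid` key. It swaps `MustRunAsNonRoot` for `MustRunAs` with a UID range, because `MustRunAsNonRoot` only rejects root and assigns no default UID, while `MustRunAs` defaults pods to the minimum of the first range.

```yaml
# values.yaml (constructed sample; key placement is an assumption):
#   global:
#     psp:
#       enabled: true
#       runAsUnprivilegedUser: true
#       defaultUid: 1000        # hypothetical key, not from the original post
#
# templates/psp.yaml
{{- if .Values.global.psp.enabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: {{ .Release.Name }}-psp
spec:
  privileged: false
  allowPrivilegeEscalation: false
  # seLinux, supplementalGroups and fsGroup are required PSP fields.
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  volumes:
    - 'configMap'
    - 'secret'
    - 'emptyDir'
    - 'projected'
    - 'persistentVolumeClaim'
  runAsUser:
    {{- if .Values.global.psp.runAsUnprivilegedUser }}
    # Reject UIDs outside the range (so UID 0 is refused) and default pods
    # that set no runAsUser to the range minimum.
    rule: 'MustRunAs'
    ranges:
      - min: {{ .Values.global.psp.defaultUid | default 1000 }}
        max: 65535
    {{- else }}
    rule: 'RunAsAny'
    {{- end }}
{{- end }}
```

Rendering with `helm template` once per value of `runAsUnprivilegedUser` shows both branches. PodSecurityPolicy was removed in Kubernetes 1.25, so this applies only to clusters that still serve `policy/v1beta1`.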