From 6be29be37488c14aca48eb03c6b629e580572413 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan-Otto=20Kr=C3=B6pke?= Date: Wed, 25 Dec 2024 22:50:11 +0100 Subject: [PATCH] Modernize chart (#66) --- .../Chart.yaml | 2 +- .../templates/_helpers.tpl | 5 +- .../templates/certificate.yaml | 17 ++--- .../templates/clusterrole.yaml | 9 +++ .../templates/deployment.yaml | 66 ++++++++++++------- .../templates/mutatingwebhook.yaml | 11 ++-- .../templates/role.yaml | 24 +++++-- .../templates/service.yaml | 7 +- .../templates/servicemonitor.yaml | 7 +- .../values.yaml | 27 +++++--- 10 files changed, 116 insertions(+), 59 deletions(-) diff --git a/charts/amazon-eks-pod-identity-webhook/Chart.yaml b/charts/amazon-eks-pod-identity-webhook/Chart.yaml index e82883d..48eed85 100644 --- a/charts/amazon-eks-pod-identity-webhook/Chart.yaml +++ b/charts/amazon-eks-pod-identity-webhook/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: amazon-eks-pod-identity-webhook description: A Kubernetes webhook for pods that need AWS IAM access -version: 2.3.2 +version: 2.4.0 type: application # renovate: image=amazon/amazon-eks-pod-identity-webhook appVersion: "v0.6.1" diff --git a/charts/amazon-eks-pod-identity-webhook/templates/_helpers.tpl b/charts/amazon-eks-pod-identity-webhook/templates/_helpers.tpl index 2d03767..4d6d0ee 100644 --- a/charts/amazon-eks-pod-identity-webhook/templates/_helpers.tpl +++ b/charts/amazon-eks-pod-identity-webhook/templates/_helpers.tpl @@ -50,7 +50,6 @@ helm.sh/chart: {{ include "amazon-eks-pod-identity-webhook.chart" . }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end }} {{/* 
@@ -72,8 +71,8 @@ Create the name of the service account to use {{- end }} {{- end }} -{{/* -Get PodDisruptionBudget API Version +{{/* +Get PodDisruptionBudget API Version */}} {{- define "amazon-eks-pod-identity-webhook.pdb.apiVersion" -}} {{- if and (.Capabilities.APIVersions.Has "policy/v1") (semverCompare ">= 1.21-0" .Capabilities.KubeVersion.Version) -}} diff --git a/charts/amazon-eks-pod-identity-webhook/templates/certificate.yaml b/charts/amazon-eks-pod-identity-webhook/templates/certificate.yaml index f840772..fe74b9a 100644 --- a/charts/amazon-eks-pod-identity-webhook/templates/certificate.yaml +++ b/charts/amazon-eks-pod-identity-webhook/templates/certificate.yaml 
@@ -1,17 +1,18 @@ {{- if .Values.pki.certManager.enabled }} +{{- $fullName := include "amazon-eks-pod-identity-webhook.fullname" . }} apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: {{ include "amazon-eks-pod-identity-webhook.fullname" . }} + name: {{ $fullName }} namespace: {{ include "amazon-eks-pod-identity-webhook.namespace" . }} spec: - secretName: "{{ include "amazon-eks-pod-identity-webhook.fullname" . }}-cert" - commonName: "{{ include "amazon-eks-pod-identity-webhook.fullname" . }}" + secretName: "{{ $fullName }}-cert" + commonName: "{{ $fullName }}" dnsNames: - - "{{ include "amazon-eks-pod-identity-webhook.fullname" . }}" - - "{{ include "amazon-eks-pod-identity-webhook.fullname" . }}.{{ include "amazon-eks-pod-identity-webhook.namespace" . }}" - - "{{ include "amazon-eks-pod-identity-webhook.fullname" . }}.{{ include "amazon-eks-pod-identity-webhook.namespace" . }}.svc" - - "{{ include "amazon-eks-pod-identity-webhook.fullname" . }}.{{ include "amazon-eks-pod-identity-webhook.namespace" . }}.svc.local" + - "{{ $fullName }}" + - "{{ $fullName }}.{{ include "amazon-eks-pod-identity-webhook.namespace" . }}" + - "{{ $fullName }}.{{ include "amazon-eks-pod-identity-webhook.namespace" . }}.svc" + - "{{ $fullName }}.{{ include "amazon-eks-pod-identity-webhook.namespace" . }}.svc.local" duration: "{{ .Values.pki.certManager.certificate.duration }}" renewBefore: "{{ .Values.pki.certManager.certificate.renewBefore }}" issuerRef: @@ -19,7 +20,7 @@ spec: name: {{ .Values.pki.certManager.existingIssuer.name }} kind: {{ .Values.pki.certManager.existingIssuer.kind }} {{- else }} - name: {{ include "amazon-eks-pod-identity-webhook.fullname" . }} + name: {{ $fullName }} kind: Issuer {{- end }} {{- end }} diff --git a/charts/amazon-eks-pod-identity-webhook/templates/clusterrole.yaml b/charts/amazon-eks-pod-identity-webhook/templates/clusterrole.yaml index e4d30b1..43f2da5 100644 --- a/charts/amazon-eks-pod-identity-webhook/templates/clusterrole.yaml 
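Review bot: The last dnsNames entry, `{{ $fullName }}.<namespace>.svc.local`, is not a name anything in the cluster resolves; the in-cluster FQDN is `<svc>.<ns>.svc.cluster.local` (or the cluster's configured domain), so that SAN never matches while the `.svc.cluster.local` form is the one missing from the list. The API server contacts a service-backed webhook at `<svc>.<ns>.svc` by default, which the third entry covers, so TLS works today, but the stray entry should be fixed rather than carried forward: `- "{{ $fullName }}.{{ include "amazon-eks-pod-identity-webhook.namespace" . }}.svc.cluster.local"`. Binding the repeated `include "amazon-eks-pod-identity-webhook.namespace" .` to a `$namespace` variable next to `$fullName` would complete the refactor this hunk starts.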
+++ b/charts/amazon-eks-pod-identity-webhook/templates/clusterrole.yaml @@ -14,3 +14,12 @@ rules: - get - watch - list + - apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests + verbs: + - create + - get + - list + - watch diff --git a/charts/amazon-eks-pod-identity-webhook/templates/deployment.yaml b/charts/amazon-eks-pod-identity-webhook/templates/deployment.yaml index 36aed72..1b1c976 100644 --- a/charts/amazon-eks-pod-identity-webhook/templates/deployment.yaml +++ b/charts/amazon-eks-pod-identity-webhook/templates/deployment.yaml @@ -31,13 +31,11 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - {{- if .Values.priorityClassName }} - priorityClassName: "{{ .Values.priorityClassName }}" + {{- with .Values.priorityClassName }} + priorityClassName: {{ . | quote }} {{- end }} containers: - name: {{ .Chart.Name }} - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} command: @@ -46,9 +44,10 @@ spec: - --aws-default-region={{ .Values.config.defaultAwsRegion }} - --in-cluster=false - --logtostderr - - --namespace={{ include "amazon-eks-pod-identity-webhook.namespace" . }} + - --namespace=$(POD_NAMESPACE) - --metrics-port={{ .Values.config.ports.metrics }} - --port={{ .Values.config.ports.webhook }} + - --service-name={{ include "amazon-eks-pod-identity-webhook.fullname" . }} - --sts-regional-endpoint={{ .Values.config.stsRegionalEndpoint }} - --token-audience={{ .Values.config.tokenAudience }} - --token-expiration={{ .Values.config.tokenExpiration }} @@ -61,10 +60,6 @@ spec: {{- if .Values.config.extraArgs }} {{- toYaml .Values.config.extraArgs | nindent 12 }} {{- end }} - volumeMounts: - - name: cert - mountPath: "/etc/webhook/certs" - readOnly: true ports: - name: https containerPort: {{ .Values.config.ports.webhook }} 
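Review bot: The new rule grants `create`, `get`, `list` and `watch` on certificatesigningrequests cluster-wide, yet the deployment hunk in this same commit still hard-codes `--in-cluster=false` and mounts the serving certificate from a Secret, so nothing in the rendered chart appears to use the CSR API; the permission looks granted ahead of a feature rather than required by the workload. `create` cannot be narrowed by `resourceNames`, so as written the webhook's ServiceAccount may submit certificate requests against any signer in the cluster. Suggest gating the rule on the same value that would expose the flag, e.g. wrapping it in `{{- if .Values.config.inCluster }}` … `{{- end }}` (constructed value name; wire it to whatever toggles `--in-cluster`), or leaving the rule out until in-cluster mode is actually selectable. The enclosing `rules` list starts above this hunk.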
@@ -72,16 +67,49 @@ spec: - name: metrics containerPort: {{ .Values.config.ports.metrics }} protocol: TCP + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- with .Values.livenessProbe }} livenessProbe: - {{- toYaml .Values.livenessProbe | nindent 12 }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.readinessProbe }} readinessProbe: - {{- toYaml .Values.readinessProbe | nindent 12 }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.resources }} resources: - {{- toYaml .Values.resources | nindent 12 }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + - name: cert + mountPath: "/etc/webhook/certs" + readOnly: true hostNetwork: {{ .Values.hostNetwork }} serviceAccountName: {{ include "amazon-eks-pod-identity-webhook.serviceAccountName" . }} + {{- with .Values.podSecurityContext }} securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} volumes: - name: cert secret: @@ -90,15 +118,3 @@ spec: {{- else }} secretName: "{{ include "amazon-eks-pod-identity-webhook.fullname" . }}-cert" {{- end }} - {{- if .Values.nodeSelector }} - nodeSelector: - {{- tpl (toYaml .Values.nodeSelector) . | nindent 8 }} - {{- end }} - {{- if .Values.affinity }} - affinity: - {{- tpl (toYaml .Values.affinity ) . | nindent 8 }} - {{- end }} - {{- if .Values.tolerations }} - tolerations: - {{- tpl (toYaml .Values.tolerations) . | nindent 8 }} - {{- end }} 
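Review bot: Wrapping the container and pod `securityContext` in `{{- with }}` means an override of `securityContext: {}` or `securityContext: null` now drops the block entirely, and with it the `allowPrivilegeEscalation: false`, `capabilities.drop: ["ALL"]` and `seccompProfile` defaults this commit adds to values.yaml, with no rendering error to signal the regression. That mirrors how probes and resources are handled in the same hunk, but those keys are not security-bearing. Consider keeping `securityContext:` unconditional for the container, as it was before this change, or at least documenting both keys in values.yaml with a comment such as `# -- Required for the "restricted" Pod Security Standard; extend rather than replace.` The Deployment spec continues outside the hunk.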
diff --git a/charts/amazon-eks-pod-identity-webhook/templates/mutatingwebhook.yaml b/charts/amazon-eks-pod-identity-webhook/templates/mutatingwebhook.yaml index 4a4f763..10a2be9 100644 --- a/charts/amazon-eks-pod-identity-webhook/templates/mutatingwebhook.yaml +++ b/charts/amazon-eks-pod-identity-webhook/templates/mutatingwebhook.yaml @@ -33,15 +33,18 @@ webhooks: {{- end }} objectSelector: matchExpressions: + - key: "eks.amazonaws.com/skip-pod-identity-webhook" + operator: "DoesNotExist" + values: [] - key: "app.kubernetes.io/name" operator: "NotIn" values: - "{{ include "amazon-eks-pod-identity-webhook.name" . }}" - {{- if .Values.mutatingWebhook.objectSelector.matchExpressions }} - {{- toYaml .Values.mutatingWebhook.objectSelector.matchExpressions | nindent 8 }} + {{- with .Values.mutatingWebhook.objectSelector.matchExpressions }} + {{- toYaml . | nindent 8 }} {{- end }} - {{- if .Values.mutatingWebhook.objectSelector.matchLabels }} - matchLabels: {{- toYaml .Values.mutatingWebhook.objectSelector.matchLabels | nindent 8 }} + {{- with .Values.mutatingWebhook.objectSelector.matchLabels }} + matchLabels: {{- toYaml . | nindent 8 }} {{- end }} sideEffects: None admissionReviewVersions: diff --git a/charts/amazon-eks-pod-identity-webhook/templates/role.yaml b/charts/amazon-eks-pod-identity-webhook/templates/role.yaml index 2023c3f..b1c4fb5 100644 --- a/charts/amazon-eks-pod-identity-webhook/templates/role.yaml +++ b/charts/amazon-eks-pod-identity-webhook/templates/role.yaml @@ -1,9 +1,10 @@ --- {{- if .Values.config.podIdentityWebhookMap.enabled }} +{{- $fullName := include "amazon-eks-pod-identity-webhook.fullname" . }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ include "amazon-eks-pod-identity-webhook.fullname" . }} + name: {{ $fullName }} namespace: {{ include "amazon-eks-pod-identity-webhook.namespace" . }} labels: {{- include "amazon-eks-pod-identity-webhook.labels" . | nindent 4 }} 
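Review bot: The added `eks.amazonaws.com/skip-pod-identity-webhook` / `DoesNotExist` expression turns a pod-author-controlled label into an unconditional opt-out from mutation, and the chart neither documents it nor lets operators disable it; a workload that relies on the injected token and picks up this label will simply start without credentials. The selector appears to mirror the upstream manifest, which is reasonable, but it deserves a line in values.yaml or the README so admission-policy owners know the label exists and can alert on it. `values: []` is redundant for `DoesNotExist` and can be dropped, matching the `NotIn` entry below, which lists values only because its operator needs them. The `webhooks` entry starts above this hunk.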
@@ -11,25 +12,34 @@ rules: - apiGroups: - "" resources: - - configmaps + - secrets + verbs: + - create + - apiGroups: + - "" + resources: + - secrets verbs: - get - - watch - - list + - update + - patch + resourceNames: + {{- /* This is the service account name, ref: https://github.com/aws/amazon-eks-pod-identity-webhook/blob/ac3554488585c1a35bea552f771ef3bd4e6e0ddd/pkg/handler/handler.go#L436 */}} + - "{{ include "amazon-eks-pod-identity-webhook.serviceAccountName" . }}" --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ include "amazon-eks-pod-identity-webhook.fullname" . }} + name: {{ $fullName }} namespace: {{ include "amazon-eks-pod-identity-webhook.namespace" . }} labels: {{- include "amazon-eks-pod-identity-webhook.labels" . | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: {{ include "amazon-eks-pod-identity-webhook.fullname" . }} + name: {{ $fullName }} subjects: - kind: ServiceAccount - name: {{ include "amazon-eks-pod-identity-webhook.fullname" . }} + name: {{ $fullName }} namespace: {{ include "amazon-eks-pod-identity-webhook.namespace" . }} {{- end }} diff --git a/charts/amazon-eks-pod-identity-webhook/templates/service.yaml b/charts/amazon-eks-pod-identity-webhook/templates/service.yaml index a1013a8..eb8e4f2 100644 --- a/charts/amazon-eks-pod-identity-webhook/templates/service.yaml +++ b/charts/amazon-eks-pod-identity-webhook/templates/service.yaml @@ -6,7 +6,10 @@ metadata: namespace: {{ include "amazon-eks-pod-identity-webhook.namespace" . }} labels: {{- include "amazon-eks-pod-identity-webhook.labels" . | nindent 4 }} - {{- with .Values.serviceAnnotations }} + {{- with .Values.service.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.service.annotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} 
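Review bot: The first rule's `create` verb applies to every Secret in the namespace, because `resourceNames` cannot restrict `create`; only the second rule is pinned to the Secret named after the service account. That is plausibly the minimum the handler needs (the linked upstream code is the only evidence here), but the template comment should say so, since a reader will otherwise assume the `resourceNames` scoping covers both rules: `{{- /* create cannot be limited by resourceNames; the webhook may create any Secret in this namespace */}}`. Replacing configmaps get/watch/list with these narrower rules is a sound least-privilege change, and the Role remains gated by `podIdentityWebhookMap.enabled` in the hunk above. The `rules` list starts above this hunk.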
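Review bot: Switching the template from `.Values.serviceAnnotations` to `.Values.service.annotations` silently ignores any existing override of `serviceAnnotations`, with no warning at render time; the values.yaml context in this commit shows `service.annotations: {}` as the documented key, so this fixes a mismatch, but installs that set the key the old template actually read lose their annotations on upgrade. A one-line fallback keeps both working, `{{- with (.Values.service.annotations | default .Values.serviceAnnotations) }}`, or `{{- if .Values.serviceAnnotations }}{{ fail "serviceAnnotations moved to service.annotations" }}{{- end }}` makes the break explicit. Either way the 2.3.2 → 2.4.0 bump in Chart.yaml should note the changed value. The Service metadata starts above this hunk.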
@@ -16,9 +19,11 @@ spec: - port: {{ .Values.config.ports.webhook }} targetPort: https protocol: TCP + appProtocol: https name: https - port: {{ .Values.config.ports.metrics }} targetPort: metrics + appProtocol: http protocol: TCP name: metrics selector: diff --git a/charts/amazon-eks-pod-identity-webhook/templates/servicemonitor.yaml b/charts/amazon-eks-pod-identity-webhook/templates/servicemonitor.yaml index ec72ec7..888243e 100644 --- a/charts/amazon-eks-pod-identity-webhook/templates/servicemonitor.yaml +++ b/charts/amazon-eks-pod-identity-webhook/templates/servicemonitor.yaml @@ -30,7 +30,10 @@ spec: {{- if .Values.metrics.serviceMonitor.honorLabels }} honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }} {{- end }} - {{- if .Values.metrics.serviceMonitor.relabelings }} - relabelings: {{- toYaml .Values.metrics.serviceMonitor.relabelings | nindent 6 }} + {{- with .Values.metrics.serviceMonitor.relabelings }} + relabelings: {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.metrics.serviceMonitor.endpointAdditionalProperties }} + {{- toYaml . | nindent 6 }} {{- end }} {{- end -}} diff --git a/charts/amazon-eks-pod-identity-webhook/values.yaml b/charts/amazon-eks-pod-identity-webhook/values.yaml index 832e2c2..a388a7f 100644 --- a/charts/amazon-eks-pod-identity-webhook/values.yaml +++ b/charts/amazon-eks-pod-identity-webhook/values.yaml @@ -133,6 +133,8 @@ metrics: honorLabels: false # -- RelabelConfigs to apply to samples before scraping. relabelings: [] + # -- More properties for the endpoint configuration of the service monitor. + endpointAdditionalProperties: {} readinessProbe: httpGet: 
@@ -169,20 +171,33 @@ resources: requests: {} securityContext: - # -- Pod securityContext: Enable read-only root filesystem + # -- Container securityContext: Allow privilege escalation + allowPrivilegeEscalation: false + # -- Container securityContext: Enable read-only root filesystem readOnlyRootFilesystem: true - # -- Pod securityContext: Run primary group id + # -- Container securityContext: Run primary group id runAsGroup: 1 - # -- Pod securityContext: Disable root user + # -- Container securityContext: Disable root user runAsNonRoot: false - # -- Pod securityContext: Run user id + # -- Container securityContext: Run user id runAsUser: 65534 + # -- Container securityContext: Drop capabilities + capabilities: + drop: ["ALL"] + + +podSecurityContext: + # -- Pod securityContext: Seccomp profile + seccompProfile: + type: RuntimeDefault service: # -- Service type type: ClusterIP # -- Service annotations annotations: {} + # -- Service labels. + labels: {} serviceAccount: # -- Enable creation of ServiceAccount for nginx pod @@ -202,10 +217,6 @@ podAnnotations: {} # prometheus.io/scheme: "http" # prometheus.io/scrape: "true" -# -- amazon-eks-pod-identity-webhook pods' Security Context. -podSecurityContext: {} -# fsGroup: 2000 - # -- Affinity for pod assignment affinity: {}
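Review bot: `runAsNonRoot` stays `false` in the container securityContext while the same block pins `runAsUser: 65534`, so the kubelet never enforces the non-root requirement and the hardening added here (`allowPrivilegeEscalation: false`, `capabilities.drop: ["ALL"]`, `seccompProfile: RuntimeDefault`) still falls short of the `restricted` Pod Security Standard, which requires `runAsNonRoot: true`. With an explicit non-zero UID the change costs nothing: `runAsNonRoot: true`. The two blank lines inserted before `podSecurityContext:` should be one (yamllint `empty-lines`). `runAsGroup: 1` predates this commit; if there is no reason for GID 1, using 65534 to match the UID would be the less surprising default.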