diff --git a/CHANGELOG.md b/CHANGELOG.md
index 659b85c1..647d046f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+### Added
+
+- Add `global.podSecurityStandards.enforced` value for PSS migration.
+
 ## [2.5.0] - 2023-10-09
 ### Changed
diff --git a/helm/cluster-api-provider-aws/files/copy/psp.yaml b/helm/cluster-api-provider-aws/files/copy/psp.yaml
index 7cec3acc..9cf65a46 100644
--- a/helm/cluster-api-provider-aws/files/copy/psp.yaml
+++ b/helm/cluster-api-provider-aws/files/copy/psp.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.global.podSecurityStandards.enforced }}
 {{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
@@ -66,4 +67,4 @@ roleRef:
 name: {{ include "resource.psp.name" . }}
 apiGroup: rbac.authorization.k8s.io
 {{- end }}
-
+{{- end }}
diff --git a/helm/cluster-api-provider-aws/templates/crd-install/crd-psp.yaml b/helm/cluster-api-provider-aws/templates/crd-install/crd-psp.yaml
index 9da10f9e..c0d18fb8 100644
--- a/helm/cluster-api-provider-aws/templates/crd-install/crd-psp.yaml
+++ b/helm/cluster-api-provider-aws/templates/crd-install/crd-psp.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.global.podSecurityStandards.enforced }}
 {{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
@@ -37,3 +38,4 @@ spec:
 max: 65535
 readOnlyRootFilesystem: false
 {{- end }}
+{{- end }}
diff --git a/helm/cluster-api-provider-aws/templates/crd-install/crd-rbac.yaml b/helm/cluster-api-provider-aws/templates/crd-install/crd-rbac.yaml
index 8c8ce43f..c3a2e9bb 100644
--- a/helm/cluster-api-provider-aws/templates/crd-install/crd-rbac.yaml
+++ b/helm/cluster-api-provider-aws/templates/crd-install/crd-rbac.yaml
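Review bot: The new guard `{{- if not .Values.global.podSecurityStandards.enforced }}` at the top of files/copy/psp.yaml dereferences two levels of a map that may not be present; in Go templates a missing `podSecurityStandards` key evaluates to nil and the following `.enforced` lookup then aborts rendering with a nil-pointer template error instead of falling back to the chart default. This cannot happen while the chart's own values.yaml supplies the key, but a values override that sets `global.podSecurityStandards: null`, or (presumably) another chart rendering this copy from `files/copy/` without that key in its `global` map, would fail at install time. A tolerant form is `{{- if not (.Values.global.podSecurityStandards | default dict).enforced }}`, which treats an absent map as "not enforced". The same line is added in crd-psp.yaml, crd-rbac.yaml and templates/psp.yaml; the PodSecurityPolicy body between this file's two hunks lies outside this view.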
@@ -28,6 +28,7 @@ rules: - delete - get - patch +{{- if not .Values.global.podSecurityStandards.enforced }} {{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }} - apiGroups: - policy @@ -38,6 +39,7 @@ rules: verbs: - use {{- end }} +{{- end }} - apiGroups: - apps - extensions diff --git a/helm/cluster-api-provider-aws/templates/psp.yaml b/helm/cluster-api-provider-aws/templates/psp.yaml index 7cec3acc..9cf65a46 100644 --- a/helm/cluster-api-provider-aws/templates/psp.yaml +++ b/helm/cluster-api-provider-aws/templates/psp.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.global.podSecurityStandards.enforced }} {{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy @@ -66,4 +67,4 @@ roleRef: name: {{ include "resource.psp.name" . }} apiGroup: rbac.authorization.k8s.io {{- end }} - +{{- end }} diff --git a/helm/cluster-api-provider-aws/values.schema.json b/helm/cluster-api-provider-aws/values.schema.json index 0294bdab..596eda5d 100644 --- a/helm/cluster-api-provider-aws/values.schema.json +++ b/helm/cluster-api-provider-aws/values.schema.json @@ -167,6 +167,19 @@ "type": "boolean" } } + }, + "global": { + "type": "object", + "properties": { + "podSecurityStandards": { + "type": "object", + "properties": { + "enforced": { + "type": "boolean" + } + } + } + } } } } diff --git a/helm/cluster-api-provider-aws/values.yaml b/helm/cluster-api-provider-aws/values.yaml index 947fb427..5853b39e 100644 --- a/helm/cluster-api-provider-aws/values.yaml +++ b/helm/cluster-api-provider-aws/values.yaml @@ -59,3 +59,7 @@ registry: verticalPodAutoscaler: enabled: true + +global: + podSecurityStandards: + enforced: false
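Review bot: In crd-rbac.yaml the new `{{- if not … }}` is wrapped around the existing capability check inside the rules list, so the list now carries two consecutive `{{- end }}` lines (the second hunk adds the outer one) that close conditions opened several lines apart, and a later edit can easily pair the added `{{- end }}` with the wrong `if`. Folding both tests into one condition keeps a single open/close pair: `{{- if and (not .Values.global.podSecurityStandards.enforced) (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}` with the added `{{- end }}` dropped. The same nesting is used in the three psp templates. The `rules:` list and the enclosing role definition continue outside both hunks.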
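Review bot: Neither the new schema entry for `global.podSecurityStandards.enforced` in values.schema.json nor the matching default added at the end of values.yaml says what flipping the flag does, which matters because setting it to true removes the PodSecurityPolicy and the RBAC rule granting `use` on it in one step. A `description` on the `enforced` property and a comment above the default would make that visible where operators edit it, e.g. in values.yaml: `# When true, the chart stops rendering its PodSecurityPolicy and the RBAC rule granting use of it;` / `# presumably only set this once the target namespace enforces Pod Security Standards.` The changelog entry only names the value, so these would be the only places the semantics are documented.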