Merge pull request #120 from shafeeqes/enh/podsecurity

Don't deploy `PSP`s when `PodSecurityPolicy` plugin is disabled

charts/internal/cilium/charts/agent/templates/daemonset.yaml

@@ -528,6 +528,10 @@ spec:
 {{- if and (eq .Release.Namespace "kube-system") (or (gt .Capabilities.KubeVersion.Minor "10") (gt .Capabilities.KubeVersion.Major "1"))}}
       priorityClassName: system-node-critical
 {{- end }}
+      securityContext:
+        fsGroup: 1
+        supplementalGroups:
+        - 1
       serviceAccount: "cilium"
       serviceAccountName: "cilium"
       terminationGracePeriodSeconds: 1

charts/internal/cilium/charts/operator/templates/deployment.yaml

@@ -42,6 +42,14 @@ spec:
             topologyKey: kubernetes.io/hostname
       nodeSelector:
         kubernetes.io/os: linux
+      securityContext:
+        fsGroup: 1
+        supplementalGroups:
+        - 1
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+          - ALL
       containers:
       - name: cilium-operator
         command:

pkg/charts/utils.go

@@ -160,12 +160,17 @@ func generateChartValues(config *ciliumv1alpha1.NetworkConfig, network *extensio
 		globalConfig.LocalRedirectPolicy.Enabled = true
 	}
 
+	// disable PSPs if it's disabled in the shoot
+	if helper.IsPSPDisabled(cluster.Shoot) {
+		globalConfig.Psp.Enabled = false
+	}
+
 	if config == nil {
 		return requirementsConfig, globalConfig, nil
 	}
 
-	// check if PSPs are enabled
-	if config.PSPEnabled != nil {
+	// do not overwrite if it's set to false before, otherwise use the value from the config
+	if globalConfig.Psp.Enabled && config.PSPEnabled != nil {
 		globalConfig.Psp.Enabled = *config.PSPEnabled
 	}