0
votes

I have a PodSecurityPolicy in my Helm Charts and would like to dynamically change the rule on runAsUser.

When {{- if .Values.global.psp.enabled }} is enabled and the respective values.yaml contains something like:

runAsUnprivilegedUser: true

I'm expecting the templates to be rendered like that:

runAsUser:
    # Require the container to run without root privileges.
    rule: 'MustRunAsNonRoot'

and additionally provide a default non-root user with, say, UID 1000.

If, on the other hand, runAsUnprivilegedUser is set to false, I'd like to have

runAsUser:
    rule: 'RunAsAny'

employed.

1
That seems reasonable; what have you tried so far and what problems are you encountering? - David Maze
@DavidMaze, thanks. Actually I'm pretty stuck on how to do the conditional branching and in particular on how to have the default of the non-root user enabled - brandshaide

1 Answer

2
votes

I think you can do that with a conditional statement

kind: PodSecurityPolicy
apiVersion: policy/v1beta1
metadata:
  name: allow-flex-volumes
spec:
  runAsUser:
    # Require the container to run without root privileges when both
    # PSP support (global.psp.enabled) and podSecurityContext are set.
    # Note: checking .Values.global.psp rather than .Values.global.psp.enabled
    # would be true for any non-empty psp map, even with enabled: false.
    {{- if and .Values.global.psp.enabled .Values.podSecurityContext }}
    rule: 'MustRunAsNonRoot'
    {{- else }}
    rule: 'RunAsAny'
    {{- end }}
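Below is an added example of the full pattern the question asks for; it is not part of the original question or answer. It branches on the question's own keys (global.psp.enabled and runAsUnprivilegedUser) and adds one hypothetical key, defaultUid, for the UID. The chart name, image key and the resource names derived from .Release.Name are assumptions. The important caveat is that a PSP rule of MustRunAsNonRoot provides no default UID: it only rejects pods that would run as UID 0 or whose image has no numeric USER. The default of 1000 therefore has to come either from the pod's own securityContext (shown in the Deployment below) or from a MustRunAs rule with a single range, whose minimum becomes the default.

```yaml
# values.yaml (constructed for this example)
global:
  psp:
    enabled: true
runAsUnprivilegedUser: true
# Hypothetical key: the UID applied when the non-root branch is active.
defaultUid: 1000
image: nginx:1.25

---
# templates/psp.yaml (constructed for this example)
{{- if .Values.global.psp.enabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: {{ .Release.Name }}-psp
spec:
  privileged: false
  allowPrivilegeEscalation: false
  runAsUser:
    {{- if .Values.runAsUnprivilegedUser }}
    # Require the container to run without root privileges.
    # This rejects UID 0 but does NOT supply a default UID; the
    # Deployment below sets runAsUser explicitly for that.
    rule: 'MustRunAsNonRoot'
    {{- else }}
    rule: 'RunAsAny'
    {{- end }}
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  volumes:
    - 'configMap'
    - 'secret'
    - 'emptyDir'
    - 'persistentVolumeClaim'
{{- end }}

---
# templates/deployment.yaml (excerpt, constructed for this example)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Release.Name }}-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: {{ .Release.Name }}
  template:
    metadata:
      labels:
        app: {{ .Release.Name }}
    spec:
      {{- if .Values.runAsUnprivilegedUser }}
      # The default non-root identity the PSP rule alone cannot provide.
      securityContext:
        runAsNonRoot: true
        runAsUser: {{ .Values.defaultUid }}
      {{- end }}
      containers:
        - name: app
          image: {{ .Values.image }}
```

Render both branches locally before installing, e.g. `helm template . --set runAsUnprivilegedUser=false` and again with `true`, and confirm that runAsUser.rule and the pod securityContext flip together; a PSP that says MustRunAsNonRoot paired with a pod that never sets a UID will be rejected at admission unless the image itself declares a numeric USER. If you would rather have the PSP impose the default instead of the pod spec, replace the rule with `MustRunAs` and a single range `- min: 1000` / `max: 1000`, which is the one PSP rule that fills in a missing runAsUser. Note also that PodSecurityPolicy was removed in Kubernetes 1.25; on newer clusters the same intent is expressed with Pod Security Admission and the pod-level securityContext shown above.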