Add PSP for the controller Deployment

george-angel · george-angel · commit 455a260e6fcb · 2020-10-07T10:36:48.000+01:00
diff --git a/deploy/kubernetes/base/controller/cluster_setup.yaml b/deploy/kubernetes/base/controller/cluster_setup.yaml
@@ -152,6 +152,29 @@ roleRef:
   kind: ClusterRole
   name: csi-gce-pd-resizer-role
   apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-gce-pd-controller-deploy
+rules:
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    verbs: ["use"]
+    resourceNames:
+      - csi-gce-pd-controller-psp
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: csi-gce-pd-controller-deploy
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: csi-gce-pd-controller-deploy
+subjects:
+  - kind: ServiceAccount
+    name: csi-gce-pd-controller-sa
 
 ---
 
diff --git a/deploy/kubernetes/base/controller/kustomization.yaml b/deploy/kubernetes/base/controller/kustomization.yaml
@@ -6,3 +6,4 @@ resources:
 - cluster_setup.yaml
 - controller.yaml
 - csidriver_info.yaml
+- psp.yaml
diff --git a/deploy/kubernetes/base/controller/psp.yaml b/deploy/kubernetes/base/controller/psp.yaml
@@ -0,0 +1,18 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: csi-gce-pd-controller-psp
+spec:
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  runAsUser:
+    rule: RunAsAny
+  fsGroup:
+    rule: RunAsAny
+  volumes:
+    - "configMap"
+    - "emptyDir"
+    - "secret"
+  hostNetwork: true
