diff --git a/filebeat/README.md b/filebeat/README.md
index 7ba37ee22..9991b8f30 100644
--- a/filebeat/README.md
+++ b/filebeat/README.md
@@ -132,7 +132,8 @@ as a reference. They are also used in the automated testing of this chart.
 | `readinessProbe` | Parameters to pass to readiness [probe][] checks for values such as timeouts and thresholds | see [values.yaml][] |
 | `resources` | Allows you to set the [resources][] for the `DaemonSet` | see [values.yaml][] |
 | `secretMounts` | Allows you easily mount a secret as a file inside the `DaemonSet`. Useful for mounting certificates and other secrets. See [values.yaml][] for an example | `[]` |
-| `serviceAccount` | Custom [serviceAccount][] that Filebeat will use during execution. By default will use the service account created by this chart | `""` |
+| `rbac` | Allows control over creation of RBAC-related objects and the [serviceAccount][] that Filebeat will use during execution. See [values.yaml][] for details | see [values.yaml][] |
+| `podSecurityPolicy` | Allows control over pod permission policy-related objects. See [values.yaml][] for details | see [values.yaml][] |
 | `terminationGracePeriod` | Termination period (in seconds) to wait before killing Filebeat pod process on pod shutdown | `30` |
 | `tolerations` | Configurable [tolerations][] | `[]` |
 | `updateStrategy` | The [updateStrategy][] for the `DaemonSet`. By default Kubernetes will kill and recreate pods on updates. Setting this to `OnDelete` will require that pods be deleted manually | `RollingUpdate` |
diff --git a/filebeat/templates/_helpers.tpl b/filebeat/templates/_helpers.tpl
index a52a93788..98efa7938 100755
--- a/filebeat/templates/_helpers.tpl
+++ b/filebeat/templates/_helpers.tpl
@@ -23,8 +23,8 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 Use the fullname if the serviceAccount value is not set
 */}}
 {{- define "filebeat.serviceAccount" -}}
-{{- if .Values.serviceAccount }}
-{{- .Values.serviceAccount -}}
+{{- if and .Values.rbac.serviceAccountName not eq .Values.podSecurityPolicy.name "" -}}
+{{- .Values.rbac.serviceAccountName -}}
 {{- else }}
 {{- $name := default .Chart.Name .Values.nameOverride -}}
 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
diff --git a/filebeat/templates/podsecuritypolicy.yaml b/filebeat/templates/podsecuritypolicy.yaml
new file mode 100644
index 000000000..86c74c213
--- /dev/null
+++ b/filebeat/templates/podsecuritypolicy.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.podSecurityPolicy.create -}}
+{{- $fullName := include "filebeat.fullname" . -}}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ default $fullName .Values.podSecurityPolicy.name | quote }}
+  labels:
+    heritage: {{ .Release.Service | quote }}
+    release: {{ .Release.Name | quote }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    app: {{ $fullName | quote }}
+spec:
+{{ toYaml .Values.podSecurityPolicy.spec | indent 2 }}
+{{- end -}}
diff --git a/filebeat/values.yaml b/filebeat/values.yaml
index 1b396af79..21769aead 100755
--- a/filebeat/values.yaml
+++ b/filebeat/values.yaml
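Review bot: The new guard `{{- if and .Values.rbac.serviceAccountName not eq .Values.podSecurityPolicy.name "" -}}` is not valid Go template syntax — `and` receives `not` and `eq` as bare arguments rather than as a parenthesized call, so the template fails to render — and even the apparently intended `(not (eq .Values.podSecurityPolicy.name ""))` would make service-account selection depend on the PSP name, which is an unrelated setting. The helper only needs to honor an explicit override, so the guard should be `{{- if .Values.rbac.serviceAccountName -}}`. The comment above the define still says "if the serviceAccount value is not set"; update it to `Use the fullname if rbac.serviceAccountName is not set`. With `rbac.create: false` now the default in values.yaml, it is worth confirming that the service-account template (not in this diff) still creates the account the fallback name refers to; otherwise the DaemonSet ends up referencing a ServiceAccount that does not exist.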
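Review bot: Nothing in this diff grants the Filebeat ServiceAccount `use` on the PodSecurityPolicy it creates — a PSP only takes effect through a Role with `apiGroups: ["policy"]`, `resources: ["podsecuritypolicies"]`, `verbs: ["use"]`, `resourceNames: [<psp name>]` bound to the pod's ServiceAccount, so on a cluster with the PSP admission controller enabled the DaemonSet pods would still be rejected unless an rbac template not shown here already does this. Because `rbac.create` and `podSecurityPolicy.create` are independent toggles, that Role/RoleBinding should be emitted together with this template and reference `default $fullName .Values.podSecurityPolicy.name` so the two names cannot drift apart. The name is piped through `quote` but not `trunc 63`, unlike the fullname helper, so a long user-supplied `podSecurityPolicy.name` yields an object the API server rejects. `policy/v1beta1` PodSecurityPolicy is deprecated and removed in Kubernetes 1.25; a leading `{{/* NOTE: PodSecurityPolicy is removed in Kubernetes v1.25; plan migration to Pod Security Admission or an admission policy engine */}}` comment would warn chart users before they depend on it.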
@@ -107,8 +107,29 @@ resources:
     cpu: "1000m"
     memory: "200Mi"
 
-# Custom service account override that the pod will use
-serviceAccount: ""
+rbac:
+  create: false
+  serviceAccountName: ""
+
+podSecurityPolicy:
+  create: false
+  name: ""
+  spec:
+    privileged: true
+    fsGroup:
+      rule: RunAsAny
+    runAsUser:
+      rule: RunAsAny
+    seLinux:
+      rule: RunAsAny
+    supplementalGroups:
+      rule: RunAsAny
+    volumes:
+      - secret
+      - configMap
+      - persistentVolumeClaim
+      - projected
+      - emptyDir
 
 # A list of secrets and their paths to mount inside the pod
 # This is useful for mounting certificates for security other sensitive values
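Review bot: The default `podSecurityPolicy.spec` is the most permissive policy possible — `privileged: true` and `RunAsAny` for every rule — so turning on `podSecurityPolicy.create` hands the Filebeat ServiceAccount a policy that admits any pod, which defeats the purpose of shipping one. At the same time the `volumes` list omits `hostPath`, and a log-shipping DaemonSet usually mounts host log directories, so if the daemonset template (not in this diff) does so the pods would be rejected by this very policy; verify that against the template. A tighter default that still fits Filebeat is sketched below: privileged off, no privilege escalation, capabilities dropped, and `hostPath` allowed only read-only under `allowedHostPaths`, with a comment explaining that `runAsUser: RunAsAny` is kept only because reading container logs may require root. Separately, `rbac.create: false` replaces a chart that, per the removed README row, created a service account by default, so existing installs upgrading will silently lose that account unless the default becomes `true` or the change is called out as breaking.
```yaml
podSecurityPolicy:
  create: false
  name: ""
  spec:
    privileged: false
    allowPrivilegeEscalation: false
    requiredDropCapabilities:
      - ALL
    # … unchanged: fsGroup / runAsUser / seLinux / supplementalGroups rules …
    # runAsUser stays RunAsAny only because reading container logs may require root.
    volumes:
      # … unchanged: secret / configMap / persistentVolumeClaim / projected / emptyDir …
      - hostPath
    # Only needed if the DaemonSet mounts host log directories; keep them read-only.
    allowedHostPaths:
      - pathPrefix: /var/log
        readOnly: true
```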