elastic · krichter722 · May 22, 2020
diff --git a/filebeat/README.md b/filebeat/README.md
@@ -132,7 +132,8 @@ as a reference. They are also used in the automated testing of this chart.
 | `readinessProbe`         | Parameters to pass to readiness [probe][] checks for values such as timeouts and thresholds                                                                                     | see [values.yaml][]                |
 | `resources`              | Allows you to set the [resources][] for the `DaemonSet`                                                                                                                         | see [values.yaml][]                |
 | `secretMounts`           | Allows you easily mount a secret as a file inside the `DaemonSet`. Useful for mounting certificates and other secrets. See [values.yaml][] for an example                       | `[]`                               |
-| `serviceAccount`         | Custom [serviceAccount][] that Filebeat will use during execution. By default will use the service account created by this chart                                                | `""`                               |
+| `rbac`                   | Allows control over creation of RBAC-related objects and the [serviceAccount][] that Filebeat will use during execution. See [values.yaml][] for details                        | see [values.yaml][]                |
+| `podSecurityPolicy`      | Allows control over pod permission policy-related objects. See [values.yaml][] for details                                                                                      | see [values.yaml][]                |
 | `terminationGracePeriod` | Termination period (in seconds) to wait before killing Filebeat pod process on pod shutdown                                                                                     | `30`                               |
 | `tolerations`            | Configurable [tolerations][]                                                                                                                                                    | `[]`                               |
 | `updateStrategy`         | The [updateStrategy][] for the `DaemonSet`. By default Kubernetes will kill and recreate pods on updates. Setting this to `OnDelete` will require that pods be deleted manually | `RollingUpdate`                    |

diff --git a/filebeat/templates/_helpers.tpl b/filebeat/templates/_helpers.tpl
@@ -23,8 +23,8 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 Use the fullname if the serviceAccount value is not set
 */}}
 {{- define "filebeat.serviceAccount" -}}
-{{- if .Values.serviceAccount }}
-{{- .Values.serviceAccount -}}
+{{- if and .Values.rbac.serviceAccountName not eq .Values.podSecurityPolicy.name "" -}}
+{{- .Values.rbac.serviceAccountName -}}
 {{- else }}
 {{- $name := default .Chart.Name .Values.nameOverride -}}
 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}

diff --git a/filebeat/templates/podsecuritypolicy.yaml b/filebeat/templates/podsecuritypolicy.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.podSecurityPolicy.create -}}
+{{- $fullName := include "filebeat.fullname" . -}}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ default $fullName .Values.podSecurityPolicy.name | quote }}
+  labels:
+    heritage: {{ .Release.Service | quote }}
+    release: {{ .Release.Name | quote }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    app: {{ $fullName | quote }}
+spec:
+{{ toYaml .Values.podSecurityPolicy.spec | indent 2 }}
+{{- end -}}
diff --git a/filebeat/values.yaml b/filebeat/values.yaml
@@ -107,8 +107,29 @@ resources:
     cpu: "1000m"
     memory: "200Mi"
 
-# Custom service account override that the pod will use
-serviceAccount: ""
+rbac:
+  create: false
+  serviceAccountName: ""
+
+podSecurityPolicy:
+  create: false
+  name: ""
+  spec:
+    privileged: true
+    fsGroup:
+      rule: RunAsAny
+    runAsUser:
+      rule: RunAsAny
+    seLinux:
+      rule: RunAsAny
+    supplementalGroups:
+      rule: RunAsAny
+    volumes:
+      - secret
+      - configMap
+      - persistentVolumeClaim
+      - projected
+      - emptyDir
 
 # A list of secrets and their paths to mount inside the pod
 # This is useful for mounting certificates for security other sensitive values