[kibana] Add pod security policy to template

[krichter722]

This is necessary in order to be able to make the chart work on a cluster with pod security policy enabled.

• Chart version not bumped (the versions are all bumped and released at the same time)
• README.md updated with any new values or changes
• Updated template tests in ${CHART}/tests/*.py
• Updated integration tests in ${CHART}/examples/*/test/goss.yaml

[elasticmachine]

Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually?

[elasticmachine]

Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually?

[jmlrt]

jenkins test this please

[jmlrt]

Hi @krichter722, thanks for this PR 👍

helm lint --strict is failing because managedServiceAccount is missing from default values (see elastic+helm-charts+pull-request+template-testing/616/CHART=kibana). You should add it like in

helm-charts/filebeat/values.yaml

Lines 85 to 86 in b6054f0

	# Whether this chart should self-manage its service account, role, and associated role binding.
	managedServiceAccount: true

[jmlrt]

jenkins test this please

[jmlrt]

helm-charts/kibana/tests/kibana_test.py

Line 283 in acb4f51

def test_setting_a_custom_service_account():

This test is failling in elastic+helm-charts+pull-request+template-testing/637/CHART=kibana. Can you fix it?

[jmlrt]

jenkins test this please

[jmlrt]

@krichter722, thanks for this PR.
Some changed are required to make it more consistent with the way PSP is done in other charts.

As you are adding new values to the chart, please don't forget to document them on the README page.

It would also be great if you could add the python tests we have in Logstash chart

helm-charts/logstash/tests/logstash_test.py

Lines 583 to 672 in 4f40f6d

	def test_pod_security_policy():
	## Make sure the default config is not creating any resources
	config = ""
	resources = ("role", "rolebinding", "serviceaccount", "podsecuritypolicy")
	r = helm_template(config)
	for resource in resources:
	assert resource not in r
	assert (
	"serviceAccountName" not in r["statefulset"][name]["spec"]["template"]["spec"]
	)
	## Make sure all the resources are created with default values
	config = """
	rbac:
	create: true
	serviceAccountName: ""
	podSecurityPolicy:
	create: true
	name: ""
	"""
	r = helm_template(config)
	for resource in resources:
	assert resource in r
	assert r["role"][name]["rules"][0] == {
	"apiGroups": ["extensions"],
	"verbs": ["use"],
	"resources": ["podsecuritypolicies"],
	"resourceNames": [name],
	}
	assert r["rolebinding"][name]["subjects"] == [
	{"kind": "ServiceAccount", "namespace": "default", "name": name}
	]
	assert r["rolebinding"][name]["roleRef"] == {
	"apiGroup": "rbac.authorization.k8s.io",
	"kind": "Role",
	"name": name,
	}
	assert (
	r["statefulset"][name]["spec"]["template"]["spec"]["serviceAccountName"] == name
	)
	psp_spec = r["podsecuritypolicy"][name]["spec"]
	assert psp_spec["privileged"] is True
	def test_external_pod_security_policy():
	## Make sure we can use an externally defined pod security policy
	config = """
	rbac:
	create: true
	serviceAccountName: ""
	podSecurityPolicy:
	create: false
	name: "customPodSecurityPolicy"
	"""
	resources = ("role", "rolebinding")
	r = helm_template(config)
	for resource in resources:
	assert resource in r
	assert r["role"][name]["rules"][0] == {
	"apiGroups": ["extensions"],
	"verbs": ["use"],
	"resources": ["podsecuritypolicies"],
	"resourceNames": ["customPodSecurityPolicy"],
	}
	def test_external_service_account():
	## Make sure we can use an externally defined service account
	config = """
	rbac:
	create: false
	serviceAccountName: "customServiceAccountName"
	podSecurityPolicy:
	create: false
	name: ""
	"""
	resources = ("role", "rolebinding", "serviceaccount")
	r = helm_template(config)
	assert (
	r["statefulset"][name]["spec"]["template"]["spec"]["serviceAccountName"]
	== "customServiceAccountName"
	)
	# When referencing an external service account we do not want any resources to be created.
	for resource in resources:
	assert resource not in r

[jmlrt]

I don't think we need ClusterRole and ClusterRoleBinding for Kibana chart, using a Role and RoleBinding should be enough

[jmlrt]

a default ServiceAccount name should be used if serviceAccountName isn't defined. Here is an example from Logstash chart:

Suggested change

	{{- if .Values.rbac.serviceAccountName }}
	serviceAccount: {{ .Values.rbac.serviceAccountName }}
	{{- if .Values.rbac.create }}
	serviceAccountName: "{{ template "kibana.fullname" . }}"
	{{- else if not (eq .Values.rbac.serviceAccountName "") }}
	serviceAccountName: {{ .Values.rbac.serviceAccountName | quote }}

[jmlrt]

Why are you checking podSecurityPolicy.name value if you're not using kibana.serviceAccount in kibana/templates/podsecuritypolicy.yaml?

[jmlrt]

I would prefer removing kibana.serviceAccount template and keeping ClusterRole, ClusterRoleBinding and ServiceAccount name consistent with what we have in most other charts (you can check Logstash chart for that).

[jmlrt]

Let's add downwardAPI and emptyDir like in #496 (comment)

[jmlrt]

privileged: true isn't required for kibana

[jmlrt]

a specific rule for podsecuritypolicies resource is required similar to #496 (review)

[botelastic]

This PR has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. To track this PR (even if closed), please open a corresponding issue if one does not already exist.

[botelastic]

This PR has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. To track this PR (even if closed), please open a corresponding issue if one does not already exist.

[jmlrt]

closing as stale