From dc422f6d8831b68ac3a2653c746999925eccce0b Mon Sep 17 00:00:00 2001
From: Nathan Coleman
Date: Tue, 1 Nov 2022 17:28:56 -0400
Subject: [PATCH 1/6] Add PodSecurityPolicy for all Gateway Deployments
---
 .../api-gateway-podsecuritypolicy.yaml | 45 +++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 charts/consul/templates/api-gateway-podsecuritypolicy.yaml
diff --git a/charts/consul/templates/api-gateway-podsecuritypolicy.yaml b/charts/consul/templates/api-gateway-podsecuritypolicy.yaml
new file mode 100644
index 0000000000..48f826f995
--- /dev/null
+++ b/charts/consul/templates/api-gateway-podsecuritypolicy.yaml
@@ -0,0 +1,45 @@
+{{- if and .Values.apiGateway.enabled .Values.global.enablePodSecurityPolicies }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ template "consul.fullname" . }}-api-gateway
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "consul.name" . }}
+ chart: {{ template "consul.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ component: api-gateway-controller
+spec:
+ privileged: false
+ # Required to prevent escalations to root.
+ allowPrivilegeEscalation: false
+ # This is redundant with non-root + disallow privilege escalation,
+ # but we can provide it for defense in depth.
+ requiredDropCapabilities:
+ - ALL
+ # Allow core volume types.
+ volumes:
+ - 'configMap'
+ - 'emptyDir'
+ - 'projected'
+ - 'secret'
+ - 'downwardAPI'
+ allowedCapabilities:
+ - NET_BIND_SERVICE
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ hostPorts:
+ - max: 65535
+ min: 1025
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'RunAsAny'
+ fsGroup:
+ rule: 'RunAsAny'
+ readOnlyRootFilesystem: true
+{{- end }}
From 706fa9410d19270f37fa05d1fd869fc1bc179ec2 Mon Sep 17 00:00:00 2001
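Review bot: The comment above `requiredDropCapabilities` says the drop is redundant with non-root, but `runAsUser.rule: 'RunAsAny'` in this same policy does not require a non-root user, so nothing in the PSP enforces that premise. If the gateway Deployments run unprivileged, `rule: 'MustRunAsNonRoot'` would make the policy match the comment; otherwise the comment should say that dropping capabilities is the actual guard. `hostPorts` 1025-65535 is also permitted while `hostNetwork` is false; if the gateway pods do not set `hostPort`, omitting the `hostPorts` stanza narrows what any Gateway bound to this PSP can request. Note as well that `policy/v1beta1` PodSecurityPolicy is removed from Kubernetes as of 1.25, so this template presumably needs the same cluster-version guard the chart applies to its other PSPs — that is a chart-wide concern rather than a defect of this hunk.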
From: Nathan Coleman
Date: Tue, 1 Nov 2022 17:32:54 -0400
Subject: [PATCH 2/6] Allow API gateway controller to manage roles + bindings
---
 .../api-gateway-controller-clusterrole.yaml | 18 ++++++++++++++++++
 .../api-gateway-gatewayclassconfig.yaml | 3 +++
 2 files changed, 21 insertions(+)
diff --git a/charts/consul/templates/api-gateway-controller-clusterrole.yaml b/charts/consul/templates/api-gateway-controller-clusterrole.yaml
index f84c5561c2..0d71b61bef 100644
--- a/charts/consul/templates/api-gateway-controller-clusterrole.yaml
+++ b/charts/consul/templates/api-gateway-controller-clusterrole.yaml
@@ -11,6 +11,24 @@ metadata:
 release: {{ .Release.Name }}
 component: api-gateway-controller
 rules:
+{{- if .Values.global.enablePodSecurityPolicies }}
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - roles
+ - rolebindings
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+- apiGroups:
+ - policy
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+{{- end}}
 - apiGroups:
 - api-gateway.consul.hashicorp.com
 resources:
diff --git a/charts/consul/templates/api-gateway-gatewayclassconfig.yaml b/charts/consul/templates/api-gateway-gatewayclassconfig.yaml
index 450357a773..f2fecba47e 100644
--- a/charts/consul/templates/api-gateway-gatewayclassconfig.yaml
+++ b/charts/consul/templates/api-gateway-gatewayclassconfig.yaml
@@ -15,6 +15,9 @@ spec:
 {{- if .Values.global.acls.manageSystemACLs }}
 managed: true
 method: {{ template "consul.fullname" . }}-k8s-auth-method
+ {{- if .Values.global.enablePodSecurityPolicies }}
+ podSecurityPolicy: {{ template "consul.fullname" . }}-api-gateway
+ {{- end }}
 {{- end }}
 {{- if .Values.global.tls.enabled }}
 scheme: https
From 71045d93aaf839f95468bff77f76aef3a49436bc Mon Sep 17 00:00:00 2001
From: Nathan Coleman
Date: Wed, 2 Nov 2022 15:39:48 -0400
Subject: [PATCH 3/6] Add entry to CHANGELOG
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
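Review bot: The new `use` rule on `podsecuritypolicies` carries no `resourceNames`, so the controller is granted `use` on every PSP in the cluster rather than only the chart's own, whereas the pre-existing rule further down this file (visible in patch 4's second hunk) scopes the same verb to `{{ template "consul.fullname" . }}-api-gateway-controller`. Because RBAC escalation prevention only lets the controller write Roles and RoleBindings for permissions it already holds, the width of this grant is exactly the width of what it can hand to the Gateway ServiceAccounts it creates. Scoping it to the two chart policies, `resourceNames:` / `- {{ template "consul.fullname" . }}-api-gateway-controller` / `- {{ template "consul.fullname" . }}-api-gateway`, keeps that bounded; the same unscoped rule is carried into the consolidation hunk of this file in patch 4, so the scoping applies there too. The roles/rolebindings rule grants no `update` or `delete`, so cleanup of the objects the controller creates presumably relies on ownerReferences — a one-line comment saying so would save the next reader from checking.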
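Review bot: The new `podSecurityPolicy` field is nested inside `{{- if .Values.global.acls.manageSystemACLs }}`, so with `global.enablePodSecurityPolicies=true` but ACLs not managed the GatewayClassConfig never references the PSP created in patch 1, and the Gateway pods presumably fall back to whatever PSP their ServiceAccount can otherwise use or are rejected by PSP admission. If the field does not depend on ACLs it should sit under its own `{{- if .Values.global.enablePodSecurityPolicies }}` at the `spec:` level, outside the ACL block; if it is intentionally ACL-only, a comment stating why would help. The enclosing `spec:` mapping begins before this hunk.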
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6812e7360e..b4467de2eb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -31,7 +31,7 @@ IMPROVEMENTS:
 * Add `tolerations` and `nodeSelector` to Server ACL init jobs and `nodeSelector` to Webhook cert manager. [[GH-1581](https://github.com/hashicorp/consul-k8s/pull/1581)]
 * API Gateway: Add `tolerations` to `apiGateway.managedGatewayClass` and `apiGateway.controller` [[GH-1650](https://github.com/hashicorp/consul-k8s/pull/1650)]
 * API Gateway: Create PodSecurityPolicy for controller when `global.enablePodSecurityPolicies=true`. [[GH-1656](https://github.com/hashicorp/consul-k8s/pull/1656)] - + * API Gateway: Create PodSecurityPolicy and allow controller to bind it to ServiceAccounts that it creates for Gateway Deployments when `global.enablePodSecurityPolicies=true`. [[GH-1672](https://github.com/hashicorp/consul-k8s/pull/1672)] ## 1.0.0-beta4 (October 28, 2022)
From d247baa7935e964c0b21aaf8821430a78e7140c7 Mon Sep 17 00:00:00 2001
From: Nathan Coleman
Date: Thu, 3 Nov 2022 12:27:17 -0400
Subject: [PATCH 4/6] Consolidate controller ClusterRole mods for enablePodSecurityPolicies
---
 .../api-gateway-controller-clusterrole.yaml | 38 ++++++++-----------
 .../api-gateway-controller-clusterrole.bats | 12 ++++++
 2 files changed, 27 insertions(+), 23 deletions(-)
diff --git a/charts/consul/templates/api-gateway-controller-clusterrole.yaml b/charts/consul/templates/api-gateway-controller-clusterrole.yaml
index 0d71b61bef..eac2bd1f69 100644
--- a/charts/consul/templates/api-gateway-controller-clusterrole.yaml
+++ b/charts/consul/templates/api-gateway-controller-clusterrole.yaml
@@ -11,24 +11,6 @@ metadata:
 release: {{ .Release.Name }}
 component: api-gateway-controller
 rules:
-{{- if .Values.global.enablePodSecurityPolicies }}
-- apiGroups:
- - rbac.authorization.k8s.io
- resources:
- - roles
- - rolebindings
- verbs:
- - create
- - get
- - list
- - watch
-- apiGroups:
- - policy
- resources:
- - podsecuritypolicies
- verbs:
- - use
-{{- end}}
 - apiGroups:
 - api-gateway.consul.hashicorp.com
 resources:
@@ -263,11 +245,21 @@ rules:
 - patch
 - update
 {{- if .Values.global.enablePodSecurityPolicies }}
-- apiGroups: ["policy"]
- resources: ["podsecuritypolicies"]
- resourceNames:
- - {{ template "consul.fullname" . }}-api-gateway-controller
+- apiGroups:
+ - policy
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - roles
+ - rolebindings
 verbs:
- - use
+ - create
+ - get
+ - list
+ - watch
 {{- end }}
 {{- end }}
diff --git a/charts/consul/test/unit/api-gateway-controller-clusterrole.bats b/charts/consul/test/unit/api-gateway-controller-clusterrole.bats
index b69b6ac966..a933a541cd 100644
--- a/charts/consul/test/unit/api-gateway-controller-clusterrole.bats
+++ b/charts/consul/test/unit/api-gateway-controller-clusterrole.bats
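Review bot: The consolidated block in the second hunk closes with two `{{- end }}` lines, so the `use` and `create`/`get`/`list`/`watch` rules are now gated by an outer template condition whose opening `{{- if }}` lies before line 245, outside this hunk; before this commit the same rules sat directly under `rules:` and depended only on `global.enablePodSecurityPolicies`. If that outer condition is the ACL one, a cluster with PSPs enabled but ACLs unmanaged loses the grant the controller needs to bind the gateway PSP to the ServiceAccounts it creates, which is the use case this series adds. Either the block belongs back at the top of `rules:` under only the PSP condition, or the outer condition should be named in a comment above it, e.g. `# gated on <outer condition>: the controller binds the gateway PSP only in that mode`. The enclosing `rules:` sequence starts before both hunks.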
@@ -31,3 +31,15 @@ load _helpers
 yq '.rules[] | select((.resourceNames[0] == "release-name-consul-api-gateway-controller") and (.resources[0] == "podsecuritypolicies")) | length > 0' | tee /dev/stderr)
 [ "${actual}" = "true" ]
 }
+
+@test "apiGateway/ClusterRole: uses PodSecurityPolicy with apiGateway.enabled=true and global.enablePodSecurityPolicies=true" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/api-gateway-controller-clusterrole.yaml \
+ --set 'global.enablePodSecurityPolicies=true' \
+ --set 'apiGateway.enabled=true' \
+ --set 'apiGateway.image=foo' \
+ . | tee /dev/stderr |
+ yq '.rules[] | select((.resourceNames[0] == "release-name-consul-api-gateway-controller") and (.resources[0] == "podsecuritypolicies")) | length > 0' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
From 860fc3188a1726a42c229b1d517c3afe23948c20 Mon Sep 17 00:00:00 2001
From: Nathan Coleman
Date: Thu, 3 Nov 2022 12:41:32 -0400
Subject: [PATCH 5/6] Update/add unit test coverage for controller ClusterRole
---
 .../test/unit/api-gateway-controller-clusterrole.bats | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/charts/consul/test/unit/api-gateway-controller-clusterrole.bats b/charts/consul/test/unit/api-gateway-controller-clusterrole.bats
index a933a541cd..4dab228798 100644
--- a/charts/consul/test/unit/api-gateway-controller-clusterrole.bats
+++ b/charts/consul/test/unit/api-gateway-controller-clusterrole.bats
@@ -20,7 +20,7 @@ load _helpers
 [ "${actual}" = "true" ]
 }
-@test "apiGateway/ClusterRole: uses PodSecurityPolicy with apiGateway.enabled=true and global.enablePodSecurityPolicies=true" {
+@test "apiGateway/ClusterRole: can use podsecuritypolicies with apiGateway.enabled=true and global.enablePodSecurityPolicies=true" {
 cd `chart_dir`
 local actual=$(helm template \
 -s templates/api-gateway-controller-clusterrole.yaml \
@@ -28,11 +28,11 @@ load _helpers
 --set 'apiGateway.enabled=true' \
 --set 'apiGateway.image=foo' \
 . | tee /dev/stderr |
- yq '.rules[] | select((.resourceNames[0] == "release-name-consul-api-gateway-controller") and (.resources[0] == "podsecuritypolicies")) | length > 0' | tee /dev/stderr)
+ yq '.rules[] | select((.resources[0] == "podsecuritypolicies") and (.verbs[0] == "use")) | length > 0' | tee /dev/stderr)
 [ "${actual}" = "true" ]
 }
-@test "apiGateway/ClusterRole: uses PodSecurityPolicy with apiGateway.enabled=true and global.enablePodSecurityPolicies=true" {
+@test "apiGateway/ClusterRole: can create roles and rolebindings with apiGateway.enabled=true and global.enablePodSecurityPolicies=true" {
 cd `chart_dir`
 local actual=$(helm template \
 -s templates/api-gateway-controller-clusterrole.yaml \
@@ -40,6 +40,6 @@ load _helpers
 --set 'apiGateway.enabled=true' \
 --set 'apiGateway.image=foo' \
 . | tee /dev/stderr |
- yq '.rules[] | select((.resourceNames[0] == "release-name-consul-api-gateway-controller") and (.resources[0] == "podsecuritypolicies")) | length > 0' | tee /dev/stderr)
+ yq '.rules[] | select((.resources[0] == "roles") and (.resources[1] == "rolebindings") and (.verbs[0] == "create")) | length > 0' | tee /dev/stderr)
 [ "${actual}" = "true" ]
 }
From d92bc7ea5a48e68f6ced53e9dae80eda4321bb3e Mon Sep 17 00:00:00 2001
From: Nathan Coleman
Date: Fri, 4 Nov 2022 16:52:03 -0400
Subject: [PATCH 6/6] Check for additional verbs on cluster role
---
 charts/consul/test/unit/api-gateway-controller-clusterrole.bats | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/consul/test/unit/api-gateway-controller-clusterrole.bats b/charts/consul/test/unit/api-gateway-controller-clusterrole.bats
index 4dab228798..f26fdfeebd 100644
--- a/charts/consul/test/unit/api-gateway-controller-clusterrole.bats
+++ b/charts/consul/test/unit/api-gateway-controller-clusterrole.bats
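Review bot: The rewritten selector in the first hunk, `select((.resources[0] == "podsecuritypolicies") and (.verbs[0] == "use"))`, drops the `.resourceNames[0]` comparison the old line had, so this test no longer asserts any scoping of the `use` grant and passes equally for a rule limited to the chart's own policies and for one that covers every PSP in the cluster. If the ClusterRole keeps (or regains) `resourceNames` on that rule, the selector should pin it again, e.g. `and (.resourceNames[0] == "release-name-consul-api-gateway-controller")` as the removed line did. Without that, a later widening of the grant would go unnoticed by the unit suite.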
@@ -40,6 +40,6 @@ load _helpers
 --set 'apiGateway.enabled=true' \
 --set 'apiGateway.image=foo' \
 . | tee /dev/stderr |
- yq '.rules[] | select((.resources[0] == "roles") and (.resources[1] == "rolebindings") and (.verbs[0] == "create")) | length > 0' | tee /dev/stderr)
+ yq '.rules[] | select((.resources[0] == "roles") and (.resources[1] == "rolebindings") and (.verbs | contains(["create","get","list","watch"]))) | length > 0' | tee /dev/stderr)
 [ "${actual}" = "true" ]
 }
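Review bot: `contains` on an array of strings is element-wise substring matching in jq-style expressions, so `.verbs | contains(["get"])` is also satisfied by an unrelated verb that merely contains "get", and the new check does not reject extra verbs either; if the intent is "exactly these four", compare the array directly, `(.verbs == ["create","get","list","watch"])`, or, if order is not meant to matter, `((.verbs - ["create","get","list","watch"]) | length == 0)` together with a length check. This assumes the project's yq follows jq semantics for `contains` and array subtraction — worth confirming against the pinned version. The `.resources[0]`/`.resources[1]` comparisons on the same line stay position-sensitive, which is acceptable for a template the chart controls but deserves a short comment in the test.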