[installer]: fix incorrectly configured pod security policies

This now makes Gitpod work in a cluster with pod security policies enabled.

Author: Simon Emms

installer/pkg/common/constants.go

@@ -34,7 +34,7 @@ const (
 	RegistryAuthSecret          = "builtin-registry-auth"
 	RegistryTLSCertSecret       = "builtin-registry-certs"
 	RegistryFacadeComponent     = "registry-facade"
-	RegistryFacadeServicePort   = 3000
+	RegistryFacadeServicePort   = 30000
 	RegistryFacadeTLSCertSecret = "builtin-registry-facade-cert"
 	ServerComponent             = "server"
 	SystemNodeCritical          = "system-node-critical"

installer/pkg/components/components.go

@@ -38,6 +38,7 @@ var MetaObjects = common.CompositeRenderFunc(
 	database.Objects,
 	imagebuildermk3.Objects,
 	migrations.Objects,
+	minio.Objects,
 	openvsxproxy.Objects,
 	rabbitmq.Objects,
 	server.Objects,

installer/pkg/components/database/cloudsql/objects.go

@@ -12,6 +12,7 @@ import (
 var Objects = common.CompositeRenderFunc(
 	deployment,
 	dbinit.Objects,
+	rolebinding,
 	common.DefaultServiceAccount(Component),
 	common.GenerateService(Component, map[string]common.ServicePort{
 		Component: {

installer/pkg/components/database/cloudsql/rolebinding.go

@@ -0,0 +1,33 @@
+// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package cloudsql
+
+import (
+	"fmt"
+	"github.com/gitpod-io/gitpod/installer/pkg/common"
+	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) {
+	return []runtime.Object{&rbacv1.RoleBinding{
+		TypeMeta: common.TypeMetaRoleBinding,
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      Component,
+			Namespace: ctx.Namespace,
+			Labels:    common.DefaultLabels(Component),
+		},
+		RoleRef: rbacv1.RoleRef{
+			Kind:     "ClusterRole",
+			Name:     fmt.Sprintf("%s-ns-psp:restricted-root-user", ctx.Namespace),
+			APIGroup: "rbac.authorization.k8s.io",
+		},
+		Subjects: []rbacv1.Subject{{
+			Kind: "ServiceAccount",
+			Name: Component,
+		}},
+	}}, nil
+}

installer/pkg/components/database/incluster/objects.go

@@ -10,6 +10,7 @@ import (
 
 var Objects = common.CompositeRenderFunc(
 	configmap,
+	rolebinding,
 	secrets,
 	service,
 	common.DefaultServiceAccount(Component),

installer/pkg/components/database/incluster/rolebinding.go

@@ -0,0 +1,37 @@
+// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package incluster
+
+import (
+	"fmt"
+	"github.com/gitpod-io/gitpod/installer/pkg/common"
+	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) {
+	return []runtime.Object{
+		&rbacv1.RoleBinding{
+			TypeMeta: common.TypeMetaRoleBinding,
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      Component,
+				Namespace: ctx.Namespace,
+				Labels:    common.DefaultLabels(Component),
+			},
+			RoleRef: rbacv1.RoleRef{
+				Kind:     "ClusterRole",
+				Name:     fmt.Sprintf("%s-ns-psp:restricted-root-user", ctx.Namespace),
+				APIGroup: "rbac.authorization.k8s.io",
+			},
+			Subjects: []rbacv1.Subject{
+				{
+					Kind: "ServiceAccount",
+					Name: Component,
+				},
+			},
+		},
+	}, nil
+}

installer/pkg/components/database/init/objects.go

@@ -11,5 +11,6 @@ import (
 var Objects = common.CompositeRenderFunc(
 	configmap,
 	job,
+	rolebinding,
 	common.DefaultServiceAccount(Component),
 )

installer/pkg/components/database/init/rolebinding.go

@@ -0,0 +1,33 @@
+// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package init
+
+import (
+	"fmt"
+	"github.com/gitpod-io/gitpod/installer/pkg/common"
+	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) {
+	return []runtime.Object{&rbacv1.RoleBinding{
+		TypeMeta: common.TypeMetaRoleBinding,
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      Component,
+			Namespace: ctx.Namespace,
+			Labels:    common.DefaultLabels(Component),
+		},
+		RoleRef: rbacv1.RoleRef{
+			Kind:     "ClusterRole",
+			Name:     fmt.Sprintf("%s-ns-psp:restricted-root-user", ctx.Namespace),
+			APIGroup: "rbac.authorization.k8s.io",
+		},
+		Subjects: []rbacv1.Subject{{
+			Kind: "ServiceAccount",
+			Name: Component,
+		}},
+	}}, nil
+}

installer/pkg/components/image-builder-mk3/clusterrole.go

@@ -18,7 +18,7 @@ func clusterrole(ctx *common.RenderContext) ([]runtime.Object, error) {
 	return []runtime.Object{&rbacv1.ClusterRole{
 		TypeMeta: common.TypeMetaClusterRole,
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      Component,
+			Name:      fmt.Sprintf("%s-ns-%s", ctx.Namespace, Component),
 			Namespace: ctx.Namespace,
 			Labels:    common.DefaultLabels(Component),
 		},

installer/pkg/components/image-builder-mk3/rolebinding.go

@@ -27,7 +27,7 @@ func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) {
 			},
 			RoleRef: rbacv1.RoleRef{
 				Kind:     "ClusterRole",
-				Name:     fmt.Sprintf("%s-ns-image-builder-mk3", ctx.Namespace),
+				Name:     fmt.Sprintf("%s-ns-%s", ctx.Namespace, Component),
 				APIGroup: "rbac.authorization.k8s.io",
 			},
 			Subjects: []rbacv1.Subject{{

installer/pkg/components/minio/objects.go

@@ -0,0 +1,15 @@
+// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package minio
+
+import (
+	"github.com/gitpod-io/gitpod/installer/pkg/common"
+)
+
+const Component = "minio"
+
+var Objects = common.CompositeRenderFunc(
+	rolebinding,
+)

installer/pkg/components/minio/rolebinding.go

@@ -0,0 +1,35 @@
+// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package minio
+
+import (
+	"fmt"
+	"github.com/gitpod-io/gitpod/installer/pkg/common"
+	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) {
+	return []runtime.Object{
+		&rbacv1.RoleBinding{
+			TypeMeta: common.TypeMetaRoleBinding,
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      Component,
+				Namespace: ctx.Namespace,
+				Labels:    common.DefaultLabels(Component),
+			},
+			RoleRef: rbacv1.RoleRef{
+				Kind:     "ClusterRole",
+				Name:     fmt.Sprintf("%s-ns-psp:unprivileged", ctx.Namespace),
+				APIGroup: "rbac.authorization.k8s.io",
+			},
+			Subjects: []rbacv1.Subject{{
+				Kind: "ServiceAccount",
+				Name: Component,
+			}},
+		},
+	}, nil
+}

installer/pkg/components/rabbitmq/helm.go

@@ -277,6 +277,7 @@ var Helm = common.CompositeHelmFunc(
 					helm.KeyValue("rabbitmq.auth.password", password),
 					helm.KeyValue("rabbitmq.auth.existingErlangSecret", CookieSecret),
 					helm.KeyValue("rabbitmq.auth.tls.existingSecret", TLSSecret),
+					helm.KeyValue("rabbitmq.serviceAccount.name", Component),
 					helm.KeyValue(fmt.Sprintf("rabbitmq.extraSecrets.%s.username", InClusterDbSecret), username),
 					helm.KeyValue(fmt.Sprintf("rabbitmq.extraSecrets.%s.password", InClusterDbSecret), password),
 					helm.ImagePullSecrets("rabbitmq.image.pullSecrets", cfg),

installer/pkg/components/registry-facade/clusterrole.go

@@ -19,15 +19,15 @@ func clusterrole(ctx *common.RenderContext) ([]runtime.Object, error) {
 		&rbacv1.ClusterRole{
 			TypeMeta: common.TypeMetaClusterRole,
 			ObjectMeta: metav1.ObjectMeta{
-				Name:      Component,
+				Name:      fmt.Sprintf("%s-ns-%s", ctx.Namespace, Component),
 				Namespace: ctx.Namespace,
 				Labels:    common.DefaultLabels(Component),
 			},
 			Rules: []rbacv1.PolicyRule{{
 				APIGroups:     []string{"policy"},
 				Resources:     []string{"podsecuritypolicies"},
 				Verbs:         []string{"use"},
-				ResourceNames: []string{fmt.Sprintf("%s-ns-registry-facade", ctx.Namespace)},
+				ResourceNames: []string{fmt.Sprintf("%s-ns-%s", ctx.Namespace, Component)},
 			}},
 		},
 	}, nil

installer/pkg/components/registry-facade/rolebinding.go

@@ -27,7 +27,7 @@ func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) {
 			},
 			RoleRef: rbacv1.RoleRef{
 				Kind:     "ClusterRole",
-				Name:     fmt.Sprintf("%s-ns-registry-facade", ctx.Namespace),
+				Name:     fmt.Sprintf("%s-ns-%s", ctx.Namespace, Component),
 				APIGroup: "rbac.authorization.k8s.io",
 			},
 			Subjects: []rbacv1.Subject{{

installer/pkg/components/server/rolebinding.go

@@ -61,7 +61,7 @@ func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) {
 			},
 			RoleRef: rbacv1.RoleRef{
 				Kind:     "ClusterRole",
-				Name:     Component,
+				Name:     fmt.Sprintf("%s-ns-psp:unprivileged", ctx.Namespace),
 				APIGroup: "rbac.authorization.k8s.io",
 			},
 			Subjects: []rbacv1.Subject{{

installer/third_party/charts/jaeger-operator/values.yaml

@@ -2,4 +2,6 @@
 # Licensed under the GNU Affero General Public License (AGPL).
 # See License-AGPL.txt in the project root for license information.
 
-jaeger-operator: {}
+jaeger-operator:
+  rbac:
+    pspEnabled: true