feat(psp): kubernetes pod security policy EE-1577 (#6553)

* docs(github): fix slack link [EE-2438] (#6541) Co-authored-by: Chaim Lev-Ari <chiptus@users.noreply.github.com> Co-authored-by: cheloRydel <marcelorydel26@gmail.com> Co-authored-by: Chao Geng <93526589+chaogeng77977@users.noreply.github.com> Co-authored-by: chaogeng77977 <chao.geng@portainer.io>
2022-06-20 15:48:41 +08:00 · 2022-06-20 15:48:41 +08:00 · 912250732a
parent ae731b5496
commit 912250732a
6 changed files with 85 additions and 1 deletions
--- a/app/kubernetes/__module.js
+++ b/app/kubernetes/__module.js
@ -321,6 +321,17 @@ angular.module('portainer.kubernetes', ['portainer.app', registriesModule, custo
      },
    };

+    const endpointKubernetesSecurityConstraint = {
+      name: 'portainer.k8sendpoint.securityConstraint',
+      url: '/securityConstraint',
+      views: {
+        'content@': {
+          templateUrl: '../kubernetes/views/security-constraint/constraint.html',
+          controller: 'KubernetesSecurityConstraintController',
+        },
+      },
+    };
+
    $stateRegistryProvider.register(kubernetes);
    $stateRegistryProvider.register(helmApplication);
    $stateRegistryProvider.register(helmTemplates);
@ -350,5 +361,6 @@ angular.module('portainer.kubernetes', ['portainer.app', registriesModule, custo
    $stateRegistryProvider.register(volume);
    $stateRegistryProvider.register(registries);
    $stateRegistryProvider.register(registriesAccess);
+    $stateRegistryProvider.register(endpointKubernetesSecurityConstraint);
  },
 ]);
--- a/app/kubernetes/components/kubernetes-sidebar/kubernetes-sidebar.html
+++ b/app/kubernetes/components/kubernetes-sidebar/kubernetes-sidebar.html
@ -81,7 +81,7 @@
  path="kubernetes.cluster"
  path-params="{ endpointId: $ctrl.endpointId }"
  is-sidebar-open="$ctrl.isSidebarOpen"
-  children-paths="['kubernetes.cluster', 'portainer.k8sendpoint.kubernetesConfig', 'kubernetes.registries', 'kubernetes.registries.access']"
+  children-paths="['kubernetes.cluster', 'portainer.k8sendpoint.kubernetesConfig', 'portainer.k8sendpoint.securityConstraint', 'kubernetes.registries', 'kubernetes.registries.access']"
  data-cy="k8sSidebar-cluster"
 >
  <sidebar-menu-item
@ -96,6 +96,17 @@
    Setup
  </sidebar-menu-item>

+  <sidebar-menu-item
+    authorization="K8sClusterSetupRW"
+    path="portainer.k8sendpoint.securityConstraint"
+    path-params="{ id: $ctrl.endpointId }"
+    class-name="sidebar-sublist"
+    data-cy="k8sSidebar-security-constraints"
+    title="Security constraints"
+  >
+    Security constraints
+  </sidebar-menu-item>
+
  <sidebar-menu-item
    authorization="PortainerRegistryList"
    path="kubernetes.registries"
--- a/app/kubernetes/views/security-constraint/constraint.html
+++ b/app/kubernetes/views/security-constraint/constraint.html
@ -0,0 +1,34 @@
+<kubernetes-view-header title="Kubernetes security constraints" state="portainer.k8sendpoint.securityConstraint" view-ready="state.viewReady">
+  <a ui-sref="portainer.endpoints">Environments</a> &gt; <a ui-sref="portainer.endpoints.endpoint({id: endpoint.Id})">{{ endpoint.Name }}</a> &gt; Security constraints
+</kubernetes-view-header>
+
+<kubernetes-view-loading view-ready="state.viewReady"></kubernetes-view-loading>
+
+<div ng-if="state.viewReady">
+  <div class="row">
+    <div class="col-sm-12 space-left">
+      <i class="fas fa-shield-alt"></i>
+      Pod security constraints</div
+    >
+    <div class="col-sm-12">
+      <rd-widget>
+        <rd-widget-body>
+          <form class="form-horizontal" name="kubernetesSecurityConstraintForm">
+            <!--  main toggle  -->
+            <div class="form-group">
+              <div class="col-sm-12">
+                <por-switch-field
+                  checked="formValues.enabled"
+                  name="'disableSysctlSettingForRegularUsers'"
+                  label="'Enable pod security constraints'"
+                  feature-id="limitedFeaturePodSecurityPolicy"
+                >
+                </por-switch-field>
+              </div>
+            </div>
+          </form>
+        </rd-widget-body>
+      </rd-widget>
+    </div>
+  </div>
+</div>
--- a/app/kubernetes/views/security-constraint/constraintController.js
+++ b/app/kubernetes/views/security-constraint/constraintController.js
@ -0,0 +1,25 @@
+import angular from 'angular';
+import { FeatureId } from 'Portainer/feature-flags/enums';
+
+angular.module('portainer.kubernetes').controller('KubernetesSecurityConstraintController', [
+  '$scope',
+  'EndpointProvider',
+  'EndpointService',
+  function ($scope, EndpointProvider, EndpointService) {
+    $scope.limitedFeaturePodSecurityPolicy = FeatureId.POD_SECURITY_POLICY_CONSTRAINT;
+    $scope.state = {
+      viewReady: false,
+      actionInProgress: false,
+    };
+
+    async function initView() {
+      const endpointID = EndpointProvider.endpointID();
+      EndpointService.endpoint(endpointID).then((endpoint) => {
+        $scope.endpoint = endpoint;
+        $scope.state.viewReady = true;
+      });
+    }
+
+    initView();
+  },
+]);
--- a/app/portainer/feature-flags/enums.ts
+++ b/app/portainer/feature-flags/enums.ts
@ -29,4 +29,5 @@ export enum FeatureId {
  STACK_PULL_IMAGE = 'stack-pull-image',
  STACK_WEBHOOK = 'stack-webhook',
  CONTAINER_WEBHOOK = 'container-webhook',
+  POD_SECURITY_POLICY_CONSTRAINT = 'pod-security-policy-constraint',
 }
--- a/app/portainer/feature-flags/feature-flags.service.ts
+++ b/app/portainer/feature-flags/feature-flags.service.ts
@ -34,6 +34,7 @@ export async function init(edition: Edition) {
    [FeatureId.STACK_PULL_IMAGE]: Edition.BE,
    [FeatureId.STACK_WEBHOOK]: Edition.BE,
    [FeatureId.CONTAINER_WEBHOOK]: Edition.BE,
+    [FeatureId.POD_SECURITY_POLICY_CONSTRAINT]: Edition.BE,
  };

  state.currentEdition = currentEdition;