feat(psp): kubernetes pod security policy EE-1577 (#6553)

* docs(github): fix slack link [EE-2438] (#6541)

Co-authored-by: Chaim Lev-Ari <chiptus@users.noreply.github.com>
Co-authored-by: cheloRydel <marcelorydel26@gmail.com>
Co-authored-by: Chao Geng <93526589+chaogeng77977@users.noreply.github.com>
Co-authored-by: chaogeng77977 <chao.geng@portainer.io>

app/kubernetes/__module.js

@@ -321,6 +321,17 @@ angular.module('portainer.kubernetes', ['portainer.app', registriesModule, custo
       },
     };
 
+    const endpointKubernetesSecurityConstraint = {
+      name: 'portainer.k8sendpoint.securityConstraint',
+      url: '/securityConstraint',
+      views: {
+        'content@': {
+          templateUrl: '../kubernetes/views/security-constraint/constraint.html',
+          controller: 'KubernetesSecurityConstraintController',
+        },
+      },
+    };
+
     $stateRegistryProvider.register(kubernetes);
     $stateRegistryProvider.register(helmApplication);
     $stateRegistryProvider.register(helmTemplates);
@@ -350,5 +361,6 @@ angular.module('portainer.kubernetes', ['portainer.app', registriesModule, custo
     $stateRegistryProvider.register(volume);
     $stateRegistryProvider.register(registries);
     $stateRegistryProvider.register(registriesAccess);
+    $stateRegistryProvider.register(endpointKubernetesSecurityConstraint);
   },
 ]);

app/kubernetes/components/kubernetes-sidebar/kubernetes-sidebar.html

@@ -81,7 +81,7 @@
   path="kubernetes.cluster"
   path-params="{ endpointId: $ctrl.endpointId }"
   is-sidebar-open="$ctrl.isSidebarOpen"
-  children-paths="['kubernetes.cluster', 'portainer.k8sendpoint.kubernetesConfig', 'kubernetes.registries', 'kubernetes.registries.access']"
+  children-paths="['kubernetes.cluster', 'portainer.k8sendpoint.kubernetesConfig', 'portainer.k8sendpoint.securityConstraint', 'kubernetes.registries', 'kubernetes.registries.access']"
   data-cy="k8sSidebar-cluster"
 >
   <sidebar-menu-item
@@ -96,6 +96,17 @@
     Setup
   </sidebar-menu-item>
 
+  <sidebar-menu-item
+    authorization="K8sClusterSetupRW"
+    path="portainer.k8sendpoint.securityConstraint"
+    path-params="{ id: $ctrl.endpointId }"
+    class-name="sidebar-sublist"
+    data-cy="k8sSidebar-security-constraints"
+    title="Security constraints"
+  >
+    Security constraints
+  </sidebar-menu-item>
+
   <sidebar-menu-item
     authorization="PortainerRegistryList"
     path="kubernetes.registries"

app/kubernetes/views/security-constraint/constraint.html

@@ -0,0 +1,34 @@
+<kubernetes-view-header title="Kubernetes security constraints" state="portainer.k8sendpoint.securityConstraint" view-ready="state.viewReady">
+  <a ui-sref="portainer.endpoints">Environments</a> &gt; <a ui-sref="portainer.endpoints.endpoint({id: endpoint.Id})">{{ endpoint.Name }}</a> &gt; Security constraints
+</kubernetes-view-header>
+
+<kubernetes-view-loading view-ready="state.viewReady"></kubernetes-view-loading>
+
+<div ng-if="state.viewReady">
+  <div class="row">
+    <div class="col-sm-12 space-left">
+      <i class="fas fa-shield-alt"></i>
+      Pod security constraints</div
+    >
+    <div class="col-sm-12">
+      <rd-widget>
+        <rd-widget-body>
+          <form class="form-horizontal" name="kubernetesSecurityConstraintForm">
+            <!--  main toggle  -->
+            <div class="form-group">
+              <div class="col-sm-12">
+                <por-switch-field
+                  checked="formValues.enabled"
+                  name="'disableSysctlSettingForRegularUsers'"
+                  label="'Enable pod security constraints'"
+                  feature-id="limitedFeaturePodSecurityPolicy"
+                >
+                </por-switch-field>
+              </div>
+            </div>
+          </form>
+        </rd-widget-body>
+      </rd-widget>
+    </div>
+  </div>
+</div>

app/kubernetes/views/security-constraint/constraintController.js

@@ -0,0 +1,25 @@
+import angular from 'angular';
+import { FeatureId } from 'Portainer/feature-flags/enums';
+
+angular.module('portainer.kubernetes').controller('KubernetesSecurityConstraintController', [
+  '$scope',
+  'EndpointProvider',
+  'EndpointService',
+  function ($scope, EndpointProvider, EndpointService) {
+    $scope.limitedFeaturePodSecurityPolicy = FeatureId.POD_SECURITY_POLICY_CONSTRAINT;
+    $scope.state = {
+      viewReady: false,
+      actionInProgress: false,
+    };
+
+    async function initView() {
+      const endpointID = EndpointProvider.endpointID();
+      EndpointService.endpoint(endpointID).then((endpoint) => {
+        $scope.endpoint = endpoint;
+        $scope.state.viewReady = true;
+      });
+    }
+
+    initView();
+  },
+]);

app/portainer/feature-flags/enums.ts

@@ -29,4 +29,5 @@ export enum FeatureId {
   STACK_PULL_IMAGE = 'stack-pull-image',
   STACK_WEBHOOK = 'stack-webhook',
   CONTAINER_WEBHOOK = 'container-webhook',
+  POD_SECURITY_POLICY_CONSTRAINT = 'pod-security-policy-constraint',
 }

app/portainer/feature-flags/feature-flags.service.ts

@@ -34,6 +34,7 @@ export async function init(edition: Edition) {
     [FeatureId.STACK_PULL_IMAGE]: Edition.BE,
     [FeatureId.STACK_WEBHOOK]: Edition.BE,
     [FeatureId.CONTAINER_WEBHOOK]: Edition.BE,
+    [FeatureId.POD_SECURITY_POLICY_CONSTRAINT]: Edition.BE,
   };
 
   state.currentEdition = currentEdition;