From ce771b28a0375b7d8960fe066e0de99daed6dcc1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Mon, 28 Feb 2022 13:38:55 +0100 Subject: [PATCH] feat: add seccomp profile support MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Charles-Edouard Brétéché --- charts/policy-reporter/Chart.yaml | 2 +- .../charts/kyvernoPlugin/templates/_helpers.tpl | 10 +++++++++- .../charts/kyvernoPlugin/templates/deployment.yaml | 3 +-- .../policy-reporter/charts/kyvernoPlugin/values.yaml | 2 ++ .../policy-reporter/charts/ui/templates/_helpers.tpl | 8 ++++++++ .../charts/ui/templates/deployment.yaml | 3 +-- charts/policy-reporter/charts/ui/values.yaml | 2 ++ charts/policy-reporter/templates/_helpers.tpl | 8 ++++++++ charts/policy-reporter/templates/deployment.yaml | 3 +-- charts/policy-reporter/values.yaml | 2 ++ 10 files changed, 35 insertions(+), 8 deletions(-) diff --git a/charts/policy-reporter/Chart.yaml b/charts/policy-reporter/Chart.yaml index 06b484b4..b6287176 100644 --- a/charts/policy-reporter/Chart.yaml +++ b/charts/policy-reporter/Chart.yaml @@ -5,7 +5,7 @@ description: | It creates Prometheus Metrics and can send rule validation events to different targets like Loki, Elasticsearch, Slack or Discord type: application -version: 2.5.0 +version: 2.6.0 appVersion: 2.3.0 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png diff --git a/charts/policy-reporter/charts/kyvernoPlugin/templates/_helpers.tpl b/charts/policy-reporter/charts/kyvernoPlugin/templates/_helpers.tpl index 19e983d5..a6b09e66 100644 --- a/charts/policy-reporter/charts/kyvernoPlugin/templates/_helpers.tpl +++ b/charts/policy-reporter/charts/kyvernoPlugin/templates/_helpers.tpl 
@@ -65,4 +65,12 @@ Selector labels {{- define "ui.selectorLabels" -}} app.kubernetes.io/name: ui app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} \ No newline at end of file +{{- end }} + +{{- define "kyverno.securityContext" -}} +{{- if semverCompare "<1.19" .Capabilities.KubeVersion.Version }} +{{ toYaml (omit .Values.securityContext "seccompProfile") }} +{{- else }} +{{ toYaml .Values.securityContext }} +{{- end }} +{{- end }} diff --git a/charts/policy-reporter/charts/kyvernoPlugin/templates/deployment.yaml b/charts/policy-reporter/charts/kyvernoPlugin/templates/deployment.yaml index 1fc5e73c..0f0fa88d 100644 --- a/charts/policy-reporter/charts/kyvernoPlugin/templates/deployment.yaml +++ b/charts/policy-reporter/charts/kyvernoPlugin/templates/deployment.yaml @@ -41,8 +41,7 @@ spec: image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} {{- if .Values.securityContext }} - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + securityContext: {{ include "kyverno.securityContext" . | nindent 12 }} {{- end }} args: - --port=8080 diff --git a/charts/policy-reporter/charts/kyvernoPlugin/values.yaml b/charts/policy-reporter/charts/kyvernoPlugin/values.yaml index 5083ce26..112fc6fb 100644 --- a/charts/policy-reporter/charts/kyvernoPlugin/values.yaml +++ b/charts/policy-reporter/charts/kyvernoPlugin/values.yaml @@ -51,6 +51,8 @@ securityContext: capabilities: drop: - ALL + seccompProfile: + type: RuntimeDefault # Key/value pairs that are attached to pods. podAnnotations: {} diff --git a/charts/policy-reporter/charts/ui/templates/_helpers.tpl b/charts/policy-reporter/charts/ui/templates/_helpers.tpl index dc4b0381..4282584d 100644 --- a/charts/policy-reporter/charts/ui/templates/_helpers.tpl +++ b/charts/policy-reporter/charts/ui/templates/_helpers.tpl 
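Review bot: The `semverCompare "<1.19"` test in the new `kyverno.securityContext` helper will not match a version string that carries a pre-release suffix, which is how many managed distributions report `.Capabilities.KubeVersion.Version` (constructed example: `v1.18.20-eks-abc123`). On such a pre-1.19 cluster the else branch runs and `seccompProfile` is rendered for an API that does not define the field, so the guard is bypassed exactly where it is needed. Writing the constraint as `{{- if semverCompare "<1.19-0" .Capabilities.KubeVersion.Version }}` covers those versions. The identical helper is added to `charts/ui/templates/_helpers.tpl` and to the parent chart's `templates/_helpers.tpl`, and the same change applies there. Because Helm named templates share one namespace across a chart and its subcharts, three definitions under one name only behave predictably while they stay byte-identical; a chart-prefixed name or a single parent-level definition would avoid that.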
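Review bot: `securityContext: {{ include "kyverno.securityContext" . | nindent 12 }}` leaves a trailing space after the key. As far as the helper in this patch shows, its `toYaml` lines are not left-trimmed, so its output starts with a newline and `nindent` emits a whitespace-only line before the mapping. The manifest should still parse, but the extra whitespace shows up in rendered diffs and lint output. Keeping the key on its own line as before, `securityContext:` followed by `{{- include "kyverno.securityContext" . | nindent 12 }}`, and using `{{- toYaml ... }}` inside the helper removes both. The same line is changed in `charts/ui/templates/deployment.yaml` and `templates/deployment.yaml`; the container spec starts and ends outside the hunk.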
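Review bot: The new `seccompProfile` default under `securityContext` is undocumented, and nothing in values.yaml tells an operator that the template strips it when the cluster reports a version below 1.19. On those clusters the container is deployed without the `RuntimeDefault` filter and the rendered manifest gives no hint that the hardening was dropped. I would add a comment above the key such as `# seccompProfile is only rendered on Kubernetes >= 1.19; on older clusters it is omitted and no seccomp profile is set by this chart`. The same two lines are added without a comment in `charts/ui/values.yaml` and the parent `values.yaml`.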
@@ -101,3 +101,11 @@ Create the name of the service account to use {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} {{- end }} {{- end }} + +{{- define "kyverno.securityContext" -}} +{{- if semverCompare "<1.19" .Capabilities.KubeVersion.Version }} +{{ toYaml (omit .Values.securityContext "seccompProfile") }} +{{- else }} +{{ toYaml .Values.securityContext }} +{{- end }} +{{- end }} diff --git a/charts/policy-reporter/charts/ui/templates/deployment.yaml b/charts/policy-reporter/charts/ui/templates/deployment.yaml index b72f6b7a..a663c0d1 100644 --- a/charts/policy-reporter/charts/ui/templates/deployment.yaml +++ b/charts/policy-reporter/charts/ui/templates/deployment.yaml @@ -40,8 +40,7 @@ spec: image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} {{- if .Values.securityContext }} - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + securityContext: {{ include "kyverno.securityContext" . | nindent 12 }} {{- end }} args: - -config=/app/config.yaml diff --git a/charts/policy-reporter/charts/ui/values.yaml b/charts/policy-reporter/charts/ui/values.yaml index d88f1ce9..76368052 100644 --- a/charts/policy-reporter/charts/ui/values.yaml +++ b/charts/policy-reporter/charts/ui/values.yaml @@ -35,6 +35,8 @@ securityContext: capabilities: drop: - ALL + seccompProfile: + type: RuntimeDefault # Key/value pairs that are attached to pods. podAnnotations: {} diff --git a/charts/policy-reporter/templates/_helpers.tpl b/charts/policy-reporter/templates/_helpers.tpl index c53595ca..c55ba893 100644 --- a/charts/policy-reporter/templates/_helpers.tpl +++ b/charts/policy-reporter/templates/_helpers.tpl 
@@ -73,3 +73,11 @@ Create UI target host based on configuration {{- "" }} {{- end }} {{- end }} + +{{- define "kyverno.securityContext" -}} +{{- if semverCompare "<1.19" .Capabilities.KubeVersion.Version }} +{{ toYaml (omit .Values.securityContext "seccompProfile") }} +{{- else }} +{{ toYaml .Values.securityContext }} +{{- end }} +{{- end }} diff --git a/charts/policy-reporter/templates/deployment.yaml b/charts/policy-reporter/templates/deployment.yaml index f33e58f0..d7c2b48d 100644 --- a/charts/policy-reporter/templates/deployment.yaml +++ b/charts/policy-reporter/templates/deployment.yaml @@ -48,8 +48,7 @@ spec: image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} {{- if .Values.securityContext }} - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + securityContext: {{ include "kyverno.securityContext" . | nindent 12 }} {{- end }} args: - --config=/app/config.yaml diff --git a/charts/policy-reporter/values.yaml b/charts/policy-reporter/values.yaml index 0d6c9a41..1e56ccac 100644 --- a/charts/policy-reporter/values.yaml +++ b/charts/policy-reporter/values.yaml @@ -56,6 +56,8 @@ securityContext: capabilities: drop: - ALL + seccompProfile: + type: RuntimeDefault # Key/value pairs that are attached to pods. podAnnotations: {}