Add missing security context to ceph-rgw and ceph-osd pods/containers

This updates the ceph-rgw and ceph-osd chart to include the pod security context on the pod template. This also adds the container security context to set readOnlyRootFilesystem flag to true Change-Id: I1b78b7a0fc413acdb5ea2dc295a0026616d7cac1
2020-07-06 18:58:27 -05:00 · 2020-07-06 18:58:27 -05:00 · 00a64aa807
commit 00a64aa807
parent 41f02d3c98
4 changed files with 18 additions and 2 deletions
--- a/ceph-osd/templates/job-post-apply.yaml
+++ b/ceph-osd/templates/job-post-apply.yaml
@ -76,7 +76,7 @@ spec:
      labels:
 {{ tuple $envAll "ceph-upgrade" "post-apply" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
-{{ dict "envAll" $envAll "application" "post-apply" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+{{ dict "envAll" $envAll "application" "post_apply" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
@ -87,7 +87,7 @@ spec:
        - name: ceph-osd-post-apply
 {{ tuple $envAll "ceph_config_helper" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-{{ dict "envAll" $envAll "application" "post-apply" "container" "ceph_osd_post_apply" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ dict "envAll" $envAll "application" "post_apply" "container" "ceph_osd_post_apply" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          env:
            - name: CLUSTER
              value: "ceph"
--- a/ceph-osd/values.yaml
+++ b/ceph-osd/values.yaml
@ -78,6 +78,13 @@ pod:
        ceph_osd_bootstrap:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
+    post_apply:
+      pod:
+        runAsUser: 65534
+      container:
+        ceph_osd_post_apply:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
    test:
      pod:
        runAsUser: 65534
--- a/ceph-rgw/templates/pod-helm-tests.yaml
+++ b/ceph-rgw/templates/pod-helm-tests.yaml
@ -27,6 +27,7 @@ metadata:
    "helm.sh/hook": test-success
 {{ dict "envAll" $envAll "podName" "ceph-rgw-test" "containerNames" (list "ceph-rgw-ks-validation" "ceph-rgw-s3-validation") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
 spec:
+{{ dict "envAll" $envAll "application" "rgw_test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
  restartPolicy: Never
  serviceAccountName: {{ $serviceAccountName }}
  nodeSelector:
@ -36,6 +37,7 @@ spec:
    - name: ceph-rgw-ks-validation
 {{ tuple $envAll "ceph_config_helper" | include "helm-toolkit.snippets.image" | indent 6 }}
 {{ tuple $envAll $envAll.Values.pod.resources.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+{{ dict "envAll" $envAll "application" "rgw_test" "container" "ceph_rgw_ks_validation" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
      env:
 {{- with $env := dict "ksUserSecret" .Values.secrets.identity.user_rgw }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
--- a/ceph-rgw/values.yaml
+++ b/ceph-rgw/values.yaml
@ -92,6 +92,13 @@ pod:
        create_s3_admin:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
+    rgw_test:
+      pod:
+        runAsUser: 64045
+      rgw_test:
+        ceph_rgw_ks_validation:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
    bootstrap:
      pod:
        runAsUser: 65534