Mariadb: Add security policy functions

This PS adds security policy functions to mariadb. Change-Id: Ic0f035e0281281fb3f2977ea130385f65c9a04e4 Signed-off-by: Pete Birley <pete@port.direct>
2019-04-03 16:09:47 -05:00 · 2019-04-03 16:09:47 -05:00 · 3478106e56
commit 3478106e56
parent 63b61b86eb
6 changed files with 57 additions and 7 deletions
--- a/mariadb/templates/deployment-error.yaml
+++ b/mariadb/templates/deployment-error.yaml
@ -45,6 +45,7 @@ spec:
    spec:
      shareProcessNamespace: true
      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "error_pages" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      affinity:
 {{ tuple $envAll "mariadb" "ingress-error-pages" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
      nodeSelector:
@ -55,6 +56,7 @@ spec:
      containers:
        - name: ingress-error-pages
 {{ tuple $envAll "error_pages" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "error_pages" "container" "server" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.error_pages | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
          livenessProbe:
            httpGet:
--- a/mariadb/templates/deployment-ingress.yaml
+++ b/mariadb/templates/deployment-ingress.yaml
@ -140,6 +140,7 @@ spec:
    spec:
      shareProcessNamespace: true
      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "ingress" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      affinity:
 {{ tuple $envAll "mariadb" "ingress" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
      nodeSelector:
@ -150,6 +151,7 @@ spec:
      containers:
        - name: ingress
 {{ tuple $envAll "ingress" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ingress" "container" "server" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.ingress | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
          readinessProbe:
            tcpSocket:
--- a/mariadb/templates/monitoring/prometheus/exporter-deployment.yaml
+++ b/mariadb/templates/monitoring/prometheus/exporter-deployment.yaml
@ -41,6 +41,7 @@ spec:
 {{ dict "envAll" $envAll "application" "mysql_exporter" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      shareProcessNamespace: true
      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "prometheus_mysql_exporter" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      nodeSelector:
        {{ .Values.labels.prometheus_mysql_exporter.node_selector_key }}: {{ .Values.labels.prometheus_mysql_exporter.node_selector_value }}
      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.prometheus_mysql_exporter.timeout | default "30" }}
@ -49,9 +50,8 @@ spec:
      containers:
        - name: mysql-exporter
 {{ tuple $envAll "prometheus_mysql_exporter" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "prometheus_mysql_exporter" "container" "exporter" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.prometheus_mysql_exporter | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-          securityContext:
-            allowPrivilegeEscalation: false
          command:
            - /tmp/mysqld-exporter.sh
            - start
--- a/mariadb/templates/monitoring/prometheus/exporter-job-create-user.yaml
+++ b/mariadb/templates/monitoring/prometheus/exporter-job-create-user.yaml
@ -33,6 +33,7 @@ spec:
    spec:
      shareProcessNamespace: true
      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "prometheus_create_mysql_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      activeDeadlineSeconds: {{ .Values.jobs.exporter_create_sql_user.activeDeadlineSeconds }}
      restartPolicy: OnFailure
      nodeSelector:
@ -42,6 +43,7 @@ spec:
      containers:
        - name: exporter-create-sql-user
 {{ tuple $envAll "prometheus_create_mysql_user" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "prometheus_create_mysql_user" "container" "main" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.prometheus_create_mysql_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
          command:
            - /tmp/create-mysql-user.sh
--- a/mariadb/templates/statefulset.yaml
+++ b/mariadb/templates/statefulset.yaml
@ -97,6 +97,7 @@ spec:
    spec:
      shareProcessNamespace: true
      serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "server" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      affinity:
 {{ tuple $envAll "mariadb" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
      nodeSelector:
@ -106,8 +107,7 @@ spec:
 {{- if .Values.volume.chown_on_start }}
        - name: mariadb-perms
 {{ tuple $envAll "mariadb" | include "helm-toolkit.snippets.image" | indent 10 }}
-          securityContext:
-            runAsUser: 0
+{{ dict "envAll" $envAll "application" "server" "container" "perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
          command:
            - chown
@ -121,6 +121,7 @@ spec:
      containers:
        - name: mariadb
 {{ tuple $envAll "mariadb" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "server" "container" "mariadb" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
          env:
            - name: POD_NAMESPACE
@ -175,6 +176,10 @@ spec:
              command:
                - /tmp/readiness.sh
          volumeMounts:
+            - name: tmp
+              mountPath: /tmp
+            - name: var-run
+              mountPath: /var/run/mysqld
            - name: mycnfd
              mountPath: /etc/mysql/conf.d
            - name: mariadb-bin
@ -214,6 +219,10 @@ spec:
      volumes:
        - name: mycnfd
          emptyDir: {}
+        - name: tmp
+          emptyDir: {}
+        - name: var-run
+          emptyDir: {}
        - name: mariadb-bin
          configMap:
            name: mariadb-bin
--- a/mariadb/values.yaml
+++ b/mariadb/values.yaml
@ -55,9 +55,44 @@ labels:
    node_selector_value: enabled

 pod:
-  user:
-    mysql_exporter:
-      uid: 99
+  security_context:
+    server:
+      pod:
+        runAsUser: 999
+      container:
+        perms:
+          runAsUser: 0
+          readOnlyRootFilesystem: true
+        mariadb:
+          runAsUser: 999
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+    ingress:
+      pod:
+        runAsUser: 65534
+      container:
+        server:
+          runAsUser: 0
+    error_pages:
+      pod:
+        runAsUser: 1000
+      container:
+        server:
+          runAsUser: 0
+          readOnlyRootFilesystem: true
+    prometheus_mysql_exporter:
+      pod:
+        runAsUser: 99
+      container:
+        exporter:
+          runAsUser: 99
+          allowPrivilegeEscalation: false
+    prometheus_create_mysql_user:
+      pod:
+        runAsUser: 0
+      container:
+        main:
+          allowPrivilegeEscalation: false
  affinity:
    anti:
      type: