From 7f20bcd938038d9cb6fc27f5fbec118bb4060f94 Mon Sep 17 00:00:00 2001
From: Rahul Khiyani
Date: Tue, 12 Mar 2019 18:54:34 -0400
Subject: [PATCH] Rabbitmq: Fix security context

This PS fixes the use of the security context macros for the rabbitmq chart

Change-Id: I91499757bd7af95132d0aee33a16d642e26439bb
---
 rabbitmq/templates/job-cluster-wait.yaml | 2 ++
 .../prometheus/exporter-deployment.yaml | 2 ++
 rabbitmq/templates/pod-test.yaml | 2 ++
 rabbitmq/templates/statefulset.yaml | 13 +++-----
 rabbitmq/values.yaml | 32 +++++++++++++++++++
 5 files changed, 43 insertions(+), 8 deletions(-)

diff --git a/rabbitmq/templates/job-cluster-wait.yaml b/rabbitmq/templates/job-cluster-wait.yaml
index 12488eb6b..dac994e17 100644
--- a/rabbitmq/templates/job-cluster-wait.yaml
+++ b/rabbitmq/templates/job-cluster-wait.yaml
@@ -34,6 +34,7 @@ spec:
       labels:
 {{ tuple $envAll "rabbitmq" "cluster-wait" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
     spec:
+{{ dict "envAll" $envAll "application" "cluster_wait" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       serviceAccountName: {{ $serviceAccountName }}
       restartPolicy: OnFailure
       nodeSelector:
@@ -43,6 +44,7 @@ spec:
       containers:
         - name: {{.Release.Name}}-rabbitmq-cluster-wait
 {{ tuple $envAll "scripted_test" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "cluster_wait" "container" "rabbitmq_cluster_wait" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           env:
             - name: RABBITMQ_ADMIN_CONNECTION
               value: {{ tuple "oslo_messaging" "internal" "user" "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | quote }}
diff --git a/rabbitmq/templates/monitoring/prometheus/exporter-deployment.yaml b/rabbitmq/templates/monitoring/prometheus/exporter-deployment.yaml
index 03ed1ea49..86f26de37 100644
--- a/rabbitmq/templates/monitoring/prometheus/exporter-deployment.yaml
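Review bot: The pod security context rendered here for the cluster-wait Job resolves, with the values added in this patch, to `runAsUser: 0`, so a scripted test that only calls the RabbitMQ management API over HTTP runs as root. Nothing in the hunk needs root; the exporter entry in the same patch already shows the pattern, so `cluster_wait.pod.runAsUser: 65534` plus `allowPrivilegeEscalation: false` on `rabbitmq_cluster_wait` would be the safer default. The macro presumably selects `.Values.pod.security_context.cluster_wait` by the `application` key, which is worth confirming against helm-toolkit before relying on the override. The Job spec continues outside the hunk.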
+++ b/rabbitmq/templates/monitoring/prometheus/exporter-deployment.yaml
@@ -38,6 +38,7 @@ spec:
 {{ tuple $envAll "prometheus_rabbitmq_exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
       namespace: {{ $envAll.Values.endpoints.prometheus_rabbitmq_exporter.namespace }}
     spec:
+{{ dict "envAll" $envAll "application" "exporter" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       serviceAccountName: {{ $rcControllerName | quote }}
       nodeSelector:
         {{ $envAll.Values.labels.prometheus_rabbitmq_exporter.node_selector_key }}: {{ $envAll.Values.labels.prometheus_rabbitmq_exporter.node_selector_value | quote }}
@@ -48,6 +49,7 @@ spec:
         - name: rabbitmq-exporter
 {{ tuple $envAll "prometheus_rabbitmq_exporter" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.prometheus_rabbitmq_exporter | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "exporter" "container" "rabbitmq_exporter" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           ports:
             - name: metrics
               containerPort: {{ $envAll.Values.network.prometheus_rabbitmq_exporter.port }}
diff --git a/rabbitmq/templates/pod-test.yaml b/rabbitmq/templates/pod-test.yaml
index 3139455a0..fdd0ab3aa 100644
--- a/rabbitmq/templates/pod-test.yaml
+++ b/rabbitmq/templates/pod-test.yaml
@@ -36,6 +36,7 @@ metadata:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
     "helm.sh/hook": test-success
 spec:
+{{ dict "envAll" $envAll "application" "test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
   serviceAccountName: {{ $serviceAccountName }}
   nodeSelector:
     {{ $envAll.Values.labels.test.node_selector_key }}: {{ $envAll.Values.labels.test.node_selector_value | quote }}
@@ -45,6 +46,7 @@ spec:
   containers:
     - name: {{.Release.Name}}-rabbitmq-test
 {{ tuple $envAll "scripted_test" | include "helm-toolkit.snippets.image" | indent 6 }}
+{{ dict "envAll" $envAll "application" "test" "container" "rabbitmq_test" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
       env:
         - name: RABBITMQ_ADMIN_CONNECTION
           value: {{ tuple "oslo_messaging" "internal" "user" "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | quote }}
diff --git a/rabbitmq/templates/statefulset.yaml b/rabbitmq/templates/statefulset.yaml
index 46681972e..bf48280d8 100644
--- a/rabbitmq/templates/statefulset.yaml
+++ b/rabbitmq/templates/statefulset.yaml
@@ -82,8 +82,7 @@ spec:
         secret-rabbit-admin-hash: {{ tuple "secret-rabbit-admin.yaml" . | include "helm-toolkit.utils.hash" }}
         secret-erlang-cookie-hash: {{ tuple "secret-erlang-cookie.yaml" . | include "helm-toolkit.utils.hash" }}
     spec:
-      securityContext:
-        readOnlyRootFilesystem: true
+{{ dict "envAll" $envAll "application" "server" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       serviceAccountName: {{ $rcControllerName | quote }}
       affinity:
 {{ tuple $envAll "rabbitmq" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
@@ -93,9 +92,8 @@ spec:
 {{ tuple $envAll "rabbitmq" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
         - name: rabbitmq-password
 {{ tuple $envAll "rabbitmq_init" | include "helm-toolkit.snippets.image" | indent 10 }}
-          securityContext:
-            runAsUser: 0
 {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "server" "container" "rabbitmq_password" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           command:
             - /tmp/rabbitmq-password-hash.py
           env:
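Review bot: With `server.pod.runAsUser: 0` in the new values, the pod-level context inserted in the `@@ -82,8 +82,7 @@` hunk makes every container in the StatefulSet pod run as root by default, including the main `rabbitmq` container, which before this patch had no `runAsUser` at all (only the three init containers set it). The dropped `securityContext.readOnlyRootFilesystem: true` was never a valid PodSecurityContext field, so removing it loses nothing, but the new root default for the broker is a real regression. I would keep the pod at the broker's unprivileged UID and grant root only where it is needed, e.g. under `server.container` set `rabbitmq_perms: {runAsUser: 0, readOnlyRootFilesystem: false}` (and the same for `rabbitmq_password` / `rabbitmq_cookie` only if their scripts actually require it), with `server.pod.runAsUser` set to the UID the rabbitmq image runs the broker as — that UID cannot be confirmed from this diff. The pod template continues outside the hunk.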
@@ -122,9 +120,8 @@ spec:
               readOnly: true
         - name: rabbitmq-cookie
 {{ tuple $envAll "rabbitmq" | include "helm-toolkit.snippets.image" | indent 10 }}
-          securityContext:
-            runAsUser: 0
 {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "server" "container" "rabbitmq_cookie" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           command:
             - /tmp/rabbitmq-cookie.sh
           volumeMounts:
@@ -143,9 +140,8 @@ spec:
 {{- if $envAll.Values.volume.chown_on_start }}
         - name: rabbitmq-perms
 {{ tuple $envAll "rabbitmq" | include "helm-toolkit.snippets.image" | indent 10 }}
-          securityContext:
-            runAsUser: 0
 {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "server" "container" "rabbitmq_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           command:
             - chown
             - -R
@@ -161,6 +157,7 @@ spec:
         - name: rabbitmq
 {{ tuple $envAll "rabbitmq" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "server" "container" "rabbitmq" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           command:
             - /tmp/rabbitmq-start.sh
           ports:
diff --git a/rabbitmq/values.yaml b/rabbitmq/values.yaml
index bdc730ab0..2a03d6d25 100644
--- a/rabbitmq/values.yaml
+++ b/rabbitmq/values.yaml
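Review bot: The `rabbitmq` container's security context in the `@@ -161,6 +157,7 @@` hunk now comes from `server.container.rabbitmq`, which in this patch carries only `readOnlyRootFilesystem: false`, so the broker container inherits the pod's `runAsUser: 0` with no privilege-escalation or capability restriction at all. The exporter entry in the same patch sets `allowPrivilegeEscalation: false`, and the same belongs here; dropping capabilities is also cheap for a broker that, as far as this chart shows, binds no privileged ports, e.g. `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` under `rabbitmq:` in values.yaml, assuming the container macro renders the dict as-is (the exporter entry suggests it does). The container definition continues outside the hunk.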
@@ -48,6 +48,38 @@ images:
       - image_repo_sync
 
 pod:
+  security_context:
+    exporter:
+      pod:
+        runAsUser: 65534
+      container:
+        rabbitmq_exporter:
+          readOnlyRootFilesystem: false
+          allowPrivilegeEscalation: false
+    server:
+      pod:
+        runAsUser: 0
+      container:
+        rabbitmq_password:
+          readOnlyRootFilesystem: false
+        rabbitmq_cookie:
+          readOnlyRootFilesystem: false
+        rabbitmq_perms:
+          readOnlyRootFilesystem: false
+        rabbitmq:
+          readOnlyRootFilesystem: false
+    cluster_wait:
+      pod:
+        runAsUser: 0
+      container:
+        rabbitmq_cluster_wait:
+          readOnlyRootFilesystem: false
+    test:
+      pod:
+        runAsUser: 0
+      container:
+        rabbitmq_test:
+          readOnlyRootFilesystem: false
   affinity:
     anti:
       type:
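Review bot: Every container entry here sets `readOnlyRootFilesystem: false`, while the statefulset this patch touches previously tried (at the wrong level) to enable a read-only root filesystem, so the effective posture is now explicitly permissive rather than merely mis-declared; a short comment above `security_context:` saying why each container needs a writable root, or which paths would need an emptyDir before it can be flipped to `true`, would stop the next reader from taking this as deliberate hardening. `allowPrivilegeEscalation: false` appears only on `rabbitmq_exporter` and costs nothing to add to the other five container entries. The `test` pod also defaults to `runAsUser: 0` for a script that only talks to the management API, where `runAsUser: 65534` as used for the exporter would do.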