Ingress: Add pod/container security context

This PS fixes the use of the security context macros for the
ingress chart.

Change-Id: I28171d529a27c3f203b02c031a6cf289fcc5f3e6
This commit is contained in:
RAHUL KHIYANI 2019-04-18 10:40:15 -05:00 committed by Rahul Khiyani
parent 010faee9d5
commit befb8b65e8
3 changed files with 35 additions and 17 deletions


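--- a/<UNKNOWN_PATH_1>
+++ b/<UNKNOWN_PATH_1>
@@ -43,6 +43,7 @@ spec:
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-conf.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
+{{ dict "envAll" $envAll "application" "error_pages" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 shareProcessNamespace: true
 serviceAccountName: {{ $serviceAccountName }}
 affinity:
@@ -56,6 +57,7 @@ spec:
 - name: ingress-error-pages
 {{ tuple $envAll "error_pages" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.error_pages | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "error_pages" "container" "ingress_error_pages" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 livenessProbe:
 httpGet:
 path: /healthz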
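Review bot: The pod-level include added after `spec:` resolves, with the values introduced in this change, to `runAsUser: 0` for the error_pages pod, so the static error-page server now explicitly runs as root (assuming the helm-toolkit snippet renders the values keys verbatim); a non-root uid plus `runAsNonRoot: true` under `pod.security_context.error_pages.pod` would match the `readOnlyRootFilesystem: true` hardening already applied to the container, if the image's entrypoint permits it. If root is genuinely required by the image, a one-line values comment stating that would keep the default from looking accidental. The Deployment spec continues outside the hunk.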


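--- a/<UNKNOWN_PATH_2>
+++ b/<UNKNOWN_PATH_2>
@@ -179,8 +179,7 @@ spec:
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-conf.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
-securityContext:
-readOnlyRootFilesystem: true
+{{ dict "envAll" $envAll "application" "server" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 shareProcessNamespace: true
 serviceAccountName: {{ $serviceAccountName }}
 {{- if eq .Values.deployment.type "Deployment" }}
@@ -199,11 +198,7 @@ spec:
 {{- if and .Values.network.host_namespace .Values.network.vip.manage }}
 - name: ingress-vip-kernel-modules
 {{ tuple $envAll "ingress_module_init" | include "helm-toolkit.snippets.image" | indent 10 }}
-securityContext:
-capabilities:
-add:
-- SYS_MODULE
-runAsUser: 0
+{{ dict "envAll" $envAll "application" "server" "container" "ingress_vip_kernel_modules" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /tmp/ingress-vip.sh
 - kernel_modules
@@ -219,11 +214,7 @@ spec:
 readOnly: true
 - name: ingress-vip-init
 {{ tuple $envAll "ingress_routed_vip" | include "helm-toolkit.snippets.image" | indent 10 }}
-securityContext:
-capabilities:
-add:
-- NET_ADMIN
-runAsUser: 0
+{{ dict "envAll" $envAll "application" "server" "container" "ingress_vip_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 env:
 {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.network.vip | indent 12 }}
 command:
@@ -241,6 +232,7 @@ spec:
 - name: ingress
 {{ tuple $envAll "ingress" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.ingress | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "server" "container" "ingress" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 readinessProbe:
 httpGet:
 path: /healthz
@@ -316,13 +308,9 @@ spec:
 readOnly: true
 {{- if and .Values.network.host_namespace .Values.network.vip.manage }}
 - name: ingress-vip
-securityContext:
-capabilities:
-add:
-- NET_ADMIN
-runAsUser: 0
 {{- if eq .Values.network.vip.mode "routed" }}
 {{ tuple $envAll "ingress_routed_vip" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "server" "container" "ingress_vip" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 env:
 {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.network.vip | indent 12 }}
 command: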
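Review bot: The ingress-vip container's security context include in the last hunk sits inside the `{{- if eq .Values.network.vip.mode "routed" }}` branch, whereas the removed `securityContext:` block applied to the container regardless of mode; unless the non-routed branch below this hunk carries the same include, that variant silently loses NET_ADMIN and its explicit user, so move the include above the mode check (it depends only on `$envAll`, not on the image line) or mirror it in the other branch. The pod-level snippet in the first hunk is fed by `server.pod.runAsUser: 0` from the new values, which — assuming the helm-toolkit snippet renders those keys verbatim — now applies root to the main `ingress` container as well, whereas the removed per-container `runAsUser: 0` was scoped to the vip helpers only; putting the uid on the `ingress_vip_*` container entries in values instead would preserve the narrower scope. The removed pod-level `readOnlyRootFilesystem: true` was never effective (it is not a PodSecurityContext field), so the new per-container `readOnlyRootFilesystem: false` defaults are not a regression, but a one-line values comment stating why each ingress container needs a writable root filesystem would document the choice. The container definitions continue outside these hunks.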


@ -41,6 +41,34 @@ images:
- image_repo_sync - image_repo_sync
pod: pod:
security_context:
error_pages:
pod:
runAsUser: 0
container:
ingress_error_pages:
readOnlyRootFilesystem: true
server:
pod:
runAsUser: 0
container:
ingress_vip_kernel_modules:
capabilities:
add:
- SYS_MODULE
readOnlyRootFilesystem: false
ingress_vip_init:
capabilities:
add:
- NET_ADMIN
readOnlyRootFilesystem: false
ingress:
readOnlyRootFilesystem: false
ingress_vip:
capabilities:
add:
- NET_ADMIN
readOnlyRootFilesystem: false
affinity: affinity:
anti: anti:
type: type: