ceph-provisioners: Add pod/container security context

This updates the ceph-provisioners chart to include the pod
security context on the pod template

This also adds the container security context to set allowPrivilegeEscalation
to false and readOnlyRootFilesystem to true

Change-Id: Iee49ffe17f2cd08fc978461269b654d3b2cb4406
Rahul Khiyani 2019-03-25 13:36:08 -04:00
parent 6b17525b93
commit c8b6b4b073
3 changed files with 19 additions and 0 deletions


@ -149,6 +149,7 @@ spec:
annotations: annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
spec: spec:
{{ dict "envAll" $envAll "application" "cephfs" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }} serviceAccountName: {{ $serviceAccountName }}
affinity: affinity:
{{ tuple $envAll "cephfs" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} {{ tuple $envAll "cephfs" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
@ -160,6 +161,7 @@ spec:
- name: ceph-cephfs-provisioner - name: ceph-cephfs-provisioner
{{ tuple $envAll "ceph_cephfs_provisioner" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "ceph_cephfs_provisioner" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.cephfs_provisioner | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.cephfs_provisioner | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "cephfs" "container" "ceph_cephfs_provisioner" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env: env:
- name: PROVISIONER_NAME - name: PROVISIONER_NAME
value: {{ .Values.storageclass.cephfs.provisioner }} value: {{ .Values.storageclass.cephfs.provisioner }}
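Review bot: The container security context wired in after the resources snippet on the `ceph-cephfs-provisioner` container renders `readOnlyRootFilesystem: true` from the new values, but nothing in this hunk provides a writable path, and the container's `volumeMounts` are outside the hunk. If the provisioner writes anywhere under `/` at runtime (a generated ceph config or keyring, temp files), that failure shows up only when the pod runs, not when the chart is rendered or linted, so it is easy to miss in template-only CI. Worth confirming against the image and, if a writable path is needed, adding an `emptyDir` volume plus a mount such as `- name: pod-tmp` / `mountPath: /tmp` in the same change so the hardening lands together with what keeps the provisioner working. The deployment spec continues outside the hunk.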


@ -139,6 +139,7 @@ spec:
annotations: annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
spec: spec:
{{ dict "envAll" $envAll "application" "rbd" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }} serviceAccountName: {{ $serviceAccountName }}
affinity: affinity:
{{ tuple $envAll "rbd" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} {{ tuple $envAll "rbd" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
@ -150,6 +151,7 @@ spec:
- name: ceph-rbd-provisioner - name: ceph-rbd-provisioner
{{ tuple $envAll "ceph_rbd_provisioner" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "ceph_rbd_provisioner" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.rbd_provisioner | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.rbd_provisioner | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "rbd" "container" "ceph_rbd_provisioner" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env: env:
- name: PROVISIONER_NAME - name: PROVISIONER_NAME
value: {{ .Values.storageclass.rbd.provisioner }} value: {{ .Values.storageclass.rbd.provisioner }}
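Review bot: The pod security context inserted above `serviceAccountName` carries only `runAsUser: 99` from the values, so every Secret or ConfigMap the rbd provisioner mounts must be readable by uid 99; projected Secret files default to mode 0644 so this works out of the box, but a tightened `defaultMode` (0400/0600) anywhere in this template would break the container with no render-time error. Pairing the UID with `fsGroup: 99` (or `runAsGroup: 99`) in the `rbd.pod` values makes group ownership of projected volumes follow the UID and removes that dependency on the default mode. The deployment's volumes and mounts are outside the hunk, so this is a point to confirm rather than a certain defect.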


@ -49,6 +49,21 @@ labels:
node_selector_value: enabled node_selector_value: enabled
pod: pod:
security_context:
cephfs:
pod:
runAsUser: 99
container:
ceph_cephfs_provisioner:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
rbd:
pod:
runAsUser: 99
container:
ceph_rbd_provisioner:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
dns_policy: "ClusterFirstWithHostNet" dns_policy: "ClusterFirstWithHostNet"
replicas: replicas:
cephfs_provisioner: 2 cephfs_provisioner: 2
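Review bot: The new container contexts set `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` but do not drop Linux capabilities, and the pod contexts pin `runAsUser: 99` without `runAsNonRoot: true`, so a values override of `runAsUser: 0` would be admitted silently and the container still starts with the default capability set. Both are one-line additions to the same stanzas, assuming the helm-toolkit snippets pass the mapping through unchanged (the snippet bodies are not part of this change). The bare `99` is also a magic number here; a comment naming the account it maps to in the provisioner images, once confirmed against the image, would save the next reader a lookup. The rbd stanza should receive the same additions so both provisioners stay consistent.
```yaml
  security_context:
    cephfs:
      pod:
        runAsUser: 99
        runAsNonRoot: true
      container:
        ceph_cephfs_provisioner:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
              - ALL
    # … same additions for rbd.pod and rbd.container.ceph_rbd_provisioner …
```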