Calico: Fix security context

This PS fixes the use of the security context macros for the calico chart. Change-Id: I2ed8a5e994726b625d76a2c308895441c7d174a9 Signed-off-by: Pete Birley <pete@port.direct>
2019-04-21 07:15:46 -05:00 · 2019-04-21 07:15:46 -05:00 · eb58abb880
commit eb58abb880
parent 4e3359a931
5 changed files with 39 additions and 17 deletions
--- a/calico/templates/daemonset-calico-etcd.yaml
+++ b/calico/templates/daemonset-calico-etcd.yaml
@ -51,7 +51,7 @@ spec:
        # a failure.  This annotation works in tandem with the toleration below.
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
-{{ dict "envAll" $envAll "application" "calico" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+{{ dict "envAll" $envAll "application" "etcd" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      serviceAccountName: {{ $serviceAccountName }}
      tolerations:
        # This taint is set by all kubelets running `--cloud-provider=external`
@ -76,7 +76,7 @@ spec:
        - name: calico-etcd
 {{ tuple $envAll "calico_etcd" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.calico_etcd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-{{ dict "envAll" $envAll "application" "calico" "container" "calico_etcd" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ dict "envAll" $envAll "application" "etcd" "container" "calico_etcd" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          env:
            - name: CALICO_ETCD_IP
              valueFrom:
--- a/calico/templates/daemonset-calico-node.yaml
+++ b/calico/templates/daemonset-calico-node.yaml
@ -119,8 +119,7 @@ spec:
 {{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_pod_annotations" | indent 8 }}
 {{- end }}
    spec:
-      securityContext:
-        readOnlyRootFilesystem: true
+{{ dict "envAll" $envAll "application" "calico_node" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      nodeSelector:
        beta.kubernetes.io/os: linux
      hostNetwork: true
@ -144,6 +143,7 @@ spec:
        - name: install-calicoctl
 {{ tuple $envAll "calico_ctl" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.calico_ctl | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "calico_node" "container" "calico_ctl" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          command:
            - /tmp/install-calicoctl.sh
          env:
@ -206,6 +206,7 @@ spec:
        # and CNI network config file on each node.
        - name: install-cni
 {{ tuple $envAll "calico_cni" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "calico_node" "container" "install_cni" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          command: ["/install-cni.sh"]
          env:
            # Prevents the container from sleeping forever.
@ -310,6 +311,7 @@ spec:
        - name: calico-node
 {{ tuple $envAll "calico_node" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.calico_node | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "calico_node" "container" "calico_node" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          env:
            # Values expanded explicitly from conf.node (some of which
            # might be derived from elsewhere, see values.yaml for an
@ -348,14 +350,6 @@ spec:
                fieldRef:
                  fieldPath: spec.nodeName

-          securityContext:
-            capabilities:
-              add:
-                - 'NET_ADMIN'
-                - 'SYS_ADMIN'
-          resources:
-            requests:
-              cpu: 250m
          livenessProbe:
            httpGet:
              path: /liveness
--- a/calico/templates/deployment-calico-kube-controllers.yaml
+++ b/calico/templates/deployment-calico-kube-controllers.yaml
@ -93,8 +93,7 @@ spec:
        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
    spec:
-      securityContext:
-        readOnlyRootFilesystem: true
+{{ dict "envAll" $envAll "application" "kube_controllers" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      nodeSelector:
        beta.kubernetes.io/os: linux
      # The controllers must run in the host network namespace so that
@ -117,6 +116,7 @@ spec:
        - name: calico-kube-controllers
 {{ tuple $envAll "calico_kube_controllers" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.calico_kube_controllers | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "kube_controllers" "container" "kube_controller" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          env:
            # The location of the Calico etcd cluster.
            - name: ETCD_ENDPOINTS
--- a/calico/templates/job-calico-settings.yaml
+++ b/calico/templates/job-calico-settings.yaml
@ -39,6 +39,7 @@ spec:
      labels:
 {{ tuple $envAll "calico" "calico_settings" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
+{{ dict "envAll" $envAll "application" "calico_settings" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      hostNetwork: true
      tolerations:
        - key: node-role.kubernetes.io/master
@ -55,6 +56,7 @@ spec:
        - name: calico-settings
 {{ tuple $envAll "calico_settings" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.calico_settings | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "calico_settings" "container" "calico_settings" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          env:
            - name: ETCD_ENDPOINTS
              valueFrom:
--- a/calico/values.yaml
+++ b/calico/values.yaml
@ -38,12 +38,38 @@ images:

 pod:
  security_context:
-    calico:
+    etcd:
      pod:
        runAsUser: 0
      container:
        calico_etcd:
-          readOnlyRootFilesystem: true
+          readOnlyRootFilesystem: false
+    calico_node:
+      pod:
+        runAsUser: 0
+      container:
+        calico_ctl:
+          readOnlyRootFilesystem: false
+        install_cni:
+          readOnlyRootFilesystem: false
+        calico_node:
+          readOnlyRootFilesystem: false
+          capabilities:
+            add:
+              - 'NET_ADMIN'
+              - 'SYS_ADMIN'
+    kube_controllers:
+      pod:
+        runAsUser: 0
+      container:
+        kube_controller:
+          readOnlyRootFilesystem: false
+    calico_settings:
+      pod:
+        runAsUser: 0
+      container:
+        calico_settings:
+          readOnlyRootFilesystem: false
  resources:
    enabled: false
    jobs:
@ -71,7 +97,7 @@ pod:
    calico_node:
      requests:
        memory: "128Mi"
-        cpu: "100m"
+        cpu: "250m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"