openstack/openstack-helm-infra
Code Issues Proposed changes

Calico: Fix security context

Browse Source 
This PS fixes the use of the security context macros for the
calico chart.

Change-Id: I2ed8a5e994726b625d76a2c308895441c7d174a9
Signed-off-by: Pete Birley <pete@port.direct>
This commit is contained in:
Pete Birley 2019-04-21 07:15:46 -05:00 committed by Pete Birley
parent 4e3359a931
commit eb58abb880
5 changed files with 39 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
calico/templates/daemonset-calico-etcd.yaml
View File

@ -51,7 +51,7 @@ spec:
# a failure. This annotation works in tandem with the toleration below. # a failure. This annotation works in tandem with the toleration below.
scheduler.alpha.kubernetes.io/critical-pod: '' scheduler.alpha.kubernetes.io/critical-pod: ''
spec: spec:
{{ dict "envAll" $envAll "application" "calico" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} {{ dict "envAll" $envAll "application" "etcd" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }} serviceAccountName: {{ $serviceAccountName }}
tolerations: tolerations:
# This taint is set by all kubelets running `--cloud-provider=external` # This taint is set by all kubelets running `--cloud-provider=external`
@ -76,7 +76,7 @@ spec:
- name: calico-etcd - name: calico-etcd
{{ tuple $envAll "calico_etcd" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "calico_etcd" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.calico_etcd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.calico_etcd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "calico" "container" "calico_etcd" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} {{ dict "envAll" $envAll "application" "etcd" "container" "calico_etcd" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env: env:
- name: CALICO_ETCD_IP - name: CALICO_ETCD_IP
valueFrom: valueFrom:

14
calico/templates/daemonset-calico-node.yaml
View File

@ -119,8 +119,7 @@ spec:
{{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_pod_annotations" | indent 8 }} {{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_pod_annotations" | indent 8 }}
{{- end }} {{- end }}
spec: spec:
securityContext: {{ dict "envAll" $envAll "application" "calico_node" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
readOnlyRootFilesystem: true
nodeSelector: nodeSelector:
beta.kubernetes.io/os: linux beta.kubernetes.io/os: linux
hostNetwork: true hostNetwork: true
@ -144,6 +143,7 @@ spec:
- name: install-calicoctl - name: install-calicoctl
{{ tuple $envAll "calico_ctl" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "calico_ctl" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.calico_ctl | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.calico_ctl | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "calico_node" "container" "calico_ctl" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command: command:
- /tmp/install-calicoctl.sh - /tmp/install-calicoctl.sh
env: env:
@ -206,6 +206,7 @@ spec:
# and CNI network config file on each node. # and CNI network config file on each node.
- name: install-cni - name: install-cni
{{ tuple $envAll "calico_cni" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "calico_cni" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ dict "envAll" $envAll "application" "calico_node" "container" "install_cni" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command: ["/install-cni.sh"] command: ["/install-cni.sh"]
env: env:
# Prevents the container from sleeping forever. # Prevents the container from sleeping forever.
@ -310,6 +311,7 @@ spec:
- name: calico-node - name: calico-node
{{ tuple $envAll "calico_node" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "calico_node" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.calico_node | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.calico_node | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "calico_node" "container" "calico_node" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env: env:
# Values expanded explicitly from conf.node (some of which # Values expanded explicitly from conf.node (some of which
# might be derived from elsewhere, see values.yaml for an # might be derived from elsewhere, see values.yaml for an
@ -348,14 +350,6 @@ spec:
fieldRef: fieldRef:
fieldPath: spec.nodeName fieldPath: spec.nodeName
securityContext:
capabilities:
add:
- 'NET_ADMIN'
- 'SYS_ADMIN'
resources:
requests:
cpu: 250m
livenessProbe: livenessProbe:
httpGet: httpGet:
path: /liveness path: /liveness

4
calico/templates/deployment-calico-kube-controllers.yaml
View File

@ -93,8 +93,7 @@ spec:
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
spec: spec:
securityContext: {{ dict "envAll" $envAll "application" "kube_controllers" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
readOnlyRootFilesystem: true
nodeSelector: nodeSelector:
beta.kubernetes.io/os: linux beta.kubernetes.io/os: linux
# The controllers must run in the host network namespace so that # The controllers must run in the host network namespace so that
@ -117,6 +116,7 @@ spec:
- name: calico-kube-controllers - name: calico-kube-controllers
{{ tuple $envAll "calico_kube_controllers" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "calico_kube_controllers" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.calico_kube_controllers | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.calico_kube_controllers | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "kube_controllers" "container" "kube_controller" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env: env:
# The location of the Calico etcd cluster. # The location of the Calico etcd cluster.
- name: ETCD_ENDPOINTS - name: ETCD_ENDPOINTS

2
calico/templates/job-calico-settings.yaml
View File

@ -39,6 +39,7 @@ spec:
labels: labels:
{{ tuple $envAll "calico" "calico_settings" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} {{ tuple $envAll "calico" "calico_settings" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec: spec:
{{ dict "envAll" $envAll "application" "calico_settings" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
hostNetwork: true hostNetwork: true
tolerations: tolerations:
- key: node-role.kubernetes.io/master - key: node-role.kubernetes.io/master
@ -55,6 +56,7 @@ spec:
- name: calico-settings - name: calico-settings
{{ tuple $envAll "calico_settings" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "calico_settings" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.calico_settings | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.calico_settings | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "calico_settings" "container" "calico_settings" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env: env:
- name: ETCD_ENDPOINTS - name: ETCD_ENDPOINTS
valueFrom: valueFrom:

32
calico/values.yaml
View File

@ -38,12 +38,38 @@ images:
pod: pod:
security_context: security_context:
calico: etcd:
pod: pod:
runAsUser: 0 runAsUser: 0
container: container:
calico_etcd: calico_etcd:
readOnlyRootFilesystem: true readOnlyRootFilesystem: false
calico_node:
pod:
runAsUser: 0
container:
calico_ctl:
readOnlyRootFilesystem: false
install_cni:
readOnlyRootFilesystem: false
calico_node:
readOnlyRootFilesystem: false
capabilities:
add:
- 'NET_ADMIN'
- 'SYS_ADMIN'
kube_controllers:
pod:
runAsUser: 0
container:
kube_controller:
readOnlyRootFilesystem: false
calico_settings:
pod:
runAsUser: 0
container:
calico_settings:
readOnlyRootFilesystem: false
resources: resources:
enabled: false enabled: false
jobs: jobs:
@ -71,7 +97,7 @@ pod:
calico_node: calico_node:
requests: requests:
memory: "128Mi" memory: "128Mi"
cpu: "100m" cpu: "250m"
limits: limits:
memory: "1024Mi" memory: "1024Mi"
cpu: "2000m" cpu: "2000m"