From f569cf0d5ce07bee5296c00ebd74d3508951db2e Mon Sep 17 00:00:00 2001
From: Pete Birley
Date: Sun, 21 Apr 2019 07:30:45 -0500
Subject: [PATCH] Ceph-Client: Add security context to chart and read-only-fs

This PS adds the security context macros to the ceph-client chart, and moves the default to read-only-rootfs for all containers.

Change-Id: I2fe03f31cc59e1cda2bf0396ae6e3aca5c440a16
Signed-off-by: Pete Birley
---
 .../templates/deployment-checkdns.yaml | 2 +
 ceph-client/templates/deployment-mds.yaml | 3 ++
 ceph-client/templates/deployment-mgr.yaml | 3 ++
 ceph-client/templates/job-bootstrap.yaml | 2 +
 ceph-client/templates/job-rbd-pool.yaml | 2 +
 ceph-client/templates/pod-helm-tests.yaml | 2 +
 ceph-client/values.yaml | 41 +++++++++++++++++++
 7 files changed, 55 insertions(+)
diff --git a/ceph-client/templates/deployment-checkdns.yaml b/ceph-client/templates/deployment-checkdns.yaml
index 44dc69ace..4189d7969 100644
--- a/ceph-client/templates/deployment-checkdns.yaml
+++ b/ceph-client/templates/deployment-checkdns.yaml
@@ -69,6 +69,7 @@ spec:
 annotations:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 spec:
+{{ dict "envAll" $envAll "application" "checkdns" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 affinity:
 {{ tuple $envAll "ceph" "checkdns" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
@@ -82,6 +83,7 @@ spec:
 - name: ceph-checkdns
 {{ tuple $envAll "ceph_config_helper" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.checkdns | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "checkdns" "container" "checkdns" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 env:
 - name: CLUSTER
 value: "ceph"
diff --git a/ceph-client/templates/deployment-mds.yaml b/ceph-client/templates/deployment-mds.yaml
index 49bbc56b1..debc83aad 100644
--- a/ceph-client/templates/deployment-mds.yaml
+++ b/ceph-client/templates/deployment-mds.yaml
@@ -43,6 +43,7 @@ spec:
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-client-hash: {{ tuple "configmap-etc-client.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
+{{ dict "envAll" $envAll "application" "mds" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 affinity:
 {{ tuple $envAll "ceph" "mds" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
@@ -52,6 +53,7 @@ spec:
 {{ tuple $envAll "mds" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
 - name: ceph-init-dirs
 {{ tuple $envAll "ceph_mds" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "mds" "container" "init_dirs" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /tmp/init-dirs.sh
 env:
@@ -75,6 +77,7 @@ spec:
 - name: ceph-mds
 {{ tuple $envAll "ceph_mds" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.mds | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "mds" "container" "mds" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /tmp/mds-start.sh
 env:
diff --git a/ceph-client/templates/deployment-mgr.yaml b/ceph-client/templates/deployment-mgr.yaml
index de6102d1b..f7e17c057 100644
--- a/ceph-client/templates/deployment-mgr.yaml
+++ b/ceph-client/templates/deployment-mgr.yaml
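Review bot: The ceph-init-dirs container in the second hunk now receives `readOnlyRootFilesystem: true` through the new `init_dirs` values key, while its command is `/tmp/init-dirs.sh`; nothing in this hunk shows whether that script writes only under mounted volumes, and if it creates anything on the image's root filesystem the init container will fail and the deployment will never become ready. The same applies to the ceph-init-dirs container in the deployment-mgr.yaml hunk, and to the main ceph-mds container started by `/tmp/mds-start.sh` in the third hunk. Please check the paths the scripts touch against the containers' volumeMounts (which lie outside these hunks) and record the outcome with a comment above the values entry, e.g. `# init-dirs.sh writes only to mounted volumes; rootfs stays read-only — TODO confirm`.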
@@ -44,6 +44,7 @@ spec:
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-client-hash: {{ tuple "configmap-etc-client.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
+{{ dict "envAll" $envAll "application" "mgr" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 affinity:
 {{ tuple $envAll "ceph" "mgr" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
@@ -55,6 +56,7 @@ spec:
 {{ tuple $envAll "mgr" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
 - name: ceph-init-dirs
 {{ tuple $envAll "ceph_mds" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "mgr" "container" "init_dirs" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /tmp/init-dirs.sh
 env:
@@ -78,6 +80,7 @@ spec:
 - name: ceph-mgr
 {{ tuple $envAll "ceph_mgr" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.mgr | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "mgr" "container" "mgr" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 env:
 - name: CLUSTER
 value: "ceph"
diff --git a/ceph-client/templates/job-bootstrap.yaml b/ceph-client/templates/job-bootstrap.yaml
index 5c5b86f03..d1ac0ffc2 100644
--- a/ceph-client/templates/job-bootstrap.yaml
+++ b/ceph-client/templates/job-bootstrap.yaml
@@ -32,6 +32,7 @@ spec:
 labels:
 {{ tuple $envAll "ceph" "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
+{{ dict "envAll" $envAll "application" "bootstrap" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
 nodeSelector:
@@ -42,6 +43,7 @@ spec:
 - name: ceph-client-bootstrap
 {{ tuple $envAll "ceph_bootstrap" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "bootstrap" "container" "bootstrap" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /tmp/bootstrap.sh
 volumeMounts:
diff --git a/ceph-client/templates/job-rbd-pool.yaml b/ceph-client/templates/job-rbd-pool.yaml
index ab96e5723..735de44b5 100644
--- a/ceph-client/templates/job-rbd-pool.yaml
+++ b/ceph-client/templates/job-rbd-pool.yaml
@@ -33,6 +33,7 @@ spec:
 labels:
 {{ tuple $envAll "ceph" "rbd-pool" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
+{{ dict "envAll" $envAll "application" "rbd_pool" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
 affinity:
@@ -45,6 +46,7 @@ spec:
 - name: ceph-rbd-pool
 {{ tuple $envAll "ceph_rbd_pool" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.mgr | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "rbd_pool" "container" "rbd_pool" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 env:
 - name: CLUSTER
 value: "ceph"
diff --git a/ceph-client/templates/pod-helm-tests.yaml b/ceph-client/templates/pod-helm-tests.yaml
index b94f1d4cd..ead219086 100644
--- a/ceph-client/templates/pod-helm-tests.yaml
+++ b/ceph-client/templates/pod-helm-tests.yaml
@@ -28,6 +28,7 @@ metadata:
 annotations:
 "helm.sh/hook": test-success
 spec:
+{{ dict "envAll" $envAll "application" "test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
 restartPolicy: Never
 serviceAccountName: {{ $serviceAccountName }}
 initContainers:
@@ -36,6 +37,7 @@ spec:
 - name: ceph-cluster-helm-test
 {{ tuple $envAll "ceph_config_helper" | include "helm-toolkit.snippets.image" | indent 6 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+{{ dict "envAll" $envAll "application" "test" "container" "test" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
 env:
 - name: CEPH_DEPLOYMENT_NAMESPACE
 value: {{ .Release.Namespace }}
diff --git a/ceph-client/values.yaml b/ceph-client/values.yaml
index 3fecfc526..c1e5cd9d2 100644
--- a/ceph-client/values.yaml
+++ b/ceph-client/values.yaml
@@ -53,6 +53,47 @@ labels:
 node_selector_value: enabled
 pod:
+ security_context:
+ checkdns:
+ pod:
+ runAsUser: 0
+ container:
+ checkdns:
+ readOnlyRootFilesystem: true
+ mds:
+ pod:
+ runAsUser: 0
+ container:
+ init_dirs:
+ readOnlyRootFilesystem: true
+ mds:
+ readOnlyRootFilesystem: true
+ mgr:
+ pod:
+ runAsUser: 0
+ container:
+ init_dirs:
+ readOnlyRootFilesystem: true
+ mgr:
+ readOnlyRootFilesystem: true
+ bootstrap:
+ pod:
+ runAsUser: 0
+ container:
+ bootstrap:
+ readOnlyRootFilesystem: true
+ rbd_pool:
+ pod:
+ runAsUser: 0
+ container:
+ rbd_pool:
+ readOnlyRootFilesystem: true
+ test:
+ pod:
+ runAsUser: 0
+ container:
+ test:
+ readOnlyRootFilesystem: true
 dns_policy: "ClusterFirstWithHostNet"
 replicas:
 mds: 2
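Review bot: Every new `security_context.<app>.pod` stanza in the values.yaml hunk sets `runAsUser: 0`, so the pod-level security context this commit introduces runs all six workloads — including the one-shot bootstrap and rbd-pool jobs and the helm test pod — explicitly as root, and `readOnlyRootFilesystem: true` only stops writes to the image layer; it neither drops capabilities nor blocks privilege escalation. If root is genuinely required (the init-dirs and bootstrap scripts may need to own host-backed Ceph state directories — not visible here), a one-line comment per stanza saying so would save the next reviewer the same question, e.g. `# root required: init-dirs.sh prepares ceph state dirs — TODO confirm`. Since the per-container map appears to be rendered as-is by the helm-toolkit macro, consider also adding `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` next to each `readOnlyRootFilesystem: true`, and noting in the chart docs how operators override these defaults.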