diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml index 9db68412f6..4363b7441f 100644 --- a/nova/templates/daemonset-compute.yaml +++ b/nova/templates/daemonset-compute.yaml @@ -58,8 +58,7 @@ spec: {{ tuple $envAll "pod_dependency" $mounts_nova_compute_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} - name: nova-compute-init {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }} - securityContext: - runAsUser: 0 +{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} env: - name: NOVA_USER_UID value: "{{ .Values.pod.user.nova.uid }}" @@ -79,8 +78,7 @@ spec: {{- if .Values.conf.ceph.enabled }} - name: ceph-perms {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }} - securityContext: - runAsUser: 0 +{{ dict "envAll" $envAll "application" "nova" "container" "ceph_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} command: - chown - -R @@ -94,6 +92,7 @@ spec: {{- if empty .Values.conf.ceph.cinder.keyring }} - name: ceph-admin-keyring-placement {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ dict "envAll" $envAll "application" "nova" "container" "ceph_admin_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} command: - /tmp/ceph-admin-keyring.sh volumeMounts: 
@@ -114,8 +113,7 @@ spec: {{ end }} - name: ceph-keyring-placement {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }} - securityContext: - allowPrivilegeEscalation: false +{{ dict "envAll" $envAll "application" "nova" "container" "ceph_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} env: - name: CEPH_CINDER_USER value: "{{ .Values.conf.ceph.cinder.user }}" @@ -144,8 +142,7 @@ spec: - name: nova-compute-vnc-init {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} - securityContext: - allowPrivilegeEscalation: false +{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_vnc_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} command: - /tmp/nova-console-compute-init.sh volumeMounts: @@ -162,8 +159,7 @@ spec: - name: nova-compute-spice-init {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} - securityContext: - allowPrivilegeEscalation: false +{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_spice_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} command: - /tmp/nova-console-compute-init.sh volumeMounts: 
@@ -180,6 +176,7 @@ spec: - name: nova-compute {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "nova_compute" "container" "nova_compute" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} securityContext: privileged: true {{- if .Values.conf.ceph.enabled }} @@ -316,6 +313,7 @@ spec: - name: nova-compute-ssh {{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "nova_compute" "container" "nova_compute_ssh" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} securityContext: privileged: true env: diff --git a/nova/templates/deployment-api-metadata.yaml b/nova/templates/deployment-api-metadata.yaml index 8a125a5afb..fb2e56316f 100644 --- a/nova/templates/deployment-api-metadata.yaml +++ b/nova/templates/deployment-api-metadata.yaml @@ -58,8 +58,7 @@ spec: - name: nova-api-metadata-init {{ tuple $envAll "nova_api" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.api_metadata | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} - securityContext: - allowPrivilegeEscalation: false +{{ dict "envAll" $envAll "application" "nova" "container" "nova_api_metadata_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} command: - /tmp/nova-api-metadata-init.sh volumeMounts: 
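Review bot: The two new snippet lines pass `"application" "nova_compute"`, but the values.yaml hunk in this same change defines `nova_compute` and `nova_compute_ssh` only under `pod.security_context.nova.container`, and every other container in this diff passes `"application" "nova"`. Unless a `security_context.nova_compute` stanza exists outside the visible hunks, the include either renders nothing (if the snippet guards the lookup with hasKey), so `readOnlyRootFilesystem: true` is silently never applied to the two privileged containers, or fails at render time; the fix is `"application" "nova"` on both lines. Once the lookup resolves, each of these containers would carry two `securityContext:` keys, because the literal `securityContext:` / `privileged: true` lines directly below the insert are kept as context; `privileged: true` is already set for both containers in values.yaml, so those two literal lines should be dropped and the snippet left as the sole source of the context. This applies to both the nova-compute hunk and the nova-compute-ssh hunk. The enclosing container definitions continue outside both hunks.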
@@ -79,8 +78,7 @@ spec: - name: nova-api {{ tuple $envAll "nova_api" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.api_metadata | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} - securityContext: - allowPrivilegeEscalation: false +{{ dict "envAll" $envAll "application" "nova" "container" "nova_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} command: - /tmp/nova-api-metadata.sh - start diff --git a/nova/templates/deployment-api-osapi.yaml b/nova/templates/deployment-api-osapi.yaml index 0f6ea37178..552201ea12 100644 --- a/nova/templates/deployment-api-osapi.yaml +++ b/nova/templates/deployment-api-osapi.yaml @@ -59,8 +59,7 @@ spec: - name: nova-osapi {{ tuple $envAll "nova_api" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} - securityContext: - allowPrivilegeEscalation: false +{{ dict "envAll" $envAll "application" "nova" "container" "nova_osapi" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} command: - /tmp/nova-api.sh - start @@ -83,6 +82,8 @@ spec: volumeMounts: - name: pod-tmp mountPath: /tmp + - name: pod-var-nova + mountPath: /var/lib/nova - name: nova-bin mountPath: /tmp/nova-api.sh subPath: nova-api.sh @@ -111,6 +112,8 @@ spec: volumes: - name: pod-tmp emptyDir: {} + - name: pod-var-nova + emptyDir: {} - name: nova-bin configMap: name: nova-bin diff --git a/nova/templates/deployment-conductor.yaml b/nova/templates/deployment-conductor.yaml index 900ff238a4..d47b6420d5 100644 --- a/nova/templates/deployment-conductor.yaml +++ b/nova/templates/deployment-conductor.yaml 
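Review bot: The `pod-var-nova` emptyDir mounted at `/var/lib/nova` is added only to `nova-osapi`, while `nova-api-metadata` in deployment-api-metadata.yaml receives the same `readOnlyRootFilesystem: true` from values.yaml without a writable `/var/lib/nova`. If the mount was added because the nova-api process writes under `/var/lib/nova` (not shown in these hunks), the metadata API runs the same service and presumably needs the same `volumeMounts` and `volumes` entries; confirm by rendering and starting the metadata pod with the read-only root filesystem before merging. A comment above the new volume, e.g. `# writable state dir; the container root filesystem is read-only`, would record why the emptyDir exists. The container and volume lists continue outside these hunks.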
@@ -58,8 +58,7 @@ spec: - name: nova-conductor {{ tuple $envAll "nova_conductor" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.conductor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} - securityContext: - allowPrivilegeEscalation: false +{{ dict "envAll" $envAll "application" "nova" "container" "nova_conductor" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} readinessProbe: exec: command: diff --git a/nova/templates/deployment-consoleauth.yaml b/nova/templates/deployment-consoleauth.yaml index 2aaa820023..0ecf60bdf7 100644 --- a/nova/templates/deployment-consoleauth.yaml +++ b/nova/templates/deployment-consoleauth.yaml @@ -58,8 +58,7 @@ spec: - name: nova-consoleauth {{ tuple $envAll "nova_consoleauth" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.consoleauth | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} - securityContext: - allowPrivilegeEscalation: false +{{ dict "envAll" $envAll "application" "nova" "container" "nova_consoleauth" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} readinessProbe: exec: command: diff --git a/nova/templates/deployment-novncproxy.yaml b/nova/templates/deployment-novncproxy.yaml index 943156de10..e828a42f32 100644 --- a/nova/templates/deployment-novncproxy.yaml +++ b/nova/templates/deployment-novncproxy.yaml 
@@ -59,8 +59,7 @@ spec: - name: nova-novncproxy-init {{ tuple $envAll "nova_novncproxy" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.novncproxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} - securityContext: - allowPrivilegeEscalation: false +{{ dict "envAll" $envAll "application" "nova" "container" "nova_novncproxy_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} command: - /tmp/nova-console-proxy-init.sh volumeMounts: @@ -83,6 +82,7 @@ spec: - name: nova-novncproxy-init-assets {{ tuple $envAll "nova_novncproxy_assets" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.novncproxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "nova" "container" "nova_novncproxy_init_assests" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} command: - /tmp/nova-console-proxy-init-assets.sh volumeMounts: @@ -98,6 +98,7 @@ spec: - name: nova-novncproxy {{ tuple $envAll "nova_novncproxy" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.novncproxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "nova" "container" "nova_novncproxy" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} readinessProbe: tcpSocket: port: {{ tuple "compute_novnc_proxy" "internal" "novnc_proxy" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} diff --git a/nova/templates/deployment-scheduler.yaml b/nova/templates/deployment-scheduler.yaml index 0fb54a4bb8..c3ee761beb 100644 --- a/nova/templates/deployment-scheduler.yaml +++ b/nova/templates/deployment-scheduler.yaml 
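Review bot: The container key on the new line for `nova-novncproxy-init-assets` is spelled `nova_novncproxy_init_assests`, and values.yaml carries the same misspelling, so the lookup resolves but the operator-facing override key is wrong and inconsistent with `nova_spiceproxy_init_assets` in deployment-spiceproxy.yaml. The line should read `{{ dict "envAll" $envAll "application" "nova" "container" "nova_novncproxy_init_assets" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}` with the matching values.yaml key renamed in the same commit. Correcting only one side would leave that container with no rendered securityContext (or break the render, depending on how the snippet handles a missing key), so the two edits must land together. The container definition continues outside the hunk.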
@@ -58,8 +58,7 @@ spec: - name: nova-scheduler {{ tuple $envAll "nova_scheduler" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.scheduler | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} - securityContext: - allowPrivilegeEscalation: false +{{ dict "envAll" $envAll "application" "nova" "container" "nova_scheduler" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} readinessProbe: exec: command: diff --git a/nova/templates/deployment-spiceproxy.yaml b/nova/templates/deployment-spiceproxy.yaml index 396dfef732..402b03d68e 100644 --- a/nova/templates/deployment-spiceproxy.yaml +++ b/nova/templates/deployment-spiceproxy.yaml @@ -59,8 +59,7 @@ spec: - name: nova-spiceproxy-init {{ tuple $envAll "nova_spiceproxy" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.spiceproxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} - securityContext: - allowPrivilegeEscalation: false +{{ dict "envAll" $envAll "application" "nova" "container" "nova_spiceproxy_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} command: - /tmp/nova-console-proxy-init.sh volumeMounts: @@ -83,6 +82,7 @@ spec: - name: nova-spiceproxy-init-assets {{ tuple $envAll "nova_spiceproxy_assets" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.spiceproxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "nova" "container" "nova_spiceproxy_init_assets" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} command: - /tmp/nova-console-proxy-init-assets.sh volumeMounts: 
@@ -98,6 +98,7 @@ spec: - name: nova-spiceproxy {{ tuple $envAll "nova_spiceproxy" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.spiceproxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "nova" "container" "nova_spiceproxy" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} readinessProbe: tcpSocket: port: {{ tuple "compute_spice_proxy" "internal" "spice_proxy" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} diff --git a/nova/values.yaml b/nova/values.yaml index b6f701f859..b989702ee0 100644 --- a/nova/values.yaml +++ b/nova/values.yaml 
@@ -2114,6 +2114,70 @@ pod: user: nova: uid: 42424 + security_context: + nova: + pod: + runAsUser: 42424 + container: + nova_compute_init: + readOnlyRootFilesystem: true + runAsUser: 0 + ceph_perms: + readOnlyRootFilesystem: true + runAsUser: 0 + ceph_admin_keyring_placement: + readOnlyRootFilesystem: true + ceph_keyring_placement: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + nova_compute_vnc_init: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + nova_compute_spice_init: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + nova_compute: + readOnlyRootFilesystem: true + privileged: true + nova_compute_ssh: + readOnlyRootFilesystem: true + privileged: true + nova_api_metadata_init: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + nova_api: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + nova_osapi: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + nova_conductor: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + nova_consoleauth: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + nova_novncproxy_init: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + nova_novncproxy_init_assests: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + nova_novncproxy: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + nova_scheduler: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + nova_spiceproxy_init: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + nova_spiceproxy_init_assets: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + nova_spiceproxy: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false affinity: anti: type:
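Review bot: `security_context.nova.pod.runAsUser: 42424` is introduced here, but none of the template hunks in this diff include the pod-level counterpart of the container snippet (`kubernetes_pod_security_context` in helm-toolkit); unless that include is wired in outside the visible hunks, the `pod:` stanza is inert and the pods keep whatever pod-level securityContext they had before. Either add the pod-level include to each template or drop the `pod:` key so the values file does not advertise a setting that has no effect. A short comment above `security_context:`, e.g. `# Per-container securityContext, consumed by helm-toolkit.snippets.kubernetes_container_security_context; containers with runAsUser: 0 or privileged: true are intentional and should be reviewed when changed`, would help operators reading this block. The `pod:` mapping continues outside the hunk.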