From 27864cec04cf16609b2abece5bc4f2bb6129797b Mon Sep 17 00:00:00 2001 From: Pete Birley Date: Thu, 24 Aug 2017 22:03:51 -0500 Subject: [PATCH] Security: Container user for support openstack services This PS adds user control for the service user for support openstack services. Change-Id: I132511bfc09d20a2f155bb9498a7fe8eeee8b6f9 --- glance/templates/deployment-api.yaml | 4 ++++ glance/templates/deployment-registry.yaml | 2 ++ glance/values.yaml | 3 +++ heat/templates/deployment-api.yaml | 2 ++ heat/templates/deployment-cfn.yaml | 2 ++ heat/templates/deployment-cloudwatch.yaml | 2 ++ heat/templates/statefulset-engine.yaml | 2 ++ heat/values.yaml | 3 +++ magnum/templates/deployment-api.yaml | 2 ++ magnum/templates/statefulset-conductor.yaml | 2 ++ magnum/values.yaml | 3 +++ mistral/values.yaml | 3 +++ senlin/templates/deployment-api.yaml | 2 ++ senlin/templates/statefulset-engine.yaml | 2 ++ senlin/values.yaml | 3 +++ 15 files changed, 37 insertions(+) diff --git a/glance/templates/deployment-api.yaml b/glance/templates/deployment-api.yaml index 740a8246d3..d7d3d4ad88 100644 --- a/glance/templates/deployment-api.yaml +++ b/glance/templates/deployment-api.yaml @@ -62,6 +62,8 @@ spec: - name: ceph-keyring-placement image: {{ .Values.images.api }} imagePullPolicy: {{ .Values.images.pull_policy }} + securityContext: + runAsUser: {{ .Values.pod.user.glance.uid }} command: - /tmp/ceph-keyring.sh volumeMounts: @@ -81,6 +83,8 @@ spec: image: {{ .Values.images.api }} imagePullPolicy: {{ .Values.images.pull_policy }} {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + securityContext: + runAsUser: {{ .Values.pod.user.glance.uid }} command: - /tmp/glance-api.sh - start diff --git a/glance/templates/deployment-registry.yaml b/glance/templates/deployment-registry.yaml index ce6b2062c3..5d97754265 100644 --- a/glance/templates/deployment-registry.yaml +++ b/glance/templates/deployment-registry.yaml 
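Review bot: `runAsUser: {{ .Values.pod.user.glance.uid }}` pins a uid but does not assert non-root, so an operator override of `pod.user.glance.uid` to `0` silently runs ceph-keyring-placement and glance-api as root, and an empty override renders `runAsUser:` as null, which the API most likely treats as unset and falls back to the image's user; adding `runAsNonRoot: true` beside it makes the kubelet refuse either case. The same point applies to every other securityContext added in this patch (glance registry, heat api/cfn/cloudwatch/engine, magnum api/conductor, senlin api/engine). Nothing sets a group either: if uid 1000 has no passwd entry in the image the primary gid is typically 0, and the volume the init container writes the keyring into is only writable by uid 1000 if the image or a pod-level `fsGroup` arranges that, which is worth confirming against the image rather than assuming. The enclosing pod spec starts and ends outside both hunks.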
@@ -47,6 +47,8 @@ spec: image: {{ .Values.images.registry }} imagePullPolicy: {{ .Values.images.pull_policy }} {{ tuple $envAll $envAll.Values.pod.resources.registry | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + securityContext: + runAsUser: {{ .Values.pod.user.glance.uid }} command: - /tmp/glance-registry.sh - start diff --git a/glance/values.yaml b/glance/values.yaml index a2449d0f39..a24110896c 100644 --- a/glance/values.yaml +++ b/glance/values.yaml @@ -318,6 +318,9 @@ endpoints: default: 5672 pod: + user: + glance: + uid: 1000 affinity: anti: type: diff --git a/heat/templates/deployment-api.yaml b/heat/templates/deployment-api.yaml index 7624b33beb..353f47c6a8 100644 --- a/heat/templates/deployment-api.yaml +++ b/heat/templates/deployment-api.yaml @@ -47,6 +47,8 @@ spec: image: {{ .Values.images.api }} imagePullPolicy: {{ .Values.images.pull_policy }} {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + securityContext: + runAsUser: {{ .Values.pod.user.heat.uid }} command: - /tmp/heat-api.sh - start diff --git a/heat/templates/deployment-cfn.yaml b/heat/templates/deployment-cfn.yaml index b9f22c311c..92b3bea88e 100644 --- a/heat/templates/deployment-cfn.yaml +++ b/heat/templates/deployment-cfn.yaml @@ -47,6 +47,8 @@ spec: image: {{ .Values.images.cfn }} imagePullPolicy: {{ .Values.images.pull_policy }} {{ tuple $envAll $envAll.Values.pod.resources.cfn | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + securityContext: + runAsUser: {{ .Values.pod.user.heat.uid }} command: - /tmp/heat-cfn.sh - start diff --git a/heat/templates/deployment-cloudwatch.yaml b/heat/templates/deployment-cloudwatch.yaml index 2618c16e70..3e86100be5 100644 --- a/heat/templates/deployment-cloudwatch.yaml +++ b/heat/templates/deployment-cloudwatch.yaml 
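Review bot: The new `pod.user.glance.uid: 1000` in glance/values.yaml carries no comment, and 1000 is a bare default that only works if it matches the user the glance image and its mounted volumes were built for; a one-line comment above `user:` would save the next operator a guess, e.g. `# uid the glance containers run as (securityContext.runAsUser); override to match the image's service user`. Keep the value an unquoted integer as written: runAsUser is an int64 field and a quoted "1000" would be rejected by the API. The same note applies to the heat, magnum, mistral and senlin values hunks. The surrounding `pod:` mapping continues outside the hunk.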
@@ -47,6 +47,8 @@ spec: image: {{ .Values.images.cloudwatch }} imagePullPolicy: {{ .Values.images.pull_policy }} {{ tuple $envAll $envAll.Values.pod.resources.cloudwatch | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + securityContext: + runAsUser: {{ .Values.pod.user.heat.uid }} command: - /tmp/heat-cloudwatch.sh - start diff --git a/heat/templates/statefulset-engine.yaml b/heat/templates/statefulset-engine.yaml index f55980d67e..1fa82454dc 100644 --- a/heat/templates/statefulset-engine.yaml +++ b/heat/templates/statefulset-engine.yaml @@ -43,6 +43,8 @@ spec: image: {{ .Values.images.engine }} imagePullPolicy: {{ .Values.images.pull_policy }} {{ tuple $envAll $envAll.Values.pod.resources.engine | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + securityContext: + runAsUser: {{ .Values.pod.user.heat.uid }} command: - /tmp/heat-engine.sh volumeMounts: diff --git a/heat/values.yaml b/heat/values.yaml index bc4addab9f..d647f28d99 100644 --- a/heat/values.yaml +++ b/heat/values.yaml @@ -333,6 +333,9 @@ endpoints: default: 5672 pod: + user: + heat: + uid: 1000 affinity: anti: type: diff --git a/magnum/templates/deployment-api.yaml b/magnum/templates/deployment-api.yaml index dec66ce254..dce937f1f2 100644 --- a/magnum/templates/deployment-api.yaml +++ b/magnum/templates/deployment-api.yaml @@ -47,6 +47,8 @@ spec: image: {{ .Values.images.api }} imagePullPolicy: {{ .Values.images.pull_policy }} {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + securityContext: + runAsUser: {{ .Values.pod.user.magnum.uid }} command: - /tmp/magnum-api.sh - start diff --git a/magnum/templates/statefulset-conductor.yaml b/magnum/templates/statefulset-conductor.yaml index 87d5870d36..5944b39395 100644 --- a/magnum/templates/statefulset-conductor.yaml +++ b/magnum/templates/statefulset-conductor.yaml 
@@ -43,6 +43,8 @@ spec: image: {{ .Values.images.conductor }} imagePullPolicy: {{ .Values.images.pull_policy }} {{ tuple $envAll $envAll.Values.pod.resources.conductor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + securityContext: + runAsUser: {{ .Values.pod.user.magnum.uid }} command: - /tmp/magnum-conductor.sh volumeMounts: diff --git a/magnum/values.yaml b/magnum/values.yaml index a13333c73e..a06725a537 100644 --- a/magnum/values.yaml +++ b/magnum/values.yaml @@ -209,6 +209,9 @@ endpoints: default: 5672 pod: + user: + magnum: + uid: 1000 affinity: anti: type: diff --git a/mistral/values.yaml b/mistral/values.yaml index ed514067f9..80bf8bdea9 100644 --- a/mistral/values.yaml +++ b/mistral/values.yaml @@ -240,6 +240,9 @@ conf: memcache_security_strategy: ENCRYPT pod: + user: + mistral: + uid: 1000 affinity: anti: type: diff --git a/senlin/templates/deployment-api.yaml b/senlin/templates/deployment-api.yaml index 136efe1e54..8da4d80aaa 100644 --- a/senlin/templates/deployment-api.yaml +++ b/senlin/templates/deployment-api.yaml @@ -47,6 +47,8 @@ spec: image: {{ .Values.images.api }} imagePullPolicy: {{ .Values.images.pull_policy }} {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + securityContext: + runAsUser: {{ .Values.pod.user.senlin.uid }} command: - /tmp/senlin-api.sh - start diff --git a/senlin/templates/statefulset-engine.yaml b/senlin/templates/statefulset-engine.yaml index 65b958c698..61e7546f8e 100644 --- a/senlin/templates/statefulset-engine.yaml +++ b/senlin/templates/statefulset-engine.yaml @@ -43,6 +43,8 @@ spec: image: {{ .Values.images.engine }} imagePullPolicy: {{ .Values.images.pull_policy }} {{ tuple $envAll $envAll.Values.pod.resources.engine | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + securityContext: + runAsUser: {{ .Values.pod.user.senlin.uid }} command: - /tmp/senlin-engine.sh volumeMounts: 
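Review bot: `pod.user.mistral.uid` is added to mistral/values.yaml but, per the diffstat, no mistral template in this patch references it, so the key has no effect and mistral keeps running as whatever user its image defaults to. Either add the matching `securityContext:` / `runAsUser: {{ .Values.pod.user.mistral.uid }}` to the mistral containers in this change, or mark the key as not yet consumed with a comment such as `# not yet wired to any template` so nobody reads it as enforced.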
diff --git a/senlin/values.yaml b/senlin/values.yaml index 1208e69a9f..7760872859 100644 --- a/senlin/values.yaml +++ b/senlin/values.yaml @@ -209,6 +209,9 @@ endpoints: default: 5672 pod: + user: + senlin: + uid: 1000 affinity: anti: type: