Add missing security context to Nova pods/containers
This updates the Nova chart to include the pod security context on the pod template. This also adds the container security context to set readOnlyRootFilesystem flag to true Change-Id: I10b12db8019beb42005764430711694a61c8d17b
This commit is contained in:
PrateekDodda
Prateek Dodda
parent
fc5712909e
commit
27dac1d2c1
@ -46,6 +46,7 @@ spec:
|
|||||||
{{- if $envAll.Values.bootstrap.wait_for_computes.enabled }}
|
{{- if $envAll.Values.bootstrap.wait_for_computes.enabled }}
|
||||||
- name: nova-wait-for-computes-init
|
- name: nova-wait-for-computes-init
|
||||||
{{ tuple $envAll "nova_wait_for_computes_init" | include "helm-toolkit.snippets.image" | indent 10 }}
|
{{ tuple $envAll "nova_wait_for_computes_init" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||||
|
{{ dict "envAll" $envAll "application" "bootstrap" "container" "nova_wait_for_computes_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||||
command:
|
command:
|
||||||
- /bin/bash
|
- /bin/bash
|
||||||
- -c
|
- -c
|
||||||
|
|||||||
@ -41,6 +41,7 @@ spec:
|
|||||||
- name: nova-cell-setup-init
|
- name: nova-cell-setup-init
|
||||||
{{ tuple $envAll "nova_cell_setup_init" | include "helm-toolkit.snippets.image" | indent 10 }}
|
{{ tuple $envAll "nova_cell_setup_init" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.cell_setup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
{{ tuple $envAll $envAll.Values.pod.resources.jobs.cell_setup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
|
{{ dict "envAll" $envAll "application" "nova_cell_setup" "container" "nova_cell_setup_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||||
env:
|
env:
|
||||||
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
|
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
|
||||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
||||||
@ -59,6 +60,7 @@ spec:
|
|||||||
- name: nova-cell-setup
|
- name: nova-cell-setup
|
||||||
{{ tuple $envAll "nova_cell_setup" | include "helm-toolkit.snippets.image" | indent 10 }}
|
{{ tuple $envAll "nova_cell_setup" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.cell_setup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
{{ tuple $envAll $envAll.Values.pod.resources.jobs.cell_setup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
|
{{ dict "envAll" $envAll "application" "nova_cell_setup" "container" "nova_cell_setup" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||||
command:
|
command:
|
||||||
- /tmp/cell-setup.sh
|
- /tmp/cell-setup.sh
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
|
|||||||
@ -2412,9 +2412,22 @@ pod:
|
|||||||
pod:
|
pod:
|
||||||
runAsUser: 42424
|
runAsUser: 42424
|
||||||
container:
|
container:
|
||||||
|
nova_wait_for_computes_init:
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
bootstrap:
|
bootstrap:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
allowPrivilegeEscalation: false
|
allowPrivilegeEscalation: false
|
||||||
|
nova_cell_setup:
|
||||||
|
pod:
|
||||||
|
runAsUser: 42424
|
||||||
|
container:
|
||||||
|
nova_cell_setup_init:
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
nova_cell_setup:
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
cell_setup:
|
cell_setup:
|
||||||
pod:
|
pod:
|
||||||
runAsUser: 42424
|
runAsUser: 42424
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user