From 6e3c3a2eb46ae0731e5c941bcfecbc83a3a5db86 Mon Sep 17 00:00:00 2001
From: "DODDA, PRATEEK REDDY (PD2839)"
Date: Wed, 1 Jul 2020 11:57:13 -0500
Subject: [PATCH] Add missing security context to Cinder pods/containers

This updates the Cinder chart to include the pod security context on the pod template. This also adds the container security context to set readOnlyRootFilesystem flag to true

Change-Id: If17af3e3dba188a43ed11a0d5757fcae9f5358e8
---
 .../cron-job-cinder-volume-usage-audit.yaml | 2 ++
 cinder/templates/job-backup-storage-init.yaml | 6 ++---
 .../templates/job-create-internal-tenant.yaml | 2 ++
 cinder/values.yaml | 24 +++++++++++++++++++
 4 files changed, 31 insertions(+), 3 deletions(-)

diff --git a/cinder/templates/cron-job-cinder-volume-usage-audit.yaml b/cinder/templates/cron-job-cinder-volume-usage-audit.yaml
index a8b7a46a24..fdab9ba1df 100644
--- a/cinder/templates/cron-job-cinder-volume-usage-audit.yaml
+++ b/cinder/templates/cron-job-cinder-volume-usage-audit.yaml
@@ -45,6 +45,7 @@ spec:
 labels:
 {{ tuple $envAll "cinder" "volume-usage-audit" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 12 }}
 spec:
+{{ dict "envAll" $envAll "application" "volume_usage_audit" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 10 }}
 serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
 nodeSelector:
@@ -55,6 +56,7 @@ spec:
 - name: cinder-volume-usage-audit
 {{ tuple $envAll "cinder_volume_usage_audit" | include "helm-toolkit.snippets.image" | indent 14 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.volume_usage_audit | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
+{{ dict "envAll" $envAll "application" "volume_usage_audit" "container" "cinder_volume_usage_audit" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
 command:
 - /tmp/volume-usage-audit.sh
 volumeMounts:
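Review bot: The container include added in the second hunk (`@@ -55,6 +56,7 @@`) turns on `readOnlyRootFilesystem: true` for `cinder-volume-usage-audit` (through the new `volume_usage_audit` values entry), but nothing in the hunk shows a writable mount for whatever `/tmp/volume-usage-audit.sh` writes; the `volumeMounts:` list that would confirm it continues outside the hunk. If the script or the audit process writes under a path that is not backed by an `emptyDir` or other volume, the cron job now fails at run time with a read-only filesystem error rather than at render time, so a render-and-run check of this job is worth doing before merge. A template comment above the include, e.g. `{{/* container securityContext sets readOnlyRootFilesystem: every path the script writes must be mounted below */}}`, would make that coupling visible to the next editor. The same caveat applies to the container includes in the job-backup-storage-init and job-create-internal-tenant hunks.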
diff --git a/cinder/templates/job-backup-storage-init.yaml b/cinder/templates/job-backup-storage-init.yaml
index c6090a81b9..f53fd1b8a6 100644
--- a/cinder/templates/job-backup-storage-init.yaml
+++ b/cinder/templates/job-backup-storage-init.yaml
@@ -61,7 +61,7 @@ spec:
 {{ dict "envAll" $envAll "podName" "cinder-backup-storage-init" "containerNames" (list "cinder-backup-storage-init" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
-{{ dict "envAll" $envAll "application" "cinder" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+{{ dict "envAll" $envAll "application" "storage_init" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 restartPolicy: OnFailure
 nodeSelector:
 {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
@@ -70,8 +70,7 @@ spec:
 {{- if (contains "cinder.backup.drivers.ceph" .Values.conf.cinder.DEFAULT.backup_driver) }}
 - name: ceph-keyring-placement
 {{ tuple $envAll "cinder_backup_storage_init" | include "helm-toolkit.snippets.image" | indent 10 }}
- securityContext:
- runAsUser: 0
+{{ dict "envAll" $envAll "application" "storage_init" "container" "ceph_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /tmp/ceph-admin-keyring.sh
 volumeMounts:
@@ -101,6 +100,7 @@ spec:
 - name: cinder-backup-storage-init
 {{ tuple $envAll "cinder_backup_storage_init" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.backup_storage_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "storage_init" "container" "cinder_backup_storage_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 env:
 - name: NAMESPACE
 valueFrom:
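Review bot: The first hunk (`@@ -61,7 +61,7 @@`) moves the backup-storage-init pod context from the `cinder` application key to `storage_init`, so an operator override kept under `pod.security_context.cinder.pod` for this job silently stops applying after the upgrade. The commit message only says a pod security context was added; a sentence such as `job-backup-storage-init now reads pod.security_context.storage_init instead of pod.security_context.cinder` in the message or the chart notes would let operators migrate their overrides. The include also depends on the `storage_init` subtree that this change adds to values.yaml, so a values override that omits that subtree would presumably fail at render time rather than fall back to `cinder`.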
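Review bot: In the second hunk (`@@ -70,8 +70,7 @@`) the inline `securityContext: runAsUser: 0` on `ceph-keyring-placement` becomes a values-driven include, and the values.yaml hunk keeps `runAsUser: 0` for that container while adding `readOnlyRootFilesystem: true`. Because a container-level `runAsUser` overrides the pod-level one, this init container still runs as root despite the pod context's 42424, and with a read-only root filesystem `/tmp/ceph-admin-keyring.sh` can only write the keyring into a mounted volume; the `volumeMounts:` that would show that mount continue outside the hunk. If the script writes anywhere else the job now fails where it previously succeeded, so this container in particular should be exercised with the Ceph backup driver enabled before merge.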
diff --git a/cinder/templates/job-create-internal-tenant.yaml b/cinder/templates/job-create-internal-tenant.yaml
index 2cb722e242..d0ded6441d 100644
--- a/cinder/templates/job-create-internal-tenant.yaml
+++ b/cinder/templates/job-create-internal-tenant.yaml
@@ -34,6 +34,7 @@ spec:
 labels:
 {{ tuple $envAll $serviceName "create-internal-tenant" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
+{{ dict "envAll" $envAll "application" "create_internal_tenant" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName | quote }}
 restartPolicy: OnFailure
 nodeSelector:
@@ -45,6 +46,7 @@ spec:
 image: {{ $envAll.Values.images.tags.ks_user }}
 imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "create_internal_tenant" "container" "create_internal_tenant" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /tmp/create-internal-tenant.sh
 volumeMounts:
diff --git a/cinder/values.yaml b/cinder/values.yaml
index c1f75e2ffe..51671c9bbb 100644
--- a/cinder/values.yaml
+++ b/cinder/values.yaml
@@ -77,6 +77,13 @@ jobs:
 
 pod:
 security_context:
+ volume_usage_audit:
+ pod:
+ runAsUser: 42424
+ container:
+ cinder_volume_usage_audit:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
 cinder_api:
 pod:
 runAsUser: 42424
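Review bot: The new `volume_usage_audit` entry in the values.yaml hunk (`@@ -77,6 +77,13 @@`) sets `readOnlyRootFilesystem: true` and `allowPrivilegeEscalation: false` on the container but drops no capabilities, and its pod entry sets `runAsUser: 42424` without `runAsNonRoot: true`. For a non-root one-shot job both additions should cost nothing at run time (a non-root process without file capabilities already has an empty effective set) while letting the kubelet enforce the intent rather than assume it: `runAsNonRoot: true` under `pod:` and `capabilities: {drop: [ALL]}` under `cinder_volume_usage_audit:`. The UID 42424 also recurs in every pod entry with no explanation; a comment on its first occurrence naming the account it stands for (e.g. `# 42424: UID the Cinder images run as — <confirm against the image build>`) would help a reader who does not know the images. The same two settings fit the `create_internal_tenant` entry in the following hunk; for `storage_init` only the non-root `cinder_backup_storage_init` container should get the capability drop, because a pod-level `runAsNonRoot: true` would be rejected by the kubelet for the root `ceph_keyring_placement` container.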
@@ -134,6 +141,23 @@ pod:
 readOnlyRootFilesystem: true
 cinder_volume:
 readOnlyRootFilesystem: true
+ storage_init:
+ pod:
+ runAsUser: 42424
+ container:
+ ceph_keyring_placement:
+ runAsUser: 0
+ readOnlyRootFilesystem: true
+ cinder_backup_storage_init:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ create_internal_tenant:
+ pod:
+ runAsUser: 42424
+ container:
+ create_internal_tenant:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
 affinity:
 anti:
 type:
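Review bot: `ceph_keyring_placement` in this hunk is the only container entry that keeps `runAsUser: 0`, and it is also the only one without `allowPrivilegeEscalation: false`, with no comment explaining either. Because a container-level `runAsUser` takes precedence over the pod's `runAsUser: 42424`, a reader of values.yaml cannot tell from this block that the `storage_init` pod context does not apply to that init container; a comment above the line such as `# runs as root: <why the keyring placement script needs UID 0 and what it writes>` would document the exception and make it easy to revisit later. Adding `allowPrivilegeEscalation: false` under `ceph_keyring_placement:` would keep it consistent with `cinder_backup_storage_init` and the other containers in this file, which all set it alongside `readOnlyRootFilesystem: true`.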