Using HTK for cinder security policies

Overriding the values in values.yaml

Change-Id: Ib7cd343b4b95cae088a4fe564524448af79de785
pd2839 2019-07-03 21:51:30 -05:00 committed by PRATEEK REDDY DODDA
parent 69d5c4c1e1
commit 77dfdc99c9
5 changed files with 62 additions and 32 deletions


@ -47,7 +47,7 @@ spec:
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
serviceAccountName: {{ $serviceAccountName }}
{{ dict "envAll" $envAll "application" "cinder" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
{{ dict "envAll" $envAll "application" "cinder_api" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
affinity:
{{ tuple $envAll "cinder" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
nodeSelector:
@ -58,8 +58,7 @@ spec:
{{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
- name: ceph-coordination-volume-perms
{{ tuple $envAll "cinder_api" | include "helm-toolkit.snippets.image" | indent 10 }}
securityContext:
runAsUser: 0
{{ dict "envAll" $envAll "application" "cinder_api" "container" "ceph_coordination_volume_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- chown
- -R
@ -75,7 +74,7 @@ spec:
- name: cinder-api
{{ tuple $envAll "cinder_api" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "cinder" "container" "cinder-api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
{{ dict "envAll" $envAll "application" "cinder_api" "container" "cinder_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/cinder-api.sh
- start
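Review bot: The `runAsUser: 0` that the ceph-coordination-volume-perms init container needs for its `chown -R` is no longer in the template; it now comes only from `pod.security_context.cinder_api.container.ceph_coordination_volume_perms` in values.yaml, so an operator override of that key can silently drop root and the chown fails at pod start. The values entries for the root-requiring init containers deserve a why-comment, e.g. `# performs chown on the coordination volume; must remain root`, so the next person tuning the policy knows the constraint. The same applies to the equivalent keyring-placement and volume-perms init containers in the cinder-backup, cinder-scheduler and cinder-volume deployments below. The container spec continues outside the hunk.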


@ -47,7 +47,7 @@ spec:
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
serviceAccountName: {{ $serviceAccountName }}
{{ dict "envAll" $envAll "application" "cinder" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
{{ dict "envAll" $envAll "application" "cinder_backup" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
affinity:
{{ tuple $envAll "cinder" "backup" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
nodeSelector:
@ -57,8 +57,7 @@ spec:
{{- if (contains "cinder.backup.drivers.ceph" .Values.conf.cinder.DEFAULT.backup_driver) }}
- name: ceph-backup-keyring-placement
{{ tuple $envAll "cinder_backup" | include "helm-toolkit.snippets.image" | indent 10 }}
securityContext:
runAsUser: 0
{{ dict "envAll" $envAll "application" "cinder_backup" "container" "ceph_backup_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/ceph-keyring.sh
env:
@ -81,8 +80,7 @@ spec:
{{- if include "cinder.utils.has_ceph_backend" $envAll }}
- name: ceph-keyring-placement
{{ tuple $envAll "cinder_backup" | include "helm-toolkit.snippets.image" | indent 10 }}
securityContext:
runAsUser: 0
{{ dict "envAll" $envAll "application" "cinder_backup" "container" "ceph_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/ceph-keyring.sh
env:
@ -105,8 +103,7 @@ spec:
{{- if (contains "cinder.backup.drivers.posix" .Values.conf.cinder.DEFAULT.backup_driver) }}
- name: ceph-backup-volume-perms
{{ tuple $envAll "cinder_backup" | include "helm-toolkit.snippets.image" | indent 10 }}
securityContext:
runAsUser: 0
{{ dict "envAll" $envAll "application" "cinder_backup" "container" "ceph_backup_volume_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- chown
- -R
@ -121,8 +118,7 @@ spec:
{{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
- name: ceph-coordination-volume-perms
{{ tuple $envAll "cinder_backup" | include "helm-toolkit.snippets.image" | indent 10 }}
securityContext:
runAsUser: 0
{{ dict "envAll" $envAll "application" "cinder_backup" "container" "ceph_coordination_volume_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- chown
- -R
@ -138,11 +134,7 @@ spec:
- name: cinder-backup
{{ tuple $envAll "cinder_backup" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.backup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "cinder" "container" "cinder-backup" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
securityContext:
capabilities:
add:
- SYS_ADMIN
{{ dict "envAll" $envAll "application" "cinder_backup" "container" "cinder_backup" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/cinder-backup.sh
volumeMounts:
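Review bot: The cinder-backup container's security context is now rendered entirely from `pod.security_context.cinder_backup.container.cinder_backup`, and the values added in this commit give it `runAsUser: 0` next to the `SYS_ADMIN` capability, whereas the removed template lines only added the capability and inherited the user from the previous `cinder` defaults, which are not visible here. If that previous user was the pod-level 42424, this hunk widens the container to root with SYS_ADMIN, which the commit message does not mention. Either drop `runAsUser: 0` if root is not required, or add a comment beside it in values.yaml stating why the backup driver needs it, so the elevation is deliberate and reviewable. The container spec continues outside the hunk.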


@ -47,7 +47,7 @@ spec:
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
serviceAccountName: {{ $serviceAccountName }}
{{ dict "envAll" $envAll "application" "cinder" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
{{ dict "envAll" $envAll "application" "cinder_scheduler" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
affinity:
{{ tuple $envAll "cinder" "scheduler" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
nodeSelector:
@ -57,8 +57,7 @@ spec:
{{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
- name: ceph-coordination-volume-perms
{{ tuple $envAll "cinder_scheduler" | include "helm-toolkit.snippets.image" | indent 10 }}
securityContext:
runAsUser: 0
{{ dict "envAll" $envAll "application" "cinder_scheduler" "container" "ceph_coordination_volume_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- chown
- -R
@ -74,7 +73,7 @@ spec:
- name: cinder-scheduler
{{ tuple $envAll "cinder_scheduler" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.scheduler | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "cinder" "container" "cinder-scheduler" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
{{ dict "envAll" $envAll "application" "cinder_scheduler" "container" "cinder_scheduler" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/cinder-scheduler.sh
volumeMounts:


@ -47,7 +47,7 @@ spec:
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
serviceAccountName: {{ $serviceAccountName }}
{{ dict "envAll" $envAll "application" "cinder" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
{{ dict "envAll" $envAll "application" "cinder_volume" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
affinity:
{{ tuple $envAll "cinder" "volume" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
nodeSelector:
@ -57,8 +57,7 @@ spec:
{{- if include "cinder.utils.has_ceph_backend" $envAll }}
- name: ceph-keyring-placement
{{ tuple $envAll "cinder_volume" | include "helm-toolkit.snippets.image" | indent 10 }}
securityContext:
runAsUser: 0
{{ dict "envAll" $envAll "application" "cinder_volume" "container" "ceph_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/ceph-keyring.sh
env:
@ -81,8 +80,7 @@ spec:
{{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
- name: ceph-coordination-volume-perms
{{ tuple $envAll "cinder_volume" | include "helm-toolkit.snippets.image" | indent 10 }}
securityContext:
runAsUser: 0
{{ dict "envAll" $envAll "application" "cinder_volume" "container" "ceph_coordination_volume_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- chown
- -R
@ -95,10 +93,10 @@ spec:
mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
{{ end }}
- name: init-cinder-conf
{{ tuple $envAll "cinder_volume" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ dict "envAll" $envAll "application" "cinder_volume" "container" "init_cinder_conf" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
image: {{ .Values.images.tags.ks_user }}
imagePullPolicy: {{ .Values.images.pull_policy }}
securityContext:
runAsUser: 0
command:
- /tmp/retrieve-internal-tenant.sh
volumeMounts:
@ -127,7 +125,7 @@ spec:
- name: cinder-volume
{{ tuple $envAll "cinder_volume" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.volume | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "cinder" "container" "cinder-volume" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
{{ dict "envAll" $envAll "application" "cinder_volume" "container" "cinder_volume" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/cinder-volume.sh
volumeMounts:
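Review bot: In the init-cinder-conf hunk (`@ -95,10 +93,10`) the old/new counts only add up if the two removed lines are `image:` and `imagePullPolicy:` and the explicit `securityContext:` / `runAsUser: 0` block survives as context, which means the new side emits two `securityContext` keys for that container, one from the helm-toolkit snippet and one hand-written; most YAML loaders keep the last one silently, so which of `runAsUser`/`readOnlyRootFilesystem` actually applies depends on loader behaviour. Every other init container in this commit removes the hand-written block, so this one should too, since values.yaml already sets `init_cinder_conf: runAsUser: 0`. The same lines also change the init container's image from `.Values.images.tags.ks_user` to the `cinder_volume` image via `tuple $envAll "cinder_volume" | include "helm-toolkit.snippets.image"`; if `/tmp/retrieve-internal-tenant.sh` relies on tooling present only in the ks_user image, the init container will fail, and in any case this image swap is unrelated to the security-policy change and deserves a mention in the commit message. The container spec continues outside the hunk.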


@ -78,19 +78,61 @@ jobs:
pod:
security_context:
cinder:
cinder_api:
pod:
runAsUser: 42424
container:
ceph_coordination_volume_perms:
runAsUser: 0
readOnlyRootFilesystem: true
cinder_api:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
cinder_backup:
pod:
runAsUser: 42424
container:
ceph_backup_keyring_placement:
runAsUser: 0
readOnlyRootFilesystem: true
ceph_keyring_placement:
runAsUser: 0
readOnlyRootFilesystem: true
ceph_backup_volume_perms:
runAsUser: 0
readOnlyRootFilesystem: true
ceph_coordination_volume_perms:
runAsUser: 0
readOnlyRootFilesystem: true
cinder_backup:
capabilities:
add:
- SYS_ADMIN
redOnlyRootFilesystem: true
allowPrivilegeEscalation: false
runAsUser: 0
cinder_scheduler:
pod:
runAsUser: 42424
container:
ceph_coordination_volume_perms:
runAsUser: 0
readOnlyRootFilesystem: true
cinder_scheduler:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
cinder_volume:
pod:
runAsUser: 42424
container:
ceph_keyring_placement:
runAsUser: 0
readOnlyRootFilesystem: true
ceph_coordination_volume_perms:
runAsUser: 0
readOnlyRootFilesystem: true
init_cinder_conf:
runAsUser: 0
readOnlyRootFilesystem: true
cinder_volume:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
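Review bot: `redOnlyRootFilesystem: true` under `cinder_backup.container.cinder_backup` is a typo for `readOnlyRootFilesystem: true`; the unknown field is either dropped or rejected by the API server depending on validation settings, so the one container that runs as root with `SYS_ADMIN` is the one that ends up without a read-only root filesystem, while every sibling container in this hunk gets it. Correcting the key restores the intended hardening; a `yamllint`/schema check in CI would have caught this. Since the pod-level `runAsUser: 42424` is overridden by `runAsUser: 0` in most container entries, a short comment above each root entry explaining why it must stay root would also make future overrides safer.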