Implement Security Context for Neutron

Implement container security context for the following Neutron resources:
 - Neutron server deployment

Change-Id: Ic2600c2301bd9d7c91bc72c22a7813d07e3a8ef6
pd2839 2019-06-19 18:01:07 -05:00 committed by PRATEEK REDDY DODDA
parent a8c8b74f69
commit 7d64eea10e
6 changed files with 50 additions and 21 deletions


@ -64,8 +64,7 @@ spec:
- name: neutron-dhcp-agent - name: neutron-dhcp-agent
{{ tuple $envAll "neutron_dhcp" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "neutron_dhcp" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.agent.dhcp | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.agent.dhcp | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext: {{ dict "envAll" $envAll "application" "neutron" "container" "neutron_dhcp_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
privileged: true
readinessProbe: readinessProbe:
exec: exec:
command: command:
@ -100,6 +99,8 @@ spec:
volumeMounts: volumeMounts:
- name: pod-tmp - name: pod-tmp
mountPath: /tmp mountPath: /tmp
- name: pod-var-neutron
mountPath: /var/lib/neutron
- name: neutron-bin - name: neutron-bin
mountPath: /tmp/neutron-dhcp-agent.sh mountPath: /tmp/neutron-dhcp-agent.sh
subPath: neutron-dhcp-agent.sh subPath: neutron-dhcp-agent.sh
@ -172,6 +173,8 @@ spec:
volumes: volumes:
- name: pod-tmp - name: pod-tmp
emptyDir: {} emptyDir: {}
- name: pod-var-neutron
emptyDir: {}
- name: neutron-bin - name: neutron-bin
configMap: configMap:
name: neutron-bin name: neutron-bin
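Review bot: The new pod-var-neutron emptyDir in the volumeMounts and volumes hunks carries no explanation, and nothing in this template shows why /var/lib/neutron suddenly needs its own volume: the reason is that the container root filesystem becomes read-only through the values default for neutron_dhcp_agent, which lives in another file. A comment above the mount such as `# writable state dir: the container rootfs is read-only via pod.security_context` keeps that cross-file dependency visible. The identical mount in the neutron-l3-agent daemonset in this commit would benefit from the same comment. Since the volume is an emptyDir, whatever the agent keeps under /var/lib/neutron is discarded on pod restart; presumably acceptable, as the container filesystem was ephemeral before too, but worth stating in the comment.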


@ -64,8 +64,7 @@ spec:
- name: neutron-l3-agent - name: neutron-l3-agent
{{ tuple $envAll "neutron_l3" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "neutron_l3" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.agent.l3 | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.agent.l3 | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext: {{ dict "envAll" $envAll "application" "neutron" "container" "neutron_l3_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
privileged: true
readinessProbe: readinessProbe:
exec: exec:
command: command:
@ -100,6 +99,8 @@ spec:
volumeMounts: volumeMounts:
- name: pod-tmp - name: pod-tmp
mountPath: /tmp mountPath: /tmp
- name: pod-var-neutron
mountPath: /var/lib/neutron
- name: neutron-bin - name: neutron-bin
mountPath: /tmp/neutron-l3-agent.sh mountPath: /tmp/neutron-l3-agent.sh
subPath: neutron-l3-agent.sh subPath: neutron-l3-agent.sh
@ -171,6 +172,8 @@ spec:
volumes: volumes:
- name: pod-tmp - name: pod-tmp
emptyDir: {} emptyDir: {}
- name: pod-var-neutron
emptyDir: {}
- name: neutron-bin - name: neutron-bin
configMap: configMap:
name: neutron-bin name: neutron-bin


@ -62,11 +62,7 @@ spec:
{{ tuple $envAll "pod_dependency" $mounts_neutron_lb_agent_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} {{ tuple $envAll "pod_dependency" $mounts_neutron_lb_agent_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
- name: neutron-lb-agent-kernel-modules - name: neutron-lb-agent-kernel-modules
{{ tuple $envAll "neutron_linuxbridge_agent" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "neutron_linuxbridge_agent" | include "helm-toolkit.snippets.image" | indent 10 }}
securityContext: {{ dict "envAll" $envAll "application" "neutron" "container" "neutron_lb_agent_kernel_modules" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
capabilities:
add:
- SYS_MODULE
runAsUser: 0
command: command:
- /tmp/neutron-linuxbridge-agent-init-modules.sh - /tmp/neutron-linuxbridge-agent-init-modules.sh
volumeMounts: volumeMounts:
@ -80,9 +76,7 @@ spec:
- name: neutron-lb-agent-init - name: neutron-lb-agent-init
{{ tuple $envAll "neutron_linuxbridge_agent" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "neutron_linuxbridge_agent" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.agent.lb | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.agent.lb | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext: {{ dict "envAll" $envAll "application" "neutron" "container" "neutron_lb_agent_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
privileged: true
runAsUser: 0
command: command:
- /tmp/neutron-linuxbridge-agent-init.sh - /tmp/neutron-linuxbridge-agent-init.sh
volumeMounts: volumeMounts:
@ -138,8 +132,7 @@ spec:
- name: neutron-lb-agent - name: neutron-lb-agent
{{ tuple $envAll "neutron_linuxbridge_agent" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "neutron_linuxbridge_agent" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.agent.lb | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.agent.lb | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext: {{ dict "envAll" $envAll "application" "neutron" "container" "neutron_lb_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
privileged: true
command: command:
- /tmp/neutron-linuxbridge-agent.sh - /tmp/neutron-linuxbridge-agent.sh
readinessProbe: readinessProbe:
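Review bot: All three containers in this daemonset now take readOnlyRootFilesystem: true from the values defaults, but unlike the dhcp and l3 daemonsets in this commit no writable volume for /var/lib/neutron is added here; if either init script or the agent writes under that path the container will fail at its first write with a read-only filesystem error. The rest of the template is outside these hunks, so an existing writable mount may already cover it; verify against the rendered manifest rather than the template. If none exists, the `pod-var-neutron` emptyDir plus `mountPath: /var/lib/neutron` used in the other two daemonsets is the matching fix.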


@ -63,9 +63,7 @@ spec:
- name: neutron-sriov-agent-init - name: neutron-sriov-agent-init
{{ tuple $envAll "neutron_sriov_agent_init" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "neutron_sriov_agent_init" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.agent.sriov | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.agent.sriov | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext: {{ dict "envAll" $envAll "application" "neutron" "container" "neutron_sriov_agent_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
privileged: true
runAsUser: 0
command: command:
- /tmp/neutron-sriov-agent-init.sh - /tmp/neutron-sriov-agent-init.sh
volumeMounts: volumeMounts:
@ -127,8 +125,7 @@ spec:
- name: neutron-sriov-agent - name: neutron-sriov-agent
{{ tuple $envAll "neutron_sriov_agent" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "neutron_sriov_agent" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.agent.sriov | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.agent.sriov | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext: {{ dict "envAll" $envAll "application" "neutron" "container" "neutron_sriov_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
privileged: true
command: command:
- /tmp/neutron-sriov-agent.sh - /tmp/neutron-sriov-agent.sh
readinessProbe: readinessProbe:


@ -62,8 +62,7 @@ spec:
- name: neutron-server - name: neutron-server
{{ tuple $envAll "neutron_server" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "neutron_server" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext: {{ dict "envAll" $envAll "application" "neutron" "container" "neutron_server" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
allowPrivilegeEscalation: false
command: command:
- /tmp/neutron-server.sh - /tmp/neutron-server.sh
- start - start
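Review bot: neutron-server now gets readOnlyRootFilesystem: true from values, yet this hunk adds no writable volume, whereas the dhcp and l3 daemonsets in the same commit add a pod-var-neutron emptyDir for /var/lib/neutron. Neutron's default state_path is /var/lib/neutron, and oslo lock_path is commonly placed under it; if the chart's neutron.conf keeps either there, the server will fail on its first lock or state write. The container section continues outside the hunk, so a writable mount may already exist; if not, add the same emptyDir, with a comment tying it to the read-only root filesystem. Note also that no runAsUser is set at container level here, so whether the server runs as uid 42424 depends on a pod-level securityContext being rendered elsewhere in this template.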


@ -304,6 +304,40 @@ pod:
user: user:
neutron: neutron:
uid: 42424 uid: 42424
security_context:
neutron:
pod:
runAsUser: 42424
container:
neutron_dhcp_agent:
readOnlyRootFilesystem: true
privileged: true
neutron_l3_agent:
readOnlyRootFilesystem: true
privileged: true
neutron_lb_agent_kernel_modules:
capabilities:
add:
- SYS_MODULE
runAsUser: 0
readOnlyRootFilesystem: true
neutron_lb_agent_init:
privileged: true
runAsUser: 0
readOnlyRootFilesystem: true
neutron_lb_agent:
readOnlyRootFilesystem: true
privileged: true
neutron_sriov_agent_init:
privileged: true
runAsUser: 0
readOnlyRootFilesystem: true
neutron_sriov_agent:
readOnlyRootFilesystem: true
privileged: true
neutron_server:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
affinity: affinity:
anti: anti:
type: type:
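Review bot: `security_context.neutron.pod.runAsUser: 42424` is introduced, but none of the template hunks in this commit include the pod-level snippet (helm-toolkit.snippets.kubernetes_pod_security_context); only the container-level snippet is referenced, so unless a template outside this diff renders the pod-level block this value has no effect and neutron-server keeps the image's default user despite `allowPrivilegeEscalation: false`. Either render the pod-level snippet in the server deployment or add `runAsUser: 42424` to the neutron_server container entry. The four agent containers keep `privileged: true`, which makes `readOnlyRootFilesystem: true` a modest containment gain there; a comment such as `# privileged: the agent presumably needs host network namespaces and interfaces` records why it is not dropped. neutron_lb_agent_kernel_modules is the one entry using a scoped capability instead of privileged; a comment `# CAP_SYS_MODULE is what the init-modules script needs; do not widen to privileged` protects that choice from later "simplification".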