Implement Security Context for Neutron

Implement container security context for the following Neutron resources: - Neutron server deployment Change-Id: Ic2600c2301bd9d7c91bc72c22a7813d07e3a8ef6
2019-06-19 18:01:07 -05:00 · 2019-06-19 18:01:07 -05:00 · 7d64eea10e
commit 7d64eea10e
parent a8c8b74f69
6 changed files with 50 additions and 21 deletions
--- a/neutron/templates/daemonset-dhcp-agent.yaml
+++ b/neutron/templates/daemonset-dhcp-agent.yaml
@ -64,8 +64,7 @@ spec:
        - name: neutron-dhcp-agent
 {{ tuple $envAll "neutron_dhcp" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.agent.dhcp | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-          securityContext:
-            privileged: true
+{{ dict "envAll" $envAll "application" "neutron" "container" "neutron_dhcp_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          readinessProbe:
            exec:
              command:
@ -100,6 +99,8 @@ spec:
          volumeMounts:
            - name: pod-tmp
              mountPath: /tmp
+            - name: pod-var-neutron
+              mountPath: /var/lib/neutron
            - name: neutron-bin
              mountPath: /tmp/neutron-dhcp-agent.sh
              subPath: neutron-dhcp-agent.sh
@ -172,6 +173,8 @@ spec:
      volumes:
        - name: pod-tmp
          emptyDir: {}
+        - name: pod-var-neutron
+          emptyDir: {}
        - name: neutron-bin
          configMap:
            name: neutron-bin
--- a/neutron/templates/daemonset-l3-agent.yaml
+++ b/neutron/templates/daemonset-l3-agent.yaml
@ -64,8 +64,7 @@ spec:
        - name: neutron-l3-agent
 {{ tuple $envAll "neutron_l3" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.agent.l3 | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-          securityContext:
-            privileged: true
+{{ dict "envAll" $envAll "application" "neutron" "container" "neutron_l3_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          readinessProbe:
            exec:
              command:
@ -100,6 +99,8 @@ spec:
          volumeMounts:
            - name: pod-tmp
              mountPath: /tmp
+            - name: pod-var-neutron
+              mountPath: /var/lib/neutron
            - name: neutron-bin
              mountPath: /tmp/neutron-l3-agent.sh
              subPath: neutron-l3-agent.sh
@ -171,6 +172,8 @@ spec:
      volumes:
        - name: pod-tmp
          emptyDir: {}
+        - name: pod-var-neutron
+          emptyDir: {}
        - name: neutron-bin
          configMap:
            name: neutron-bin
--- a/neutron/templates/daemonset-lb-agent.yaml
+++ b/neutron/templates/daemonset-lb-agent.yaml
@ -62,11 +62,7 @@ spec:
 {{ tuple $envAll "pod_dependency" $mounts_neutron_lb_agent_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
        - name: neutron-lb-agent-kernel-modules
 {{ tuple $envAll "neutron_linuxbridge_agent" | include "helm-toolkit.snippets.image" | indent 10 }}
-          securityContext:
-            capabilities:
-              add:
-                - SYS_MODULE
-            runAsUser: 0
+{{ dict "envAll" $envAll "application" "neutron" "container" "neutron_lb_agent_kernel_modules" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          command:
            - /tmp/neutron-linuxbridge-agent-init-modules.sh
          volumeMounts:
@ -80,9 +76,7 @@ spec:
        - name: neutron-lb-agent-init
 {{ tuple $envAll "neutron_linuxbridge_agent" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.agent.lb | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-          securityContext:
-            privileged: true
-            runAsUser: 0
+{{ dict "envAll" $envAll "application" "neutron" "container" "neutron_lb_agent_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          command:
            - /tmp/neutron-linuxbridge-agent-init.sh
          volumeMounts:
@ -138,8 +132,7 @@ spec:
        - name: neutron-lb-agent
 {{ tuple $envAll "neutron_linuxbridge_agent" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.agent.lb | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-          securityContext:
-            privileged: true
+{{ dict "envAll" $envAll "application" "neutron" "container" "neutron_lb_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          command:
            - /tmp/neutron-linuxbridge-agent.sh
          readinessProbe:
--- a/neutron/templates/daemonset-sriov-agent.yaml
+++ b/neutron/templates/daemonset-sriov-agent.yaml
@ -63,9 +63,7 @@ spec:
        - name: neutron-sriov-agent-init
 {{ tuple $envAll "neutron_sriov_agent_init" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.agent.sriov | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-          securityContext:
-            privileged: true
-            runAsUser: 0
+{{ dict "envAll" $envAll "application" "neutron" "container" "neutron_sriov_agent_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          command:
            - /tmp/neutron-sriov-agent-init.sh
          volumeMounts:
@ -127,8 +125,7 @@ spec:
        - name: neutron-sriov-agent
 {{ tuple $envAll "neutron_sriov_agent" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.agent.sriov | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-          securityContext:
-            privileged: true
+{{ dict "envAll" $envAll "application" "neutron" "container" "neutron_sriov_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          command:
            - /tmp/neutron-sriov-agent.sh
          readinessProbe:
--- a/neutron/templates/deployment-server.yaml
+++ b/neutron/templates/deployment-server.yaml
@ -62,8 +62,7 @@ spec:
        - name: neutron-server
 {{ tuple $envAll "neutron_server" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-          securityContext:
-            allowPrivilegeEscalation: false
+{{ dict "envAll" $envAll "application" "neutron" "container" "neutron_server" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          command:
            - /tmp/neutron-server.sh
            - start
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
@ -304,6 +304,40 @@ pod:
  user:
    neutron:
      uid: 42424
+  security_context:
+    neutron:
+      pod:
+        runAsUser: 42424
+      container:
+        neutron_dhcp_agent:
+          readOnlyRootFilesystem: true
+          privileged: true
+        neutron_l3_agent:
+          readOnlyRootFilesystem: true
+          privileged: true
+        neutron_lb_agent_kernel_modules:
+          capabilities:
+            add:
+              - SYS_MODULE
+          runAsUser: 0
+          readOnlyRootFilesystem: true
+        neutron_lb_agent_init:
+          privileged: true
+          runAsUser: 0
+          readOnlyRootFilesystem: true
+        neutron_lb_agent:
+          readOnlyRootFilesystem: true
+          privileged: true
+        neutron_sriov_agent_init:
+          privileged: true
+          runAsUser: 0
+          readOnlyRootFilesystem: true
+        neutron_sriov_agent:
+          readOnlyRootFilesystem: true
+          privileged: true
+        neutron_server:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
  affinity:
    anti:
      type: