Merge "Implement Security Context for Cinder"

2019-03-22 21:18:29 +00:00 · 2019-03-22 21:18:29 +00:00 · ee477d4562
commit ee477d4562
parent 46ff6c3037 ba593e1a6b
5 changed files with 20 additions and 8 deletions
--- a/cinder/templates/deployment-api.yaml
+++ b/cinder/templates/deployment-api.yaml
@ -73,8 +73,7 @@ spec:
        - name: cinder-api
 {{ tuple $envAll "cinder_api" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-          securityContext:
+{{ dict "envAll" $envAll "application" "cinder" "container" "cinder-api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
            allowPrivilegeEscalation: false
          command:
            - /tmp/cinder-api.sh
            - start
--- a/cinder/templates/deployment-backup.yaml
+++ b/cinder/templates/deployment-backup.yaml
@ -130,6 +130,7 @@ spec:
        - name: cinder-backup
 {{ tuple $envAll "cinder_backup" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.backup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" $envAll "application" "cinder" "container" "cinder-backup" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          securityContext:
            capabilities:
              add:
--- a/cinder/templates/deployment-scheduler.yaml
+++ b/cinder/templates/deployment-scheduler.yaml
@ -72,8 +72,7 @@ spec:
        - name: cinder-scheduler
 {{ tuple $envAll "cinder_scheduler" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.scheduler | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-          securityContext:
+{{ dict "envAll" $envAll "application" "cinder" "container" "cinder-scheduler" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
            allowPrivilegeEscalation: false
          command:
            - /tmp/cinder-scheduler.sh
          volumeMounts:
--- a/cinder/templates/deployment-volume.yaml
+++ b/cinder/templates/deployment-volume.yaml
@ -94,8 +94,7 @@ spec:
        - name: cinder-volume
 {{ tuple $envAll "cinder_volume" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.volume | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-          securityContext:
+{{ dict "envAll" $envAll "application" "cinder" "container" "cinder-volume" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
            allowPrivilegeEscalation: true
          command:
            - /tmp/cinder-volume.sh
          volumeMounts:
--- a/cinder/values.yaml
+++ b/cinder/values.yaml
@ -77,9 +77,23 @@ jobs:
      failed: 1
 pod:
-  user:
+  security_context:
    cinder:
-      uid: 42424
+      pod:
        runAsUser: 42424
      container:
        cinder_api:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        cinder_backup:
          redOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        cinder_scheduler:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        cinder_volume:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
  affinity:
    anti:
      type: