openstack/openstack-helm
Code Issues Proposed changes

Add missing security context to Neutron pods/containers

Browse Source 
This updates the Neutron chart to include the pod
security context on the pod template.

This also adds the container security context to set
readOnlyRootFilesystem flag to true

Change-Id: I50ccec785eb3b18d6c00df2ad5f566a72db4604d
This commit is contained in:
DODDA, PRATEEK REDDY (PD2839) 2020-07-02 12:35:36 -05:00 committed by Prateek Dodda
parent a955108d1a
commit f742ebd6ae
2 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
neutron/templates/daemonset-l2gw-agent.yaml
View File

@ -95,8 +95,7 @@ spec:
- name: neutron-l2gw-agent - name: neutron-l2gw-agent
{{ tuple $envAll "neutron_l2gw" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "neutron_l2gw" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.agent.l2gw | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.agent.l2gw | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext: {{ dict "envAll" $envAll "application" "neutron_l2gw_agent" "container" "neutron_l2gw_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
privileged: true
env: env:
- name: RPC_PROBE_TIMEOUT - name: RPC_PROBE_TIMEOUT
value: "{{ .Values.pod.probes.rpc_timeout }}" value: "{{ .Values.pod.probes.rpc_timeout }}"

4
neutron/values.yaml
View File

@ -451,6 +451,10 @@ pod:
neutron_l2gw_agent: neutron_l2gw_agent:
pod: pod:
runAsUser: 42424 runAsUser: 42424
container:
neutron_l2gw_agent:
readOnlyRootFilesystem: true
privileged: true
neutron_bagpipe_bgp: neutron_bagpipe_bgp:
pod: pod:
runAsUser: 42424 runAsUser: 42424