Add missing security context to Keystone pods/containers

This updates the Keystone chart to include the pod
security context on the pod template.

This also adds the container security context, setting the
readOnlyRootFilesystem flag to true.

Change-Id: I0e00571d4060cca914d1bdb4f36e736fa8501130
PrateekDodda 2020-08-05 13:37:33 -05:00
parent b7667a5507
commit fc5712909e
2 changed files with 4 additions and 0 deletions


@ -46,6 +46,7 @@ spec:
- name: keystone-domain-manage-init
{{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.domain_manage | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "domain_manage" "container" "keystone_domain_manage_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
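Review bot: Enabling readOnlyRootFilesystem for keystone-domain-manage-init (the added line passing `"container" "keystone_domain_manage_init"`) will make any write the init step performs against the image root fail at runtime, and this hunk shows no volumeMounts, so confirm that everything the init script writes (rendered config, temp files) lands on an `emptyDir` or other mounted volume. The commit message also says the pod security context is added to the pod template, but this hunk only adds the container-level include; if a pod-level security context include is not already present elsewhere in this template, the `pod.runAsUser` value in values.yaml is not applied to this job. The enclosing `spec:` block starts and ends outside the hunk.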


@ -197,6 +197,9 @@ pod:
pod:
runAsUser: 42424
container:
keystone_domain_manage_init:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
keystone_domain_manage:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
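Review bot: The new `keystone_domain_manage:` entry only takes effect if the job template renders `kubernetes_container_security_context` with `"container" "keystone_domain_manage"` for the main container; the template hunk in this commit wires only `keystone_domain_manage_init`, so unless the main container's include already exists outside that hunk these two flags are dead configuration that silently leaves the container with a writable root filesystem. A short comment above `container:` would make the coupling visible, e.g. `# each key below must match the "container" name passed to kubernetes_container_security_context in the job templates`. The enclosing `pod:` mapping continues outside the hunk.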