From fc5712909efea826906ff609bf1c232e857acf2d Mon Sep 17 00:00:00 2001
From: PrateekDodda
Date: Wed, 5 Aug 2020 13:37:33 -0500
Subject: [PATCH] Add missing security context to Keystone pods/containers

This updates the Keystone chart to include the pod security context on the pod template. This also adds the container security context to set readOnlyRootFilesystem flag to true

Change-Id: I0e00571d4060cca914d1bdb4f36e736fa8501130
---
 keystone/templates/job-domain-manage.yaml | 1 +
 keystone/values.yaml | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/keystone/templates/job-domain-manage.yaml b/keystone/templates/job-domain-manage.yaml
index 3e8f8827ce..3b8b62aaee 100644
--- a/keystone/templates/job-domain-manage.yaml
+++ b/keystone/templates/job-domain-manage.yaml
@@ -46,6 +46,7 @@ spec:
 - name: keystone-domain-manage-init
 {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.domain_manage | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "domain_manage" "container" "keystone_domain_manage_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 env:
 {{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
diff --git a/keystone/values.yaml b/keystone/values.yaml
index 82b71f0cdd..840ba316cc 100644
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@@ -197,6 +197,9 @@ pod:
 pod:
 runAsUser: 42424
 container:
+ keystone_domain_manage_init:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
 keystone_domain_manage:
 readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
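Review bot: The commit message says the pod security context is added to the pod template, but the only insertion in job-domain-manage.yaml (diffstat: 1 line) is the container-level snippet on the `keystone-domain-manage-init` init container; no `helm-toolkit.snippets.kubernetes_pod_security_context` include appears in this change. If that pod-level include is not already present elsewhere in the template, the `pod.security_context.domain_manage.pod.runAsUser: 42424` value in values.yaml is never rendered and the init container still runs as the image default user; if it is already present, the commit message should be narrowed to the container context. The expected form would be a line such as `{{ dict "envAll" $envAll "application" "domain_manage" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent N }}` under the pod `spec:`, with N matching the template's indentation. The enclosing job spec and its container list start and end outside this hunk, so the presence of the pod-level include cannot be confirmed from here.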
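Review bot: The new `keystone_domain_manage_init` entry is looked up by name from the `"container"` argument passed in the job template, and nothing in values.yaml records that coupling; a later rename on either side would, depending on how the snippet handles a missing key, either drop the securityContext silently or fail at render time. Suggest a comment above the new block: `# key must match the "container" argument given to kubernetes_container_security_context in templates/job-domain-manage.yaml`. Separately, `readOnlyRootFilesystem: true` on the init container (which runs the bootstrap image per the template hunk) only works if every path that container writes to is a mounted volume; that should be confirmed against the init container's command before merging, since a failure would surface only at job runtime, not at chart render.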