From befb8b65e8c88a52058424138bfb8a26e0ce3f9c Mon Sep 17 00:00:00 2001
From: RAHUL KHIYANI
Date: Thu, 18 Apr 2019 10:40:15 -0500
Subject: [PATCH] Ingress: Add pod/container security context

This PS fixes the use of the security context macros for the ingress chart.

Change-Id: I28171d529a27c3f203b02c031a6cf289fcc5f3e6
---
 ingress/templates/deployment-error.yaml | 2 ++
 ingress/templates/deployment-ingress.yaml | 22 ++++--------------
 ingress/values.yaml | 28 +++++++++++++++++++++++
 3 files changed, 35 insertions(+), 17 deletions(-)

diff --git a/ingress/templates/deployment-error.yaml b/ingress/templates/deployment-error.yaml
index dbf63de35..76b81dc8d 100644
--- a/ingress/templates/deployment-error.yaml
+++ b/ingress/templates/deployment-error.yaml
@@ -43,6 +43,7 @@ spec:
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-conf.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
+{{ dict "envAll" $envAll "application" "error_pages" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 shareProcessNamespace: true
 serviceAccountName: {{ $serviceAccountName }}
 affinity:
@@ -56,6 +57,7 @@ spec:
 - name: ingress-error-pages
 {{ tuple $envAll "error_pages" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.error_pages | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "error_pages" "container" "ingress_error_pages" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 livenessProbe:
 httpGet:
 path: /healthz
diff --git a/ingress/templates/deployment-ingress.yaml b/ingress/templates/deployment-ingress.yaml
index 9ffaf1a6e..0c2a4d5b1 100644
--- a/ingress/templates/deployment-ingress.yaml
+++ b/ingress/templates/deployment-ingress.yaml
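Review bot: The pod-level context inserted after `spec:` in the @@ -43 hunk resolves, through the new values.yaml block in this patch, to `runAsUser: 0` for the error-pages pod, so a container that only serves static error pages now runs as root; before this change no securityContext was rendered here at all, so it ran as whatever user its image defines. Nothing in the hunk shows a need for UID 0, so I would drop `runAsUser: 0` from `pod.security_context.error_pages.pod` (or pin a non-zero UID the image supports) and keep only the container-level `readOnlyRootFilesystem: true` that the @@ -56 hunk adds. If root really is required, a one-line comment on the values key, e.g. `# error pages need root because <reason>`, should say why so the next maintainer does not widen it further.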
@@ -179,8 +179,7 @@ spec:
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-conf.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
- securityContext:
- readOnlyRootFilesystem: true
+{{ dict "envAll" $envAll "application" "server" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 shareProcessNamespace: true
 serviceAccountName: {{ $serviceAccountName }}
 {{- if eq .Values.deployment.type "Deployment" }}
@@ -199,11 +198,7 @@ spec:
 {{- if and .Values.network.host_namespace .Values.network.vip.manage }}
 - name: ingress-vip-kernel-modules
 {{ tuple $envAll "ingress_module_init" | include "helm-toolkit.snippets.image" | indent 10 }}
- securityContext:
- capabilities:
- add:
- - SYS_MODULE
- runAsUser: 0
+{{ dict "envAll" $envAll "application" "server" "container" "ingress_vip_kernel_modules" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /tmp/ingress-vip.sh
 - kernel_modules
@@ -219,11 +214,7 @@ spec:
 readOnly: true
 - name: ingress-vip-init
 {{ tuple $envAll "ingress_routed_vip" | include "helm-toolkit.snippets.image" | indent 10 }}
- securityContext:
- capabilities:
- add:
- - NET_ADMIN
- runAsUser: 0
+{{ dict "envAll" $envAll "application" "server" "container" "ingress_vip_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 env:
 {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.network.vip | indent 12 }}
 command:
@@ -241,6 +232,7 @@ spec:
 - name: ingress
 {{ tuple $envAll "ingress" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.ingress | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "server" "container" "ingress" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 readinessProbe:
 httpGet:
 path: /healthz
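Review bot: The pod-level `readOnlyRootFilesystem: true` removed in the @@ -179 hunk was never in effect — that field exists only on the container securityContext, not on PodSecurityContext, so the API server discarded it — and its replacement, the `server` pod context, now sets `runAsUser: 0` on every container in the pod per the new values.yaml block. The `ingress` container in the @@ -241 hunk has no securityContext removed, so it appears to have been running as its image's default user until now; forcing it to UID 0 is a net privilege increase for the controller, not a like-for-like move of the three `runAsUser: 0` lines this patch deletes from the vip containers. I would keep the pod context without runAsUser and put `runAsUser: 0` only under the `ingress_vip_kernel_modules`, `ingress_vip_init` and `ingress_vip` container entries that previously carried it, and say in the commit message that the old pod-level readOnlyRootFilesystem was a no-op rather than a setting being relaxed.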
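Review bot: The kernel-modules init container in the @@ -199 hunk keeps the runtime's full default capability set and only adds `SYS_MODULE` (and `ingress-vip-init` in the next hunk likewise only adds `NET_ADMIN`), which with `runAsUser: 0` gives a root process every default capability plus module loading. The template line itself is fine; the tightening belongs in the corresponding values entries, `capabilities: {drop: [ALL], add: [SYS_MODULE]}` for `ingress_vip_kernel_modules` and `capabilities: {drop: [ALL], add: [NET_ADMIN]}` for `ingress_vip_init`, on the assumption that `/tmp/ingress-vip.sh` needs nothing beyond modprobe and `ip` (the script is not in this patch, so that should be confirmed before merging). A `drop: ALL` that breaks the script is a cheap, visible failure compared with an init container that can load arbitrary kernel modules with every other capability still in hand.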
@@ -316,13 +308,9 @@ spec:
 readOnly: true
 {{- if and .Values.network.host_namespace .Values.network.vip.manage }}
 - name: ingress-vip
- securityContext:
- capabilities:
- add:
- - NET_ADMIN
- runAsUser: 0
 {{- if eq .Values.network.vip.mode "routed" }}
 {{ tuple $envAll "ingress_routed_vip" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "server" "container" "ingress_vip" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 env:
 {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.network.vip | indent 12 }}
 command:
diff --git a/ingress/values.yaml b/ingress/values.yaml
index a2bbbf130..5e6f9c313 100644
--- a/ingress/values.yaml
+++ b/ingress/values.yaml
@@ -41,6 +41,34 @@ images:
 - image_repo_sync
 pod:
+ security_context:
+ error_pages:
+ pod:
+ runAsUser: 0
+ container:
+ ingress_error_pages:
+ readOnlyRootFilesystem: true
+ server:
+ pod:
+ runAsUser: 0
+ container:
+ ingress_vip_kernel_modules:
+ capabilities:
+ add:
+ - SYS_MODULE
+ readOnlyRootFilesystem: false
+ ingress_vip_init:
+ capabilities:
+ add:
+ - NET_ADMIN
+ readOnlyRootFilesystem: false
+ ingress:
+ readOnlyRootFilesystem: false
+ ingress_vip:
+ capabilities:
+ add:
+ - NET_ADMIN
+ readOnlyRootFilesystem: false
 affinity:
 anti:
 type:
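Review bot: The ingress-vip container's securityContext was previously declared before `{{- if eq .Values.network.vip.mode "routed" }}` and so applied in every vip mode, but the replacement line is inserted inside the routed branch only. The container body continues past this hunk, so I cannot see it, but if the template has another `network.vip.mode` branch below, that branch now renders with no securityContext at all and silently loses `NET_ADMIN` and `runAsUser: 0`, which managing a VIP presumably depends on. Since the security-context snippet does not depend on which image is selected, move the `{{ dict "envAll" $envAll "application" "server" "container" "ingress_vip" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}` line back to where the removed block sat, directly under `- name: ingress-vip`, or repeat it in each branch.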
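Review bot: In the values.yaml hunk four containers get an explicit `readOnlyRootFilesystem: false` with nothing recording why, `runAsUser: 0` is placed at pod level so it now covers the `ingress` and `ingress_error_pages` containers that never declared it, and the entries that `add` a capability do not `drop` any. The ingress controller plausibly needs a writable root for its generated nginx config, but the vip containers run a single script from `/tmp` (not in this patch), so each `false` should either carry a comment naming the path that needs writing or become `true` with an emptyDir for that path. The restructured block below keeps root confined to the three containers that had it before, drops all capabilities before adding the one each needs, and documents the remaining `false`; it assumes the pod-context snippet tolerates an empty `pod: {}` map, which should be checked against helm-toolkit.
```yaml
pod:
  security_context:
    error_pages:
      pod: {}
      container:
        ingress_error_pages:
          readOnlyRootFilesystem: true
    server:
      pod: {}
      container:
        ingress_vip_kernel_modules:
          runAsUser: 0
          capabilities:
            drop:
              - ALL
            add:
              - SYS_MODULE
          # TODO(review): confirm whether /tmp/ingress-vip.sh writes outside /tmp
          readOnlyRootFilesystem: false
        ingress_vip_init:
          runAsUser: 0
          capabilities:
            drop:
              - ALL
            add:
              - NET_ADMIN
          # TODO(review): confirm whether /tmp/ingress-vip.sh writes outside /tmp
          readOnlyRootFilesystem: false
        ingress:
          # nginx-ingress-controller generates its config at runtime
          readOnlyRootFilesystem: false
        ingress_vip:
          runAsUser: 0
          capabilities:
            drop:
              - ALL
            add:
              - NET_ADMIN
          # TODO(review): confirm whether the vip script writes outside /tmp
          readOnlyRootFilesystem: false
# … unchanged: affinity and the rest of the pod section …
```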