diff --git a/charts/maas/templates/deployment-maas-ingress.yaml b/charts/maas/templates/deployment-maas-ingress.yaml
index 290e97a..810795a 100644
--- a/charts/maas/templates/deployment-maas-ingress.yaml
+++ b/charts/maas/templates/deployment-maas-ingress.yaml
@@ -166,6 +166,7 @@ spec:
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
{{ dict "envAll" $envAll "podName" "maas-ingress" "containerNames" (list "init" "maas-ingress-vip-init" "maas-ingress-vip" "maas-ingress") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
+{{ dict "envAll" $envAll "application" "ingress" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }}
affinity:
{{- tuple $envAll "maas" "ingress" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
@@ -179,6 +180,7 @@ spec:
image: {{ .Values.images.tags.ingress_vip }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.maas_ingress_vip | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ingress" "container" "maas_ingress_vip_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
securityContext:
capabilities:
add:
diff --git a/charts/maas/templates/job-bootstrap-admin-user.yaml b/charts/maas/templates/job-bootstrap-admin-user.yaml
index dece8ef..96ab659 100644
--- a/charts/maas/templates/job-bootstrap-admin-user.yaml
+++ b/charts/maas/templates/job-bootstrap-admin-user.yaml
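Review bot: The container snippet added in the second hunk sits immediately before an existing hand-written `securityContext:` (`capabilities: add:`) in the same container, and if helm-toolkit's `kubernetes_container_security_context` renders its own `securityContext:` key, as the openstack-helm version does, the rendered container mapping carries that key twice — the manifest then either fails to parse or silently keeps only one block, dropping either the capability list or `readOnlyRootFilesystem`. The fix is to delete the literal block and let the snippet carry the capabilities from values, e.g. `maas_ingress_vip_init: {readOnlyRootFilesystem: false, capabilities: {add: [...]}}` with the same list the existing block has. The values hunk in this diff also declares contexts for `maas_ingress_vip` and `maas_ingress`, but only the vip-init container receives a snippet here; unless another change wires those two containers, those entries are dead configuration. The container definition continues past the end of the hunk.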
@@ -33,6 +33,7 @@ spec: annotations: {{ dict "envAll" $envAll "podName" "maas-bootstrap-admin-user" "containerNames" (list "init" "maas-bootstrap-admin-user") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} spec: +{{ dict "envAll" $envAll "application" "bootstrap_admin_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: @@ -44,6 +45,7 @@ spec: image: {{ .Values.images.tags.bootstrap }} imagePullPolicy: {{ .Values.images.pull_policy }} {{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap_admin_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "bootstrap_admin_user" "container" "maas_bootstrap_admin_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} env: - name: ADMIN_USERNAME valueFrom: diff --git a/charts/maas/templates/job-db-init.yaml b/charts/maas/templates/job-db-init.yaml index 7238e03..08736f7 100644 --- a/charts/maas/templates/job-db-init.yaml +++ b/charts/maas/templates/job-db-init.yaml @@ -33,6 +33,7 @@ spec: annotations: {{ dict "envAll" $envAll "podName" "maas-db-init" "containerNames" (list "init" "maas-db-init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} spec: +{{ dict "envAll" $envAll "application" "db_init" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: 
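Review bot: The bootstrap-admin-user job is now explicitly pinned to `runAsUser: 0` with a writable root filesystem by the values hunk in this diff, yet the hunk shows it only consumes the admin credentials from a Secret via `ADMIN_USERNAME`/`valueFrom` and needs no host access that would require UID 0. Either lower it — the chart already uses `runAsUser: 65534` for ingress_errors — or record the reason next to the value, e.g. `runAsUser: 0  # maas createadmin needs /var/lib/maas (TODO confirm)`. At minimum add `allowPrivilegeEscalation: false` under `maas_bootstrap_admin_user` so the new context restricts something instead of only declaring the status quo. The container spec continues outside the hunk.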
@@ -44,6 +45,7 @@ spec: image: {{ .Values.images.tags.db_init | quote }} imagePullPolicy: {{ .Values.images.pull_policy | quote }} {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "db_init" "container" "maas_db_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} env: - name: DB_ADMIN_USER valueFrom: diff --git a/charts/maas/templates/job-db-sync.yaml b/charts/maas/templates/job-db-sync.yaml index 5f35302..32c5220 100644 --- a/charts/maas/templates/job-db-sync.yaml +++ b/charts/maas/templates/job-db-sync.yaml @@ -33,6 +33,7 @@ spec: annotations: {{ dict "envAll" $envAll "podName" "maas-db-sync" "containerNames" (list "init" "maas-db-sync") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} spec: +{{ dict "envAll" $envAll "application" "db_sync" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: @@ -44,6 +45,7 @@ spec: image: {{ .Values.images.tags.db_sync }} imagePullPolicy: {{ .Values.images.pull_policy }} {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "db_sync" "container" "maas_db_sync" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} command: - /tmp/db-sync.sh volumeMounts: diff --git a/charts/maas/templates/job-export-api-key.yaml b/charts/maas/templates/job-export-api-key.yaml index 4db0b5b..eaf2a93 100644 --- a/charts/maas/templates/job-export-api-key.yaml +++ b/charts/maas/templates/job-export-api-key.yaml 
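Review bot: `db_init` is given `readOnlyRootFilesystem: true` in the values hunk while `db_sync`, wired here with the same root UID and a similar one-shot script (`/tmp/db-sync.sh` from the bin mount), is given `false`; the two jobs look alike and the asymmetry is not explained anywhere in the diff. If db-sync genuinely writes to its rootfs (MAAS migrations may touch `/var/lib/maas` — not verifiable from here), put that reason beside the value, e.g. `readOnlyRootFilesystem: false  # db-sync writes under /var/lib/maas`; otherwise set it to `true` to match db_init. Both container specs continue outside the hunks.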
@@ -77,6 +77,7 @@ spec: annotations: {{ dict "envAll" $envAll "podName" "maas-export-api-key" "containerNames" (list "init" "exporter") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} spec: +{{ dict "envAll" $envAll "application" "export_api_key" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: @@ -87,6 +88,7 @@ spec: - name: exporter image: {{ .Values.images.tags.export_api_key }} {{ tuple $envAll $envAll.Values.pod.resources.jobs.export_api_key | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "export_api_key" "container" "exporter" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} imagePullPolicy: {{ .Values.images.pull_policy }} env: - name: SECRET_NAMESPACE diff --git a/charts/maas/templates/job-import.yaml b/charts/maas/templates/job-import.yaml index cc32ffc..a8709fe 100644 --- a/charts/maas/templates/job-import.yaml +++ b/charts/maas/templates/job-import.yaml @@ -33,6 +33,7 @@ spec: annotations: {{ dict "envAll" $envAll "podName" "maas-import-resources" "containerNames" (list "init" "region-import-resources") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} spec: +{{ dict "envAll" $envAll "application" "import_resources" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: 
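Review bot: The `exporter` container appears to do nothing but read the MAAS API key and write it into a Secret in `SECRET_NAMESPACE` through the job's service account, yet the values hunk pins `export_api_key` to `runAsUser: 0` with `readOnlyRootFilesystem: false`; a credential-handling job is the last place root and a writable rootfs should be the default. Suggest `runAsUser: 65534` plus `allowPrivilegeEscalation: false` for `exporter`, as already done for ingress_errors, and if the image cannot run unprivileged, a comment in values saying why. As a style point the snippet was inserted between `resources` and `imagePullPolicy`, separating `image:` from its pull policy; placing it after `imagePullPolicy` keeps the image keys together as in the other templates. The container spec continues outside the hunk.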
@@ -88,6 +89,7 @@ spec: - name: MAAS_DEFAULT_KERNEL value: {{ .Values.conf.maas.images.default_kernel | quote }} {{ tuple $envAll $envAll.Values.pod.resources.jobs.import_resources | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "import_resources" "container" "region_import_resources" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} command: - /tmp/import-boot-resources.sh readinessProbe: diff --git a/charts/maas/templates/statefulset-maas-syslog.yaml b/charts/maas/templates/statefulset-maas-syslog.yaml index 9e0a18b..875a289 100644 --- a/charts/maas/templates/statefulset-maas-syslog.yaml +++ b/charts/maas/templates/statefulset-maas-syslog.yaml @@ -44,6 +44,7 @@ spec: configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} {{ dict "envAll" $envAll "podName" "maas-syslog" "containerNames" (list "init" "logrotate" "syslog") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} spec: +{{ dict "envAll" $envAll "application" "syslog" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} shareProcessNamespace: true affinity: @@ -56,6 +57,7 @@ spec: - name: syslog image: {{ .Values.images.tags.maas_syslog }} imagePullPolicy: {{ .Values.images.pull_policy }} +{{ dict "envAll" $envAll "application" "syslog" "container" "syslog" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} command: - /tmp/start-syslog.sh env: @@ -81,6 +83,7 @@ spec: image: {{ .Values.images.tags.maas_syslog }} imagePullPolicy: {{ .Values.images.pull_policy }} # Run cron in the foreground and only log failed cronjobs (when logrotate fails) +{{ dict "envAll" $envAll "application" "syslog" "container" "logrotate" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} command: - "cron" - "-f" 
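Review bot: In the syslog statefulset's last hunk the `logrotate` snippet is inserted between the comment `# Run cron in the foreground and only log failed cronjobs (when logrotate fails)` and the `command:` it explains, so the comment now reads as a description of the security context; move the snippet above the comment (or below the `command:` list) so the explanation stays with `cron -f`. Separately, this pod sets `shareProcessNamespace: true` (context line in the first hunk) and the values hunk makes both containers root; in a shared PID namespace a root container can signal or ptrace its sibling, so the cron container being root also weakens the syslog container, which the removed `maas-syslog` values had at UID 99. Worth either a non-root UID for `syslog` or a `# NOTE:` in values stating that the shared PID namespace was considered. The container specs continue outside the hunks.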
diff --git a/charts/maas/templates/statefulset-rack.yaml b/charts/maas/templates/statefulset-rack.yaml index 4b7b8ee..7f7e685 100644 --- a/charts/maas/templates/statefulset-rack.yaml +++ b/charts/maas/templates/statefulset-rack.yaml @@ -50,6 +50,7 @@ spec: configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} {{ dict "envAll" $envAll "podName" "maas-rack" "containerNames" (list "init" "maas-rack") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} spec: +{{ dict "envAll" $envAll "application" "rack" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} affinity: {{- tuple $envAll "maas" "rack" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} @@ -82,6 +83,7 @@ spec: name: {{ .Values.conf.maas.credentials.secret.name }} key: 'token' {{ tuple $envAll $envAll.Values.pod.resources.maas_rack | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "rack" "container" "maas_rack" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} command: - /tmp/start.sh securityContext: diff --git a/charts/maas/templates/statefulset-region.yaml b/charts/maas/templates/statefulset-region.yaml index 12db3cd..d57de86 100644 --- a/charts/maas/templates/statefulset-region.yaml +++ b/charts/maas/templates/statefulset-region.yaml 
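Review bot: As in the ingress deployment, the `maas_rack` snippet is added immediately before an existing hand-written `securityContext:` in the same container (`command:` / `- /tmp/start.sh` / `securityContext:`), which yields a duplicate key once helm-toolkit's snippet emits its own `securityContext:`; the rendered manifest will either fail to parse or keep only one of the two blocks. Move whatever the literal block sets (presumably privileges the rack controller needs for DHCP/TFTP — not visible in this hunk) into `pod.security_context.rack.container.maas_rack` in values and delete the literal block, so there is a single source of truth for the container's privileges. The maas-rack container definition continues past the end of the hunk.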
@@ -51,6 +51,7 @@ spec: {{- $containers = splitList " " $containers }} {{ dict "envAll" $envAll "podName" "maas-region" "containerNames" $containers | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} spec: +{{ dict "envAll" $envAll "application" "region" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "maas" "region" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} @@ -61,6 +62,7 @@ spec: containers: {{- if .Values.conf.cache.enabled }} - name: maas-cache +{{ dict "envAll" $envAll "application" "region" "container" "maas_cache" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} image: {{ .Values.images.tags.maas_cache }} imagePullPolicy: {{ .Values.images.pull_policy }} {{- end }} @@ -94,6 +96,7 @@ spec: tty: true {{ tuple $envAll $envAll.Values.pod.resources.maas_region | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "region" "container" "maas_region" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} ports: - name: region-api containerPort: {{ tuple "maas_region" "podport" "region_api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }} diff --git a/charts/maas/templates/tests/test-maas-init.yaml b/charts/maas/templates/tests/test-maas-init.yaml index 456340a..790c7c7 100644 --- a/charts/maas/templates/tests/test-maas-init.yaml +++ b/charts/maas/templates/tests/test-maas-init.yaml 
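Review bot: The `maas_cache` snippet is placed before `image:` while the `maas_region` one goes after `resources`, and the values hunk gives both containers only `readOnlyRootFilesystem: false` at UID 0, so the new contexts restrict nothing for the region pod. For consistency place the snippet after `imagePullPolicy` in both containers, and add `allowPrivilegeEscalation: false` to `maas_cache` and `maas_region` in values unless something in these images relies on setuid — if so, note it there, e.g. `# region runs as root: <reason> (TODO confirm)`. Both container specs continue outside the hunks.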
@@ -30,6 +30,7 @@ metadata: labels: {{ tuple $envAll "maas" "init-test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} spec: +{{ dict "envAll" $envAll "application" "api_test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }} restartPolicy: Never nodeSelector: {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }} @@ -46,6 +47,7 @@ spec: image: {{ .Values.images.tags.maas_region }} imagePullPolicy: {{ .Values.images.pull_policy }} {{ tuple . .Values.pod.resources.test | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }} +{{ dict "envAll" $envAll "application" "api_test" "container" "maas_api_test" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }} command: ["/tmp/maas-test.sh"] volumeMounts: - name: maas-bin diff --git a/charts/maas/values.yaml b/charts/maas/values.yaml index a5d982b..ae72bf3 100644 --- a/charts/maas/values.yaml +++ b/charts/maas/values.yaml 
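Review bot: The helm test pod only runs `/tmp/maas-test.sh` from the `maas-bin` mount against the region API, and the values hunk gives `api_test` `runAsUser: 0` with a writable rootfs; a pure API test should be the easiest workload in this chart to run unprivileged. Suggest `runAsUser: 65534` and `allowPrivilegeEscalation: false` for `maas_api_test`, or a comment in values naming what in the region image forces root. The values key `api_test`/`maas_api_test` also does not line up with the `maas-api-test` name the mandatory_access_control block in values uses for the same pod, which makes the two hard to cross-reference; consider aligning them. The Pod spec continues outside the hunk.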
@@ -350,25 +350,81 @@ pod:
maas-api-test:
maas-api-test: runtime/default
security_context:
- maas-syslog:
- pod:
- runAsUser: 99
- container:
- syslog:
- runAsUser: 99
- readOnlyRootFilesystem: true
ingress:
+ pod:
+ runAsUser: 0
container:
- maas_ingress:
- runAsUser: 0
+ maas_ingress_vip_init:
+ readOnlyRootFilesystem: false
maas_ingress_vip:
- runAsUser: 0
+ readOnlyRootFilesystem: false
+ maas_ingress:
+ readOnlyRootFilesystem: false
ingress_errors:
pod:
runAsUser: 65534
container:
maas_ingress_errors:
readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ bootstrap_admin_user:
+ pod:
+ runAsUser: 0
+ container:
+ maas_bootstrap_admin_user:
+ readOnlyRootFilesystem: false
+ db_init:
+ pod:
+ runAsUser: 0
+ container:
+ maas_db_init:
+ readOnlyRootFilesystem: true
+ db_sync:
+ pod:
+ runAsUser: 0
+ container:
+ maas_db_sync:
+ readOnlyRootFilesystem: false
+ export_api_key:
+ pod:
+ runAsUser: 0
+ container:
+ exporter:
+ readOnlyRootFilesystem: false
+ import_resources:
+ pod:
+ runAsUser: 0
+ container:
+ region_import_resources:
+ readOnlyRootFilesystem: false
+ syslog:
+ pod:
+ runAsUser: 0
+ container:
+ syslog:
+ readOnlyRootFilesystem: true
+ logrotate:
+ readOnlyRootFilesystem: false
+ rack:
+ pod:
+ runAsUser: 0
+ container:
+ maas_rack:
+ readOnlyRootFilesystem: false
+ region:
+ pod:
+ runAsUser: 0
+ container:
+ maas_cache:
+ readOnlyRootFilesystem: false
+ maas_region:
+ readOnlyRootFilesystem: false
+ api_test:
+ pod:
+ runAsUser: 0
+ container:
+ maas_api_test:
+ readOnlyRootFilesystem: false
affinity:
anti:
type:
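Review bot: The new `syslog` stanza drops the non-root intent the removed `maas-syslog` block expressed: `runAsUser: 99` for pod and container becomes `runAsUser: 0` for the whole pod, in a statefulset that sets `shareProcessNamespace: true`. The old block was keyed `maas-syslog` while the templates only now include the snippet under `syslog`, so it was probably never applied — but this hunk makes root explicit instead of restoring UID 99. More generally, `allowPrivilegeEscalation: false` is added only to `maas_ingress_errors`; every other new entry is `runAsUser: 0` plus a `readOnlyRootFilesystem` flag (mostly `false`), which documents the status quo without hardening it. Suggest keeping UID 99 for the syslog container and overriding only the cron container, and adding `allowPrivilegeEscalation: false` wherever no setuid is needed.

```yaml
      syslog:
        pod:
          runAsUser: 99
        container:
          syslog:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
          logrotate:
            runAsUser: 0  # runs `cron -f`; confirm whether the image's cron can run unprivileged
            readOnlyRootFilesystem: false
      # … unchanged: other application stanzas …
```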