From e066274b8bff385ffccaa47a2349d15582a7855c Mon Sep 17 00:00:00 2001 From: Prateek Dodda Date: Thu, 16 Apr 2020 05:37:03 -0500 Subject: [PATCH] Implement Security Context for Airflow_Scheduler This adds the container security context to set readOnlyRootFilesystem to true Change-Id: Ia9cad50decfcf9638e8fc1cf5d652ee72d978a40 --- .../templates/configmap-airflow-usr.yaml | 25 ++++++++++++++++++ .../deployment-airflow-scheduler.yaml | 10 +++++++ .../templates/statefulset-airflow-worker.yaml | 26 +++++++++++++++---- charts/shipyard/values.yaml | 13 ++++++++++ 4 files changed, 69 insertions(+), 5 deletions(-) create mode 100644 charts/shipyard/templates/configmap-airflow-usr.yaml diff --git a/charts/shipyard/templates/configmap-airflow-usr.yaml b/charts/shipyard/templates/configmap-airflow-usr.yaml new file mode 100644 index 00000000..584bc11c --- /dev/null +++ b/charts/shipyard/templates/configmap-airflow-usr.yaml @@ -0,0 +1,25 @@ +# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- if .Values.manifests.configmap_airflow_usr }} +{{- $envAll := . }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: airflow-usr +data: + unittests.cfg: |+ +{{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.airflow | indent 4 }} +{{- end }} diff --git a/charts/shipyard/templates/deployment-airflow-scheduler.yaml b/charts/shipyard/templates/deployment-airflow-scheduler.yaml index 9cbd9694..9de44a6b 100644 --- a/charts/shipyard/templates/deployment-airflow-scheduler.yaml +++ b/charts/shipyard/templates/deployment-airflow-scheduler.yaml @@ -53,6 +53,7 @@ spec: spec: serviceAccountName: {{ $serviceAccountName }} affinity: +{{ dict "envAll" $envAll "application" "airflow_scheduler" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} {{ tuple $envAll "airflow" "scheduler" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: {{ .Values.labels.airflow.node_selector_key }}: {{ .Values.labels.airflow.node_selector_value }} @@ -65,6 +66,7 @@ spec: image: {{ .Values.images.tags.airflow }} imagePullPolicy: {{ .Values.images.pull_policy }} {{ tuple $envAll $envAll.Values.pod.resources.airflow.scheduler | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "airflow_scheduler" "container" "airflow_scheduler" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} env: - name: AIRFLOW_CONN_AIRFLOWS_OWN_DB valueFrom: @@ -78,6 +80,10 @@ spec: mountPath: {{ .Values.conf.airflow_config_file.path }} subPath: airflow.cfg readOnly: true + - name: airflow-usr + mountPath: {{ .Values.conf.airflow_unittests_file.path }} + subPath: unittests.cfg + readOnly: true - name: shipyard-etc mountPath: /usr/local/airflow/plugins/shipyard.conf subPath: shipyard.conf @@ -90,6 +96,10 @@ spec: configMap: name: airflow-etc defaultMode: 0444 + - name: airflow-usr + configMap: + name: airflow-usr + defaultMode: 0444 - name: shipyard-etc configMap: name: shipyard-etc diff --git a/charts/shipyard/templates/statefulset-airflow-worker.yaml b/charts/shipyard/templates/statefulset-airflow-worker.yaml index 5eb6cc87..ee9a9a33 100644 --- a/charts/shipyard/templates/statefulset-airflow-worker.yaml +++ b/charts/shipyard/templates/statefulset-airflow-worker.yaml @@ -124,14 +124,14 @@ spec: # Set to -1 to stop scheduler from going into crash loops args: ["scheduler", "-n", "-1" ] volumeMounts: - - name: airflow-usr - mountPath: /usr/local/airflow/unittests.cfg - subPath: unittests.cfg - readOnly: false - name: airflow-etc mountPath: {{ .Values.conf.airflow_config_file.path }} subPath: airflow.cfg readOnly: true + - name: airflow-usr + mountPath: {{ .Values.conf.airflow_unittests_file.path }} + subPath: unittests.cfg + readOnly: true - name: shipyard-etc mountPath: /usr/local/airflow/plugins/shipyard.conf subPath: shipyard.conf @@ -142,6 +142,7 @@ spec: image: {{ .Values.images.tags.airflow }} imagePullPolicy: {{ .Values.images.pull_policy }} {{ tuple $envAll $envAll.Values.pod.resources.airflow.worker | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "airflow_worker" "container" "airflow_worker" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} env: - name: AIRFLOW_CONN_AIRFLOWS_OWN_DB valueFrom: @@ -155,10 +156,16 @@ spec: tcpSocket: port: {{ .Values.network.airflow.worker.port }} volumeMounts: + - name: pod-tmp + mountPath: /tmp - name: airflow-etc mountPath: {{ .Values.conf.airflow_config_file.path }} subPath: airflow.cfg readOnly: true + - name: airflow-usr + mountPath: {{ .Values.conf.airflow_unittests_file.path }} + subPath: unittests.cfg + readOnly: true - name: shipyard-etc mountPath: /usr/local/airflow/plugins/shipyard.conf subPath: shipyard.conf @@ -193,7 +200,7 @@ spec: - name: airflow-logs mountPath: {{ .Values.conf.airflow.core.base_log_folder }} volumes: - - name: airflow-usr + - name: pod-tmp emptyDir: {} - name: airflow-etc projected: @@ -204,6 +211,15 @@ spec: items: - key: airflow.cfg path: airflow.cfg + - name: airflow-usr + projected: + defaultMode: 0444 + sources: + - configMap: + name: airflow-usr + items: + - key: unittests.cfg + path: unittests.cfg - name: shipyard-etc projected: defaultMode: 0444 diff --git a/charts/shipyard/values.yaml b/charts/shipyard/values.yaml index 9adf17bd..4b037428 100644 --- a/charts/shipyard/values.yaml +++ b/charts/shipyard/values.yaml @@ -450,6 +450,8 @@ conf: deployment_version_commit: Skip airflow_config_file: path: /usr/local/airflow/airflow.cfg + airflow_unittests_file: + path: /usr/local/airflow/unittests.cfg airflow: # NOTE: Airflow 1.10 introduces a need to declare all config options: # https://issues.apache.org/jira/browse/AIRFLOW-3099 @@ -736,6 +738,13 @@ pod: allowPrivilegeEscalation: false airflow_web: allowPrivilegeEscalation: false + airflow_scheduler: + pod: + runAsUser: 1000 + container: + airflow_scheduler: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false airflow_worker: pod: runAsUser: 1000 @@ -746,6 +755,9 @@ pod: airflow_scheduler: readOnlyRootFilesystem: true allowPrivilegeEscalation: false + airflow_worker: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false airflow_logrotate: readOnlyRootFilesystem: true allowPrivilegeEscalation: false @@ -923,6 +935,7 @@ manifests: configmap_shipyard_etc: true configmap_airflow_bin: true configmap_airflow_etc: true + configmap_airflow_usr: true # TODO: Set this to false only if a new deployment, or if the worker pod is # running the scheduler deployment_airflow_scheduler: true