Add security context template for promenade charts

This change adds a security context template at pod level to
set the run-as-user value

This also adds security context template at container level to
set readOnly-fs flag

Change-Id: Iba720e687218987cfefe7a9f08630fb11e8eac12
KHIYANI, RAHUL (rk0850) 2020-07-21 12:38:38 -05:00 committed by Rahul Khiyani
parent d44084664e
commit 880c6503c8
8 changed files with 31 additions and 0 deletions


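--- a/<path-not-shown-1>
+++ b/<path-not-shown-1>
@@ -50,12 +50,14 @@ metadata:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
 {{- dict "envAll" $envAll "podName" "apiserver" "containerNames" (list "apiserver") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
 spec:
+{{ dict "envAll" $envAll "application" "apiserver" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
 hostNetwork: true
 shareProcessNamespace: true
 containers:
 - name: apiserver
 image: {{ .Values.images.tags.apiserver }}
 {{ tuple $envAll $envAll.Values.pod.resources.kubernetes_apiserver | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+{{ dict "envAll" $envAll "application" "apiserver" "container" "apiserver" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
 env:
 - name: POD_IP
 valueFrom: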
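Review bot: The container-level snippet is wired to the `apiserver` container only, so any init containers or sidecars this pod defines outside the hunk are left with whatever the pod-level context supplies (and nothing if they carry their own override); the same applies to the controller-manager and scheduler template hunks further down, which each cover a single named container. The pod spec this inserts into starts before the hunk and its container list continues past it, so confirm against the full template whether other containers exist. Since this pod also sets `hostNetwork: true` and `shareProcessNamespace: true`, a template comment above the pod-level include such as `{{/* pod-level security_context is a default only; each container's entry under pod.security_context.apiserver.container overrides it */}}` would make the precedence explicit for the next reader.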


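--- a/<path-not-shown-2>
+++ b/<path-not-shown-2>
@@ -287,6 +287,13 @@ pod:
 apiserver_key_rotate:
 runAsUser: 0
 readOnlyRootFilesystem: false
+apiserver:
+pod:
+runAsUser: 65534
+container:
+apiserver:
+runAsUser: 0
+readOnlyRootFilesystem: false
 mounts:
 kubernetes_apiserver:
 init_container: null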
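Review bot: The pod-level `runAsUser: 65534` added here is overridden for the only listed container by `container.apiserver.runAsUser: 0`, because a container securityContext takes precedence over the pod securityContext, so the apiserver container still runs as root with a writable root filesystem inside a `hostNetwork`/`shareProcessNamespace` pod and the pod-level value is effectively inert. The haproxy values hunk in this change has the same shape (`server.pod.runAsUser: 65534` alongside `server.container.haproxy.runAsUser: 0`). If root is genuinely required for this container, a comment above the container entry should record the reason, e.g. `# apiserver runs as root: <reason not stated in this change>`; otherwise drop the container-level `runAsUser` so the 65534 default takes effect. The commit message describes setting the read-only-filesystem flag, but the value chosen here is the permissive `false`; a short comment stating what the container needs to write would justify it.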


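--- a/<path-not-shown-3>
+++ b/<path-not-shown-3>
@@ -26,11 +26,13 @@ metadata:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
 {{ dict "envAll" $envAll "podName" "controller-manager" "containerNames" (list "controller-manager") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
 spec:
+{{ dict "envAll" $envAll "application" "controller_manager" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
 hostNetwork: true
 containers:
 - name: controller-manager
 image: {{ .Values.images.tags.controller_manager }}
 {{ tuple $envAll $envAll.Values.pod.resources.controller_manager | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+{{ dict "envAll" $envAll "application" "controller_manager" "container" "controller_manager" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
 env:
 - name: POD_IP
 valueFrom: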


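--- a/<path-not-shown-4>
+++ b/<path-not-shown-4>
@@ -98,6 +98,12 @@ pod:
 container:
 anchor:
 readOnlyRootFilesystem: true
+controller_manager:
+pod:
+runAsUser: 0
+container:
+controller_manager:
+readOnlyRootFilesystem: true
 mounts:
 controller_manager:
 init_container: null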
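Review bot: `controller_manager.pod.runAsUser: 0` makes root the pod default while the container entry adds only `readOnlyRootFilesystem: true`, so the controller-manager container runs as root in a `hostNetwork` pod; this differs from the apiserver and haproxy values files in the same change, which set the pod default to 65534. If a non-root UID is viable here, `runAsUser: 65534` at the pod level (or an explicit non-root UID under `container.controller_manager`) would align them; if root is required, a `# runs as root because <reason>` comment above `pod:` would record the decision. Indentation is not visible in this rendering, so also confirm that the new `controller_manager:` key sits at the application level (a sibling of the existing `anchor:` application, not of the `anchor:` container shown as context), since the template looks it up as `pod.security_context.controller_manager.pod` and `.container.controller_manager`.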


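--- a/<path-not-shown-5>
+++ b/<path-not-shown-5>
@@ -27,12 +27,14 @@ metadata:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
 {{ dict "envAll" $envAll "podName" "haproxy" "containerNames" (list "haproxy") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
 spec:
+{{ dict "envAll" $envAll "application" "server" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
 hostNetwork: true
 containers:
 - name: haproxy
 image: {{ .Values.images.tags.haproxy }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple . .Values.pod.resources.haproxy_pod | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+{{ dict "envAll" $envAll "application" "server" "container" "haproxy" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
 hostNetwork: true
 env:
 - name: HAPROXY_CONF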
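Review bot: The container security-context snippet at `indent 6` is inserted directly above a second, pre-existing `hostNetwork: true` line, which (indentation being lost in this rendering) appears to sit inside the haproxy container entry while the pod already sets `hostNetwork: true` under `spec:`; `hostNetwork` is a PodSpec field, not a Container field, so if it is at container indentation it is either ignored or rejected depending on the validation in use, and it would be worth dropping while this block is being touched. The application key passed here is `server`, whereas the pod and container are both named `haproxy`; a template comment such as `{{/* security_context for this pod lives under pod.security_context.server */}}` above the pod-level include would save the next reader the lookup. The pod spec starts before this hunk, so the pod-level line's placement relative to other spec fields is only partly visible.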


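--- a/<path-not-shown-6>
+++ b/<path-not-shown-6>
@@ -108,6 +108,13 @@ pod:
 haproxy_haproxy_test:
 runAsUser: 0
 readOnlyRootFilesystem: true
+server:
+pod:
+runAsUser: 65534
+container:
+haproxy:
+runAsUser: 0
+readOnlyRootFilesystem: false
 lifecycle:
 upgrades:
 daemonsets: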


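--- a/<path-not-shown-7>
+++ b/<path-not-shown-7>
@@ -28,11 +28,13 @@ metadata:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
 {{ dict "envAll" $envAll "podName" "scheduler" "containerNames" (list "scheduler") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
 spec:
+{{ dict "envAll" $envAll "application" "scheduler" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
 hostNetwork: true
 containers:
 - name: scheduler
 image: {{ .Values.images.tags.scheduler }}
 {{ tuple $envAll $envAll.Values.pod.resources.scheduler_pod | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+{{ dict "envAll" $envAll "application" "scheduler" "container" "scheduler" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
 env:
 - name: POD_IP
 valueFrom: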


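--- a/<path-not-shown-8>
+++ b/<path-not-shown-8>
@@ -38,6 +38,9 @@ pod:
 anchor:
 runAsUser: 0
 readOnlyRootFilesystem: true
+scheduler:
+runAsUser: 0
+readOnlyRootFilesystem: false
 lifecycle:
 upgrades:
 daemonsets: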
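Review bot: The added `scheduler:` entry carries `runAsUser` and `readOnlyRootFilesystem` directly, with no `pod:`/`container:` sub-keys, unlike the `apiserver`, `controller_manager` and `server` entries added by the other values hunks in this change; the scheduler template hunk calls `kubernetes_pod_security_context` with application `scheduler` and `kubernetes_container_security_context` with application `scheduler` and container `scheduler`, which resolve `pod.security_context.scheduler.pod` and `pod.security_context.scheduler.container.scheduler`. With the structure as added those lookups most likely yield no security context, or fail at render time if `scheduler:` landed under `container:` beside the `anchor:` container shown as context — indentation is not visible in this rendering, so confirm where it sits. Restructuring it to the shape used by the other values files, as below, would make the template's lookups resolve; the pod-level UID is a constructed sample value mirroring the controller_manager file and should be chosen deliberately.
```yaml
scheduler:
  pod:
    runAsUser: 0
  container:
    scheduler:
      runAsUser: 0
      readOnlyRootFilesystem: false
```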