Implement Security Context for Divingbell
Change-Id: Ibc93ccac6d6015faff3491211f5f8cb752a0328f
This commit is contained in:
parent
32da2fbd4b
commit
30200a54d9
@ -39,6 +39,7 @@ spec:
|
||||
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
|
||||
{{ dict "envAll" $envAll "podName" "divingbell-apparmor" "containerNames" (list "apparmor") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
|
||||
spec:
|
||||
{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
|
||||
hostNetwork: true
|
||||
hostPID: true
|
||||
hostIPC: true
|
||||
@ -47,20 +48,21 @@ spec:
|
||||
image: {{ .Values.images.divingbell }}
|
||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.apparmor | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
|
||||
{{ dict "envAll" $envAll "application" "divingbell" "container" "apparmor" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
|
||||
command:
|
||||
- /tmp/{{ $daemonset }}.sh
|
||||
volumeMounts:
|
||||
- name: pod-tmp
|
||||
mountPath: /tmp
|
||||
- name: rootfs-{{ $daemonset }}
|
||||
mountPath: {{ .Values.conf.chroot_mnt_path }}
|
||||
- name: {{ $secretName }}
|
||||
mountPath: /tmp/{{ $daemonset }}.sh
|
||||
subPath: {{ $daemonset }}
|
||||
readOnly: true
|
||||
securityContext:
|
||||
capabilities:
|
||||
add:
|
||||
- 'MAC_ADMIN'
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
emptyDir: {}
|
||||
- name: rootfs-{{ $daemonset }}
|
||||
hostPath:
|
||||
path: /
|
||||
|
@ -39,6 +39,7 @@ spec:
|
||||
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
|
||||
{{ dict "envAll" $envAll "podName" "divingbell-apt" "containerNames" (list "apt") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
|
||||
spec:
|
||||
{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
|
||||
hostNetwork: true
|
||||
hostPID: true
|
||||
hostIPC: true
|
||||
@ -47,18 +48,21 @@ spec:
|
||||
image: {{ .Values.images.divingbell }}
|
||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.apt | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
|
||||
{{ dict "envAll" $envAll "application" "divingbell" "container" "apt" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
|
||||
command:
|
||||
- /tmp/{{ $daemonset }}.sh
|
||||
volumeMounts:
|
||||
- name: pod-tmp
|
||||
mountPath: /tmp
|
||||
- name: rootfs-{{ $daemonset }}
|
||||
mountPath: {{ .Values.conf.chroot_mnt_path }}
|
||||
- name: {{ $secretName }}
|
||||
mountPath: /tmp/{{ $daemonset }}.sh
|
||||
subPath: {{ $daemonset }}
|
||||
readOnly: true
|
||||
securityContext:
|
||||
privileged: true
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
emptyDir: {}
|
||||
- name: rootfs-{{ $daemonset }}
|
||||
hostPath:
|
||||
path: /
|
||||
|
@ -39,6 +39,7 @@ spec:
|
||||
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
|
||||
{{ dict "envAll" $envAll "podName" "divingbell-ethtool" "containerNames" (list "ethtool") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
|
||||
spec:
|
||||
{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
|
||||
hostNetwork: true
|
||||
hostPID: true
|
||||
hostIPC: true
|
||||
@ -47,20 +48,21 @@ spec:
|
||||
image: {{ .Values.images.divingbell }}
|
||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.ethtool | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
|
||||
{{ dict "envAll" $envAll "application" "divingbell" "container" "ethtool" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
|
||||
command:
|
||||
- /tmp/{{ $daemonset }}.sh
|
||||
volumeMounts:
|
||||
- name: pod-tmp
|
||||
mountPath: /tmp
|
||||
- name: rootfs-{{ $daemonset }}
|
||||
mountPath: {{ .Values.conf.chroot_mnt_path }}
|
||||
- name: {{ $secretName }}
|
||||
mountPath: /tmp/{{ $daemonset }}.sh
|
||||
subPath: {{ $daemonset }}
|
||||
readOnly: true
|
||||
securityContext:
|
||||
capabilities:
|
||||
add:
|
||||
- 'NET_ADMIN'
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
emptyDir: {}
|
||||
- name: rootfs-{{ $daemonset }}
|
||||
hostPath:
|
||||
path: /
|
||||
|
@ -39,6 +39,7 @@ spec:
|
||||
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
|
||||
{{ dict "envAll" $envAll "podName" "divingbell-exec" "containerNames" (list "exec") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
|
||||
spec:
|
||||
{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
|
||||
hostNetwork: true
|
||||
hostPID: true
|
||||
hostIPC: true
|
||||
@ -47,18 +48,21 @@ spec:
|
||||
image: {{ .Values.images.divingbell }}
|
||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.exec | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
|
||||
{{ dict "envAll" $envAll "application" "divingbell" "container" "exec" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
|
||||
command:
|
||||
- /tmp/{{ $daemonset }}.sh
|
||||
volumeMounts:
|
||||
- name: pod-tmp
|
||||
mountPath: /tmp
|
||||
- name: rootfs-{{ $daemonset }}
|
||||
mountPath: {{ .Values.conf.chroot_mnt_path }}
|
||||
- name: {{ $secretName }}
|
||||
mountPath: /tmp/{{ $daemonset }}.sh
|
||||
subPath: {{ $daemonset }}
|
||||
readOnly: true
|
||||
securityContext:
|
||||
privileged: true
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
emptyDir: {}
|
||||
- name: rootfs-{{ $daemonset }}
|
||||
hostPath:
|
||||
path: /
|
||||
|
@ -39,6 +39,7 @@ spec:
|
||||
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
|
||||
{{ dict "envAll" $envAll "podName" "divingbell-limits" "containerNames" (list "limits") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
|
||||
spec:
|
||||
{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
|
||||
hostNetwork: true
|
||||
hostPID: true
|
||||
hostIPC: true
|
||||
@ -47,9 +48,12 @@ spec:
|
||||
image: {{ .Values.images.divingbell }}
|
||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.limits | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
|
||||
{{ dict "envAll" $envAll "application" "divingbell" "container" "limits" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
|
||||
command:
|
||||
- /tmp/{{ $daemonset }}.sh
|
||||
volumeMounts:
|
||||
- name: pod-tmp
|
||||
mountPath: /tmp
|
||||
- name: rootfs-{{ $daemonset }}
|
||||
mountPath: {{ .Values.conf.chroot_mnt_path }}
|
||||
- name: {{ $secretName }}
|
||||
@ -57,6 +61,8 @@ spec:
|
||||
subPath: {{ $daemonset }}
|
||||
readOnly: true
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
emptyDir: {}
|
||||
- name: rootfs-{{ $daemonset }}
|
||||
hostPath:
|
||||
path: /
|
||||
|
@ -39,6 +39,7 @@ spec:
|
||||
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
|
||||
{{ dict "envAll" $envAll "podName" "divingbell-mounts" "containerNames" (list "mounts") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
|
||||
spec:
|
||||
{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
|
||||
hostNetwork: true
|
||||
hostPID: true
|
||||
hostIPC: true
|
||||
@ -47,9 +48,12 @@ spec:
|
||||
image: {{ .Values.images.divingbell }}
|
||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.mounts | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
|
||||
{{ dict "envAll" $envAll "application" "divingbell" "container" "mounts" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
|
||||
command:
|
||||
- /tmp/{{ $daemonset }}.sh
|
||||
volumeMounts:
|
||||
- name: pod-tmp
|
||||
mountPath: /tmp
|
||||
- name: rootfs-{{ $daemonset }}
|
||||
mountPath: {{ .Values.conf.chroot_mnt_path }}
|
||||
- name: {{ $secretName }}
|
||||
@ -57,6 +61,8 @@ spec:
|
||||
subPath: {{ $daemonset }}
|
||||
readOnly: true
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
emptyDir: {}
|
||||
- name: rootfs-{{ $daemonset }}
|
||||
hostPath:
|
||||
path: /
|
||||
|
@ -39,6 +39,7 @@ spec:
|
||||
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
|
||||
{{ dict "envAll" $envAll "podName" "divingbell-perm" "containerNames" (list "perm") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
|
||||
spec:
|
||||
{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
|
||||
hostNetwork: true
|
||||
hostPID: true
|
||||
hostIPC: true
|
||||
@ -47,9 +48,12 @@ spec:
|
||||
image: {{ .Values.images.divingbell }}
|
||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.perm | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
|
||||
{{ dict "envAll" $envAll "application" "divingbell" "container" "perm" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
|
||||
command:
|
||||
- /tmp/{{ $daemonset }}.sh
|
||||
volumeMounts:
|
||||
- name: pod-tmp
|
||||
mountPath: /tmp
|
||||
- name: rootfs-{{ $daemonset }}
|
||||
mountPath: {{ .Values.conf.chroot_mnt_path }}
|
||||
- name: {{ $secretName }}
|
||||
@ -57,6 +61,8 @@ spec:
|
||||
subPath: {{ $daemonset }}
|
||||
readOnly: true
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
emptyDir: {}
|
||||
- name: rootfs-{{ $daemonset }}
|
||||
hostPath:
|
||||
path: /
|
||||
|
@ -39,6 +39,7 @@ spec:
|
||||
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
|
||||
{{ dict "envAll" $envAll "podName" "divingbell-sysctl" "containerNames" (list "sysctl") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
|
||||
spec:
|
||||
{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
|
||||
hostNetwork: true
|
||||
hostPID: true
|
||||
hostIPC: true
|
||||
@ -47,22 +48,21 @@ spec:
|
||||
image: {{ .Values.images.divingbell }}
|
||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.sysctl | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
|
||||
{{ dict "envAll" $envAll "application" "divingbell" "container" "sysctl" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
|
||||
command:
|
||||
- /tmp/{{ $daemonset }}.sh
|
||||
volumeMounts:
|
||||
- name: pod-tmp
|
||||
mountPath: /tmp
|
||||
- name: rootfs-{{ $daemonset }}
|
||||
mountPath: {{ .Values.conf.chroot_mnt_path }}
|
||||
- name: {{ $secretName }}
|
||||
mountPath: /tmp/{{ $daemonset }}.sh
|
||||
subPath: {{ $daemonset }}
|
||||
readOnly: true
|
||||
securityContext:
|
||||
capabilities:
|
||||
add:
|
||||
- 'SYS_PTRACE'
|
||||
- 'SYS_ADMIN'
|
||||
- 'SYS_RAWIO'
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
emptyDir: {}
|
||||
- name: rootfs-{{ $daemonset }}
|
||||
hostPath:
|
||||
path: /
|
||||
|
@ -116,6 +116,48 @@ pod:
|
||||
sysctl: runtime/default
|
||||
divingbell-uamlite:
|
||||
uamlite: runtime/default
|
||||
security_context:
|
||||
divingbell:
|
||||
pod:
|
||||
runAsUser: 65534
|
||||
container:
|
||||
apt:
|
||||
readOnlyRootFilesystem: true
|
||||
runAsUser: 0
|
||||
privileged: true
|
||||
apparmor:
|
||||
capabilities:
|
||||
add:
|
||||
- 'MAC_ADMIN'
|
||||
readOnlyRootFilesystem: true
|
||||
runAsUser : 0
|
||||
ethtool:
|
||||
capabilities:
|
||||
add:
|
||||
- 'NET_ADMIN'
|
||||
readOnlyRootFilesystem: true
|
||||
runAsUser : 0
|
||||
exec:
|
||||
readOnlyRootFilesystem: true
|
||||
runAsUser: 0
|
||||
privileged: true
|
||||
limits:
|
||||
readOnlyRootFilesystem: true
|
||||
runAsUser: 0
|
||||
mounts:
|
||||
readOnlyRootFilesystem: true
|
||||
runAsUser: 0
|
||||
perm:
|
||||
readOnlyRootFilesystem: true
|
||||
runAsUser: 0
|
||||
sysctl:
|
||||
capabilities:
|
||||
add:
|
||||
- 'SYS_PTRACE'
|
||||
- 'SYS_ADMIN'
|
||||
- 'SYS_RAWIO'
|
||||
readOnlyRootFilesystem: true
|
||||
runAsUser: 0
|
||||
lifecycle:
|
||||
upgrades:
|
||||
daemonsets:
|
||||
|
Loading…
x
Reference in New Issue
Block a user