From 77f20875b50f92dada40ef2b87ef4e2691d4f728 Mon Sep 17 00:00:00 2001
From: RAHUL KHIYANI
Date: Sun, 21 Apr 2019 21:43:16 -0500
Subject: [PATCH] Libvirt: Fix security context

This PS fixes the use of the security context macros for the libvirt chart.

Change-Id: I3340742a0eaf9cffa9263642fd2b987363128ed5
---
 libvirt/templates/daemonset-libvirt.yaml | 11 ++++-------
 libvirt/values.yaml | 12 ++++++++++++
 2 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/libvirt/templates/daemonset-libvirt.yaml b/libvirt/templates/daemonset-libvirt.yaml
index e8bca78bb..70c174fc4 100644
--- a/libvirt/templates/daemonset-libvirt.yaml
+++ b/libvirt/templates/daemonset-libvirt.yaml
@@ -48,6 +48,7 @@ spec:
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
+{{ dict "envAll" $envAll "application" "libvirt" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 nodeSelector:
 {{ .Values.labels.agent.libvirt.node_selector_key }}: {{ .Values.labels.agent.libvirt.node_selector_value }}
@@ -62,8 +63,7 @@ spec:
 {{- if empty .Values.conf.ceph.cinder.keyring }}
 - name: ceph-admin-keyring-placement
 {{ tuple $envAll "libvirt" | include "helm-toolkit.snippets.image" | indent 10 }}
- securityContext:
- runAsUser: 0
+{{ dict "envAll" $envAll "application" "libvirt" "container" "ceph_admin_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /tmp/ceph-admin-keyring.sh
 volumeMounts:
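Review bot: The pod-level security context included under `spec:` takes `runAsUser: 0` from `pod.security_context.libvirt.pod` in values.yaml, so root becomes the default for every container in this pod rather than only the three that previously set it; the containers in the hunks at -62, -84 and -115 lose their explicit `runAsUser: 0` and now depend on that default. Any init or sidecar container not visible in these hunks would inherit UID 0 as well. Consider leaving the pod-level block empty and setting `runAsUser: 0` under each `container:` key that needs it, so the root requirement stays explicit per container. The pod spec continues outside the hunk.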
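Review bot: The container security context is looked up by the key `ceph_admin_keyring_placement`, which differs from the container name `ceph-admin-keyring-placement`, and nothing in the template ties the two together; the hunks for `ceph-keyring-placement` and `libvirt` use the same pattern. If an operator override misspells or omits the key, the snippet presumably renders nothing and the container falls back to the pod-level context without any error, which for `libvirt` would drop `privileged: true` only at deploy time. A template comment above each include, such as `{{/* values: pod.security_context.libvirt.container.ceph_admin_keyring_placement */}}`, would make the mapping greppable. The container definition continues outside the hunk.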
@@ -84,8 +84,7 @@ spec:
 {{ end }}
 - name: ceph-keyring-placement
 {{ tuple $envAll "libvirt" | include "helm-toolkit.snippets.image" | indent 10 }}
- securityContext:
- runAsUser: 0
+{{ dict "envAll" $envAll "application" "libvirt" "container" "ceph_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 env:
 - name: CEPH_CINDER_USER
 value: "{{ .Values.conf.ceph.cinder.user }}"
@@ -115,9 +114,7 @@ spec:
 - name: libvirt
 {{ tuple $envAll "libvirt" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.libvirt | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- privileged: true
- runAsUser: 0
+{{ dict "envAll" $envAll "application" "libvirt" "container" "libvirt" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 {{- if .Values.conf.ceph.enabled }}
 env:
 - name: CEPH_CINDER_USER
diff --git a/libvirt/values.yaml b/libvirt/values.yaml
index a2cde5ba0..e7c28900b 100644
--- a/libvirt/values.yaml
+++ b/libvirt/values.yaml
@@ -91,6 +91,18 @@ conf:
 cgroup: "kubepods"
 pod:
+ security_context:
+ libvirt:
+ pod:
+ runAsUser: 0
+ container:
+ ceph_admin_keyring_placement:
+ readOnlyRootFilesystem: false
+ ceph_keyring_placement:
+ readOnlyRootFilesystem: false
+ libvirt:
+ privileged: true
+ readOnlyRootFilesystem: false
 affinity:
 anti:
 type:
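Review bot: The new `security_context` defaults in values.yaml carry no comment explaining why `libvirt` needs `privileged: true` and a pod-level `runAsUser: 0`, and the two keyring-placement containers are given only `readOnlyRootFilesystem: false`. Since this block is now the operator-facing place to tune hardening, a short comment above `privileged: true` stating the requirement would keep it from being removed or copied blindly. For `ceph_admin_keyring_placement` and `ceph_keyring_placement`, consider adding `allowPrivilegeEscalation: false`, and check whether `readOnlyRootFilesystem: true` works if the keyring is written only to a mounted volume; the placement scripts are not visible here, so that needs confirming. The `pod:` mapping continues outside the hunk.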