Merge "Ceph-osd: Fix security context for pod/container"

2019-06-06 11:53:10 +00:00 · 2019-06-06 11:53:10 +00:00 · 82291cfe0e
parent 3ba03ed8ea c9a1c412e7
commit 82291cfe0e
2 changed files with 14 additions and 4 deletions
--- a/ceph-osd/templates/daemonset-osd.yaml
+++ b/ceph-osd/templates/daemonset-osd.yaml
@ -265,6 +265,8 @@ spec:
              mountPath: /run
            - name: pod-etc-ceph
              mountPath: /etc/ceph
+            - name: pod-forego
+              mountPath: /etc/forego
            - name: ceph-osd-bin
              mountPath: /tmp/osd-start.sh
              subPath: osd-start.sh
@ -335,6 +337,8 @@ spec:
            medium: "Memory"
        - name: pod-etc-ceph
          emptyDir: {}
+        - name: pod-forego
+          emptyDir: {}
        - name: devices
          hostPath:
            path: /dev
--- a/ceph-osd/values.yaml
+++ b/ceph-osd/values.yaml
@ -43,29 +43,35 @@ pod:
  security_context:
    osd:
      pod:
-        runAsUser: 0
+        runAsUser: 65534
      container:
        ceph_init_dirs:
+          runAsUser: 0
          readOnlyRootFilesystem: true
        ceph_log_ownership:
+          runAsUser: 0
          readOnlyRootFilesystem: true
        osd_init:
+          runAsUser: 0
          privileged: true
          readOnlyRootFilesystem: true
        osd_pod:
+          runAsUser: 0
          privileged: true
-          readOnlyRootFilesystem: false
+          readOnlyRootFilesystem: true
    bootstrap:
      pod:
-        runAsUser: 0
+        runAsUser: 65534
      container:
        ceph_osd_bootstrap:
+          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
    test:
      pod:
-        runAsUser: 0
+        runAsUser: 65534
      container:
        ceph_cluster_helm_test:
+          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
  dns_policy: "ClusterFirstWithHostNet"
  affinity: