diff --git a/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl new file mode 100644 index 000000000..27b8ac0a2 --- /dev/null +++ b/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl @@ -0,0 +1,50 @@ +{{/* +Copyright 2017-2018 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +abstract: | + Renders securityContext for a Kubernetes container. + For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core +examples: + - values: | + pod: + security_context: + myApp: + container: + foo: + runAsUser: 34356 + readOnlyRootFilesystem: true + usage: | + {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }} + return: | + securityContext: + readOnlyRootFilesystem: true + runAsUser: 34356 +*/}} + +{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}} +{{- $envAll := index . "envAll" -}} +{{- $application := index . "application" -}} +{{- $container := index . "container" -}} +{{- if hasKey $envAll.Values.pod "security_context" }} +{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }} +{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }} +securityContext: +{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl index fbf48d6d5..386553ef4 100644 --- a/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl +++ b/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl @@ -17,34 +17,53 @@ limitations under the License. {{/* abstract: | Renders securityContext for a Kubernetes pod. -values: | - pod: - user: - myApp: - uid: 34356 - security_context: - myApp: - readOnlyRootFilesystem: true - seLinuxOptions: - level: "s0:c123,c456" -usage: | - {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }} -return: | - securityContext: - runAsUser: 34356 - readOnlyRootFilesystem: true - seLinuxOptions: - level: s0:c123,c456 + For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core +examples: + - values: | + pod: + # NOTE: The 'user' key is deprecated, and will be removed shortly. + user: + myApp: + uid: 34356 + security_context: + myApp: + pod: + runAsNonRoot: true + usage: | + {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }} + return: | + securityContext: + runAsUser: 34356 + runAsNonRoot: true + - values: | + pod: + security_context: + myApp: + pod: + runAsUser: 34356 + runAsNonRoot: true + usage: | + {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }} + return: | + securityContext: + runAsNonRoot: true + runAsUser: 34356 */}} {{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}} {{- $envAll := index . "envAll" -}} {{- $application := index . "application" -}} securityContext: +{{- if hasKey $envAll.Values.pod "user" }} +{{- if hasKey $envAll.Values.pod.user $application }} +{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }} runAsUser: {{ index $envAll.Values.pod.user $application "uid" }} +{{- end -}} +{{- end -}} +{{- end -}} {{- if hasKey $envAll.Values.pod "security_context" }} {{- if hasKey ( index $envAll.Values.pod.security_context ) $application }} -{{ toYaml ( index $envAll.Values.pod.security_context $application ) | indent 2 }} +{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }} {{- end -}} {{- end -}} {{- end -}}