Ingress: Add pod/container security context

This PS fixes the use of the security context macros for the ingress chart. Change-Id: I28171d529a27c3f203b02c031a6cf289fcc5f3e6
2019-04-18 10:40:15 -05:00 · 2019-04-18 10:40:15 -05:00 · befb8b65e8
commit befb8b65e8
parent 010faee9d5
3 changed files with 35 additions and 17 deletions
--- a/ingress/templates/deployment-error.yaml
+++ b/ingress/templates/deployment-error.yaml
@ -43,6 +43,7 @@ spec:
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
        configmap-etc-hash: {{ tuple "configmap-conf.yaml" . | include "helm-toolkit.utils.hash" }}
    spec:
+{{ dict "envAll" $envAll "application" "error_pages" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      shareProcessNamespace: true
      serviceAccountName: {{ $serviceAccountName }}
      affinity:
@ -56,6 +57,7 @@ spec:
        - name: ingress-error-pages
 {{ tuple $envAll "error_pages" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.error_pages | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "error_pages" "container" "ingress_error_pages" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          livenessProbe:
            httpGet:
              path: /healthz
--- a/ingress/templates/deployment-ingress.yaml
+++ b/ingress/templates/deployment-ingress.yaml
@ -179,8 +179,7 @@ spec:
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
        configmap-etc-hash: {{ tuple "configmap-conf.yaml" . | include "helm-toolkit.utils.hash" }}
    spec:
-      securityContext:
-        readOnlyRootFilesystem: true
+{{ dict "envAll" $envAll "application" "server" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      shareProcessNamespace: true
      serviceAccountName: {{ $serviceAccountName }}
 {{- if eq .Values.deployment.type "Deployment" }}
@ -199,11 +198,7 @@ spec:
 {{- if and .Values.network.host_namespace .Values.network.vip.manage }}
        - name: ingress-vip-kernel-modules
 {{ tuple $envAll "ingress_module_init" | include "helm-toolkit.snippets.image" | indent 10 }}
-          securityContext:
-            capabilities:
-              add:
-                - SYS_MODULE
-            runAsUser: 0
+{{ dict "envAll" $envAll "application" "server" "container" "ingress_vip_kernel_modules" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          command:
            - /tmp/ingress-vip.sh
            - kernel_modules
@ -219,11 +214,7 @@ spec:
              readOnly: true
        - name: ingress-vip-init
 {{ tuple $envAll "ingress_routed_vip" | include "helm-toolkit.snippets.image" | indent 10 }}
-          securityContext:
-            capabilities:
-              add:
-                - NET_ADMIN
-            runAsUser: 0
+{{ dict "envAll" $envAll "application" "server" "container" "ingress_vip_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          env:
 {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.network.vip | indent 12 }}
          command:
@ -241,6 +232,7 @@ spec:
        - name: ingress
 {{ tuple $envAll "ingress" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.ingress | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "server" "container" "ingress" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          readinessProbe:
            httpGet:
              path: /healthz
@ -316,13 +308,9 @@ spec:
              readOnly: true
 {{- if and .Values.network.host_namespace .Values.network.vip.manage }}
        - name: ingress-vip
-          securityContext:
-            capabilities:
-              add:
-                - NET_ADMIN
-            runAsUser: 0
 {{- if eq .Values.network.vip.mode "routed" }}
 {{ tuple $envAll "ingress_routed_vip" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "server" "container" "ingress_vip" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          env:
 {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.network.vip | indent 12 }}
          command:
--- a/ingress/values.yaml
+++ b/ingress/values.yaml
@ -41,6 +41,34 @@ images:
      - image_repo_sync

 pod:
+  security_context:
+    error_pages:
+      pod:
+        runAsUser: 0
+      container:
+        ingress_error_pages:
+          readOnlyRootFilesystem: true
+    server:
+      pod:
+        runAsUser: 0
+      container:
+        ingress_vip_kernel_modules:
+          capabilities:
+            add:
+              - SYS_MODULE
+          readOnlyRootFilesystem: false
+        ingress_vip_init:
+          capabilities:
+            add:
+              - NET_ADMIN
+          readOnlyRootFilesystem: false
+        ingress:
+          readOnlyRootFilesystem: false
+        ingress_vip:
+          capabilities:
+            add:
+              - NET_ADMIN
+          readOnlyRootFilesystem: false
  affinity:
    anti:
      type: