Calico: Fix security context

This patch set fixes the use of the helm-toolkit security context macros
in the calico chart, moving the pod- and container-level settings into values.

Change-Id: I2ed8a5e994726b625d76a2c308895441c7d174a9
Signed-off-by: Pete Birley <pete@port.direct>
This commit is contained in:
Pete Birley 2019-04-21 07:15:46 -05:00 committed by Pete Birley
parent 4e3359a931
commit eb58abb880
5 changed files with 39 additions and 17 deletions


@ -51,7 +51,7 @@ spec:
# a failure. This annotation works in tandem with the toleration below.
scheduler.alpha.kubernetes.io/critical-pod: ''
spec:
{{ dict "envAll" $envAll "application" "calico" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
{{ dict "envAll" $envAll "application" "etcd" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }}
tolerations:
# This taint is set by all kubelets running `--cloud-provider=external`
@ -76,7 +76,7 @@ spec:
- name: calico-etcd
{{ tuple $envAll "calico_etcd" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.calico_etcd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "calico" "container" "calico_etcd" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
{{ dict "envAll" $envAll "application" "etcd" "container" "calico_etcd" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env:
- name: CALICO_ETCD_IP
valueFrom:
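Review bot: The container security context rendered for `calico-etcd` (L30) now takes its default from values, where this same change flips `calico_etcd.readOnlyRootFilesystem` from `true` to `false`, so the etcd container is being relaxed rather than merely moved into the macro. If etcd only writes to its data directory, that path is presumably already a volume and the container could keep `readOnlyRootFilesystem: true` as its values default; if a writable root filesystem really is needed, a comment in values naming the path that requires it would stop the next reviewer from re-tightening it. The pod-level macro (L21) also renders `runAsUser: 0`; whether the etcd image needs uid 0 is not visible from this hunk. The container definition continues past the end of the hunk.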


@ -119,8 +119,7 @@ spec:
{{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_pod_annotations" | indent 8 }}
{{- end }}
spec:
securityContext:
readOnlyRootFilesystem: true
{{ dict "envAll" $envAll "application" "calico_node" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
nodeSelector:
beta.kubernetes.io/os: linux
hostNetwork: true
@ -144,6 +143,7 @@ spec:
- name: install-calicoctl
{{ tuple $envAll "calico_ctl" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.calico_ctl | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "calico_node" "container" "calico_ctl" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/install-calicoctl.sh
env:
@ -206,6 +206,7 @@ spec:
# and CNI network config file on each node.
- name: install-cni
{{ tuple $envAll "calico_cni" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ dict "envAll" $envAll "application" "calico_node" "container" "install_cni" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command: ["/install-cni.sh"]
env:
# Prevents the container from sleeping forever.
@ -310,6 +311,7 @@ spec:
- name: calico-node
{{ tuple $envAll "calico_node" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.calico_node | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "calico_node" "container" "calico_node" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env:
# Values expanded explicitly from conf.node (some of which
# might be derived from elsewhere, see values.yaml for an
@ -348,14 +350,6 @@ spec:
fieldRef:
fieldPath: spec.nodeName
securityContext:
capabilities:
add:
- 'NET_ADMIN'
- 'SYS_ADMIN'
resources:
requests:
cpu: 250m
livenessProbe:
httpGet:
path: /liveness
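Review bot: The values defaults behind the three new container snippets (L51, L59, L67) render `readOnlyRootFilesystem: false` for every container in this `hostNetwork: true` DaemonSet, and `calico_node` additionally keeps `NET_ADMIN` and `SYS_ADMIN`; note that the removed pod-level `securityContext: readOnlyRootFilesystem: true` (L41-L42) is not a PodSecurityContext field, so the old setting was most likely never applied and this change makes the effective posture explicit rather than introducing it. Because `SYS_ADMIN` is close to full root on the node, the reason it is required should be recorded next to the value, e.g. `# SYS_ADMIN: required by calico-node (confirm exact need); do not add further capabilities`. For `install-calicoctl` and `install-cni`, which as far as the hunk shows only install binaries and the CNI config onto each node, `readOnlyRootFilesystem: true` would likely still work if their write targets are volume mounts; the mounts and the rest of each container definition are outside the hunk, so confirm before tightening.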


@ -93,8 +93,7 @@ spec:
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
securityContext:
readOnlyRootFilesystem: true
{{ dict "envAll" $envAll "application" "kube_controllers" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
nodeSelector:
beta.kubernetes.io/os: linux
# The controllers must run in the host network namespace so that
@ -117,6 +116,7 @@ spec:
- name: calico-kube-controllers
{{ tuple $envAll "calico_kube_controllers" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.calico_kube_controllers | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "kube_controllers" "container" "kube_controller" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env:
# The location of the Calico etcd cluster.
- name: ETCD_ENDPOINTS
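Review bot: The new container snippet for `calico-kube-controllers` (L102) keys its values lookup as `kube_controller`, while the other lookups in this change reuse the image key (`calico_etcd`, `calico_node`, `calico_settings`) or the container name (`install_cni`); someone reading values.yaml will look for `calico_kube_controllers` and not find it. Using `"container" "calico_kube_controllers"` here and the same key under `pod.security_context.kube_controllers.container` keeps the lookup greppable from the image and container names. Separately, the pod-level macro (L94) renders `runAsUser: 0` for a controller that, as far as this section shows, only needs etcd and API-server access; if the image supports a non-root uid this is a candidate for it, and if not a comment in values saying so would be useful. The container definition continues past the end of the hunk.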


@ -39,6 +39,7 @@ spec:
labels:
{{ tuple $envAll "calico" "calico_settings" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec:
{{ dict "envAll" $envAll "application" "calico_settings" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
hostNetwork: true
tolerations:
- key: node-role.kubernetes.io/master
@ -55,6 +56,7 @@ spec:
- name: calico-settings
{{ tuple $envAll "calico_settings" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.calico_settings | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "calico_settings" "container" "calico_settings" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env:
- name: ETCD_ENDPOINTS
valueFrom:
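Review bot: The defaults rendered by the new pod and container snippets (L113, L121) give this `hostNetwork: true` job uid 0 and a writable root filesystem, which is the broadest setting in the chart for what appears, from its name and the `ETCD_ENDPOINTS` env, to be a one-shot configuration-apply step. If the job only needs a scratch path for its script, `readOnlyRootFilesystem: true` plus an `emptyDir` mounted there is the usual pattern; the volume mounts are outside this hunk, so confirm before tightening. Failing that, a values comment such as `# calico_settings needs a writable root fs for <path>; revisit once it is a volume` would at least record why the default is loose. The container definition continues past the end of the hunk.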


@ -38,12 +38,38 @@ images:
pod:
security_context:
calico:
etcd:
pod:
runAsUser: 0
container:
calico_etcd:
readOnlyRootFilesystem: true
readOnlyRootFilesystem: false
calico_node:
pod:
runAsUser: 0
container:
calico_ctl:
readOnlyRootFilesystem: false
install_cni:
readOnlyRootFilesystem: false
calico_node:
readOnlyRootFilesystem: false
capabilities:
add:
- 'NET_ADMIN'
- 'SYS_ADMIN'
kube_controllers:
pod:
runAsUser: 0
container:
kube_controller:
readOnlyRootFilesystem: false
calico_settings:
pod:
runAsUser: 0
container:
calico_settings:
readOnlyRootFilesystem: false
resources:
enabled: false
jobs:
@ -71,7 +97,7 @@ pod:
calico_node:
requests:
memory: "128Mi"
cpu: "100m"
cpu: "250m"
limits:
memory: "1024Mi"
cpu: "2000m"
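Review bot: The `calico_etcd` default changes from `readOnlyRootFilesystem: true` (L137) to `false` (L138) in the same hunk that introduces the per-container defaults, so the chart's only previously read-only container becomes writable by default and nothing in the change records why. If the loosening is needed, a comment above the key — `# etcd needs a writable root fs for <path>; set true once that path is a volume` — documents it; if it is not, the original `true` should be kept. The same block sets `runAsUser: 0` for every pod and grants `calico_node` `NET_ADMIN` and `SYS_ADMIN`, presumably mirroring what the DaemonSet template previously hard-coded; for the containers that add no capabilities (`calico_ctl`, `install_cni`, `kube_controller`, `calico_settings`) an `allowPrivilegeEscalation: false` line is a cheap hardening, assuming the helm-toolkit container snippet passes keys through unchanged (its implementation is not visible here).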