From eb58abb880afb8d5a7ff2b775c08ec88c488b8a9 Mon Sep 17 00:00:00 2001
From: Pete Birley
Date: Sun, 21 Apr 2019 07:15:46 -0500
Subject: [PATCH] Calico: Fix security context

This PS fixes the use of the security context macros for the calico chart.

Change-Id: I2ed8a5e994726b625d76a2c308895441c7d174a9
Signed-off-by: Pete Birley
---
 calico/templates/daemonset-calico-etcd.yaml | 4 +--
 calico/templates/daemonset-calico-node.yaml | 14 +++----
 .../deployment-calico-kube-controllers.yaml | 4 +--
 calico/templates/job-calico-settings.yaml | 2 ++
 calico/values.yaml | 32 +++++++++++++++++--
 5 files changed, 39 insertions(+), 17 deletions(-)

diff --git a/calico/templates/daemonset-calico-etcd.yaml b/calico/templates/daemonset-calico-etcd.yaml
index 5d937c035..12a873a32 100644
--- a/calico/templates/daemonset-calico-etcd.yaml
+++ b/calico/templates/daemonset-calico-etcd.yaml
@@ -51,7 +51,7 @@ spec:
 # a failure. This annotation works in tandem with the toleration below.
 scheduler.alpha.kubernetes.io/critical-pod: ''
 spec:
-{{ dict "envAll" $envAll "application" "calico" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+{{ dict "envAll" $envAll "application" "etcd" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 tolerations:
 # This taint is set by all kubelets running `--cloud-provider=external`
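Review bot: The values key chosen for the etcd pod's security context is `etcd`, while every other identifier for this component in the chart is `calico_etcd` — the image key and `pod.resources.calico_etcd` in the next hunk, and the container key on the new line itself. Using `"application" "calico_etcd"` here and on the container line of the next hunk, with the matching rename of the `etcd:` entry in values.yaml, would keep the security-context block greppable next to the `images` and `pod.resources` blocks that already use that name. The same drift appears in the deployment, where the application key is `kube_controllers` and the container key `kube_controller` although the image and resources keys are `calico_kube_controllers`. The enclosing pod template continues outside the hunk.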
@@ -76,7 +76,7 @@ spec:
 - name: calico-etcd
 {{ tuple $envAll "calico_etcd" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.calico_etcd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-{{ dict "envAll" $envAll "application" "calico" "container" "calico_etcd" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ dict "envAll" $envAll "application" "etcd" "container" "calico_etcd" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 env:
 - name: CALICO_ETCD_IP
 valueFrom:
diff --git a/calico/templates/daemonset-calico-node.yaml b/calico/templates/daemonset-calico-node.yaml
index 4913d33fb..915b14085 100644
--- a/calico/templates/daemonset-calico-node.yaml
+++ b/calico/templates/daemonset-calico-node.yaml
@@ -119,8 +119,7 @@ spec:
 {{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_pod_annotations" | indent 8 }}
 {{- end }}
 spec:
- securityContext:
- readOnlyRootFilesystem: true
+{{ dict "envAll" $envAll "application" "calico_node" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 nodeSelector:
 beta.kubernetes.io/os: linux
 hostNetwork: true
@@ -144,6 +143,7 @@ spec:
 - name: install-calicoctl
 {{ tuple $envAll "calico_ctl" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.calico_ctl | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "calico_node" "container" "calico_ctl" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /tmp/install-calicoctl.sh
 env:
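Review bot: The pod-level `securityContext: readOnlyRootFilesystem: true` removed in the `@@ -119,8` hunk never had any effect — `readOnlyRootFilesystem` is a field of the container SecurityContext, not of PodSecurityContext, so the API server ignores it at the pod level (or rejects it under strict validation) — which means the only thing the old lines carried was the author's intent, and the replacement defaults in values.yaml (`readOnlyRootFilesystem: false` for `calico_ctl`, `install_cni` and `calico_node`) turn that intent into an explicit loosening rather than a fix. The `install-calicoctl` and `install-cni` init containers appear to write only to mounted host paths rather than to their own root filesystem (not verifiable from this hunk), so `readOnlyRootFilesystem: true` is probably viable for at least those two and would preserve what the removed lines were trying to express. The `@@ -93,8` hunk of deployment-calico-kube-controllers.yaml has the same pattern: an ineffective pod-level `true` replaced by a container-level `false` default. The pod spec being edited continues outside both hunks.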
@@ -206,6 +206,7 @@ spec:
 # and CNI network config file on each node.
 - name: install-cni
 {{ tuple $envAll "calico_cni" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "calico_node" "container" "install_cni" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command: ["/install-cni.sh"]
 env:
 # Prevents the container from sleeping forever.
@@ -310,6 +311,7 @@ spec:
 - name: calico-node
 {{ tuple $envAll "calico_node" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.calico_node | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "calico_node" "container" "calico_node" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 env:
 # Values expanded explicitly from conf.node (some of which
 # might be derived from elsewhere, see values.yaml for an
@@ -348,14 +350,6 @@ spec:
 fieldRef:
 fieldPath: spec.nodeName
- securityContext:
- capabilities:
- add:
- - 'NET_ADMIN'
- - 'SYS_ADMIN'
- resources:
- requests:
- cpu: 250m
 livenessProbe:
 httpGet:
 path: /liveness
diff --git a/calico/templates/deployment-calico-kube-controllers.yaml b/calico/templates/deployment-calico-kube-controllers.yaml
index 39478f0de..bbae02d44 100644
--- a/calico/templates/deployment-calico-kube-controllers.yaml
+++ b/calico/templates/deployment-calico-kube-controllers.yaml
@@ -93,8 +93,7 @@ spec:
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
- securityContext:
- readOnlyRootFilesystem: true
+{{ dict "envAll" $envAll "application" "kube_controllers" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 nodeSelector:
 beta.kubernetes.io/os: linux
 # The controllers must run in the host network namespace so that
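Review bot: Dropping the inline `resources: requests: cpu: 250m` in the `@@ -348,14` hunk is only equivalent to the old manifest when `pod.resources.enabled` is true: if I read helm-toolkit's `kubernetes_resources` snippet correctly it renders nothing otherwise, and the values.yaml hunk in this same change shows `resources: enabled: false` as the chart default, so a default install now schedules the calico-node container with no CPU request at all even though `pod.resources.calico_node.requests.cpu` was raised to `"250m"` to match. The old inline request applied unconditionally to a critical-pod daemonset, so if that guarantee matters it should either stay inline on the container or be called out in values.yaml, e.g. `# set pod.resources.enabled: true to restore the 250m CPU request calico-node previously carried inline`. The capability moves themselves look consistent with the values entries added for `calico_node`. The calico-node container definition continues outside the hunk.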
@@ -117,6 +116,7 @@ spec:
 - name: calico-kube-controllers
 {{ tuple $envAll "calico_kube_controllers" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.calico_kube_controllers | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "kube_controllers" "container" "kube_controller" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 env:
 # The location of the Calico etcd cluster.
 - name: ETCD_ENDPOINTS
diff --git a/calico/templates/job-calico-settings.yaml b/calico/templates/job-calico-settings.yaml
index fccc40c0c..9c85eebb7 100644
--- a/calico/templates/job-calico-settings.yaml
+++ b/calico/templates/job-calico-settings.yaml
@@ -39,6 +39,7 @@ spec:
 labels:
 {{ tuple $envAll "calico" "calico_settings" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
+{{ dict "envAll" $envAll "application" "calico_settings" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 hostNetwork: true
 tolerations:
 - key: node-role.kubernetes.io/master
@@ -55,6 +56,7 @@ spec:
 - name: calico-settings
 {{ tuple $envAll "calico_settings" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.calico_settings | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "calico_settings" "container" "calico_settings" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 env:
 - name: ETCD_ENDPOINTS
 valueFrom:
diff --git a/calico/values.yaml b/calico/values.yaml
index 29e5ae886..d30be685c 100644
--- a/calico/values.yaml
+++ b/calico/values.yaml
@@ -38,12 +38,38 @@ images:
 pod:
 security_context:
- calico:
+ etcd:
 pod:
 runAsUser: 0
 container:
 calico_etcd:
- readOnlyRootFilesystem: true
+ readOnlyRootFilesystem: false
+ calico_node:
+ pod:
+ runAsUser: 0
+ container:
+ calico_ctl:
+ readOnlyRootFilesystem: false
+ install_cni:
+ readOnlyRootFilesystem: false
+ calico_node:
+ readOnlyRootFilesystem: false
+ capabilities:
+ add:
+ - 'NET_ADMIN'
+ - 'SYS_ADMIN'
+ kube_controllers:
+ pod:
+ runAsUser: 0
+ container:
+ kube_controller:
+ readOnlyRootFilesystem: false
+ calico_settings:
+ pod:
+ runAsUser: 0
+ container:
+ calico_settings:
+ readOnlyRootFilesystem: false
 resources:
 enabled: false
 jobs:
@@ -71,7 +97,7 @@ pod:
 calico_node:
 requests:
 memory: "128Mi"
- cpu: "100m"
+ cpu: "250m"
 limits:
 memory: "1024Mi"
 cpu: "2000m"
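Review bot: Every entry in the new `security_context` block defaults to `runAsUser: 0` for the pod and `readOnlyRootFilesystem: false` for the container, so the chart's shipped posture is root with a writable root filesystem for etcd, kube-controllers and the settings job as well as for calico-node, and for `calico_etcd` the `true` → `false` flip is a regression from what the chart had before this change. The only component whose need for elevated privilege is visible in the diff is the `calico_node` container, which adds `NET_ADMIN`/`SYS_ADMIN` and whose pod runs with `hostNetwork: true`; nothing here shows that etcd (presumably writing to a mounted data directory — not visible in these hunks), the controllers or the calicoctl job need a writable rootfs, so keeping `readOnlyRootFilesystem: true` for `calico_etcd` and trying it on the others would be the least-privilege default, with any exception documented in place. A comment on the `calico_node` container entry such as `# calico-node programs host routes and iptables and needs NET_ADMIN/SYS_ADMIN; rootfs stays writable for its runtime state` would record why this entry is the privileged one. A non-zero uid with `runAsNonRoot` would tighten the four pods further, but whether the images tolerate that cannot be confirmed from this change. The `pod:` block continues outside the hunk.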