Commit Graph

17 Commits

Author SHA1 Message Date
Tin Lam
6d5b84a458 chore(ver): updates the k8s-keystone-auth version
The default value of the kubernetes keystone authorization webhook is
grossly outdated (v0.2). This patch set brings the default up to the
latest of this patch set (v1.19).

Change-Id: Idbf8d027ad6d5f4fb8bdedaf3047c06c66eef27d
Signed-off-by: Tin Lam <tin@irrational.io>
2020-09-24 05:41:44 +00:00
KHIYANI, RAHUL (rk0850)
3332968caa Add apparmor profile to keystone-webhook container
Change-Id: I583c4c01e2c92c16705420fe726e3e7648a16705
2020-08-12 18:57:21 -05:00
KHIYANI, RAHUL (rk0850)
a58a78ff83 Add security context template for keystone-webhook container
This implements security context override at pod level and adds
readOnly-fs to keystone-webhook container

Change-Id: Ia67947b7323e41363a5ee379c0dfb001936b5107
2020-08-11 09:45:08 -05:00
Andrii Ostapenko
731a6b4cfa Enable yamllint checks
- document-end
- document-start
- empty-lines
- hyphens
- indentation
- key-duplicates
- new-line-at-end-of-file
- new-lines
- octal-values

with corresponding code adjustment.

Change-Id: I92d6aa20df82aa0fe198f8ccd535cfcaf613f43a
2020-05-29 19:49:05 +00:00
Gage Hugo
d14d826b26 Remove OSH Authors copyright
The current copyright refers to a non-existent group
"openstack helm authors" with often out-of-date references that
are confusing when adding a new file to the repo.

This change removes all references to this copyright by the
non-existent group and any blank lines underneath.

Change-Id: I1882738cf9757c5350a8533876fd37b5920b5235
2020-05-07 02:11:15 +00:00
Steve Wilkerson
b50fae62a4 Update kubernetes-entrypoint image reference
This updates the kubernetes-entrypoint image reference to consume
the publicly available kubernetes-entrypoint image that is built
and maintained under the airshipit namespace, as the stackanetes
image is no longer actively maintained

Change-Id: I5bfdc156ae228ab16da57569ac6b05a9a125cb6a
Signed-off-by: Steve Wilkerson <sw5822@att.com>
2019-10-18 18:20:11 +00:00
Jean-Philippe Evrard
5f5e988fb3 Point to OSH-images images
We now have a process for OSH-images image building,
using Zuul, so we should point the images by default to those
images, instead of pointing to stale images.

Without this, the osh-images build process is completely not
in use (and completely opaque to deployers), and updating the
osh-images process or patching its code has no impact on OSH.

This should fix it.

Change-Id: Ic00bd98c151669dc2485cd88e0e8c2ab05445959
2019-05-17 08:17:32 +00:00
Roy Tang (rt7380)
85bd731562 Expose Anti-Affinity Weight Setting
This ps exposes the anti-affinity weight value, including
default, that will be consumed by the updated htk function.

Change-Id: Id8eb303674764ef8b0664f62040723aaf77e0a54
2019-05-14 17:04:52 -05:00
Gupta, Sangeet (sg774j)
b1d0fd3699 Kubernetes-keystone-webhook: Add security context
This adds the security context to the
kubernetes-keystone-webhook. This changes the default
user from root to the nobody user.
This also adds the container security context to
explicitly set allowPrivilegeEscalation to false

Change-Id: I54621e94f2866a4b4301baa6b570472c5fcda291
2019-02-21 16:01:09 -06:00
Sangeet Gupta
eac7202774 k8s-keystone create cluster roles and tests
This commit adds roles to kubernetes-keystone-webhook policy
which has permissions similar to clusterroles cluster-admin,
edit and view present in kubernetes.

Check.sh script is also modified to test and verify the new
roles.

Change-Id: I43621d2e1036259064c805d97b340589a5b68c93
2018-12-01 19:14:31 +00:00
Tin Lam
93f85d8745 Update k8s-keystone-webhook image
This patch set updates the default docker image to use the official
k8scloudprovider image for the kubernetes-keystone-webhook.

Change-Id: Ib9cc3efaf63569e20d07fa9b3ad9f45b49ab7cc9
Signed-off-by: Tin Lam <tin@irrational.io>
2018-09-20 06:42:00 +00:00
Jean-Philippe Evrard
bf069b2311 Revert "Update OSH Author copyrights to OSF"
This reverts commit 178aa271a4.

Change-Id: I38a52d866527dfff2689b618e055f439bc248c13
2018-08-28 17:25:54 +00:00
Matt McEuen
178aa271a4 Update OSH Author copyrights to OSF
This PS updates the "Openstack-Helm Authors" copyright attribution
to be the "OpenStack Foundation", as decided in the 2018-03-20
team meeting:
http://eavesdrop.openstack.org/meetings/openstack_helm/2018/openstack_helm.2018-03-20-15.00.log.html

No other copyright attributions were changed.

Change-Id: I1137dee2ae5728771835f4b33fcaff60fcc22ca9
2018-08-26 17:17:06 -05:00
Pete Birley
89be3269d6 Keystone: Update endpoints to point to current defaults
This PS updates the keystone endpoints section used in the
webhook authenticator and the prometheus exporter.

Depends-On: https://review.openstack.org/#/c/588651
Change-Id: Ia2df0ec1b783705f7e2ac164a8729d61962e2bc8
Signed-off-by: Pete Birley <pete@port.direct>
2018-08-04 08:08:51 -05:00
Tin Lam
91fa516951 Update policy
This patch set updates the k8s-keystone-auth policy.

Change-Id: Ia08d393f363ecb49007dc4d4801c61e569b89981
Signed-off-by: Tin Lam <tin@irrational.io>
2018-05-25 19:46:42 -05:00
Pete Birley
39e1f7f9f3 KubeADM: Keystone Kubernetes Webhook
This PS adds the ability to deploy the Keystone Kubernetes Webhook
chart via kubeadm-aio

Change-Id: I18b0477a775de942f940e9c0984559089dca1cdb
Co-Authored-By: Tin Lam <tin@irrational.io>
Co-Authored-By: Gage Hugo <gagehugo@gmail.com>
Signed-off-by: Pete Birley <pete@port.direct>
2018-05-18 00:53:58 -05:00
Tin Lam
d11edaf5be Add kubernetes-keystone-webhook chart
This patch set adds a kubernetes keystone webhook authorizer chart to
OpenStack-Helm-Infra.

Change-Id: I16136f4ac2a787e8bcf90eb0675294300ac088f0
Co-Authored-By: Gage Hugo <gagehugo@gmail.com>
Signed-off-by: Tin Lam <tin@irrational.io>
Signed-off-by: Pete Birley <pete@port.direct>
2018-05-17 00:00:36 -05:00