openstack/openstack-helm
Code Issues Proposed changes

Merge "Implement Security Context for Nova"

Browse Source
This commit is contained in:
Zuul 2019-06-04 21:16:34 +00:00 committed by Gerrit Code Review
commit 0ee6063173
9 changed files with 88 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
nova/templates/daemonset-compute.yaml
View File

@ -58,8 +58,7 @@ spec:
{{ tuple $envAll "pod_dependency" $mounts_nova_compute_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
- name: nova-compute-init
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
securityContext:
runAsUser: 0
{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env:
- name: NOVA_USER_UID
value: "{{ .Values.pod.user.nova.uid }}"
@ -79,8 +78,7 @@ spec:
{{- if .Values.conf.ceph.enabled }}
- name: ceph-perms
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
securityContext:
runAsUser: 0
{{ dict "envAll" $envAll "application" "nova" "container" "ceph_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- chown
- -R
@ -94,6 +92,7 @@ spec:
{{- if empty .Values.conf.ceph.cinder.keyring }}
- name: ceph-admin-keyring-placement
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ dict "envAll" $envAll "application" "nova" "container" "ceph_admin_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/ceph-admin-keyring.sh
volumeMounts:
@ -114,8 +113,7 @@ spec:
{{ end }}
- name: ceph-keyring-placement
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
{{ dict "envAll" $envAll "application" "nova" "container" "ceph_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env:
- name: CEPH_CINDER_USER
value: "{{ .Values.conf.ceph.cinder.user }}"
@ -144,8 +142,7 @@ spec:
- name: nova-compute-vnc-init
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_vnc_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/nova-console-compute-init.sh
volumeMounts:
@ -162,8 +159,7 @@ spec:
- name: nova-compute-spice-init
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_spice_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/nova-console-compute-init.sh
volumeMounts:
@ -180,6 +176,7 @@ spec:
- name: nova-compute
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "nova_compute" "container" "nova_compute" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
securityContext:
privileged: true
{{- if .Values.conf.ceph.enabled }}
@ -316,6 +313,7 @@ spec:
- name: nova-compute-ssh
{{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "nova_compute" "container" "nova_compute_ssh" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
securityContext:
privileged: true
env:

6
nova/templates/deployment-api-metadata.yaml
View File

@ -58,8 +58,7 @@ spec:
- name: nova-api-metadata-init
{{ tuple $envAll "nova_api" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.api_metadata | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
{{ dict "envAll" $envAll "application" "nova" "container" "nova_api_metadata_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/nova-api-metadata-init.sh
volumeMounts:
@ -79,8 +78,7 @@ spec:
- name: nova-api
{{ tuple $envAll "nova_api" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.api_metadata | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
{{ dict "envAll" $envAll "application" "nova" "container" "nova_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/nova-api-metadata.sh
- start

7
nova/templates/deployment-api-osapi.yaml
View File

@ -59,8 +59,7 @@ spec:
- name: nova-osapi
{{ tuple $envAll "nova_api" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
{{ dict "envAll" $envAll "application" "nova" "container" "nova_osapi" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/nova-api.sh
- start
@ -83,6 +82,8 @@ spec:
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: pod-var-nova
mountPath: /var/lib/nova
- name: nova-bin
mountPath: /tmp/nova-api.sh
subPath: nova-api.sh
@ -111,6 +112,8 @@ spec:
volumes:
- name: pod-tmp
emptyDir: {}
- name: pod-var-nova
emptyDir: {}
- name: nova-bin
configMap:
name: nova-bin

3
nova/templates/deployment-conductor.yaml
View File

@ -58,8 +58,7 @@ spec:
- name: nova-conductor
{{ tuple $envAll "nova_conductor" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.conductor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
{{ dict "envAll" $envAll "application" "nova" "container" "nova_conductor" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
readinessProbe:
exec:
command:

3
nova/templates/deployment-consoleauth.yaml
View File

@ -58,8 +58,7 @@ spec:
- name: nova-consoleauth
{{ tuple $envAll "nova_consoleauth" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.consoleauth | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
{{ dict "envAll" $envAll "application" "nova" "container" "nova_consoleauth" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
readinessProbe:
exec:
command:

5
nova/templates/deployment-novncproxy.yaml
View File

@ -59,8 +59,7 @@ spec:
- name: nova-novncproxy-init
{{ tuple $envAll "nova_novncproxy" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.novncproxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
{{ dict "envAll" $envAll "application" "nova" "container" "nova_novncproxy_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/nova-console-proxy-init.sh
volumeMounts:
@ -83,6 +82,7 @@ spec:
- name: nova-novncproxy-init-assets
{{ tuple $envAll "nova_novncproxy_assets" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.novncproxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "nova" "container" "nova_novncproxy_init_assests" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/nova-console-proxy-init-assets.sh
volumeMounts:
@ -98,6 +98,7 @@ spec:
- name: nova-novncproxy
{{ tuple $envAll "nova_novncproxy" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.novncproxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "nova" "container" "nova_novncproxy" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
readinessProbe:
tcpSocket:
port: {{ tuple "compute_novnc_proxy" "internal" "novnc_proxy" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}

3
nova/templates/deployment-scheduler.yaml
View File

@ -58,8 +58,7 @@ spec:
- name: nova-scheduler
{{ tuple $envAll "nova_scheduler" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.scheduler | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
{{ dict "envAll" $envAll "application" "nova" "container" "nova_scheduler" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
readinessProbe:
exec:
command:

5
nova/templates/deployment-spiceproxy.yaml
View File

@ -59,8 +59,7 @@ spec:
- name: nova-spiceproxy-init
{{ tuple $envAll "nova_spiceproxy" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.spiceproxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
{{ dict "envAll" $envAll "application" "nova" "container" "nova_spiceproxy_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/nova-console-proxy-init.sh
volumeMounts:
@ -83,6 +82,7 @@ spec:
- name: nova-spiceproxy-init-assets
{{ tuple $envAll "nova_spiceproxy_assets" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.spiceproxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "nova" "container" "nova_spiceproxy_init_assets" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/nova-console-proxy-init-assets.sh
volumeMounts:
@ -98,6 +98,7 @@ spec:
- name: nova-spiceproxy
{{ tuple $envAll "nova_spiceproxy" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.spiceproxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "nova" "container" "nova_spiceproxy" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
readinessProbe:
tcpSocket:
port: {{ tuple "compute_spice_proxy" "internal" "spice_proxy" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}

64
nova/values.yaml
View File

@ -2114,6 +2114,70 @@ pod:
user:
nova:
uid: 42424
security_context:
nova:
pod:
runAsUser: 42424
container:
nova_compute_init:
readOnlyRootFilesystem: true
runAsUser: 0
ceph_perms:
readOnlyRootFilesystem: true
runAsUser: 0
ceph_admin_keyring_placement:
readOnlyRootFilesystem: true
ceph_keyring_placement:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
nova_compute_vnc_init:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
nova_compute_spice_init:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
nova_compute:
readOnlyRootFilesystem: true
privileged: true
nova_compute_ssh:
readOnlyRootFilesystem: true
privileged: true
nova_api_metadata_init:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
nova_api:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
nova_osapi:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
nova_conductor:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
nova_consoleauth:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
nova_novncproxy_init:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
nova_novncproxy_init_assests:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
nova_novncproxy:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
nova_scheduler:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
nova_spiceproxy_init:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
nova_spiceproxy_init_assets:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
nova_spiceproxy:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
affinity:
anti:
type: