Security: Container user for support openstack services

This PS adds user control for the service user for support openstack services. Change-Id: I132511bfc09d20a2f155bb9498a7fe8eeee8b6f9
2017-08-24 22:03:51 -05:00 · 2017-08-24 22:03:51 -05:00 · 27864cec04
commit 27864cec04
parent 7463058b73
15 changed files with 37 additions and 0 deletions
--- a/glance/templates/deployment-api.yaml
+++ b/glance/templates/deployment-api.yaml
@ -62,6 +62,8 @@ spec:
        - name: ceph-keyring-placement
          image: {{ .Values.images.api }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
+          securityContext:
+            runAsUser: {{ .Values.pod.user.glance.uid }}
          command:
            - /tmp/ceph-keyring.sh
          volumeMounts:
@ -81,6 +83,8 @@ spec:
          image: {{ .Values.images.api }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          securityContext:
+            runAsUser: {{ .Values.pod.user.glance.uid }}
          command:
            - /tmp/glance-api.sh
            - start
--- a/glance/templates/deployment-registry.yaml
+++ b/glance/templates/deployment-registry.yaml
@ -47,6 +47,8 @@ spec:
          image: {{ .Values.images.registry }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.registry | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          securityContext:
+            runAsUser: {{ .Values.pod.user.glance.uid }}
          command:
            - /tmp/glance-registry.sh
            - start
--- a/glance/values.yaml
+++ b/glance/values.yaml
@ -318,6 +318,9 @@ endpoints:
        default: 5672

 pod:
+  user:
+    glance:
+      uid: 1000
  affinity:
      anti:
        type:
--- a/heat/templates/deployment-api.yaml
+++ b/heat/templates/deployment-api.yaml
@ -47,6 +47,8 @@ spec:
          image: {{ .Values.images.api }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          securityContext:
+            runAsUser: {{ .Values.pod.user.heat.uid }}
          command:
            - /tmp/heat-api.sh
            - start
--- a/heat/templates/deployment-cfn.yaml
+++ b/heat/templates/deployment-cfn.yaml
@ -47,6 +47,8 @@ spec:
          image: {{ .Values.images.cfn }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.cfn | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          securityContext:
+            runAsUser: {{ .Values.pod.user.heat.uid }}
          command:
            - /tmp/heat-cfn.sh
            - start
--- a/heat/templates/deployment-cloudwatch.yaml
+++ b/heat/templates/deployment-cloudwatch.yaml
@ -47,6 +47,8 @@ spec:
          image: {{ .Values.images.cloudwatch }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.cloudwatch | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          securityContext:
+            runAsUser: {{ .Values.pod.user.heat.uid }}
          command:
            - /tmp/heat-cloudwatch.sh
            - start
--- a/heat/templates/statefulset-engine.yaml
+++ b/heat/templates/statefulset-engine.yaml
@ -43,6 +43,8 @@ spec:
          image: {{ .Values.images.engine }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.engine | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          securityContext:
+            runAsUser: {{ .Values.pod.user.heat.uid }}
          command:
            - /tmp/heat-engine.sh
          volumeMounts:
--- a/heat/values.yaml
+++ b/heat/values.yaml
@ -333,6 +333,9 @@ endpoints:
        default: 5672

 pod:
+  user:
+    heat:
+      uid: 1000
  affinity:
      anti:
        type:
--- a/magnum/templates/deployment-api.yaml
+++ b/magnum/templates/deployment-api.yaml
@ -47,6 +47,8 @@ spec:
          image: {{ .Values.images.api }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          securityContext:
+            runAsUser: {{ .Values.pod.user.magnum.uid }}
          command:
            - /tmp/magnum-api.sh
            - start
--- a/magnum/templates/statefulset-conductor.yaml
+++ b/magnum/templates/statefulset-conductor.yaml
@ -43,6 +43,8 @@ spec:
          image: {{ .Values.images.conductor }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.conductor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          securityContext:
+            runAsUser: {{ .Values.pod.user.magnum.uid }}
          command:
            - /tmp/magnum-conductor.sh
          volumeMounts:
--- a/magnum/values.yaml
+++ b/magnum/values.yaml
@ -209,6 +209,9 @@ endpoints:
        default: 5672

 pod:
+  user:
+    magnum:
+      uid: 1000
  affinity:
      anti:
        type:
--- a/mistral/values.yaml
+++ b/mistral/values.yaml
@ -240,6 +240,9 @@ conf:
          memcache_security_strategy: ENCRYPT

 pod:
+  user:
+    mistral:
+      uid: 1000
  affinity:
      anti:
        type:
--- a/senlin/templates/deployment-api.yaml
+++ b/senlin/templates/deployment-api.yaml
@ -47,6 +47,8 @@ spec:
          image: {{ .Values.images.api }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          securityContext:
+            runAsUser: {{ .Values.pod.user.senlin.uid }}
          command:
            - /tmp/senlin-api.sh
            - start
--- a/senlin/templates/statefulset-engine.yaml
+++ b/senlin/templates/statefulset-engine.yaml
@ -43,6 +43,8 @@ spec:
          image: {{ .Values.images.engine }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.engine | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          securityContext:
+            runAsUser: {{ .Values.pod.user.senlin.uid }}
          command:
            - /tmp/senlin-engine.sh
          volumeMounts:
--- a/senlin/values.yaml
+++ b/senlin/values.yaml
@ -209,6 +209,9 @@ endpoints:
        default: 5672

 pod:
+  user:
+    senlin:
+      uid: 1000
  affinity:
      anti:
        type: