From 46f9dea2c82611d69c65e3842d24cd2a716e3088 Mon Sep 17 00:00:00 2001
From: Pete Birley
Date: Mon, 28 Aug 2017 20:18:38 -0500
Subject: [PATCH] Security: Add Pod user to missed services

This PS adds the pod user to missed services, which is required for fully agnosic image operation.

Change-Id: I09c481f90b5e6a478e699ebaae51a2316ceb6a8d
---
 barbican/templates/deployment-api.yaml | 2 ++
 barbican/values.yaml | 3 +++
 mistral/templates/deployment-api.yaml | 2 ++
 mistral/templates/deployment-executor.yaml | 2 ++
 mistral/templates/statefulset-engine.yaml | 2 ++
 mistral/templates/statefulset-event-engine.yaml | 2 ++
 6 files changed, 13 insertions(+)

diff --git a/barbican/templates/deployment-api.yaml b/barbican/templates/deployment-api.yaml
index f0cb336012..259b34e844 100644
--- a/barbican/templates/deployment-api.yaml
+++ b/barbican/templates/deployment-api.yaml
@@ -46,6 +46,8 @@ spec:
 image: {{ .Values.images.api }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ runAsUser: {{ .Values.pod.user.barbican.uid }}
 command:
 - /tmp/barbican.sh
 - start
diff --git a/barbican/values.yaml b/barbican/values.yaml
index acd6789c31..d8a0683009 100644
--- a/barbican/values.yaml
+++ b/barbican/values.yaml
@@ -29,6 +29,9 @@ images:
 pull_policy: "IfNotPresent"
 pod:
+ user:
+ barbican:
+ uid: 1000
 affinity:
 anti:
 type:
diff --git a/mistral/templates/deployment-api.yaml b/mistral/templates/deployment-api.yaml
index 1d6bfde70e..3e6795a9d5 100644
--- a/mistral/templates/deployment-api.yaml
+++ b/mistral/templates/deployment-api.yaml
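Review bot: The added container `securityContext` in barbican/templates/deployment-api.yaml sets only `runAsUser`, so an override of `pod.user.barbican.uid` to `0` is still accepted and the container would run as root again. Adding `runAsNonRoot: true` next to `runAsUser` makes the kubelet refuse to start the container as UID 0. The same applies to the four mistral templates in this patch. Because the context is set on this one container rather than at pod level, any init or sidecar containers defined outside this hunk presumably keep the image's default user; the rest of the container spec is not visible here.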
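Review bot: The new `pod.user.barbican.uid` key in barbican/values.yaml has no comment, so nothing tells an operator what it controls or which values are safe. A comment above `user:` such as `# Numeric UID rendered into securityContext.runAsUser for the barbican-api container; keep non-zero` would cover it. The `pod:` mapping continues outside the hunk.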
@@ -47,6 +47,8 @@ spec:
 image: {{ .Values.images.api }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ runAsUser: {{ .Values.pod.user.mistral.uid }}
 command:
 - /tmp/mistral-api.sh
 - start
diff --git a/mistral/templates/deployment-executor.yaml b/mistral/templates/deployment-executor.yaml
index a4485a96d8..b33c6bdf3b 100644
--- a/mistral/templates/deployment-executor.yaml
+++ b/mistral/templates/deployment-executor.yaml
@@ -46,6 +46,8 @@ spec:
 image: {{ .Values.images.executor }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.executor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ runAsUser: {{ .Values.pod.user.mistral.uid }}
 command:
 - /tmp/mistral-executor.sh
 volumeMounts:
diff --git a/mistral/templates/statefulset-engine.yaml b/mistral/templates/statefulset-engine.yaml
index 67d562e534..a1bbb3b080 100644
--- a/mistral/templates/statefulset-engine.yaml
+++ b/mistral/templates/statefulset-engine.yaml
@@ -41,6 +41,8 @@ spec:
 image: {{ .Values.images.engine }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.engine | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ runAsUser: {{ .Values.pod.user.mistral.uid }}
 command:
 - /tmp/mistral-engine.sh
 volumeMounts:
diff --git a/mistral/templates/statefulset-event-engine.yaml b/mistral/templates/statefulset-event-engine.yaml
index 1ac63ea2df..d2022d2cb6 100644
--- a/mistral/templates/statefulset-event-engine.yaml
+++ b/mistral/templates/statefulset-event-engine.yaml
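Review bot: `{{ .Values.pod.user.mistral.uid }}` is referenced in mistral/templates/deployment-api.yaml, but this patch does not touch mistral/values.yaml, whereas the barbican chart gets its default in the same change. Unless `pod.user.mistral.uid` is already defined there (not visible in this patch), the chart either fails to render or emits an empty `runAsUser`, and the container falls back to the image's default user. The default should be added under `pod:` in mistral/values.yaml, mirroring barbican's `user:` / `barbican:` / `uid: 1000` block. The executor, engine and event-engine templates reference the same key.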
@@ -43,6 +43,8 @@ spec:
 image: {{ .Values.images.event_engine }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.event_engine | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ runAsUser: {{ .Values.pod.user.mistral.uid }}
 command:
 - /tmp/mistral-event-engine.sh
 volumeMounts: