From 831e14d03fc71acf2c82febc792e26e155ef8d39 Mon Sep 17 00:00:00 2001
From: "DODDA, PRATEEK REDDY (PD2839)"
Date: Tue, 30 Jun 2020 15:26:03 -0500
Subject: [PATCH] Add missing security context to Barbican test pods/containers

This updates the barbican chart to include the pod security context on the pod template. This also adds the container security context to set readOnlyRootFilesystem flag to true

Change-Id: Ibb85435c1fa9fe577bc7a14d97e0acaf9b9513a2
---
 barbican/templates/pod-test.yaml | 2 ++
 barbican/values.yaml | 7 +++++++
 2 files changed, 9 insertions(+)

diff --git a/barbican/templates/pod-test.yaml b/barbican/templates/pod-test.yaml
index 2dd7f30fa0..314c3902fb 100644
--- a/barbican/templates/pod-test.yaml
+++ b/barbican/templates/pod-test.yaml
@@ -34,6 +34,7 @@ metadata:
 {{ dict "envAll" $envAll "podName" "barbican-test" "containerNames" (list "init" "barbican-test") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
 nodeSelector:
 {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
 restartPolicy: Never
@@ -42,6 +43,7 @@ spec:
 containers:
 - name: barbican-test
 {{ tuple $envAll "scripted_test" | include "helm-toolkit.snippets.image" | indent 6 }}
+{{ dict "envAll" $envAll "application" "test" "container" "barbican_test" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
 env:
 {{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
diff --git a/barbican/values.yaml b/barbican/values.yaml
index 42463f4f95..41183f1fb8 100644
--- a/barbican/values.yaml
+++ b/barbican/values.yaml
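Review bot: The pod-level snippet inserted after `serviceAccountName` constrains the pod, but the mandatory-access-control annotation on the line above lists two containers, `init` and `barbican-test`, and only the second one receives a container security context anywhere in this patch. The `init` container comes from an entrypoint snippet that is outside this hunk; unless that snippet sets its own `allowPrivilegeEscalation`/`readOnlyRootFilesystem`, it stays weaker than the test container and the commit title's "containers" claim is only half true. Worth confirming, and if it does not, passing a container context for `init` too, or documenting the gap with `# init container security context comes from the entrypoint snippet` above the `initContainers:` key. The pod `spec:` this hunk edits continues beyond the hunk.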
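Review bot: `readOnlyRootFilesystem: true` is now applied to the `barbican-test` container, but the scripted test it runs is not visible here, and any path it writes (a `/tmp` scratch file, a CLI cache under `$HOME`) will fail with EROFS at test time rather than at `helm lint` time. Please verify the test script writes only to mounted volumes, or add an `emptyDir` `volumeMount` for its scratch directory; the container's `volumeMounts` and the pod `volumes` list lie outside this hunk. A one-line values comment such as `# test container root fs is read-only; scratch space must be a mounted emptyDir` would record the assumption for the next person who extends the test.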
@@ -59,6 +59,13 @@ pod:
 barbican_api:
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
+ test:
+ pod:
+ runAsUser: 42424
+ container:
+ barbican_test:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 affinity:
 anti:
 type:
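Review bot: The new `test.pod` context sets only `runAsUser: 42424`; without `runAsNonRoot: true` the kubelet does not independently refuse to start the container if an override resolves the uid to 0, and with no `runAsGroup` the process keeps whatever primary gid the image defines, which matters if the test is later given a writable `emptyDir`. Consider `runAsUser: 42424`, `runAsGroup: 42424` and `runAsNonRoot: true` under `pod:`, matching whatever the existing `barbican` application context (above this hunk, not visible) already uses so the two stay consistent. The `barbican_test` key must stay spelled with an underscore because pod-test.yaml calls the container snippet with `"container" "barbican_test"`; a comment `# keys here must match the "container" argument used in pod-test.yaml` above `container:` would make that coupling explicit.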