Add missing security context to Barbican test pods/containers

This updates the barbican chart to include the pod security context on the pod template. This also adds the container security context to set readOnlyRootFilesystem flag to true Change-Id: Ibb85435c1fa9fe577bc7a14d97e0acaf9b9513a2
2020-06-30 15:26:03 -05:00 · 2020-06-30 15:26:03 -05:00 · 831e14d03f
commit 831e14d03f
parent a385c18176
2 changed files with 9 additions and 0 deletions
--- a/barbican/templates/pod-test.yaml
+++ b/barbican/templates/pod-test.yaml
@ -34,6 +34,7 @@ metadata:
 {{ dict "envAll" $envAll "podName" "barbican-test" "containerNames" (list "init" "barbican-test") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
 spec:
  serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
  nodeSelector:
    {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
  restartPolicy: Never
@ -42,6 +43,7 @@ spec:
  containers:
    - name: barbican-test
 {{ tuple $envAll "scripted_test" | include "helm-toolkit.snippets.image" | indent 6 }}
+{{ dict "envAll" $envAll "application" "test" "container" "barbican_test" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
      env:
 {{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
--- a/barbican/values.yaml
+++ b/barbican/values.yaml
@ -59,6 +59,13 @@ pod:
        barbican_api:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
+    test:
+      pod:
+        runAsUser: 42424
+      container:
+        barbican_test:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
  affinity:
    anti:
      type: