diff --git a/nova/templates/cron-job-cell-setup.yaml b/nova/templates/cron-job-cell-setup.yaml
index e74c44d8fb..078c343398 100644
--- a/nova/templates/cron-job-cell-setup.yaml
+++ b/nova/templates/cron-job-cell-setup.yaml
@@ -43,6 +43,7 @@ spec:
 {{ tuple $envAll "nova" "cell-setup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 12 }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "cell_setup" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 10 }}
 restartPolicy: OnFailure
 nodeSelector:
 {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
@@ -52,6 +53,7 @@ spec:
 - name: nova-cell-setup
 {{ tuple $envAll "nova_cell_setup" | include "helm-toolkit.snippets.image" | indent 14 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.cell_setup | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
+{{ dict "envAll" $envAll "application" "cell_setup" "container" "nova_cell_setup" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
 command:
 - /tmp/cell-setup.sh
 volumeMounts:
diff --git a/nova/templates/cron-job-service-cleaner.yaml b/nova/templates/cron-job-service-cleaner.yaml
index 0d897b8ef0..764dda5890 100644
--- a/nova/templates/cron-job-service-cleaner.yaml
+++ b/nova/templates/cron-job-service-cleaner.yaml
@@ -43,6 +43,7 @@ spec:
 {{ tuple $envAll "nova" "service-cleaner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 12 }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "service_cleaner" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 10 }}
 restartPolicy: OnFailure
 nodeSelector:
 {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
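Review bot: `readOnlyRootFilesystem: true` on the nova-cell-setup container (second hunk) makes every write outside a mounted volume fail, and the container's command is `/tmp/cell-setup.sh`; the `volumeMounts:` that would show whether /tmp and any paths the script writes to (logs, generated config) are volume-backed are cut off past the end of the hunk, so confirm them before relying on the new context. If the script needs scratch space, an `emptyDir` mount on that path is the usual companion to a read-only root filesystem. The same check applies to the nova-service-cleaner container in cron-job-service-cleaner.yaml and the bootstrap container in job-bootstrap.yaml, which get the identical container context from values.yaml in this commit.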
@@ -52,6 +53,7 @@ spec:
 - name: nova-service-cleaner
 {{ tuple $envAll "nova_service_cleaner" | include "helm-toolkit.snippets.image" | indent 14 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.service_cleaner | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
+{{ dict "envAll" $envAll "application" "service_cleaner" "container" "nova_service_cleaner" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
 env:
 {{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.nova }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 14 }}
diff --git a/nova/templates/job-bootstrap.yaml b/nova/templates/job-bootstrap.yaml
index 45dfac1ccd..d639be743f 100644
--- a/nova/templates/job-bootstrap.yaml
+++ b/nova/templates/job-bootstrap.yaml
@@ -36,6 +36,7 @@ spec:
 annotations:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 spec:
+{{ dict "envAll" $envAll "application" "bootstrap" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
 nodeSelector:
@@ -62,6 +63,7 @@ spec:
 image: {{ $envAll.Values.images.tags.bootstrap }}
 imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "bootstrap" "container" "bootstrap" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 env:
 {{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
diff --git a/nova/values.yaml b/nova/values.yaml
index 5e1b575a8b..d6d300ace2 100644
--- a/nova/values.yaml
+++ b/nova/values.yaml
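Review bot: In job-bootstrap.yaml the pod security context include is placed directly under `spec:` ahead of `serviceAccountName`, while the two cron-job templates in this commit place it after `serviceAccountName: {{ $serviceAccountName }}`; the rendered mapping is the same either way, since mapping order carries no meaning, but moving the include below `serviceAccountName` here would keep the three templates aligned and make them easier to diff against each other later. The pod `spec:` block continues outside the hunk, so check that `indent 6` still matches the depth of the sibling keys once the template is rendered rather than trusting the collapsed diff.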
@@ -2395,6 +2395,27 @@ pod:
 nova_spiceproxy:
 readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
+ bootstrap:
+ pod:
+ runAsUser: 42424
+ container:
+ bootstrap:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ cell_setup:
+ pod:
+ runAsUser: 42424
+ container:
+ nova_cell_setup:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ service_cleaner:
+ pod:
+ runAsUser: 42424
+ container:
+ nova_service_cleaner:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
 use_fqdn:
 # NOTE: If the option "host" is not specified in nova.conf, the host name
 # shown in the hypervisor host is defaulted to the short name of the host.
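Review bot: Each of the three new `pod:` stanzas sets `runAsUser: 42424` without `runAsNonRoot: true`, so a values override that changes or drops the uid silently falls back to whatever user the image defaults to; adding `runAsNonRoot: true` beside `runAsUser: 42424` under `bootstrap`, `cell_setup` and `service_cleaner` makes the kubelet refuse to start the container if that fallback is root. This assumes the pod-context snippet renders the map as given, which the existing `nova_spiceproxy` container entry above the hunk suggests is how these maps are consumed, so verify against the helm-toolkit snippet before relying on it. The three stanzas are otherwise identical apart from the container key, which is fine for Helm values since tool-level overrides are the expected way to vary them; a YAML anchor would not be an improvement here.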