Implement Security Context for Neutron

Implement container security context for the following Neutron resources:
 - Neutron metadata_agent
 - Neutron ovs_agent

Change-Id: If8246450f8ebd62a0c5999f832ec59796355ee78
Prateek Dodda
2019-11-04 18:12:49 -06:00
parent efe3d3cf19
commit bea5c63d4d
3 changed files with 22 additions and 12 deletions


@@ -85,8 +85,7 @@ spec:
- name: neutron-metadata-agent-init
{{ tuple $envAll "neutron_metadata" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.agent.metadata | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
runAsUser: 0
{{ dict "envAll" $envAll "application" "neutron_metadata_agent" "container" "neutron_metadata_agent_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env:
- name: NEUTRON_USER_UID
value: "{{ .Values.pod.security_context.neutron_metadata_agent.pod.runAsUser }}"
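Review bot: The inline `runAsUser: 0` dropped in this hunk is now reproduced only through the values.yaml defaults, and those defaults also add `readOnlyRootFilesystem: true`, a setting this init container never had in the template, so the change is not a pure refactor and the init script should be confirmed to write only into mounted volumes (the hunk does not show its mounts). The `NEUTRON_USER_UID` env on the last line still derives from `pod.security_context.neutron_metadata_agent.pod.runAsUser`, while the snippet renders the container-level entry, so an operator overriding one without the other gets a silent mismatch. A comment in values.yaml above the `neutron_metadata_agent` block would make that coupling visible, e.g. `# pod.runAsUser also feeds NEUTRON_USER_UID in the metadata-agent init container; keep container-level overrides consistent with it`. The container definition continues outside the hunk.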


@@ -81,11 +81,7 @@ spec:
{{ tuple $envAll "pod_dependency" $mounts_neutron_ovs_agent_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
- name: neutron-openvswitch-agent-kernel-modules
{{ tuple $envAll "neutron_openvswitch_agent" | include "helm-toolkit.snippets.image" | indent 10 }}
securityContext:
capabilities:
add:
- SYS_MODULE
runAsUser: 0
{{ dict "envAll" $envAll "application" "neutron_ovs_agent" "container" "neutron_openvswitch_agent_kernel_modules" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/neutron-openvswitch-agent-init-modules.sh
volumeMounts:
@@ -105,9 +101,7 @@ spec:
- name: neutron-ovs-agent-init
{{ tuple $envAll "neutron_openvswitch_agent" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.agent.ovs | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
privileged: true
runAsUser: 0
{{ dict "envAll" $envAll "application" "neutron_ovs_agent" "container" "neutron_ovs_agent_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/neutron-openvswitch-agent-init.sh
volumeMounts:
@@ -183,8 +177,7 @@ spec:
{{ tuple $envAll $envAll.Values.pod.resources.agent.ovs | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "component" "ovs_agent" "container" "ovs_agent" "type" "readiness" "probeTemplate" (include "ovsAgentReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
{{ dict "envAll" $envAll "component" "ovs_agent" "container" "ovs_agent" "type" "liveness" "probeTemplate" (include "ovsAgentLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
securityContext:
privileged: true
{{ dict "envAll" $envAll "application" "neutron_ovs_agent" "container" "neutron_ovs_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/neutron-openvswitch-agent.sh
volumeMounts:
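Review bot: In the last hunk of this file the ovs-agent container keeps `privileged: true` through the values default but now also receives `readOnlyRootFilesystem: true`, which the template did not set before, so this is a runtime behaviour change for the agent rather than a move into values; confirm that everything the agent writes (sockets, logs, state) lives on a mounted volume, and the same applies to the two init containers in the earlier hunks. Because the snippet is now the only source of `SYS_MODULE` and `privileged`, an operator who overrides the container block in values can silently drop them and break module loading or the agent start. A comment in values.yaml above `neutron_openvswitch_agent_kernel_modules` such as `# SYS_MODULE and root are required by /tmp/neutron-openvswitch-agent-init-modules.sh; removing them breaks this init container` would document that dependency. All three container definitions continue outside their hunks.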


@@ -450,9 +450,27 @@ pod:
neutron_metadata_agent:
pod:
runAsUser: 42424
container:
neutron_metadata_agent_init:
runAsUser: 0
readOnlyRootFilesystem: true
neutron_ovs_agent:
pod:
runAsUser: 42424
container:
neutron_openvswitch_agent_kernel_modules:
capabilities:
add:
- SYS_MODULE
runAsUser: 0
readOnlyRootFilesystem: true
neutron_ovs_agent_init:
privileged: true
runAsUser: 0
readOnlyRootFilesystem: true
neutron_ovs_agent:
readOnlyRootFilesystem: true
privileged: true
neutron_server:
pod:
runAsUser: 42424
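Review bot: For `neutron_ovs_agent_init` and `neutron_ovs_agent`, `readOnlyRootFilesystem: true` is paired with `privileged: true`; a privileged process holds CAP_SYS_ADMIN and can generally remount its root read-write, so the read-only setting is defence in depth rather than a boundary and should not be read as containing those containers. Nothing in this block records why each container needs root, SYS_MODULE or privileged mode, and an operator tuning these values has no way to tell which entries are load-bearing. Suggest a one-line comment above each elevated entry stating the reason, e.g. `# SYS_MODULE: loads kernel modules in the init-modules script` above `neutron_openvswitch_agent_kernel_modules`, with the privileged entries justified by the author. The main metadata-agent container has no entry under `container:`, so it receives whatever the snippet emits for a missing key, which is worth checking in the rendered manifest.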