From 1e85edddfcd43abb3422eb12e9867ece2e3ec7d5 Mon Sep 17 00:00:00 2001
From: Rahul Khiyani
Date: Mon, 7 Jan 2019 22:07:55 -0500
Subject: [PATCH] Fix for adding allowPrivilegeEscalation flag in container securityContext in the charts whereever needed
Change-Id: I97f17ce0631051be33038449a21efee26c572613
---
 cinder/templates/deployment-api.yaml | 2 ++
 cinder/templates/deployment-scheduler.yaml | 2 ++
 cinder/templates/deployment-volume.yaml | 2 ++
 glance/templates/deployment-api.yaml | 2 ++
 glance/templates/deployment-registry.yaml | 2 ++
 glance/templates/job-storage-init.yaml | 2 ++
 heat/templates/deployment-api.yaml | 2 ++
 heat/templates/deployment-cfn.yaml | 2 ++
 heat/templates/deployment-cloudwatch.yaml | 2 ++
 heat/templates/deployment-engine.yaml | 2 ++
 nova/templates/daemonset-compute.yaml | 6 ++++++
 nova/templates/deployment-api-metadata.yaml | 4 ++++
 nova/templates/deployment-api-osapi.yaml | 2 ++
 nova/templates/deployment-conductor.yaml | 2 ++
 nova/templates/deployment-consoleauth.yaml | 2 ++
 nova/templates/deployment-novncproxy.yaml | 2 ++
 nova/templates/deployment-scheduler.yaml | 2 ++
 nova/templates/deployment-spiceproxy.yaml | 2 ++
 18 files changed, 42 insertions(+)
diff --git a/cinder/templates/deployment-api.yaml b/cinder/templates/deployment-api.yaml
index e3a9727a2b..5aeda1c7e5 100644
--- a/cinder/templates/deployment-api.yaml
+++ b/cinder/templates/deployment-api.yaml
@@ -72,6 +72,8 @@ spec:
 - name: cinder-api
 {{ tuple $envAll "cinder_api" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ allowPrivilegeEscalation: false
 command:
 - /tmp/cinder-api.sh
 - start
diff --git a/cinder/templates/deployment-scheduler.yaml b/cinder/templates/deployment-scheduler.yaml
index 72002e32c4..a0a930e8ec 100644
--- a/cinder/templates/deployment-scheduler.yaml
+++ b/cinder/templates/deployment-scheduler.yaml
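Review bot: `allowPrivilegeEscalation: false` on cinder-api only sets no_new_privs, which stops setuid binaries and file capabilities from granting more than the process already has; it does nothing for a process that already starts as root, and this hunk adds no `runAsUser`/`runAsNonRoot` and no `capabilities.drop`. The uid the cinder_api image runs as is not visible here, so whether the container still runs as root cannot be told from the hunk. I would put a comment above the new block, `# no_new_privs only: pair with runAsNonRoot / capabilities.drop once /tmp/cinder-api.sh is confirmed to run unprivileged`, and follow up with those settings where the start script permits. The cinder-api container definition continues past the end of the hunk.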
@@ -71,6 +71,8 @@ spec:
 - name: cinder-scheduler
 {{ tuple $envAll "cinder_scheduler" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.scheduler | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ allowPrivilegeEscalation: false
 command:
 - /tmp/cinder-scheduler.sh
 volumeMounts:
diff --git a/cinder/templates/deployment-volume.yaml b/cinder/templates/deployment-volume.yaml
index d5d1e3ea58..c8bc203c06 100644
--- a/cinder/templates/deployment-volume.yaml
+++ b/cinder/templates/deployment-volume.yaml
@@ -93,6 +93,8 @@ spec:
 - name: cinder-volume
 {{ tuple $envAll "cinder_volume" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.volume | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ allowPrivilegeEscalation: false
 command:
 - /tmp/cinder-volume.sh
 volumeMounts:
diff --git a/glance/templates/deployment-api.yaml b/glance/templates/deployment-api.yaml
index 0a3a41441d..c2735100eb 100644
--- a/glance/templates/deployment-api.yaml
+++ b/glance/templates/deployment-api.yaml
@@ -70,6 +70,8 @@ spec:
 {{ if eq .Values.storage "rbd" }}
 - name: ceph-keyring-placement
 {{ tuple $envAll "glance_api" | include "helm-toolkit.snippets.image" | indent 10 }}
+ securityContext:
+ allowPrivilegeEscalation: false
 env:
 - name: RBD_STORE_USER
 value: {{ .Values.conf.glance.glance_store.rbd_store_user | quote }}
diff --git a/glance/templates/deployment-registry.yaml b/glance/templates/deployment-registry.yaml
index 1ecd8a818c..ce45e1208a 100644
--- a/glance/templates/deployment-registry.yaml
+++ b/glance/templates/deployment-registry.yaml
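Review bot: The securityContext under cinder-scheduler is a hard-coded literal, while the image and resources on the two lines directly above it are rendered from helm-toolkit snippets driven by values; the same two literal lines are then repeated in every container this patch touches (42 insertions, 21 copies). A values-driven per-container security context rendered through a helm-toolkit include would let operators tighten or relax the setting per container without editing templates and would keep the copies from drifting. If a snippet is out of scope for this change, a short comment such as `# hard-coded pending a helm-toolkit security-context snippet` on the block would at least record the intent.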
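Review bot: The API server rejects `allowPrivilegeEscalation: false` on a container that is also `privileged: true` or adds `CAP_SYS_ADMIN`, so if cinder-volume is given either further down this container spec (its volume backends commonly need host device access, but that is not visible in the hunk) or an operator override adds them, the chart will render fine and then fail pod validation at deploy time. This is worth checking against the rest of the cinder-volume container and `/tmp/cinder-volume.sh` before merging. A comment on the new line, `# must stay false unless privileged/CAP_SYS_ADMIN are also unset (API validation)`, would make the coupling explicit. The container definition continues past the end of the hunk.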
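Review bot: In glance/templates/deployment-api.yaml only the `ceph-keyring-placement` init container receives the flag, and that container sits inside `{{ if eq .Values.storage "rbd" }}`, so with any non-rbd backend nothing in this pod is rendered with `allowPrivilegeEscalation: false`; the diffstat lists 2 insertions for this file, so the glance-api container itself is not covered. The commit message says "whereever needed" — if glance-api was skipped deliberately, a comment on its container saying why would stop the next reader from treating it as an omission; otherwise it should get the same two lines the cinder-api container gets in this patch. The start of the `{{ if }}` block is visible but the glance-api container is outside the hunk.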
@@ -58,6 +58,8 @@ spec:
 - name: glance-registry
 {{ tuple $envAll "glance_registry" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.registry | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ allowPrivilegeEscalation: false
 command:
 - /tmp/glance-registry.sh
 - start
diff --git a/glance/templates/job-storage-init.yaml b/glance/templates/job-storage-init.yaml
index c963ddc959..f6e767dc20 100644
--- a/glance/templates/job-storage-init.yaml
+++ b/glance/templates/job-storage-init.yaml
@@ -70,6 +70,8 @@ spec:
 {{ if or (eq .Values.storage "rbd") (eq .Values.storage "radosgw") }}
 - name: ceph-keyring-placement
 {{ tuple $envAll "glance_api" | include "helm-toolkit.snippets.image" | indent 10 }}
+ securityContext:
+ allowPrivilegeEscalation: false
 command:
 - /tmp/ceph-admin-keyring.sh
 volumeMounts:
diff --git a/heat/templates/deployment-api.yaml b/heat/templates/deployment-api.yaml
index 14e43f51a8..3d2cc78b0d 100644
--- a/heat/templates/deployment-api.yaml
+++ b/heat/templates/deployment-api.yaml
@@ -58,6 +58,8 @@ spec:
 - name: heat-api
 {{ tuple $envAll "heat_api" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ allowPrivilegeEscalation: false
 command:
 - /tmp/heat-api.sh
 - start
diff --git a/heat/templates/deployment-cfn.yaml b/heat/templates/deployment-cfn.yaml
index 96f05d2519..d75975b6bb 100644
--- a/heat/templates/deployment-cfn.yaml
+++ b/heat/templates/deployment-cfn.yaml
@@ -58,6 +58,8 @@ spec:
 - name: heat-cfn
 {{ tuple $envAll "heat_cfn" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.cfn | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ allowPrivilegeEscalation: false
 command:
 - /tmp/heat-cfn.sh
 - start
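Review bot: In job-storage-init.yaml the flag is added only to `ceph-keyring-placement`, which is guarded by `{{ if or (eq .Values.storage "rbd") (eq .Values.storage "radosgw") }}`, so for every other storage backend this job renders with no container carrying `allowPrivilegeEscalation: false`; the 2-insertion diffstat for the file means the job's main container is not touched. Unless that container needs setuid helpers (nothing here suggests it does, but its spec is outside the hunk), it should get the same two lines, or a comment on it should say why it was left out. The `{{ if }}` block is opened in the hunk but closed outside it.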
diff --git a/heat/templates/deployment-cloudwatch.yaml b/heat/templates/deployment-cloudwatch.yaml
index 97ba26744a..e5356521cb 100644
--- a/heat/templates/deployment-cloudwatch.yaml
+++ b/heat/templates/deployment-cloudwatch.yaml
@@ -58,6 +58,8 @@ spec:
 - name: heat-cloudwatch
 {{ tuple $envAll "heat_cloudwatch" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.cloudwatch | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ allowPrivilegeEscalation: false
 command:
 - /tmp/heat-cloudwatch.sh
 - start
diff --git a/heat/templates/deployment-engine.yaml b/heat/templates/deployment-engine.yaml
index c38e1ccac6..462e951b94 100644
--- a/heat/templates/deployment-engine.yaml
+++ b/heat/templates/deployment-engine.yaml
@@ -66,6 +66,8 @@ spec:
 - name: heat-engine
 {{ tuple $envAll "heat_engine" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.engine | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ allowPrivilegeEscalation: false
 command:
 - /tmp/heat-engine.sh
 - start
diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml
index 55d98dbcbb..3c3b3bf902 100644
--- a/nova/templates/daemonset-compute.yaml
+++ b/nova/templates/daemonset-compute.yaml
@@ -94,6 +94,8 @@ spec:
 {{ end }}
 - name: ceph-keyring-placement
 {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
+ securityContext:
+ allowPrivilegeEscalation: false
 env:
 - name: CEPH_CINDER_USER
 value: "{{ .Values.conf.ceph.cinder.user }}"
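Review bot: All six insertions in daemonset-compute.yaml go to helper containers (`ceph-keyring-placement` here, `nova-compute-vnc-init` and `nova-compute-spice-init` in the following hunks), so the nova-compute container that does the hypervisor work is left without the flag. If that is deliberate because nova-compute runs privileged — which would make `allowPrivilegeEscalation: false` fail API validation, though its securityContext is not visible from here — a comment on that container, `# privileged: allowPrivilegeEscalation cannot be set false here (API validation)`, would document the exception rather than leave it looking like an oversight; if it is not privileged, it is the most valuable place in the chart for this control. The `{{ end }}` context line shows this init container follows a conditional block whose start is outside the hunk.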
@@ -120,6 +122,8 @@ spec:
 - name: nova-compute-vnc-init
 {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ allowPrivilegeEscalation: false
 command:
 - /tmp/nova-console-compute-init.sh
 volumeMounts:
@@ -134,6 +138,8 @@ spec:
 - name: nova-compute-spice-init
 {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ allowPrivilegeEscalation: false
 command:
 - /tmp/nova-console-compute-init.sh
 volumeMounts:
diff --git a/nova/templates/deployment-api-metadata.yaml b/nova/templates/deployment-api-metadata.yaml
index 9adf4e11ce..89b49a6e76 100644
--- a/nova/templates/deployment-api-metadata.yaml
+++ b/nova/templates/deployment-api-metadata.yaml
@@ -57,6 +57,8 @@ spec:
 - name: nova-api-metadata-init
 {{ tuple $envAll "nova_api" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.api_metadata | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ allowPrivilegeEscalation: false
 command:
 - /tmp/nova-api-metadata-init.sh
 volumeMounts:
@@ -74,6 +76,8 @@ spec:
 - name: nova-api
 {{ tuple $envAll "nova_api" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.api_metadata | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ allowPrivilegeEscalation: false
 command:
 - /tmp/nova-api-metadata.sh
 - start
diff --git a/nova/templates/deployment-api-osapi.yaml b/nova/templates/deployment-api-osapi.yaml
index 3ca89c2bc0..6cebe9fb92 100644
--- a/nova/templates/deployment-api-osapi.yaml
+++ b/nova/templates/deployment-api-osapi.yaml
@@ -58,6 +58,8 @@ spec:
 - name: nova-osapi
 {{ tuple $envAll "nova_api" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ allowPrivilegeEscalation: false
 command:
 - /tmp/nova-api.sh
 - start
diff --git a/nova/templates/deployment-conductor.yaml b/nova/templates/deployment-conductor.yaml
index 86f13766f1..bd5c69f57e 100644
--- a/nova/templates/deployment-conductor.yaml
+++ b/nova/templates/deployment-conductor.yaml
@@ -57,6 +57,8 @@ spec:
 - name: nova-conductor
 {{ tuple $envAll "nova_conductor" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.conductor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ allowPrivilegeEscalation: false
 command:
 - /tmp/nova-conductor.sh
 volumeMounts:
diff --git a/nova/templates/deployment-consoleauth.yaml b/nova/templates/deployment-consoleauth.yaml
index f26cdeba10..2505323393 100644
--- a/nova/templates/deployment-consoleauth.yaml
+++ b/nova/templates/deployment-consoleauth.yaml
@@ -57,6 +57,8 @@ spec:
 - name: nova-consoleauth
 {{ tuple $envAll "nova_consoleauth" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.consoleauth | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ allowPrivilegeEscalation: false
 command:
 - /tmp/nova-consoleauth.sh
 volumeMounts:
diff --git a/nova/templates/deployment-novncproxy.yaml b/nova/templates/deployment-novncproxy.yaml
index 2e5e4e344c..00bd2a42a8 100644
--- a/nova/templates/deployment-novncproxy.yaml
+++ b/nova/templates/deployment-novncproxy.yaml
@@ -58,6 +58,8 @@ spec:
 - name: nova-novncproxy-init
 {{ tuple $envAll "nova_novncproxy" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.novncproxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ allowPrivilegeEscalation: false
 command:
 - /tmp/nova-console-proxy-init.sh
 volumeMounts:
diff --git a/nova/templates/deployment-scheduler.yaml b/nova/templates/deployment-scheduler.yaml
index 415d298d5d..5a085d783c 100644
--- a/nova/templates/deployment-scheduler.yaml
+++ b/nova/templates/deployment-scheduler.yaml
@@ -57,6 +57,8 @@ spec:
 - name: nova-scheduler
 {{ tuple $envAll "nova_scheduler" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.scheduler | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ allowPrivilegeEscalation: false
 command:
 - /tmp/nova-scheduler.sh
 volumeMounts:
diff --git a/nova/templates/deployment-spiceproxy.yaml b/nova/templates/deployment-spiceproxy.yaml
index 998c5fbe49..1d11aded36 100644
--- a/nova/templates/deployment-spiceproxy.yaml
+++ b/nova/templates/deployment-spiceproxy.yaml
@@ -58,6 +58,8 @@ spec:
 - name: nova-spiceproxy-init
 {{ tuple $envAll "nova_spiceproxy" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.spiceproxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ allowPrivilegeEscalation: false
 command:
 - /tmp/nova-console-proxy-init.sh
 volumeMounts:
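Review bot: deployment-novncproxy.yaml and deployment-spiceproxy.yaml each get exactly 2 insertions, both on the `*-init` container, so the long-running proxy containers in those two deployments — presumably the processes that accept client console connections and therefore the network-reachable part of the pod — are not covered, and a reachable process is exactly where no_new_privs earns its keep. Unless the proxy images rely on setuid helpers (nothing visible here indicates that), the same two lines belong on the proxy containers as well; if they were skipped for a reason, a comment on those containers should record it. Those containers lie outside the hunk.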