Set up openstack cluster role for pod security policies
This commit adds a helm chart that deploys a rolebinding to the openstack application to allow deployments to the openstack namespace after PodSecurityPolicy plugin is enabled on the Kubernetes cluster. Change-Id: I57d3a31c9fcc7e03499e605d6d722fdb36004339 Partial-bug: 1878900 Depends-On: https://review.opendev.org/#/c/734408/ Depends-On: https://review.opendev.org/#/c/735998/ Signed-off-by: Jerry Sun <jerry.sun@windriver.com>
parent
7ff175f60c
commit
92ed6fecc7
|
@ -35,3 +35,4 @@ HELM_CHART_PLACEMENT = 'placement'
|
||||||
HELM_CHART_RABBITMQ = 'rabbitmq'
|
HELM_CHART_RABBITMQ = 'rabbitmq'
|
||||||
HELM_CHART_SWIFT = 'ceph-rgw'
|
HELM_CHART_SWIFT = 'ceph-rgw'
|
||||||
HELM_CHART_DCDBSYNC = 'dcdbsync'
|
HELM_CHART_DCDBSYNC = 'dcdbsync'
|
||||||
|
HELM_CHART_PSP_ROLEBINDING = 'psp-rolebinding'
|
||||||
|
|
|
@ -0,0 +1,43 @@
|
||||||
|
#
|
||||||
|
# Copyright (c) 2020 Wind River Systems, Inc.
|
||||||
|
#
|
||||||
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
|
#
|
||||||
|
|
||||||
|
from k8sapp_openstack.common import constants as app_constants
|
||||||
|
|
||||||
|
from sysinv.common import constants
|
||||||
|
from sysinv.common import exception
|
||||||
|
|
||||||
|
from sysinv.helm import base
|
||||||
|
from sysinv.helm import common
|
||||||
|
|
||||||
|
|
||||||
|
class PSPRolebindingHelm(base.BaseHelm):
|
||||||
|
"""Class to encapsulate helm operations for the psp rolebinding chart"""
|
||||||
|
|
||||||
|
SUPPORTED_NAMESPACES = \
|
||||||
|
base.BaseHelm.SUPPORTED_NAMESPACES + [common.HELM_NS_OPENSTACK]
|
||||||
|
SUPPORTED_APP_NAMESPACES = {
|
||||||
|
constants.HELM_APP_OPENSTACK:
|
||||||
|
base.BaseHelm.SUPPORTED_NAMESPACES + [common.HELM_NS_OPENSTACK]
|
||||||
|
}
|
||||||
|
|
||||||
|
CHART = app_constants.HELM_CHART_PSP_ROLEBINDING
|
||||||
|
SERVICE_NAME = 'psp-rolebinding'
|
||||||
|
|
||||||
|
def get_namespaces(self):
|
||||||
|
return self.SUPPORTED_NAMESPACES
|
||||||
|
|
||||||
|
def get_overrides(self, namespace=None):
|
||||||
|
overrides = {
|
||||||
|
common.HELM_NS_OPENSTACK: {}
|
||||||
|
}
|
||||||
|
|
||||||
|
if namespace in self.SUPPORTED_NAMESPACES:
|
||||||
|
return overrides[namespace]
|
||||||
|
elif namespace:
|
||||||
|
raise exception.InvalidHelmNamespace(chart=self.CHART,
|
||||||
|
namespace=namespace)
|
||||||
|
else:
|
||||||
|
return overrides
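Review bot: In `get_overrides`, the guard `if namespace in self.SUPPORTED_NAMESPACES:` accepts every namespace inherited from `base.BaseHelm.SUPPORTED_NAMESPACES`, but `overrides` holds only the `common.HELM_NS_OPENSTACK` key. If the base list is ever non-empty (its contents are not visible on this page), `return overrides[namespace]` would raise a bare `KeyError` instead of `exception.InvalidHelmNamespace`. Testing against the dict itself, `if namespace in overrides:`, keeps the guard and the lookup in agreement. A one-line docstring on `get_overrides` would also help, for example `"""Return the (empty) overrides for this chart; the rolebinding subject and namespace come from the manifest's static values."""`, so a later maintainer does not assume the binding is computed here.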
|
|
@ -61,6 +61,7 @@ systemconfig.helm_plugins.stx_openstack =
|
||||||
026_nginx-ports-control = k8sapp_openstack.helm.nginx_ports_control:NginxPortsControlHelm
|
026_nginx-ports-control = k8sapp_openstack.helm.nginx_ports_control:NginxPortsControlHelm
|
||||||
027_fm-rest-api = k8sapp_openstack.helm.fm_rest_api:FmRestApiHelm
|
027_fm-rest-api = k8sapp_openstack.helm.fm_rest_api:FmRestApiHelm
|
||||||
028_dcdbsync = k8sapp_openstack.helm.dcdbsync:DcdbsyncHelm
|
028_dcdbsync = k8sapp_openstack.helm.dcdbsync:DcdbsyncHelm
|
||||||
|
029_psp-rolebinding = k8sapp_openstack.helm.psp_rolebinding:PSPRolebindingHelm
|
||||||
|
|
||||||
systemconfig.armada.manifest_ops =
|
systemconfig.armada.manifest_ops =
|
||||||
stx-openstack = k8sapp_openstack.armada.manifest_openstack:OpenstackArmadaManifestOperator
|
stx-openstack = k8sapp_openstack.armada.manifest_openstack:OpenstackArmadaManifestOperator
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
SRC_DIR="stx-openstack-helm"
|
SRC_DIR="stx-openstack-helm"
|
||||||
COPY_LIST_TO_TAR="\
|
COPY_LIST_TO_TAR="\
|
||||||
$STX_BASE/helm-charts/fm-rest-api/fm-rest-api/helm-charts \
|
$STX_BASE/helm-charts/fm-rest-api/fm-rest-api/helm-charts \
|
||||||
|
$STX_BASE/helm-charts/psp-rolebinding/psp-rolebinding/helm-charts \
|
||||||
"
|
"
|
||||||
|
|
||||||
# Bump the version by the previous version value prior to decoupling as this
|
# Bump the version by the previous version value prior to decoupling as this
|
||||||
|
|
|
@ -47,6 +47,7 @@ make keystone-api-proxy
|
||||||
make fm-rest-api
|
make fm-rest-api
|
||||||
make nginx-ports-control
|
make nginx-ports-control
|
||||||
make dcdbsync
|
make dcdbsync
|
||||||
|
make psp-rolebinding
|
||||||
cd -
|
cd -
|
||||||
|
|
||||||
# terminate helm server (the last backgrounded task)
|
# terminate helm server (the last backgrounded task)
|
||||||
|
|
|
@ -1,5 +1,35 @@
|
||||||
---
|
---
|
||||||
schema: armada/Chart/v1
|
schema: armada/Chart/v1
|
||||||
|
metadata:
|
||||||
|
schema: metadata/Document/v1
|
||||||
|
name: openstack-psp-rolebinding
|
||||||
|
data:
|
||||||
|
chart_name: psp-rolebinding
|
||||||
|
dependencies: []
|
||||||
|
namespace: openstack
|
||||||
|
release: openstack-psp-rolebinding
|
||||||
|
source:
|
||||||
|
location: http://172.17.0.1/helm_charts/starlingx/psp-rolebinding-0.1.0.tgz
|
||||||
|
subpath: psp-rolebinding
|
||||||
|
type: tar
|
||||||
|
reference: master
|
||||||
|
upgrade:
|
||||||
|
no_hooks: false
|
||||||
|
pre:
|
||||||
|
delete:
|
||||||
|
- labels:
|
||||||
|
release_group: osh-openstack-psp-rolebinding
|
||||||
|
type: job
|
||||||
|
wait:
|
||||||
|
labels:
|
||||||
|
release_group: osh-openstack-psp-rolebinding
|
||||||
|
resources: []
|
||||||
|
timeout: 1800
|
||||||
|
values:
|
||||||
|
rolebindingNamespace: openstack
|
||||||
|
serviceAccount: openstack
|
||||||
|
---
|
||||||
|
schema: armada/Chart/v1
|
||||||
metadata:
|
metadata:
|
||||||
schema: metadata/Document/v1
|
schema: metadata/Document/v1
|
||||||
name: helm-toolkit
|
name: helm-toolkit
|
||||||
|
@ -3767,6 +3797,16 @@ data:
|
||||||
chart_group:
|
chart_group:
|
||||||
- openstack-dcdbsync
|
- openstack-dcdbsync
|
||||||
---
|
---
|
||||||
|
schema: armada/ChartGroup/v1
|
||||||
|
metadata:
|
||||||
|
schema: metadata/Document/v1
|
||||||
|
name: openstack-psp-rolebinding
|
||||||
|
data:
|
||||||
|
description: "Deploy psp rolebinding"
|
||||||
|
sequenced: true
|
||||||
|
chart_group:
|
||||||
|
- openstack-psp-rolebinding
|
||||||
|
---
|
||||||
schema: armada/Manifest/v1
|
schema: armada/Manifest/v1
|
||||||
metadata:
|
metadata:
|
||||||
schema: metadata/Document/v1
|
schema: metadata/Document/v1
|
||||||
|
@ -3774,6 +3814,7 @@ metadata:
|
||||||
data:
|
data:
|
||||||
release_prefix: osh
|
release_prefix: osh
|
||||||
chart_groups:
|
chart_groups:
|
||||||
|
- openstack-psp-rolebinding
|
||||||
- openstack-ingress
|
- openstack-ingress
|
||||||
- openstack-mariadb
|
- openstack-mariadb
|
||||||
- openstack-memcached
|
- openstack-memcached
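Review bot: The `values:` block of the new `openstack-psp-rolebinding` chart in the first hunk (`rolebindingNamespace: openstack`, `serviceAccount: openstack`) does not say which role or PodSecurityPolicy the binding grants. The chart templates are not on this page, so a reader of the manifest cannot tell how much privilege pods in the namespace receive, or whether the subject is one service account or all of them. A comment above `values:` would close that gap, for example `# Grants use of PSP role <ROLE_NAME> to the openstack service account(s); keep this bound to the least-privileged policy the charts need`. Separately, `location:` fetches the tarball over plain `http://` with no digest. 172.17.0.1 is presumably a host-local bridge address, but because this chart creates RBAC objects it is worth confirming that nothing off-host can serve that path.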
|
||||||
|
|