From 363b50b336d0b2f11e79f6b85075e5d4ee503df1 Mon Sep 17 00:00:00 2001 From: Steve Wilkerson Date: Fri, 5 Jul 2019 08:35:32 -0500 Subject: [PATCH] Neutron: Fix security context values keys This updates the values used for generating the pod and container security contexts for the components of the neutron chart. This moves to using a unique application key for each neutron service instead of a single 'neutron' key that maps to every pod This also removes the .pod.user.neutron.uid key in favor of using the user key in the security_context values tree Change-Id: I1c87a5b4b74e2a2d17b8913dd34f40dc1c38fbe0 Signed-off-by: Steve Wilkerson --- neutron/templates/daemonset-dhcp-agent.yaml | 4 +- neutron/templates/daemonset-l2gw-agent.yaml | 2 +- neutron/templates/daemonset-l3-agent.yaml | 4 +- neutron/templates/daemonset-lb-agent.yaml | 8 ++-- .../templates/daemonset-metadata-agent.yaml | 4 +- neutron/templates/daemonset-ovs-agent.yaml | 2 +- neutron/templates/daemonset-sriov-agent.yaml | 6 +-- neutron/templates/deployment-server.yaml | 4 +- neutron/values.yaml | 44 ++++++++++++++----- 9 files changed, 50 insertions(+), 28 deletions(-) diff --git a/neutron/templates/daemonset-dhcp-agent.yaml b/neutron/templates/daemonset-dhcp-agent.yaml index 012222f184..2b88a928ea 100644 --- a/neutron/templates/daemonset-dhcp-agent.yaml +++ b/neutron/templates/daemonset-dhcp-agent.yaml @@ -72,7 +72,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: -{{ dict "envAll" $envAll "application" "neutron" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} +{{ dict "envAll" $envAll "application" "neutron_dhcp_agent" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} nodeSelector: {{ .Values.labels.agent.dhcp.node_selector_key }}: {{ .Values.labels.agent.dhcp.node_selector_value }} @@ -89,7 +89,7 @@ spec: - name: neutron-dhcp-agent {{ tuple $envAll "neutron_dhcp" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.agent.dhcp | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} -{{ dict "envAll" $envAll "application" "neutron" "container" "neutron_dhcp_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} +{{ dict "envAll" $envAll "application" "neutron_dhcp_agent" "container" "neutron_dhcp_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} {{ dict "envAll" $envAll "component" "dhcp_agent" "container" "dhcp_agent" "type" "readiness" "probeTemplate" (include "dhcpAgentReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} {{ dict "envAll" $envAll "component" "dhcp_agent" "container" "dhcp_agent" "type" "liveness" "probeTemplate" (include "dhcpAgentLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} command: diff --git a/neutron/templates/daemonset-l2gw-agent.yaml b/neutron/templates/daemonset-l2gw-agent.yaml index ce825c6b78..d41e41137c 100644 --- a/neutron/templates/daemonset-l2gw-agent.yaml +++ b/neutron/templates/daemonset-l2gw-agent.yaml @@ -47,7 +47,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: -{{ dict "envAll" $envAll "application" "neutron" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} +{{ dict "envAll" $envAll "application" "neutron_l2gw_agent" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} nodeSelector: {{ .Values.labels.agent.l2gw.node_selector_key }}: {{ .Values.labels.agent.l2gw.node_selector_value }} diff --git a/neutron/templates/daemonset-l3-agent.yaml b/neutron/templates/daemonset-l3-agent.yaml index cc7df0445f..6ebe91c39e 100644 --- a/neutron/templates/daemonset-l3-agent.yaml +++ b/neutron/templates/daemonset-l3-agent.yaml @@ -73,7 +73,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: -{{ dict "envAll" $envAll "application" "neutron" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} +{{ dict "envAll" $envAll "application" "neutron_l3_agent" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} nodeSelector: {{ .Values.labels.agent.l3.node_selector_key }}: {{ .Values.labels.agent.l3.node_selector_value }} @@ -90,7 +90,7 @@ spec: - name: neutron-l3-agent {{ tuple $envAll "neutron_l3" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.agent.l3 | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} -{{ dict "envAll" $envAll "application" "neutron" "container" "neutron_l3_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} +{{ dict "envAll" $envAll "application" "neutron_l3_agent" "container" "neutron_l3_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} {{ dict "envAll" $envAll "component" "l3_agent" "container" "l3_agent" "type" "readiness" "probeTemplate" (include "l3AgentReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} {{ dict "envAll" $envAll "component" "l3_agent" "container" "l3_agent" "type" "liveness" "probeTemplate" (include "l3AgentLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} command: diff --git a/neutron/templates/daemonset-lb-agent.yaml b/neutron/templates/daemonset-lb-agent.yaml index b77c13bc56..07788b43b5 100644 --- a/neutron/templates/daemonset-lb-agent.yaml +++ b/neutron/templates/daemonset-lb-agent.yaml @@ -55,7 +55,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: -{{ dict "envAll" $envAll "application" "neutron" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} +{{ dict "envAll" $envAll "application" "neutron_lb_agent" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} nodeSelector: {{ .Values.labels.lb.node_selector_key }}: {{ .Values.labels.lb.node_selector_value }} @@ -70,7 +70,7 @@ spec: {{ tuple $envAll "pod_dependency" $mounts_neutron_lb_agent_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} - name: neutron-lb-agent-kernel-modules {{ tuple $envAll "neutron_linuxbridge_agent" | include "helm-toolkit.snippets.image" | indent 10 }} -{{ dict "envAll" $envAll "application" "neutron" "container" "neutron_lb_agent_kernel_modules" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} +{{ dict "envAll" $envAll "application" "neutron_lb_agent" "container" "neutron_lb_agent_kernel_modules" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} command: - /tmp/neutron-linuxbridge-agent-init-modules.sh volumeMounts: @@ -84,7 +84,7 @@ spec: - name: neutron-lb-agent-init {{ tuple $envAll "neutron_linuxbridge_agent" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.agent.lb | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} -{{ dict "envAll" $envAll "application" "neutron" "container" "neutron_lb_agent_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} +{{ dict "envAll" $envAll "application" "neutron_lb_agent" "container" "neutron_lb_agent_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} command: - /tmp/neutron-linuxbridge-agent-init.sh volumeMounts: @@ -140,7 +140,7 @@ spec: - name: neutron-lb-agent {{ tuple $envAll "neutron_linuxbridge_agent" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.agent.lb | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} -{{ dict "envAll" $envAll "application" "neutron" "container" "neutron_lb_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} +{{ dict "envAll" $envAll "application" "neutron_lb_agent" "container" "neutron_lb_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} {{ dict "envAll" $envAll "component" "lb_agent" "container" "lb_agent" "type" "readiness" "probeTemplate" (include "lbAgentReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} command: - /tmp/neutron-linuxbridge-agent.sh diff --git a/neutron/templates/daemonset-metadata-agent.yaml b/neutron/templates/daemonset-metadata-agent.yaml index a276ae3959..e1468cfd0a 100644 --- a/neutron/templates/daemonset-metadata-agent.yaml +++ b/neutron/templates/daemonset-metadata-agent.yaml @@ -69,7 +69,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: -{{ dict "envAll" $envAll "application" "neutron" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} +{{ dict "envAll" $envAll "application" "neutron_metadata_agent" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} nodeSelector: {{ .Values.labels.agent.metadata.node_selector_key }}: {{ .Values.labels.agent.metadata.node_selector_value }} @@ -89,7 +89,7 @@ spec: runAsUser: 0 env: - name: NEUTRON_USER_UID - value: "{{ .Values.pod.user.neutron.uid }}" + value: "{{ .Values.pod.security_context.neutron_metadata_agent.pod.runAsUser }}" command: - /tmp/neutron-metadata-agent-init.sh volumeMounts: diff --git a/neutron/templates/daemonset-ovs-agent.yaml b/neutron/templates/daemonset-ovs-agent.yaml index 2f595ff26a..4a3e71de56 100644 --- a/neutron/templates/daemonset-ovs-agent.yaml +++ b/neutron/templates/daemonset-ovs-agent.yaml @@ -70,7 +70,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: -{{ dict "envAll" $envAll "application" "neutron" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} +{{ dict "envAll" $envAll "application" "neutron_ovs_agent" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} nodeSelector: {{ .Values.labels.ovs.node_selector_key }}: {{ .Values.labels.ovs.node_selector_value }} diff --git a/neutron/templates/daemonset-sriov-agent.yaml b/neutron/templates/daemonset-sriov-agent.yaml index 2577033822..c622cfdbf4 100644 --- a/neutron/templates/daemonset-sriov-agent.yaml +++ b/neutron/templates/daemonset-sriov-agent.yaml @@ -58,7 +58,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: -{{ dict "envAll" $envAll "application" "neutron" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} +{{ dict "envAll" $envAll "application" "neutron_sriov_agent" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} nodeSelector: {{ .Values.labels.sriov.node_selector_key }}: {{ .Values.labels.sriov.node_selector_value }} @@ -74,7 +74,7 @@ spec: - name: neutron-sriov-agent-init {{ tuple $envAll "neutron_sriov_agent_init" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.agent.sriov | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} -{{ dict "envAll" $envAll "application" "neutron" "container" "neutron_sriov_agent_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} +{{ dict "envAll" $envAll "application" "neutron_sriov_agent" "container" "neutron_sriov_agent_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} {{ dict "envAll" $envAll "component" "sriov_agent" "container" "sriov_agent" "type" "readiness" "probeTemplate" (include "sriovAgentReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} command: - /tmp/neutron-sriov-agent-init.sh @@ -137,7 +137,7 @@ spec: - name: neutron-sriov-agent {{ tuple $envAll "neutron_sriov_agent" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.agent.sriov | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} -{{ dict "envAll" $envAll "application" "neutron" "container" "neutron_sriov_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} +{{ dict "envAll" $envAll "application" "neutron_sriov_agent" "container" "neutron_sriov_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} command: - /tmp/neutron-sriov-agent.sh readinessProbe: diff --git a/neutron/templates/deployment-server.yaml b/neutron/templates/deployment-server.yaml index 7d83a489ad..f12a65b8a9 100644 --- a/neutron/templates/deployment-server.yaml +++ b/neutron/templates/deployment-server.yaml @@ -58,7 +58,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: -{{ dict "envAll" $envAll "application" "neutron" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} +{{ dict "envAll" $envAll "application" "neutron_server" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "neutron" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} @@ -71,7 +71,7 @@ spec: - name: neutron-server {{ tuple $envAll "neutron_server" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} -{{ dict "envAll" $envAll "application" "neutron" "container" "neutron_server" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} +{{ dict "envAll" $envAll "application" "neutron_server" "container" "neutron_server" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} {{ dict "envAll" $envAll "component" "server" "container" "server" "type" "readiness" "probeTemplate" (include "serverReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} {{ dict "envAll" $envAll "component" "server" "container" "server" "type" "liveness" "probeTemplate" (include "serverLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} command: diff --git a/neutron/values.yaml b/neutron/values.yaml index 9466166d1c..dd5d70c91b 100644 --- a/neutron/values.yaml +++ b/neutron/values.yaml @@ -381,20 +381,28 @@ pod: enabled: true params: initialDelaySeconds: 60 - user: - neutron: - uid: 42424 security_context: - neutron: + neutron_dhcp_agent: pod: runAsUser: 42424 container: neutron_dhcp_agent: readOnlyRootFilesystem: true privileged: true + neutron_l2gw_agent: + pod: + runAsUser: 42424 + neutron_l3_agent: + pod: + runAsUser: 42424 + container: neutron_l3_agent: readOnlyRootFilesystem: true privileged: true + neutron_lb_agent: + pod: + runAsUser: 42424 + container: neutron_lb_agent_kernel_modules: capabilities: add: @@ -408,16 +416,30 @@ pod: neutron_lb_agent: readOnlyRootFilesystem: true privileged: true - neutron_sriov_agent_init: - privileged: true - runAsUser: 0 - readOnlyRootFilesystem: true - neutron_sriov_agent: - readOnlyRootFilesystem: true - privileged: true + neutron_metadata_agent: + pod: + runAsUser: 42424 + neutron_ovs_agent: + pod: + runAsUser: 42424 + neutron_server: + pod: + runAsUser: 42424 + container: neutron_server: allowPrivilegeEscalation: false readOnlyRootFilesystem: true + neutron_sriov_avent: + pod: + runAsUser: 42424 + container: + neutron_sriov_agent_init: + privileged: true + runAsUser: 0 + readOnlyRootFilesystem: false + neutron_sriov_agent: + readOnlyRootFilesystem: true + privileged: true affinity: anti: type: