diff --git a/cinder/templates/deployment-api.yaml b/cinder/templates/deployment-api.yaml
index 58bf6b2d36..cabbbdc4d6 100644
--- a/cinder/templates/deployment-api.yaml
+++ b/cinder/templates/deployment-api.yaml
@@ -47,7 +47,7 @@ spec:
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
-{{ dict "envAll" $envAll "application" "cinder" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+{{ dict "envAll" $envAll "application" "cinder_api" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 affinity:
 {{ tuple $envAll "cinder" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
 nodeSelector:
@@ -58,8 +58,7 @@ spec:
 {{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
 - name: ceph-coordination-volume-perms
 {{ tuple $envAll "cinder_api" | include "helm-toolkit.snippets.image" | indent 10 }}
- securityContext:
- runAsUser: 0
+{{ dict "envAll" $envAll "application" "cinder_api" "container" "ceph_coordination_volume_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - chown
 - -R
@@ -75,7 +74,7 @@ spec:
 - name: cinder-api
 {{ tuple $envAll "cinder_api" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-{{ dict "envAll" $envAll "application" "cinder" "container" "cinder-api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ dict "envAll" $envAll "application" "cinder_api" "container" "cinder_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /tmp/cinder-api.sh
 - start
diff --git a/cinder/templates/deployment-backup.yaml b/cinder/templates/deployment-backup.yaml
index 835c2597fb..d218e2a378 100755
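Review bot: In the second hunk the `ceph-coordination-volume-perms` init container still runs `chown -R` but no longer carries `runAsUser: 0` in the template; it is root only because values.yaml (later in this diff) sets `pod.security_context.cinder_api.container.ceph_coordination_volume_perms.runAsUser: 0` while the pod-level default is 42424, so a values override that changes or nulls that entry makes the chown fail at pod start with no hint in the template. That coupling deserves a comment next to each such entry in values.yaml, e.g. `# must stay 0: this init container chowns the volume before the service runs as 42424`; the same applies to the keyring-placement and volume-perms init containers in deployment-backup.yaml, deployment-scheduler.yaml and deployment-volume.yaml. Separately, the first hunk renames the values key the template reads from `pod.security_context.cinder` to `cinder_api`, and any existing operator override under the old key is now silently ignored, since nothing reads it and no values schema is visible here to flag it; a one-line upgrade note in the commit message would help.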
--- a/cinder/templates/deployment-backup.yaml
+++ b/cinder/templates/deployment-backup.yaml
@@ -47,7 +47,7 @@ spec:
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
-{{ dict "envAll" $envAll "application" "cinder" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+{{ dict "envAll" $envAll "application" "cinder_backup" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 affinity:
 {{ tuple $envAll "cinder" "backup" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
 nodeSelector:
@@ -57,8 +57,7 @@ spec:
 {{- if (contains "cinder.backup.drivers.ceph" .Values.conf.cinder.DEFAULT.backup_driver) }}
 - name: ceph-backup-keyring-placement
 {{ tuple $envAll "cinder_backup" | include "helm-toolkit.snippets.image" | indent 10 }}
- securityContext:
- runAsUser: 0
+{{ dict "envAll" $envAll "application" "cinder_backup" "container" "ceph_backup_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /tmp/ceph-keyring.sh
 env:
@@ -81,8 +80,7 @@ spec:
 {{- if include "cinder.utils.has_ceph_backend" $envAll }}
 - name: ceph-keyring-placement
 {{ tuple $envAll "cinder_backup" | include "helm-toolkit.snippets.image" | indent 10 }}
- securityContext:
- runAsUser: 0
+{{ dict "envAll" $envAll "application" "cinder_backup" "container" "ceph_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /tmp/ceph-keyring.sh
 env:
@@ -105,8 +103,7 @@ spec:
 {{- if (contains "cinder.backup.drivers.posix" .Values.conf.cinder.DEFAULT.backup_driver) }}
 - name: ceph-backup-volume-perms
 {{ tuple $envAll "cinder_backup" | include "helm-toolkit.snippets.image" | indent 10 }}
- securityContext:
- runAsUser: 0
+{{ dict "envAll" $envAll "application" "cinder_backup" "container" "ceph_backup_volume_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - chown
 - -R
@@ -121,8 +118,7 @@ spec:
 {{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
 - name: ceph-coordination-volume-perms
 {{ tuple $envAll "cinder_backup" | include "helm-toolkit.snippets.image" | indent 10 }}
- securityContext:
- runAsUser: 0
+{{ dict "envAll" $envAll "application" "cinder_backup" "container" "ceph_coordination_volume_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - chown
 - -R
@@ -138,11 +134,7 @@ spec:
 - name: cinder-backup
 {{ tuple $envAll "cinder_backup" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.backup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-{{ dict "envAll" $envAll "application" "cinder" "container" "cinder-backup" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
- securityContext:
- capabilities:
- add:
- - SYS_ADMIN
+{{ dict "envAll" $envAll "application" "cinder_backup" "container" "cinder_backup" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /tmp/cinder-backup.sh
 volumeMounts:
diff --git a/cinder/templates/deployment-scheduler.yaml b/cinder/templates/deployment-scheduler.yaml
index 06fc3d906b..9ff91f8198 100644
--- a/cinder/templates/deployment-scheduler.yaml
+++ b/cinder/templates/deployment-scheduler.yaml
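Review bot: In the third hunk the `cinder-backup` container now takes its entire securityContext from `pod.security_context.cinder_backup.container.cinder_backup` in values.yaml, and that block (visible later in this diff) sets `runAsUser: 0` and adds `SYS_ADMIN` but keeps the misspelled `redOnlyRootFilesystem: true`, so the one container in the chart that runs as root with CAP_SYS_ADMIN gets no read-only root filesystem; as far as I can tell the snippet passes the map through unchanged, and the API server will most likely drop the unknown field without any error. The fix is the one-line spelling change `readOnlyRootFilesystem: true` in values.yaml, and this commit is the right place for it since it is the change that makes that block the sole source of hardening for the container. The same block also drops `allowPrivilegeEscalation: false`; that is consistent with Kubernetes treating the field as always true once CAP_SYS_ADMIN is added, but it is worth a sentence in the commit message so it does not read as an accidental regression. The container definition continues past the end of the hunk (volumeMounts).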
@@ -47,7 +47,7 @@ spec:
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
-{{ dict "envAll" $envAll "application" "cinder" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+{{ dict "envAll" $envAll "application" "cinder_scheduler" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 affinity:
 {{ tuple $envAll "cinder" "scheduler" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
 nodeSelector:
@@ -57,8 +57,7 @@ spec:
 {{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
 - name: ceph-coordination-volume-perms
 {{ tuple $envAll "cinder_scheduler" | include "helm-toolkit.snippets.image" | indent 10 }}
- securityContext:
- runAsUser: 0
+{{ dict "envAll" $envAll "application" "cinder_scheduler" "container" "ceph_coordination_volume_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - chown
 - -R
@@ -74,7 +73,7 @@ spec:
 - name: cinder-scheduler
 {{ tuple $envAll "cinder_scheduler" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.scheduler | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-{{ dict "envAll" $envAll "application" "cinder" "container" "cinder-scheduler" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ dict "envAll" $envAll "application" "cinder_scheduler" "container" "cinder_scheduler" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /tmp/cinder-scheduler.sh
 volumeMounts:
diff --git a/cinder/templates/deployment-volume.yaml b/cinder/templates/deployment-volume.yaml
index 45298d59a3..331b968610 100755
--- a/cinder/templates/deployment-volume.yaml
+++ b/cinder/templates/deployment-volume.yaml
@@ -47,7 +47,7 @@ spec:
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
-{{ dict "envAll" $envAll "application" "cinder" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+{{ dict "envAll" $envAll "application" "cinder_volume" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 affinity:
 {{ tuple $envAll "cinder" "volume" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
 nodeSelector:
@@ -57,8 +57,7 @@ spec:
 {{- if include "cinder.utils.has_ceph_backend" $envAll }}
 - name: ceph-keyring-placement
 {{ tuple $envAll "cinder_volume" | include "helm-toolkit.snippets.image" | indent 10 }}
- securityContext:
- runAsUser: 0
+{{ dict "envAll" $envAll "application" "cinder_volume" "container" "ceph_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /tmp/ceph-keyring.sh
 env:
@@ -81,8 +80,7 @@ spec:
 {{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
 - name: ceph-coordination-volume-perms
 {{ tuple $envAll "cinder_volume" | include "helm-toolkit.snippets.image" | indent 10 }}
- securityContext:
- runAsUser: 0
+{{ dict "envAll" $envAll "application" "cinder_volume" "container" "ceph_coordination_volume_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - chown
 - -R
@@ -95,10 +93,10 @@ spec:
 mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
 {{ end }}
 - name: init-cinder-conf
+{{ tuple $envAll "cinder_volume" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "cinder_volume" "container" "init_cinder_conf" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 image: {{ .Values.images.tags.ks_user }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
- securityContext:
- runAsUser: 0
 command:
 - /tmp/retrieve-internal-tenant.sh
 volumeMounts:
@@ -127,7 +125,7 @@ spec:
 - name: cinder-volume
 {{ tuple $envAll "cinder_volume" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.volume | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-{{ dict "envAll" $envAll "application" "cinder" "container" "cinder-volume" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ dict "envAll" $envAll "application" "cinder_volume" "container" "cinder_volume" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /tmp/cinder-volume.sh
 volumeMounts:
diff --git a/cinder/values.yaml b/cinder/values.yaml
index 0b69405477..9e37e1bd96 100644
--- a/cinder/values.yaml
+++ b/cinder/values.yaml
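Review bot: In the first hunk the `init-cinder-conf` container now renders `image:` and `imagePullPolicy:` twice: the added `helm-toolkit.snippets.image` line emits both keys (as that snippet does everywhere else in these templates), yet the literal `image: {{ .Values.images.tags.ks_user }}` and `imagePullPolicy: {{ .Values.images.pull_policy }}` lines are kept as context. Duplicate mapping keys in the rendered manifest are either a parse error or silent last-wins depending on the YAML loader in the path, so the init container ends up on the `ks_user` image in one case and on the `cinder_volume` image in the other, which is a deployment-dependent behaviour change rather than the intended refactor. If moving this container to the `cinder_volume` image is intended, drop the two literal lines; if `/tmp/retrieve-internal-tenant.sh` needs the `ks_user` image, drop the added image snippet line and keep only the security-context line. Either way the commit message should state which image this init container is meant to run.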
@@ -78,19 +78,61 @@ jobs:
 pod:
 security_context:
- cinder:
+ cinder_api:
 pod:
 runAsUser: 42424
 container:
+ ceph_coordination_volume_perms:
+ runAsUser: 0
+ readOnlyRootFilesystem: true
 cinder_api:
 readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
+ cinder_backup:
+ pod:
+ runAsUser: 42424
+ container:
+ ceph_backup_keyring_placement:
+ runAsUser: 0
+ readOnlyRootFilesystem: true
+ ceph_keyring_placement:
+ runAsUser: 0
+ readOnlyRootFilesystem: true
+ ceph_backup_volume_perms:
+ runAsUser: 0
+ readOnlyRootFilesystem: true
+ ceph_coordination_volume_perms:
+ runAsUser: 0
+ readOnlyRootFilesystem: true
 cinder_backup:
+ capabilities:
+ add:
+ - SYS_ADMIN
 redOnlyRootFilesystem: true
- allowPrivilegeEscalation: false
+ runAsUser: 0
+ cinder_scheduler:
+ pod:
+ runAsUser: 42424
+ container:
+ ceph_coordination_volume_perms:
+ runAsUser: 0
+ readOnlyRootFilesystem: true
 cinder_scheduler:
 readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
+ cinder_volume:
+ pod:
+ runAsUser: 42424
+ container:
+ ceph_keyring_placement:
+ runAsUser: 0
+ readOnlyRootFilesystem: true
+ ceph_coordination_volume_perms:
+ runAsUser: 0
+ readOnlyRootFilesystem: true
+ init_cinder_conf:
+ runAsUser: 0
+ readOnlyRootFilesystem: true
 cinder_volume:
 readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false