From a60cdbf310363d1323ede2211b6073e436c9b4d0 Mon Sep 17 00:00:00 2001
From: Tin Lam <tin@irrational.io>
Date: Fri, 26 Oct 2018 10:11:00 -0500
Subject: [PATCH] Enable runAsUser in pod level
This patchset enables and moves the securityContext: runAsUser to the pod
level, and uses a non-root user (UID != 0) wherever applicable.
Depends-On: I95264c933b51e2a8e38f63faa1e239bb3c1ebfda
Change-Id: I81f6e11fe31ab7333a3805399b2e5326ec1e06a7
Signed-off-by: Tin Lam <tin@irrational.io>
---
cinder/templates/deployment-api.yaml | 3 +--
cinder/templates/deployment-backup.yaml | 2 +-
cinder/templates/deployment-scheduler.yaml | 3 +--
cinder/templates/deployment-volume.yaml | 3 +--
cinder/templates/job-backup-storage-init.yaml | 3 ++-
cinder/templates/job-storage-init.yaml | 1 +
glance/templates/deployment-api.yaml | 5 +----
glance/templates/deployment-registry.yaml | 3 +--
glance/templates/job-storage-init.yaml | 3 +--
heat/templates/deployment-api.yaml | 3 +--
heat/templates/deployment-cfn.yaml | 3 +--
heat/templates/deployment-cloudwatch.yaml | 3 +--
heat/templates/deployment-engine.yaml | 3 +--
horizon/templates/deployment.yaml | 1 +
horizon/values.yaml | 3 +++
nova/templates/daemonset-compute.yaml | 10 +---------
nova/templates/deployment-api-metadata.yaml | 5 +----
nova/templates/deployment-api-osapi.yaml | 3 +--
nova/templates/deployment-conductor.yaml | 3 +--
nova/templates/deployment-consoleauth.yaml | 3 +--
nova/templates/deployment-novncproxy.yaml | 3 +--
nova/templates/deployment-scheduler.yaml | 3 +--
nova/templates/deployment-spiceproxy.yaml | 3 +--
nova/templates/statefulset-compute-ironic.yaml | 1 +
24 files changed, 27 insertions(+), 49 deletions(-)
diff --git a/cinder/templates/deployment-api.yaml b/cinder/templates/deployment-api.yaml
index d194a40f2f..e3a9727a2b 100644
--- a/cinder/templates/deployment-api.yaml
+++ b/cinder/templates/deployment-api.yaml
@@ -46,6 +46,7 @@ spec:
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "cinder" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
affinity:
{{ tuple $envAll "cinder" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
nodeSelector:
@@ -71,8 +72,6 @@ spec:
- name: cinder-api
{{ tuple $envAll "cinder_api" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.cinder.uid }}
command:
- /tmp/cinder-api.sh
- start
diff --git a/cinder/templates/deployment-backup.yaml b/cinder/templates/deployment-backup.yaml
index d978b3a45b..4cb5eb0972 100644
--- a/cinder/templates/deployment-backup.yaml
+++ b/cinder/templates/deployment-backup.yaml
@@ -46,6 +46,7 @@ spec:
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "cinder" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
affinity:
{{ tuple $envAll "cinder" "backup" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
nodeSelector:
@@ -129,7 +130,6 @@ spec:
{{ tuple $envAll "cinder_backup" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.backup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
- runAsUser: {{ .Values.pod.user.cinder.uid }}
capabilities:
add:
- SYS_ADMIN
diff --git a/cinder/templates/deployment-scheduler.yaml b/cinder/templates/deployment-scheduler.yaml
index c60e13b030..72002e32c4 100644
--- a/cinder/templates/deployment-scheduler.yaml
+++ b/cinder/templates/deployment-scheduler.yaml
@@ -46,6 +46,7 @@ spec:
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "cinder" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
affinity:
{{ tuple $envAll "cinder" "scheduler" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
nodeSelector:
@@ -70,8 +71,6 @@ spec:
- name: cinder-scheduler
{{ tuple $envAll "cinder_scheduler" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.scheduler | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.cinder.uid }}
command:
- /tmp/cinder-scheduler.sh
volumeMounts:
diff --git a/cinder/templates/deployment-volume.yaml b/cinder/templates/deployment-volume.yaml
index 46d13fd042..d5d1e3ea58 100644
--- a/cinder/templates/deployment-volume.yaml
+++ b/cinder/templates/deployment-volume.yaml
@@ -46,6 +46,7 @@ spec:
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "cinder" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
affinity:
{{ tuple $envAll "cinder" "volume" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
nodeSelector:
@@ -92,8 +93,6 @@ spec:
- name: cinder-volume
{{ tuple $envAll "cinder_volume" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.volume | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.cinder.uid }}
command:
- /tmp/cinder-volume.sh
volumeMounts:
diff --git a/cinder/templates/job-backup-storage-init.yaml b/cinder/templates/job-backup-storage-init.yaml
index dcb756a076..a073940c6e 100644
--- a/cinder/templates/job-backup-storage-init.yaml
+++ b/cinder/templates/job-backup-storage-init.yaml
@@ -61,6 +61,7 @@ spec:
{{ tuple $envAll "cinder" "storage-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "cinder" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
restartPolicy: OnFailure
nodeSelector:
{{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
@@ -81,7 +82,7 @@ spec:
mountPath: /tmp/ceph-admin-keyring.sh
subPath: ceph-admin-keyring.sh
readOnly: true
- {{- else }}
+ {{- else }}
- name: cinder-bin
mountPath: /tmp/ceph-admin-keyring.sh
subPath: external-ceph-rbd-admin-keyring.sh
diff --git a/cinder/templates/job-storage-init.yaml b/cinder/templates/job-storage-init.yaml
index 7ea9a4c190..1d4819c203 100644
--- a/cinder/templates/job-storage-init.yaml
+++ b/cinder/templates/job-storage-init.yaml
@@ -59,6 +59,7 @@ spec:
{{ tuple $envAll "cinder" "storage-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "cinder" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
restartPolicy: OnFailure
nodeSelector:
{{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
diff --git a/glance/templates/deployment-api.yaml b/glance/templates/deployment-api.yaml
index 0bdc972034..0a3a41441d 100644
--- a/glance/templates/deployment-api.yaml
+++ b/glance/templates/deployment-api.yaml
@@ -46,6 +46,7 @@ spec:
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "glance" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
affinity:
{{ tuple $envAll "glance" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
nodeSelector:
@@ -69,8 +70,6 @@ spec:
{{ if eq .Values.storage "rbd" }}
- name: ceph-keyring-placement
{{ tuple $envAll "glance_api" | include "helm-toolkit.snippets.image" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.glance.uid }}
env:
- name: RBD_STORE_USER
value: {{ .Values.conf.glance.glance_store.rbd_store_user | quote }}
@@ -92,8 +91,6 @@ spec:
- name: glance-api
{{ tuple $envAll "glance_api" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.glance.uid }}
command:
- /tmp/glance-api.sh
- start
diff --git a/glance/templates/deployment-registry.yaml b/glance/templates/deployment-registry.yaml
index 54ef7c77d1..1ecd8a818c 100644
--- a/glance/templates/deployment-registry.yaml
+++ b/glance/templates/deployment-registry.yaml
@@ -46,6 +46,7 @@ spec:
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "glance" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
affinity:
{{ tuple $envAll "glance" "registry" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
nodeSelector:
@@ -57,8 +58,6 @@ spec:
- name: glance-registry
{{ tuple $envAll "glance_registry" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.registry | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.glance.uid }}
command:
- /tmp/glance-registry.sh
- start
diff --git a/glance/templates/job-storage-init.yaml b/glance/templates/job-storage-init.yaml
index 9d9562731f..c963ddc959 100644
--- a/glance/templates/job-storage-init.yaml
+++ b/glance/templates/job-storage-init.yaml
@@ -61,6 +61,7 @@ spec:
{{ tuple $envAll "glance" "storage-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "glance" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
restartPolicy: OnFailure
nodeSelector:
{{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
@@ -69,8 +70,6 @@ spec:
{{ if or (eq .Values.storage "rbd") (eq .Values.storage "radosgw") }}
- name: ceph-keyring-placement
{{ tuple $envAll "glance_api" | include "helm-toolkit.snippets.image" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.glance.uid }}
command:
- /tmp/ceph-admin-keyring.sh
volumeMounts:
diff --git a/heat/templates/deployment-api.yaml b/heat/templates/deployment-api.yaml
index 1339711c8e..14e43f51a8 100644
--- a/heat/templates/deployment-api.yaml
+++ b/heat/templates/deployment-api.yaml
@@ -46,6 +46,7 @@ spec:
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "heat" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
affinity:
{{ tuple $envAll "heat" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
nodeSelector:
@@ -57,8 +58,6 @@ spec:
- name: heat-api
{{ tuple $envAll "heat_api" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.heat.uid }}
command:
- /tmp/heat-api.sh
- start
diff --git a/heat/templates/deployment-cfn.yaml b/heat/templates/deployment-cfn.yaml
index 4f5d083f71..96f05d2519 100644
--- a/heat/templates/deployment-cfn.yaml
+++ b/heat/templates/deployment-cfn.yaml
@@ -46,6 +46,7 @@ spec:
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "heat" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
affinity:
{{ tuple $envAll "heat" "cfn" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
nodeSelector:
@@ -57,8 +58,6 @@ spec:
- name: heat-cfn
{{ tuple $envAll "heat_cfn" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.cfn | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.heat.uid }}
command:
- /tmp/heat-cfn.sh
- start
diff --git a/heat/templates/deployment-cloudwatch.yaml b/heat/templates/deployment-cloudwatch.yaml
index a93babae39..97ba26744a 100644
--- a/heat/templates/deployment-cloudwatch.yaml
+++ b/heat/templates/deployment-cloudwatch.yaml
@@ -46,6 +46,7 @@ spec:
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "heat" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
affinity:
{{ tuple $envAll "heat" "cloudwatch" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
nodeSelector:
@@ -57,8 +58,6 @@ spec:
- name: heat-cloudwatch
{{ tuple $envAll "heat_cloudwatch" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.cloudwatch | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.heat.uid }}
command:
- /tmp/heat-cloudwatch.sh
- start
diff --git a/heat/templates/deployment-engine.yaml b/heat/templates/deployment-engine.yaml
index a68939a0d1..c38e1ccac6 100644
--- a/heat/templates/deployment-engine.yaml
+++ b/heat/templates/deployment-engine.yaml
@@ -54,6 +54,7 @@ spec:
{{- end }}
spec:
serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "heat" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
affinity:
{{- tuple $envAll "heat" "engine" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
nodeSelector:
@@ -65,8 +66,6 @@ spec:
- name: heat-engine
{{ tuple $envAll "heat_engine" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.engine | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.heat.uid }}
command:
- /tmp/heat-engine.sh
- start
diff --git a/horizon/templates/deployment.yaml b/horizon/templates/deployment.yaml
index ebbf8153a2..688e880a77 100644
--- a/horizon/templates/deployment.yaml
+++ b/horizon/templates/deployment.yaml
@@ -46,6 +46,7 @@ spec:
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "horizon" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
affinity:
{{ tuple $envAll "horizon" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
nodeSelector:
diff --git a/horizon/values.yaml b/horizon/values.yaml
index 4c0d5d4bfd..4695d90df8 100644
--- a/horizon/values.yaml
+++ b/horizon/values.yaml
@@ -1901,6 +1901,9 @@ dependencies:
service: local_image_registry
pod:
+ user:
+ horizon:
+ uid: 42424
affinity:
anti:
type:
diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml
index aa4b27ccc6..55d98dbcbb 100644
--- a/nova/templates/daemonset-compute.yaml
+++ b/nova/templates/daemonset-compute.yaml
@@ -46,6 +46,7 @@ spec:
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
nodeSelector:
{{ .Values.labels.agent.compute.node_selector_key }}: {{ .Values.labels.agent.compute.node_selector_value }}
hostNetwork: true
@@ -75,8 +76,6 @@ spec:
{{- if empty .Values.conf.ceph.cinder.keyring }}
- name: ceph-admin-keyring-placement
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
- securityContext:
- runAsUser: 0
command:
- /tmp/ceph-admin-keyring.sh
volumeMounts:
@@ -95,8 +94,6 @@ spec:
{{ end }}
- name: ceph-keyring-placement
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.nova.uid }}
env:
- name: CEPH_CINDER_USER
value: "{{ .Values.conf.ceph.cinder.user }}"
@@ -123,8 +120,6 @@ spec:
- name: nova-compute-vnc-init
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.nova.uid }}
command:
- /tmp/nova-console-compute-init.sh
volumeMounts:
@@ -139,8 +134,6 @@ spec:
- name: nova-compute-spice-init
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.nova.uid }}
command:
- /tmp/nova-console-compute-init.sh
volumeMounts:
@@ -156,7 +149,6 @@ spec:
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
- runAsUser: {{ .Values.pod.user.nova.uid }}
privileged: true
{{- if .Values.conf.ceph.enabled }}
env:
diff --git a/nova/templates/deployment-api-metadata.yaml b/nova/templates/deployment-api-metadata.yaml
index b58fbde68f..9adf4e11ce 100644
--- a/nova/templates/deployment-api-metadata.yaml
+++ b/nova/templates/deployment-api-metadata.yaml
@@ -46,6 +46,7 @@ spec:
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
affinity:
{{ tuple $envAll "nova" "metadata" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
nodeSelector:
@@ -56,8 +57,6 @@ spec:
- name: nova-api-metadata-init
{{ tuple $envAll "nova_api" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.api_metadata | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.nova.uid }}
command:
- /tmp/nova-api-metadata-init.sh
volumeMounts:
@@ -75,8 +74,6 @@ spec:
- name: nova-api
{{ tuple $envAll "nova_api" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.api_metadata | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.nova.uid }}
command:
- /tmp/nova-api-metadata.sh
- start
diff --git a/nova/templates/deployment-api-osapi.yaml b/nova/templates/deployment-api-osapi.yaml
index 46ce6af17e..3ca89c2bc0 100644
--- a/nova/templates/deployment-api-osapi.yaml
+++ b/nova/templates/deployment-api-osapi.yaml
@@ -46,6 +46,7 @@ spec:
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
affinity:
{{ tuple $envAll "nova" "os-api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
nodeSelector:
@@ -57,8 +58,6 @@ spec:
- name: nova-osapi
{{ tuple $envAll "nova_api" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.nova.uid }}
command:
- /tmp/nova-api.sh
- start
diff --git a/nova/templates/deployment-conductor.yaml b/nova/templates/deployment-conductor.yaml
index 7bf0841f38..86f13766f1 100644
--- a/nova/templates/deployment-conductor.yaml
+++ b/nova/templates/deployment-conductor.yaml
@@ -46,6 +46,7 @@ spec:
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
affinity:
{{ tuple $envAll "nova" "conductor" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
nodeSelector:
@@ -56,8 +57,6 @@ spec:
- name: nova-conductor
{{ tuple $envAll "nova_conductor" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.conductor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.nova.uid }}
command:
- /tmp/nova-conductor.sh
volumeMounts:
diff --git a/nova/templates/deployment-consoleauth.yaml b/nova/templates/deployment-consoleauth.yaml
index 10de3fc76c..f26cdeba10 100644
--- a/nova/templates/deployment-consoleauth.yaml
+++ b/nova/templates/deployment-consoleauth.yaml
@@ -46,6 +46,7 @@ spec:
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
affinity:
{{ tuple $envAll "nova" "consoleauth" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
nodeSelector:
@@ -56,8 +57,6 @@ spec:
- name: nova-consoleauth
{{ tuple $envAll "nova_consoleauth" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.consoleauth | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.nova.uid }}
command:
- /tmp/nova-consoleauth.sh
volumeMounts:
diff --git a/nova/templates/deployment-novncproxy.yaml b/nova/templates/deployment-novncproxy.yaml
index 85e0e11628..2e5e4e344c 100644
--- a/nova/templates/deployment-novncproxy.yaml
+++ b/nova/templates/deployment-novncproxy.yaml
@@ -46,6 +46,7 @@ spec:
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
affinity:
{{ tuple $envAll "nova" "novnc-proxy" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
nodeSelector:
@@ -57,8 +58,6 @@ spec:
- name: nova-novncproxy-init
{{ tuple $envAll "nova_novncproxy" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.novncproxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.nova.uid }}
command:
- /tmp/nova-console-proxy-init.sh
volumeMounts:
diff --git a/nova/templates/deployment-scheduler.yaml b/nova/templates/deployment-scheduler.yaml
index dc8b0d362e..415d298d5d 100644
--- a/nova/templates/deployment-scheduler.yaml
+++ b/nova/templates/deployment-scheduler.yaml
@@ -46,6 +46,7 @@ spec:
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
affinity:
{{ tuple $envAll "nova" "scheduler" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
nodeSelector:
@@ -56,8 +57,6 @@ spec:
- name: nova-scheduler
{{ tuple $envAll "nova_scheduler" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.scheduler | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.nova.uid }}
command:
- /tmp/nova-scheduler.sh
volumeMounts:
diff --git a/nova/templates/deployment-spiceproxy.yaml b/nova/templates/deployment-spiceproxy.yaml
index 65fa900d29..998c5fbe49 100644
--- a/nova/templates/deployment-spiceproxy.yaml
+++ b/nova/templates/deployment-spiceproxy.yaml
@@ -46,6 +46,7 @@ spec:
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
affinity:
{{ tuple $envAll "nova" "spice-proxy" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
nodeSelector:
@@ -57,8 +58,6 @@ spec:
- name: nova-spiceproxy-init
{{ tuple $envAll "nova_spiceproxy" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.spiceproxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.nova.uid }}
command:
- /tmp/nova-console-proxy-init.sh
volumeMounts:
diff --git a/nova/templates/statefulset-compute-ironic.yaml b/nova/templates/statefulset-compute-ironic.yaml
index eb39dd8114..aaa87cbe78 100644
--- a/nova/templates/statefulset-compute-ironic.yaml
+++ b/nova/templates/statefulset-compute-ironic.yaml
@@ -46,6 +46,7 @@ spec:
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
affinity:
{{ tuple $envAll "nova" "compute-ironic" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
nodeSelector: