openstack
/
openstack-helm
Code Issues Proposed changes

Keystone podSecurityContext 

securitycontext with non-root user is implemented at pod level
and leveraged the helm-toolkit snippet

Fix for adding allowPrivilegeEscalation flag as a blanket
policy on the pod in the keyston chart

Depends-On: I95264c933b51e2a8e38f63faa1e239bb3c1ebfda
Change-Id: I15333df4707948e50deb935ffc1ee599588e4788
This commit is contained in:
Rahul Khiyani 2018-10-26 20:23:53 -05:00 committed by bk160f
parent 502a7e9bb9
commit 085610523f
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
keystone/templates/deployment-api.yaml
View File

@ -45,6 +45,7 @@ spec:
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
{{ dict "envAll" $envAll "application" "keystone" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }}
affinity:
{{ tuple $envAll "keystone" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
@ -58,7 +59,7 @@ spec:
{{ tuple $envAll "keystone_api" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
runAsUser: {{ .Values.pod.user.keystone.uid }}
allowPrivilegeEscalation: false
command:
- /tmp/keystone-api.sh
- start