Fix for adding allowPrivilegeEscalation flag in container

securityContext in the charts wherever needed

Change-Id: I97f17ce0631051be33038449a21efee26c572613
Rahul Khiyani 2019-01-07 22:07:55 -05:00 committed by bk160f
parent 82211e427b
commit 1e85edddfc
18 changed files with 42 additions and 0 deletions


@ -72,6 +72,8 @@ spec:
- name: cinder-api
{{ tuple $envAll "cinder_api" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
command:
- /tmp/cinder-api.sh
- start
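Review bot: `allowPrivilegeEscalation: false` is written as a literal in the template here, and the same two lines are repeated in every other file section of this commit, so the setting cannot be adjusted per container from chart values and any further hardening has to be edited into each template again. Consider rendering the container `securityContext` from a values entry or a shared helm-toolkit snippet, with `allowPrivilegeEscalation: false` as the default. The flag only stops the process from gaining privileges beyond those it starts with (no_new_privs); it does not make the container non-root or drop capabilities, so `runAsNonRoot`, `readOnlyRootFilesystem` and `capabilities: drop` are worth deciding in the same place. The container definition continues outside the hunk.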


@ -71,6 +71,8 @@ spec:
- name: cinder-scheduler
{{ tuple $envAll "cinder_scheduler" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.scheduler | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
command:
- /tmp/cinder-scheduler.sh
volumeMounts:


@ -93,6 +93,8 @@ spec:
- name: cinder-volume
{{ tuple $envAll "cinder_volume" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.volume | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
command:
- /tmp/cinder-volume.sh
volumeMounts:


@ -70,6 +70,8 @@ spec:
{{ if eq .Values.storage "rbd" }}
- name: ceph-keyring-placement
{{ tuple $envAll "glance_api" | include "helm-toolkit.snippets.image" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
env:
- name: RBD_STORE_USER
value: {{ .Values.conf.glance.glance_store.rbd_store_user | quote }}
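Review bot: The new `securityContext:` key is inserted directly after the image snippet of `ceph-keyring-placement`, and the rest of that container lies outside the hunk, so it is not visible whether the container already carries a `securityContext` further down. If it does (keyring-placement init containers often set `runAsUser` there, which this page cannot confirm), the mapping now has a duplicate key, and most YAML parsers silently keep only the last one, which would discard either the new setting or the existing one. The two should be merged into a single `securityContext:` mapping. The same check applies to the `ceph-keyring-placement` hunks in the next-but-one file section and in the nova-compute section.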


@ -58,6 +58,8 @@ spec:
- name: glance-registry
{{ tuple $envAll "glance_registry" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.registry | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
command:
- /tmp/glance-registry.sh
- start


@ -70,6 +70,8 @@ spec:
{{ if or (eq .Values.storage "rbd") (eq .Values.storage "radosgw") }}
- name: ceph-keyring-placement
{{ tuple $envAll "glance_api" | include "helm-toolkit.snippets.image" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
command:
- /tmp/ceph-admin-keyring.sh
volumeMounts:


@ -58,6 +58,8 @@ spec:
- name: heat-api
{{ tuple $envAll "heat_api" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
command:
- /tmp/heat-api.sh
- start


@ -58,6 +58,8 @@ spec:
- name: heat-cfn
{{ tuple $envAll "heat_cfn" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.cfn | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
command:
- /tmp/heat-cfn.sh
- start


@ -58,6 +58,8 @@ spec:
- name: heat-cloudwatch
{{ tuple $envAll "heat_cloudwatch" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.cloudwatch | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
command:
- /tmp/heat-cloudwatch.sh
- start


@ -66,6 +66,8 @@ spec:
- name: heat-engine
{{ tuple $envAll "heat_engine" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.engine | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
command:
- /tmp/heat-engine.sh
- start


@ -94,6 +94,8 @@ spec:
{{ end }}
- name: ceph-keyring-placement
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
env:
- name: CEPH_CINDER_USER
value: "{{ .Values.conf.ceph.cinder.user }}"
@ -120,6 +122,8 @@ spec:
- name: nova-compute-vnc-init
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
command:
- /tmp/nova-console-compute-init.sh
volumeMounts:
@ -134,6 +138,8 @@ spec:
- name: nova-compute-spice-init
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
command:
- /tmp/nova-console-compute-init.sh
volumeMounts:
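Review bot: This section sets the flag on the three init containers (`ceph-keyring-placement`, `nova-compute-vnc-init`, `nova-compute-spice-init`), but no hunk touches the main compute container, which is outside the visible lines. If that container runs with `privileged: true`, leaving it out is correct, because the API server rejects `allowPrivilegeEscalation: false` on a privileged container; a one-line template comment there such as `# privileged container: allowPrivilegeEscalation cannot be set to false` would record that the omission is deliberate. If it is not privileged, it presumably should get the same two lines.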


@ -57,6 +57,8 @@ spec:
- name: nova-api-metadata-init
{{ tuple $envAll "nova_api" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.api_metadata | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
command:
- /tmp/nova-api-metadata-init.sh
volumeMounts:
@ -74,6 +76,8 @@ spec:
- name: nova-api
{{ tuple $envAll "nova_api" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.api_metadata | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
command:
- /tmp/nova-api-metadata.sh
- start


@ -58,6 +58,8 @@ spec:
- name: nova-osapi
{{ tuple $envAll "nova_api" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
command:
- /tmp/nova-api.sh
- start


@ -57,6 +57,8 @@ spec:
- name: nova-conductor
{{ tuple $envAll "nova_conductor" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.conductor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
command:
- /tmp/nova-conductor.sh
volumeMounts:


@ -57,6 +57,8 @@ spec:
- name: nova-consoleauth
{{ tuple $envAll "nova_consoleauth" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.consoleauth | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
command:
- /tmp/nova-consoleauth.sh
volumeMounts:


@ -58,6 +58,8 @@ spec:
- name: nova-novncproxy-init
{{ tuple $envAll "nova_novncproxy" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.novncproxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
command:
- /tmp/nova-console-proxy-init.sh
volumeMounts:


@ -57,6 +57,8 @@ spec:
- name: nova-scheduler
{{ tuple $envAll "nova_scheduler" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.scheduler | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
command:
- /tmp/nova-scheduler.sh
volumeMounts:


@ -58,6 +58,8 @@ spec:
- name: nova-spiceproxy-init
{{ tuple $envAll "nova_spiceproxy" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.spiceproxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
command:
- /tmp/nova-console-proxy-init.sh
volumeMounts: