Add missing security context to Nova pods/containers

This updates the Nova chart to include the pod
security context on the pod template.

This also adds the container security context, setting the
readOnlyRootFilesystem flag to true.

Change-Id: I10b12db8019beb42005764430711694a61c8d17b
This commit is contained in:
PrateekDodda 2020-08-05 13:55:03 -05:00 committed by Prateek Dodda
parent fc5712909e
commit 27dac1d2c1
3 changed files with 16 additions and 0 deletions


@ -46,6 +46,7 @@ spec:
{{- if $envAll.Values.bootstrap.wait_for_computes.enabled }}
- name: nova-wait-for-computes-init
{{ tuple $envAll "nova_wait_for_computes_init" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ dict "envAll" $envAll "application" "bootstrap" "container" "nova_wait_for_computes_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /bin/bash
- -c
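Review bot: Only the container-level snippet is added here (the `kubernetes_container_security_context` include on the new line), while the commit message and the `pod: runAsUser: 42424` values in this commit promise a pod-level context; confirm that the pod-level counterpart include (`helm-toolkit.snippets.kubernetes_pod_security_context`) is present on this job's pod template outside the hunk, otherwise the pod values are inert. This init container runs `/bin/bash -c` with a script body that continues past the hunk; with readOnlyRootFilesystem now true, any path that script writes (for example under /tmp) needs a writable volume mount, which this hunk does not show. The main bootstrap container, for which the values also define a stanza, lies outside the hunk.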


@ -41,6 +41,7 @@ spec:
- name: nova-cell-setup-init
{{ tuple $envAll "nova_cell_setup_init" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.cell_setup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "nova_cell_setup" "container" "nova_cell_setup_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env:
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
@ -59,6 +60,7 @@ spec:
- name: nova-cell-setup
{{ tuple $envAll "nova_cell_setup" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.cell_setup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "nova_cell_setup" "container" "nova_cell_setup" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/cell-setup.sh
volumeMounts:
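Review bot: Both hunks key the container security context on the application name `nova_cell_setup` (the added `dict "envAll" $envAll "application" "nova_cell_setup" ...` lines), while the resources lookup beside them reads `jobs.cell_setup` and the values hunk in this commit carries both a `cell_setup:` and a `nova_cell_setup:` stanza, each with `pod: runAsUser: 42424`; a pod-level include that names the application `cell_setup` would read a different stanza than these containers do. Pick one application key for the job and confirm that the stanza the pod-level snippet (outside these hunks) reads is the one that remains; the same split affects the values hunk below. The second hunk's container executes `/tmp/cell-setup.sh` under a read-only root filesystem, which only works if /tmp is a mounted volume — the volumeMounts continuing past the hunk presumably provide that, but it is not visible here.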


@ -2412,9 +2412,22 @@ pod:
pod:
runAsUser: 42424
container:
nova_wait_for_computes_init:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
bootstrap:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
nova_cell_setup:
pod:
runAsUser: 42424
container:
nova_cell_setup_init:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
nova_cell_setup:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
cell_setup:
pod:
runAsUser: 42424
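Review bot: The new pod-level stanzas set only `runAsUser: 42424` without `runAsNonRoot: true`; if the pod security context snippet passes this mapping through unchanged, adding `runAsNonRoot: true` beside `runAsUser` makes the kubelet refuse to start the pod should the UID ever be overridden to 0 in a values override. The container stanzas stop at readOnlyRootFilesystem and allowPrivilegeEscalation; whether the container snippet would also honour a `capabilities: drop: [ALL]` entry cannot be seen from this hunk. A short comment above the stanza explaining where 42424 comes from (presumably the service user inside the image — confirm) would help the next editor, e.g. `# UID of the nova service user inside the image`.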