Implement Security Context for Keystone

Implement container security context for the following Keystone resources: - Keystone server deployment Change-Id: Ia68b5ebe4d76e0405d67224d976fee013cc02d0b
2019-03-19 13:21:19 -05:00 · 2019-03-19 13:21:19 -05:00 · 3cd1b78b68
parent ba593e1a6b
commit 3cd1b78b68
2 changed files with 8 additions and 6 deletions
--- a/keystone/templates/deployment-api.yaml
+++ b/keystone/templates/deployment-api.yaml
@ -46,8 +46,6 @@ spec:
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
    spec:
-      securityContext:
-        readOnlyRootFilesystem: true
 {{ dict "envAll" $envAll "application" "keystone" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      serviceAccountName: {{ $serviceAccountName }}
      affinity:
@ -61,8 +59,7 @@ spec:
        - name: keystone-api
 {{ tuple $envAll "keystone_api" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-          securityContext:
-            allowPrivilegeEscalation: false
+{{ dict "envAll" $envAll "application" "keystone" "container" "keystone_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          command:
            - /tmp/keystone-api.sh
            - start
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@ -152,9 +152,14 @@ dependencies:
          service: local_image_registry

 pod:
-  user:
+  security_context:
    keystone:
-      uid: 42424
+      pod:
+        runAsUser: 42424
+      container:
+        keystone_api:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
  affinity:
    anti:
      type: