From e7b06a40765fdca5f783f67d7a89a0365dd94153 Mon Sep 17 00:00:00 2001
From: pd2839
Date: Mon, 18 Mar 2019 13:50:18 -0500
Subject: [PATCH] Implement Security Context for Heat
Implement container security context for the following Heat resources:
- Heat server deployment
Change-Id: I4c1efb0807c56f750cc8d74155b96f06735e5051
---
heat/templates/deployment-api.yaml | 5 +----
heat/templates/deployment-cfn.yaml | 5 +----
heat/templates/deployment-cloudwatch.yaml | 5 +----
heat/templates/deployment-engine.yaml | 5 +----
heat/values.yaml | 18 ++++++++++++++++--
5 files changed, 20 insertions(+), 18 deletions(-)
diff --git a/heat/templates/deployment-api.yaml b/heat/templates/deployment-api.yaml
index ac615355ad..cf45cc553c 100644
--- a/heat/templates/deployment-api.yaml
+++ b/heat/templates/deployment-api.yaml
@@ -46,8 +46,6 @@ spec:
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
- securityContext:
- readOnlyRootFilesystem: true
serviceAccountName: {{ $serviceAccountName }}
{{ dict "envAll" $envAll "application" "heat" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
affinity:
@@ -61,8 +59,7 @@ spec:
- name: heat-api
{{ tuple $envAll "heat_api" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- allowPrivilegeEscalation: false
+{{ dict "envAll" $envAll "application" "heat" "container" "heat_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/heat-api.sh
- start
diff --git a/heat/templates/deployment-cfn.yaml b/heat/templates/deployment-cfn.yaml
index f1d58b081d..9f30ba62d2 100644
--- a/heat/templates/deployment-cfn.yaml
+++ b/heat/templates/deployment-cfn.yaml
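Review bot: `readOnlyRootFilesystem: true` takes effect on the heat-api container for the first time with this hunk, because the pod-level copy it replaces is not a PodSecurityContext field and was most likely dropped silently by the API server, yet no writable volume is added alongside it. If the heat-api process writes anywhere under the image root at runtime, the container will now fail with a read-only filesystem error, so the rendered manifest should be deployed and the pod checked for EROFS errors, with an emptyDir mounted at any written path; the container spec continues outside the hunk, so the existing volumeMounts are not visible here. The same point applies to the matching hunks in deployment-cfn.yaml, deployment-cloudwatch.yaml and deployment-engine.yaml.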
@@ -46,8 +46,6 @@ spec:
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
- securityContext:
- readOnlyRootFilesystem: true
serviceAccountName: {{ $serviceAccountName }}
{{ dict "envAll" $envAll "application" "heat" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
affinity:
@@ -61,8 +59,7 @@ spec:
- name: heat-cfn
{{ tuple $envAll "heat_cfn" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.cfn | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- allowPrivilegeEscalation: false
+{{ dict "envAll" $envAll "application" "heat" "container" "heat_cfn" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/heat-cfn.sh
- start
diff --git a/heat/templates/deployment-cloudwatch.yaml b/heat/templates/deployment-cloudwatch.yaml
index fc0173f206..1d58d5ff3d 100644
--- a/heat/templates/deployment-cloudwatch.yaml
+++ b/heat/templates/deployment-cloudwatch.yaml
@@ -46,8 +46,6 @@ spec:
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
- securityContext:
- readOnlyRootFilesystem: true
serviceAccountName: {{ $serviceAccountName }}
{{ dict "envAll" $envAll "application" "heat" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
affinity:
@@ -61,8 +59,7 @@ spec:
- name: heat-cloudwatch
{{ tuple $envAll "heat_cloudwatch" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.cloudwatch | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- allowPrivilegeEscalation: false
+{{ dict "envAll" $envAll "application" "heat" "container" "heat_cloudwatch" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/heat-cloudwatch.sh
- start
diff --git a/heat/templates/deployment-engine.yaml b/heat/templates/deployment-engine.yaml
index b3d0a02a71..3b603caeb4 100644
--- a/heat/templates/deployment-engine.yaml
+++ b/heat/templates/deployment-engine.yaml
@@ -54,8 +54,6 @@ spec:
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
{{- end }}
spec:
- securityContext:
- readOnlyRootFilesystem: true
serviceAccountName: {{ $serviceAccountName }}
{{ dict "envAll" $envAll "application" "heat" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
affinity:
@@ -69,8 +67,7 @@ spec:
- name: heat-engine
{{ tuple $envAll "heat_engine" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.engine | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- allowPrivilegeEscalation: false
+{{ dict "envAll" $envAll "application" "heat" "container" "heat_engine" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/heat-engine.sh
- start
diff --git a/heat/values.yaml b/heat/values.yaml
index d51f152300..021aa46651 100644
--- a/heat/values.yaml
+++ b/heat/values.yaml
@@ -954,9 +954,23 @@ endpoints:
namespace: kube-public
pod:
- user:
+ security_context:
heat:
- uid: 42424
+ pod:
+ runAsUser: 42424
+ container:
+ heat_api:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ heat_cfn:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ heat_cloudwatch:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ heat_engine:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
affinity:
anti:
type:
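Review bot: Renaming `pod.user.heat.uid` to `pod.security_context.heat.pod.runAsUser` is a breaking change for existing value overrides, and any chart template outside this patch (the diffstat lists only the four deployments) that still reads `.Values.pod.user.heat.uid` would now render an empty value, so the rest of the chart should be grepped for the old key and migrated in the same change. The new pod stanza sets only `runAsUser`; adding `runAsNonRoot: true` beside it makes the kubelet refuse to start a container whose effective user resolves to UID 0, which `runAsUser` alone does not guarantee if a per-container override drops it. A short comment above the new `security_context:` key would also help maintainers, since the per-container keys must match the names passed to the template snippet: `# container keys must match the "container" name given to kubernetes_container_security_context in the templates`.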