Fluent-logging: Fix security context

This PS fixes the use of the security context macros for the
fluent-logging chart.

Change-Id: I2cd12015732bddb642136ba14f88ed2c248d519d
This commit is contained in:
RAHUL KHIYANI 2019-04-22 18:27:00 -05:00 committed by Rahul Khiyani
parent 84c12d57e7
commit e3bd69c084
6 changed files with 35 additions and 6 deletions


@ -94,6 +94,7 @@ spec:
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
{{ dict "envAll" $envAll "application" "daemon" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }}
{{ if $envAll.Values.pod.tolerations.fluentbit.enabled }}
{{ tuple $envAll "fluentbit" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
@ -110,6 +111,7 @@ spec:
- name: fluentbit
{{ tuple $envAll "fluentbit" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.fluentbit | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "daemon" "container" "fluentbit" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/fluent-bit.sh
env:

View File

@ -95,7 +95,7 @@ spec:
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
{{ dict "envAll" $envAll "application" "fluentd" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
{{ dict "envAll" $envAll "application" "internal" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }}
affinity:
{{ tuple $envAll "fluentd" "internal" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
@ -108,7 +108,7 @@ spec:
- name: fluentd
{{ tuple $envAll "fluentd" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.fluentd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "fluentd" "container" "fluentd" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
{{ dict "envAll" $envAll "application" "internal" "container" "fluentd" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/fluentd.sh
- start

View File

@ -35,6 +35,7 @@ spec:
labels:
{{ tuple $envAll "fluentd" "elasticsearch-template" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec:
{{ dict "envAll" $envAll "application" "elasticsearch_template" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }}
restartPolicy: OnFailure
nodeSelector:
@ -45,6 +46,7 @@ spec:
- name: elasticsearch-template
{{ tuple $envAll "elasticsearch_template" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.elasticsearch_template | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "elasticsearch_template" "container" "elasticsearch_template" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env:
- name: ELASTICSEARCH_HOST
value: {{ tuple "elasticsearch" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" | quote }}

View File

@ -41,7 +41,7 @@ spec:
labels:
{{ tuple $envAll "prometheus-fluentd-exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec:
{{ dict "envAll" $envAll "application" "fluentd_exporter" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
{{ dict "envAll" $envAll "application" "exporter" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }}
nodeSelector:
{{ .Values.labels.prometheus_fluentd_exporter.node_selector_key }}: {{ .Values.labels.prometheus_fluentd_exporter.node_selector_value | quote }}
@ -52,7 +52,7 @@ spec:
- name: fluentd-exporter
{{ tuple $envAll "prometheus_fluentd_exporter" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.prometheus_fluentd_exporter | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "fluentd_exporter" "container" "fluentd_exporter" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
{{ dict "envAll" $envAll "application" "exporter" "container" "fluentd_exporter" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/fluentd-exporter.sh
- start

View File

@ -31,6 +31,7 @@ metadata:
"helm.sh/hook": test-success
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
spec:
{{ dict "envAll" $envAll "application" "test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
serviceAccountName: {{ $serviceAccountName }}
nodeSelector:
{{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
@ -41,6 +42,7 @@ spec:
- name: {{.Release.Name}}-helm-tests
{{ tuple $envAll "helm_tests" | include "helm-toolkit.snippets.image" | indent 6 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
{{ dict "envAll" $envAll "application" "test" "container" "helm_tests" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
command:
- /tmp/helm-tests.sh
env:

View File

@ -580,18 +580,41 @@ network_policy:
pod:
security_context:
fluentd:
daemon:
pod:
runAsUser: 65534
container:
fluentbit:
runAsUser: 0
readOnlyRootFilesystem: false
internal:
pod:
runAsUser: 65534
container:
fluentd:
allowPrivilegeEscalation: false
fluentd_exporter:
readOnlyRootFilesystem: false
elasticsearch_template:
pod:
runAsUser: 65534
container:
elasticsearch_template:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
test:
pod:
runAsUser: 65534
container:
helm_test:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
exporter:
pod:
runAsUser: 65534
container:
fluentd_exporter:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
affinity:
anti:
type: