From a60cdbf310363d1323ede2211b6073e436c9b4d0 Mon Sep 17 00:00:00 2001
From: Tin Lam
Date: Fri, 26 Oct 2018 10:11:00 -0500
Subject: [PATCH] Enable runAsUser in pod level

This patchset enables and moves the securityContext: runAsUser to the pod level, and uses a non-root user (UID != 0) wherever applicable.

Depends-On: I95264c933b51e2a8e38f63faa1e239bb3c1ebfda
Change-Id: I81f6e11fe31ab7333a3805399b2e5326ec1e06a7
Signed-off-by: Tin Lam
---
 cinder/templates/deployment-api.yaml | 3 +--
 cinder/templates/deployment-backup.yaml | 2 +-
 cinder/templates/deployment-scheduler.yaml | 3 +--
 cinder/templates/deployment-volume.yaml | 3 +--
 cinder/templates/job-backup-storage-init.yaml | 3 ++-
 cinder/templates/job-storage-init.yaml | 1 +
 glance/templates/deployment-api.yaml | 5 +----
 glance/templates/deployment-registry.yaml | 3 +--
 glance/templates/job-storage-init.yaml | 3 +--
 heat/templates/deployment-api.yaml | 3 +--
 heat/templates/deployment-cfn.yaml | 3 +--
 heat/templates/deployment-cloudwatch.yaml | 3 +--
 heat/templates/deployment-engine.yaml | 3 +--
 horizon/templates/deployment.yaml | 1 +
 horizon/values.yaml | 3 +++
 nova/templates/daemonset-compute.yaml | 10 +--------
 nova/templates/deployment-api-metadata.yaml | 5 +----
 nova/templates/deployment-api-osapi.yaml | 3 +--
 nova/templates/deployment-conductor.yaml | 3 +--
 nova/templates/deployment-consoleauth.yaml | 3 +--
 nova/templates/deployment-novncproxy.yaml | 3 +--
 nova/templates/deployment-scheduler.yaml | 3 +--
 nova/templates/deployment-spiceproxy.yaml | 3 +--
 nova/templates/statefulset-compute-ironic.yaml | 1 +
 24 files changed, 27 insertions(+), 49 deletions(-)

diff --git a/cinder/templates/deployment-api.yaml b/cinder/templates/deployment-api.yaml
index d194a40f2f..e3a9727a2b 100644
--- a/cinder/templates/deployment-api.yaml
+++ b/cinder/templates/deployment-api.yaml
@@ -46,6 +46,7 @@ spec:
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "cinder" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 affinity:
 {{ tuple $envAll "cinder" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
 nodeSelector:
@@ -71,8 +72,6 @@ spec:
 - name: cinder-api
 {{ tuple $envAll "cinder_api" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.cinder.uid }}
 command:
 - /tmp/cinder-api.sh
 - start
diff --git a/cinder/templates/deployment-backup.yaml b/cinder/templates/deployment-backup.yaml
index d978b3a45b..4cb5eb0972 100644
--- a/cinder/templates/deployment-backup.yaml
+++ b/cinder/templates/deployment-backup.yaml
@@ -46,6 +46,7 @@ spec:
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "cinder" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 affinity:
 {{ tuple $envAll "cinder" "backup" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
 nodeSelector:
@@ -129,7 +130,6 @@ spec:
 {{ tuple $envAll "cinder_backup" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.backup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 securityContext:
- runAsUser: {{ .Values.pod.user.cinder.uid }}
 capabilities:
 add:
 - SYS_ADMIN
diff --git a/cinder/templates/deployment-scheduler.yaml b/cinder/templates/deployment-scheduler.yaml
index c60e13b030..72002e32c4 100644
--- a/cinder/templates/deployment-scheduler.yaml
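Review bot: The new `+{{ dict "envAll" $envAll "application" "cinder" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}` line in the first hunk hands the pod whatever `.Values.pod.user.cinder.uid` holds, and as far as this patch shows nothing rejects a value of 0, so the commit's stated goal of UID != 0 rests on values-file convention (the horizon hunk's `uid: 42424`) rather than on an enforced check. The helper itself comes from the Depends-On change and is not visible here; if it does not already emit `runAsNonRoot: true` next to `runAsUser`, adding it there would make the kubelet refuse to start a pod that an override or a missing key turned back into root, which is the property this series is after. The pod-level value now also governs every init container that carried no securityContext before, while a container that still sets its own (cinder-backup's `capabilities` block in the second hunk, nova-compute's `privileged: true`) keeps only what it declares and inherits the uid. The same single line is added, and the same per-container `runAsUser` removed, in the cinder scheduler/volume deployments and storage-init jobs, glance, heat, horizon and all nova templates in this patch, so this note applies to those hunks as well.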
+++ b/cinder/templates/deployment-scheduler.yaml
@@ -46,6 +46,7 @@ spec:
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "cinder" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 affinity:
 {{ tuple $envAll "cinder" "scheduler" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
 nodeSelector:
@@ -70,8 +71,6 @@ spec:
 - name: cinder-scheduler
 {{ tuple $envAll "cinder_scheduler" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.scheduler | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.cinder.uid }}
 command:
 - /tmp/cinder-scheduler.sh
 volumeMounts:
diff --git a/cinder/templates/deployment-volume.yaml b/cinder/templates/deployment-volume.yaml
index 46d13fd042..d5d1e3ea58 100644
--- a/cinder/templates/deployment-volume.yaml
+++ b/cinder/templates/deployment-volume.yaml
@@ -46,6 +46,7 @@ spec:
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "cinder" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 affinity:
 {{ tuple $envAll "cinder" "volume" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
 nodeSelector:
@@ -92,8 +93,6 @@ spec:
 - name: cinder-volume
 {{ tuple $envAll "cinder_volume" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.volume | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.cinder.uid }}
 command:
 - /tmp/cinder-volume.sh
 volumeMounts:
diff --git a/cinder/templates/job-backup-storage-init.yaml b/cinder/templates/job-backup-storage-init.yaml
index dcb756a076..a073940c6e 100644
--- a/cinder/templates/job-backup-storage-init.yaml
+++ b/cinder/templates/job-backup-storage-init.yaml
@@ -61,6 +61,7 @@ spec:
 {{ tuple $envAll "cinder" "storage-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "cinder" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 restartPolicy: OnFailure
 nodeSelector:
 {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
@@ -81,7 +82,7 @@ spec:
 mountPath: /tmp/ceph-admin-keyring.sh
 subPath: ceph-admin-keyring.sh
 readOnly: true
- {{- else }}
+ {{- else }}
 - name: cinder-bin
 mountPath: /tmp/ceph-admin-keyring.sh
 subPath: external-ceph-rbd-admin-keyring.sh
diff --git a/cinder/templates/job-storage-init.yaml b/cinder/templates/job-storage-init.yaml
index 7ea9a4c190..1d4819c203 100644
--- a/cinder/templates/job-storage-init.yaml
+++ b/cinder/templates/job-storage-init.yaml
@@ -59,6 +59,7 @@ spec:
 {{ tuple $envAll "cinder" "storage-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "cinder" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 restartPolicy: OnFailure
 nodeSelector:
 {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
diff --git a/glance/templates/deployment-api.yaml b/glance/templates/deployment-api.yaml
index 0bdc972034..0a3a41441d 100644
--- a/glance/templates/deployment-api.yaml
+++ b/glance/templates/deployment-api.yaml
@@ -46,6 +46,7 @@ spec:
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "glance" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 affinity:
 {{ tuple $envAll "glance" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
 nodeSelector:
@@ -69,8 +70,6 @@ spec:
 {{ if eq .Values.storage "rbd" }}
 - name: ceph-keyring-placement
 {{ tuple $envAll "glance_api" | include "helm-toolkit.snippets.image" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.glance.uid }}
 env:
 - name: RBD_STORE_USER
 value: {{ .Values.conf.glance.glance_store.rbd_store_user | quote }}
@@ -92,8 +91,6 @@ spec:
 - name: glance-api
 {{ tuple $envAll "glance_api" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.glance.uid }}
 command:
 - /tmp/glance-api.sh
 - start
diff --git a/glance/templates/deployment-registry.yaml b/glance/templates/deployment-registry.yaml
index 54ef7c77d1..1ecd8a818c 100644
--- a/glance/templates/deployment-registry.yaml
+++ b/glance/templates/deployment-registry.yaml
@@ -46,6 +46,7 @@ spec:
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "glance" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 affinity:
 {{ tuple $envAll "glance" "registry" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
 nodeSelector:
@@ -57,8 +58,6 @@ spec:
 - name: glance-registry
 {{ tuple $envAll "glance_registry" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.registry | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.glance.uid }}
 command:
 - /tmp/glance-registry.sh
 - start
diff --git a/glance/templates/job-storage-init.yaml b/glance/templates/job-storage-init.yaml
index 9d9562731f..c963ddc959 100644
--- a/glance/templates/job-storage-init.yaml
+++ b/glance/templates/job-storage-init.yaml
@@ -61,6 +61,7 @@ spec:
 {{ tuple $envAll "glance" "storage-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "glance" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 restartPolicy: OnFailure
 nodeSelector:
 {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
@@ -69,8 +70,6 @@ spec:
 {{ if or (eq .Values.storage "rbd") (eq .Values.storage "radosgw") }}
 - name: ceph-keyring-placement
 {{ tuple $envAll "glance_api" | include "helm-toolkit.snippets.image" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.glance.uid }}
 command:
 - /tmp/ceph-admin-keyring.sh
 volumeMounts:
diff --git a/heat/templates/deployment-api.yaml b/heat/templates/deployment-api.yaml
index 1339711c8e..14e43f51a8 100644
--- a/heat/templates/deployment-api.yaml
+++ b/heat/templates/deployment-api.yaml
@@ -46,6 +46,7 @@ spec:
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "heat" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 affinity:
 {{ tuple $envAll "heat" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
 nodeSelector:
@@ -57,8 +58,6 @@ spec:
 - name: heat-api
 {{ tuple $envAll "heat_api" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.heat.uid }}
 command:
 - /tmp/heat-api.sh
 - start
diff --git a/heat/templates/deployment-cfn.yaml b/heat/templates/deployment-cfn.yaml
index 4f5d083f71..96f05d2519 100644
--- a/heat/templates/deployment-cfn.yaml
+++ b/heat/templates/deployment-cfn.yaml
@@ -46,6 +46,7 @@ spec:
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "heat" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 affinity:
 {{ tuple $envAll "heat" "cfn" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
 nodeSelector:
@@ -57,8 +58,6 @@ spec:
 - name: heat-cfn
 {{ tuple $envAll "heat_cfn" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.cfn | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.heat.uid }}
 command:
 - /tmp/heat-cfn.sh
 - start
diff --git a/heat/templates/deployment-cloudwatch.yaml b/heat/templates/deployment-cloudwatch.yaml
index a93babae39..97ba26744a 100644
--- a/heat/templates/deployment-cloudwatch.yaml
+++ b/heat/templates/deployment-cloudwatch.yaml
@@ -46,6 +46,7 @@ spec:
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "heat" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 affinity:
 {{ tuple $envAll "heat" "cloudwatch" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
 nodeSelector:
@@ -57,8 +58,6 @@ spec:
 - name: heat-cloudwatch
 {{ tuple $envAll "heat_cloudwatch" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.cloudwatch | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.heat.uid }}
 command:
 - /tmp/heat-cloudwatch.sh
 - start
diff --git a/heat/templates/deployment-engine.yaml b/heat/templates/deployment-engine.yaml
index a68939a0d1..c38e1ccac6 100644
--- a/heat/templates/deployment-engine.yaml
+++ b/heat/templates/deployment-engine.yaml
@@ -54,6 +54,7 @@ spec:
 {{- end }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "heat" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 affinity:
 {{- tuple $envAll "heat" "engine" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
 nodeSelector:
@@ -65,8 +66,6 @@ spec:
 - name: heat-engine
 {{ tuple $envAll "heat_engine" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.engine | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.heat.uid }}
 command:
 - /tmp/heat-engine.sh
 - start
diff --git a/horizon/templates/deployment.yaml b/horizon/templates/deployment.yaml
index ebbf8153a2..688e880a77 100644
--- a/horizon/templates/deployment.yaml
+++ b/horizon/templates/deployment.yaml
@@ -46,6 +46,7 @@ spec:
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "horizon" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 affinity:
 {{ tuple $envAll "horizon" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
 nodeSelector:
diff --git a/horizon/values.yaml b/horizon/values.yaml index 4c0d5d4bfd..4695d90df8 100644 --- a/horizon/values.yaml +++ b/horizon/values.yaml @@ -1901,6 +1901,9 @@ dependencies: service: local_image_registry pod: + user: + horizon: + uid: 42424 affinity: anti: type: diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml index aa4b27ccc6..55d98dbcbb 100644 --- a/nova/templates/daemonset-compute.yaml +++ b/nova/templates/daemonset-compute.yaml @@ -46,6 +46,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} spec: serviceAccountName: {{ $serviceAccountName }} +{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} nodeSelector: {{ .Values.labels.agent.compute.node_selector_key }}: {{ .Values.labels.agent.compute.node_selector_value }} hostNetwork: true @@ -75,8 +76,6 @@ spec: {{- if empty .Values.conf.ceph.cinder.keyring }} - name: ceph-admin-keyring-placement {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }} - securityContext: - runAsUser: 0 command: - /tmp/ceph-admin-keyring.sh volumeMounts: @@ -95,8 +94,6 @@ spec: {{ end }} - name: ceph-keyring-placement {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }} - securityContext: - runAsUser: {{ .Values.pod.user.nova.uid }} env: - name: CEPH_CINDER_USER value: "{{ .Values.conf.ceph.cinder.user }}" @@ -123,8 +120,6 @@ spec: - name: nova-compute-vnc-init {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} - securityContext: - runAsUser: {{ .Values.pod.user.nova.uid }} command: - /tmp/nova-console-compute-init.sh volumeMounts: 
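Review bot: The `ceph-admin-keyring-placement` init container in the `@@ -75,8 +76,6 @@` hunk of nova/templates/daemonset-compute.yaml loses an explicit `runAsUser: 0` and now inherits `.Values.pod.user.nova.uid` from the pod-level securityContext, so unlike the other hunks this is a privilege reduction rather than a move, and nothing in the patch shows that `/tmp/ceph-admin-keyring.sh` can still place its keyring as that uid. If that was verified, a comment above the container such as `# runs as the nova uid from the pod securityContext; the keyring script does not need root` would keep the next reader from restoring uid 0 on a hunch. If it was not, the init container needs its own `securityContext` back or the keyring destination needs to be writable by the nova uid (fsGroup on the pod, presumably). The daemonset also runs with `hostNetwork: true`, as the first hunk of this file shows, which makes a deliberate check of what this pod can still do as the new uid worth the time.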
@@ -139,8 +134,6 @@ spec:
 - name: nova-compute-spice-init
 {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.nova.uid }}
 command:
 - /tmp/nova-console-compute-init.sh
 volumeMounts:
@@ -156,7 +149,6 @@ spec:
 {{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 securityContext:
- runAsUser: {{ .Values.pod.user.nova.uid }}
 privileged: true
 {{- if .Values.conf.ceph.enabled }}
 env:
diff --git a/nova/templates/deployment-api-metadata.yaml b/nova/templates/deployment-api-metadata.yaml
index b58fbde68f..9adf4e11ce 100644
--- a/nova/templates/deployment-api-metadata.yaml
+++ b/nova/templates/deployment-api-metadata.yaml
@@ -46,6 +46,7 @@ spec:
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 affinity:
 {{ tuple $envAll "nova" "metadata" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
 nodeSelector:
@@ -56,8 +57,6 @@ spec:
 - name: nova-api-metadata-init
 {{ tuple $envAll "nova_api" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.api_metadata | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.nova.uid }}
 command:
 - /tmp/nova-api-metadata-init.sh
 volumeMounts:
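Review bot: The `nova-compute` container in the `@@ -156,7 +149,6 @@` hunk keeps `privileged: true` while its `runAsUser` moves to the pod level, so it is the one container in this patch where the non-root uid buys little: as far as I understand privileged mode, it hands the container host devices and, at least for the initial process, the full capability set regardless of uid. That is presumably required for libvirt and host device access on the compute node, but the template does not say so; a comment above `privileged: true` such as `# privileged is required for libvirt/host device access; the pod-level runAsUser applies here but does not confine this container` would record the accepted risk next to the setting. The container definition starts before this hunk, so its name is taken from the hunk's position in the file rather than from a visible line.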
@@ -75,8 +74,6 @@ spec:
 - name: nova-api
 {{ tuple $envAll "nova_api" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.api_metadata | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.nova.uid }}
 command:
 - /tmp/nova-api-metadata.sh
 - start
diff --git a/nova/templates/deployment-api-osapi.yaml b/nova/templates/deployment-api-osapi.yaml
index 46ce6af17e..3ca89c2bc0 100644
--- a/nova/templates/deployment-api-osapi.yaml
+++ b/nova/templates/deployment-api-osapi.yaml
@@ -46,6 +46,7 @@ spec:
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 affinity:
 {{ tuple $envAll "nova" "os-api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
 nodeSelector:
@@ -57,8 +58,6 @@ spec:
 - name: nova-osapi
 {{ tuple $envAll "nova_api" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.nova.uid }}
 command:
 - /tmp/nova-api.sh
 - start
diff --git a/nova/templates/deployment-conductor.yaml b/nova/templates/deployment-conductor.yaml
index 7bf0841f38..86f13766f1 100644
--- a/nova/templates/deployment-conductor.yaml
+++ b/nova/templates/deployment-conductor.yaml
@@ -46,6 +46,7 @@ spec:
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 affinity:
 {{ tuple $envAll "nova" "conductor" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
 nodeSelector:
@@ -56,8 +57,6 @@ spec:
 - name: nova-conductor
 {{ tuple $envAll "nova_conductor" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.conductor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.nova.uid }}
 command:
 - /tmp/nova-conductor.sh
 volumeMounts:
diff --git a/nova/templates/deployment-consoleauth.yaml b/nova/templates/deployment-consoleauth.yaml
index 10de3fc76c..f26cdeba10 100644
--- a/nova/templates/deployment-consoleauth.yaml
+++ b/nova/templates/deployment-consoleauth.yaml
@@ -46,6 +46,7 @@ spec:
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 affinity:
 {{ tuple $envAll "nova" "consoleauth" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
 nodeSelector:
@@ -56,8 +57,6 @@ spec:
 - name: nova-consoleauth
 {{ tuple $envAll "nova_consoleauth" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.consoleauth | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.nova.uid }}
 command:
 - /tmp/nova-consoleauth.sh
 volumeMounts:
diff --git a/nova/templates/deployment-novncproxy.yaml b/nova/templates/deployment-novncproxy.yaml
index 85e0e11628..2e5e4e344c 100644
--- a/nova/templates/deployment-novncproxy.yaml
+++ b/nova/templates/deployment-novncproxy.yaml
@@ -46,6 +46,7 @@ spec:
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 affinity:
 {{ tuple $envAll "nova" "novnc-proxy" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
 nodeSelector:
@@ -57,8 +58,6 @@ spec:
 - name: nova-novncproxy-init
 {{ tuple $envAll "nova_novncproxy" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.novncproxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.nova.uid }}
 command:
 - /tmp/nova-console-proxy-init.sh
 volumeMounts:
diff --git a/nova/templates/deployment-scheduler.yaml b/nova/templates/deployment-scheduler.yaml
index dc8b0d362e..415d298d5d 100644
--- a/nova/templates/deployment-scheduler.yaml
+++ b/nova/templates/deployment-scheduler.yaml
@@ -46,6 +46,7 @@ spec:
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 affinity:
 {{ tuple $envAll "nova" "scheduler" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
 nodeSelector:
@@ -56,8 +57,6 @@ spec:
 - name: nova-scheduler
 {{ tuple $envAll "nova_scheduler" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.scheduler | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.nova.uid }}
 command:
 - /tmp/nova-scheduler.sh
 volumeMounts:
diff --git a/nova/templates/deployment-spiceproxy.yaml b/nova/templates/deployment-spiceproxy.yaml
index 65fa900d29..998c5fbe49 100644
--- a/nova/templates/deployment-spiceproxy.yaml
+++ b/nova/templates/deployment-spiceproxy.yaml
@@ -46,6 +46,7 @@ spec:
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 affinity:
 {{ tuple $envAll "nova" "spice-proxy" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
 nodeSelector:
@@ -57,8 +58,6 @@ spec:
 - name: nova-spiceproxy-init
 {{ tuple $envAll "nova_spiceproxy" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.spiceproxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.nova.uid }}
 command:
 - /tmp/nova-console-proxy-init.sh
 volumeMounts:
diff --git a/nova/templates/statefulset-compute-ironic.yaml b/nova/templates/statefulset-compute-ironic.yaml
index eb39dd8114..aaa87cbe78 100644
--- a/nova/templates/statefulset-compute-ironic.yaml
+++ b/nova/templates/statefulset-compute-ironic.yaml
@@ -46,6 +46,7 @@ spec:
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 affinity:
 {{ tuple $envAll "nova" "compute-ironic" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
 nodeSelector: