HTK: Update k8s-entrypoint container macro to add security context

This PS updates the htk k8s-entrypoint container macro to add a security
context, with a set of defaults so that existing charts keep operating unchanged.

Change-Id: Ib41600e2e3c848ae0d62181ad7e01f3cf00a26a0
Signed-off-by: Pete Birley <pete@port.direct>
Pete Birley 2019-04-06 14:07:42 -04:00 committed by Pete Birley
parent 1a81952929
commit 9af2ef9f62


@ -50,12 +50,34 @@ values: |
etcd: etcd:
hosts: hosts:
default: etcd default: etcd
# NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
# specififed then the following will be used as defaults:
# pod:
# security_context:
# kubernetes_entrypoint:
# container:
# kubernetes_entrypoint:
# runAsUser: 65534
# readOnlyRootFilesystem: true
# allowPrivilegeEscalation: false
pod:
security_context:
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
runAsUser: 0
readOnlyRootFilesystem: false
usage: | usage: |
{{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }} {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
return: | return: |
- name: init - name: init
image: "quay.io/stackanetes/kubernetes-entrypoint:v0.3.1" image: "quay.io/stackanetes/kubernetes-entrypoint:v0.3.1"
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
runAsUser: 0
env: env:
- name: POD_NAME - name: POD_NAME
valueFrom: valueFrom:
@ -89,6 +111,18 @@ return: |
[] []
*/}} */}}
{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
Values:
pod:
security_context:
kubernetes_entrypoint:
container:
kubernetes_entrypoint:
runAsUser: 65534
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
{{- end -}}
{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}} {{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
{{- $envAll := index . 0 -}} {{- $envAll := index . 0 -}}
{{- $component := index . 1 -}} {{- $component := index . 1 -}}
@ -110,9 +144,11 @@ return: |
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }} {{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
- name: init - name: init
{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }} {{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
env: env:
- name: POD_NAME - name: POD_NAME
valueFrom: valueFrom:
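Review bot: The usage example in the first hunk expects a chart's `runAsUser: 0` and `readOnlyRootFilesystem: false` to win over the 65534/true defaults, and that rests on `{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}` in the last hunk overwriting with zero-valued source fields; Sprig's merge is mergo-backed and, depending on the vendored version, may treat empty source values differently under override, so this is worth confirming against a rendered template before charts rely on the documented output. If a chart's relaxation were dropped the init container would presumably still start with the hardened defaults, so the risk is a wrong example rather than a weakened context, but it should be pinned down either way. The new `_default_security_context` define carries no comment; a one-liner such as `{{/* Hardened defaults merged underneath chart values by kubernetes_entrypoint_init_container; keys a chart sets take precedence. */}}` above it would make the layering explicit, and the NOTE in the first hunk reads `specififed` for `specified`. The `kubernetes_entrypoint_init_container` define's body continues past the end of the last hunk.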