HTK: Update k8s-entrypoint container macro to add security context

This PS updates the htk k8s-entrypoint container macro to add security context, with a set of defaults to allow operation with existing charts. Change-Id: Ib41600e2e3c848ae0d62181ad7e01f3cf00a26a0 Signed-off-by: Pete Birley <pete@port.direct>
2019-04-06 14:07:42 -04:00 · 2019-04-06 14:07:42 -04:00 · 9af2ef9f62
commit 9af2ef9f62
parent 1a81952929
1 changed files with 37 additions and 1 deletions
--- a/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
+++ b/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@ -50,12 +50,34 @@ values: |
    etcd:
      hosts:
        default: etcd
+  # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+  # specififed then the following will be used as defaults:
+  #  pod:
+  #    security_context:
+  #      kubernetes_entrypoint:
+  #        container:
+  #          kubernetes_entrypoint:
+  #            runAsUser: 65534
+  #            readOnlyRootFilesystem: true
+  #            allowPrivilegeEscalation: false
+  pod:
+    security_context:
+      kubernetes_entrypoint:
+        container:
+          kubernetes_entrypoint:
+            runAsUser: 0
+            readOnlyRootFilesystem: false
 usage: |
  {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
 return: |
  - name: init
    image: "quay.io/stackanetes/kubernetes-entrypoint:v0.3.1"
    imagePullPolicy: IfNotPresent
+    securityContext:
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: false
+      runAsUser: 0
+
    env:
      - name: POD_NAME
        valueFrom:
@ -89,6 +111,18 @@ return: |
      []
 */}}

+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+  pod:
+    security_context:
+      kubernetes_entrypoint:
+        container:
+          kubernetes_entrypoint:
+            runAsUser: 65534
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+{{- end -}}
+
 {{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
 {{- $envAll := index . 0 -}}
 {{- $component := index . 1 -}}
@ -110,9 +144,11 @@ return: |
 {{- end -}}
 {{- end -}}
 {{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
-
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
 - name: init
 {{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
  env:
    - name: POD_NAME
      valueFrom: