Fluent-logging: Fix security context

This PS fixes the use of the security context macros for the
fluent-logging chart.

Change-Id: I2cd12015732bddb642136ba14f88ed2c248d519d
RAHUL KHIYANI 2019-04-22 18:27:00 -05:00 committed by Rahul Khiyani
parent 84c12d57e7
commit e3bd69c084
6 changed files with 35 additions and 6 deletions


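--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -94,6 +94,7 @@ spec:
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
+{{ dict "envAll" $envAll "application" "daemon" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 {{ if $envAll.Values.pod.tolerations.fluentbit.enabled }}
 {{ tuple $envAll "fluentbit" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
@@ -110,6 +111,7 @@ spec:
 - name: fluentbit
 {{ tuple $envAll "fluentbit" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.fluentbit | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "daemon" "container" "fluentbit" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /tmp/fluent-bit.sh
 env: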
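Review bot: The container security context added for the fluentbit container (`"application" "daemon" "container" "fluentbit"`) resolves, per the values hunk further down on this page, to `runAsUser: 0` with `readOnlyRootFilesystem: false` and no `allowPrivilegeEscalation: false`, while every other container touched by this change gets that setting. If root is genuinely required (presumably to read host log paths, which is not visible here and worth confirming), the `daemon.container.fluentbit` values entry should still carry `allowPrivilegeEscalation: false` and a comment stating why root is needed, e.g. `# runs as root because <reason>; privilege escalation stays disabled`. The values change itself is outside this section's hunks.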


@ -95,7 +95,7 @@ spec:
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
spec: spec:
{{ dict "envAll" $envAll "application" "fluentd" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} {{ dict "envAll" $envAll "application" "internal" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }} serviceAccountName: {{ $serviceAccountName }}
affinity: affinity:
{{ tuple $envAll "fluentd" "internal" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} {{ tuple $envAll "fluentd" "internal" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
@ -108,7 +108,7 @@ spec:
- name: fluentd - name: fluentd
{{ tuple $envAll "fluentd" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "fluentd" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.fluentd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.fluentd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "fluentd" "container" "fluentd" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} {{ dict "envAll" $envAll "application" "internal" "container" "fluentd" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command: command:
- /tmp/fluentd.sh - /tmp/fluentd.sh
- start - start
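Review bot: The container security context looked up on the second changed line (`"application" "internal" "container" "fluentd"`) now picks up an explicit `readOnlyRootFilesystem: false` from the values hunk further down; the same explicit `false` is added there for the fluentbit, elasticsearch_template, helm_test and fluentd_exporter containers. That value is already the Kubernetes default, so the line changes nothing at runtime and reads as a deliberate opt-out with no reason recorded. Either drop it or put a one-line comment beside each occurrence naming what the container writes to its root filesystem, e.g. `# root fs must stay writable because <reason>`; where the writes can go to a mounted volume instead, `true` would be the stronger default. The values hunk is cut off at the end of this page, so this note stands in for one there.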


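--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -35,6 +35,7 @@ spec:
 labels:
 {{ tuple $envAll "fluentd" "elasticsearch-template" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
+{{ dict "envAll" $envAll "application" "elasticsearch_template" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
 nodeSelector:
@@ -45,6 +46,7 @@ spec:
 - name: elasticsearch-template
 {{ tuple $envAll "elasticsearch_template" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.elasticsearch_template | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "elasticsearch_template" "container" "elasticsearch_template" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 env:
 - name: ELASTICSEARCH_HOST
 value: {{ tuple "elasticsearch" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" | quote }}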


@ -41,7 +41,7 @@ spec:
labels: labels:
{{ tuple $envAll "prometheus-fluentd-exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} {{ tuple $envAll "prometheus-fluentd-exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec: spec:
{{ dict "envAll" $envAll "application" "fluentd_exporter" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} {{ dict "envAll" $envAll "application" "exporter" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }} serviceAccountName: {{ $serviceAccountName }}
nodeSelector: nodeSelector:
{{ .Values.labels.prometheus_fluentd_exporter.node_selector_key }}: {{ .Values.labels.prometheus_fluentd_exporter.node_selector_value | quote }} {{ .Values.labels.prometheus_fluentd_exporter.node_selector_key }}: {{ .Values.labels.prometheus_fluentd_exporter.node_selector_value | quote }}
@ -52,7 +52,7 @@ spec:
- name: fluentd-exporter - name: fluentd-exporter
{{ tuple $envAll "prometheus_fluentd_exporter" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "prometheus_fluentd_exporter" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.prometheus_fluentd_exporter | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.prometheus_fluentd_exporter | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "fluentd_exporter" "container" "fluentd_exporter" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} {{ dict "envAll" $envAll "application" "exporter" "container" "fluentd_exporter" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command: command:
- /tmp/fluentd-exporter.sh - /tmp/fluentd-exporter.sh
- start - start


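--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -31,6 +31,7 @@ metadata:
 "helm.sh/hook": test-success
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
 spec:
+{{ dict "envAll" $envAll "application" "test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
 serviceAccountName: {{ $serviceAccountName }}
 nodeSelector:
 {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
@@ -41,6 +42,7 @@ spec:
 - name: {{.Release.Name}}-helm-tests
 {{ tuple $envAll "helm_tests" | include "helm-toolkit.snippets.image" | indent 6 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+{{ dict "envAll" $envAll "application" "test" "container" "helm_tests" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
 command:
 - /tmp/helm-tests.sh
 env: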
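Review bot: The container key passed on the last added line, `"container" "helm_tests"`, does not match the values key introduced for it in the values hunk further down, which is `helm_test` (singular); the container security context lookup is presumably keyed by that name, so the `allowPrivilegeEscalation`/`readOnlyRootFilesystem` entries meant for this container would not be applied. Make the two agree, e.g. rename the values key to `helm_tests:` so it matches both this template line and the `helm_tests` image key two lines above. How the snippet behaves on a missing key is not visible on this page, so whether it renders nothing or fails the template is worth checking.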


@ -580,18 +580,41 @@ network_policy:
pod: pod:
security_context: security_context:
fluentd: daemon:
pod:
runAsUser: 65534
container:
fluentbit:
runAsUser: 0
readOnlyRootFilesystem: false
internal:
pod: pod:
runAsUser: 65534 runAsUser: 65534
container: container:
fluentd: fluentd:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
fluentd_exporter: readOnlyRootFilesystem: false
elasticsearch_template:
pod:
runAsUser: 65534
container:
elasticsearch_template:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
test:
pod:
runAsUser: 65534
container:
helm_test:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
exporter:
pod: pod:
runAsUser: 65534 runAsUser: 65534
container: container:
fluentd_exporter: fluentd_exporter:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
affinity: affinity:
anti: anti:
type: type: