Set Security Context to ks-user job

We need flexibility to add securityContext to ks-user job at pod and containerlevel, so that it can be executed without elevated privileges. Change-Id: Ibd8abdc10906ca4648bfcaa91d0f122e56690606
2021-11-08 09:45:11 -06:00 · 2021-11-08 09:45:11 -06:00 · fddbb0a059
commit fddbb0a059
parent 15e3d30ba2
3 changed files with 26 additions and 1 deletions
--- a/helm-toolkit/Chart.yaml
+++ b/helm-toolkit/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Helm-Toolkit
 name: helm-toolkit
-version: 0.2.27
+version: 0.2.28
 home: https://docs.openstack.org/openstack-helm
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
 sources:
--- a/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
+++ b/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@ -17,6 +17,28 @@ limitations under the License.
 # {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
 # { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }

+{{/*
+  # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
+  # example:
+  #  values: |
+  #    pod:
+  #      security_context:
+  #        ks_user:
+  #          pod:
+  #            runAsUser: 65534
+  # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
+  # example:
+  #   values: |
+  #     pod:
+  #       security_context:
+  #         ks_user:
+  #           container:
+  #             ks-user:
+  #               runAsUser: 65534
+  #               readOnlyRootFilesystem: true
+  #               allowPrivilegeEscalation: false
+*/}}
+
 {{- define "helm-toolkit.manifests.job_ks_user" -}}
 {{- $envAll := index . "envAll" -}}
 {{- $serviceName := index . "serviceName" -}}
@ -70,6 +92,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
    spec:
      serviceAccountName: {{ $serviceAccountName | quote }}
+{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      restartPolicy: {{ $restartPolicy }}
      nodeSelector:
 {{ toYaml $nodeSelector | indent 8 }}
@ -80,6 +103,7 @@ spec:
          image: {{ $envAll.Values.images.tags.ks_user }}
          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          command:
            - /bin/bash
            - -c
--- a/releasenotes/notes/helm-toolkit.yaml
+++ b/releasenotes/notes/helm-toolkit.yaml
@ -34,4 +34,5 @@ helm-toolkit:
  - 0.2.25 Set Security Context to ks-user job
  - 0.2.26 Revert Set Security Context to ks-user job
  - 0.2.27 Correct private key size input for Certificates and remove minor version support
+  - 0.2.28 Set Security context to ks-user job at pod and container level
 ...