This PS updates to use security context macros from HTK, in line
with other charts.
Change-Id: I5ca0af17eccc4856baef871cf199554aad075ebe
Signed-off-by: Pete Birley <pete@port.direct>
This PS improves the securityu options for the ovs-db pod
by specifying running as a non-root user, using read only
filesystems for the containers and also preventing
privilege escalation. A subsequent ps will move to use the
helm toolkit functions that allow the control of these params.
Change-Id: I94fbf5b851be68f6fb4a1f9809ad12776e8a80b3
Signed-off-by: Pete Birley <pete@port.direct>
This PS adds emptydirs backing the /tmp directory in pods, which
is required in most cases for full operation when using a read only
filesystem backing the container.
Additionally some yaml indent issues are resolved.
Change-Id: I8b7f1614da059783254aa6efc09facf23fca3cad
Signed-off-by: Pete Birley <pete@port.direct>
I believe when we have set the readOnly flag at pod without HTK functionality the changes were not reflected. That is why it passed the gate.
Later with HTK functionality the gates never passed and I have tested that in various ways and finally I had to unset the readOnly flag
This reverts commit 598040bea05737ea1ee2460ba8675ed7c061e63a.
Change-Id: Icf8d3cc60045926ab60b9735ee1e8202c15df9d5
This adds the release-annotation to the pod spec for the charts in
openstack-helm-infra. This also adds missing configmap annotations
to charts in openstack-helm-infra
Change-Id: Ie23f0c16a7a21d3929e98928db2bbcef69ae6490
This implementation is to add readiness probe to ovs-db pod.
The goal is to check if the db.sock is connected by executing ovs-vsctl
command to list the Open_vswitch configuration table.
Change-Id: Idd4382d95d07ffff94a30bcb7ac132b88e9d6de1
Uses ovs-vsctl for ovs-db
Uses ovs-appctl for ovs-vswitchd as "ovs-vsctl show" does not
talk to ovs-vswitchd.
Change-Id: Ia0b84e3546ff1693676ca61370e1344d75b6e308
This PS implements the helm toolkit function to generate the
Egress in kubernetes network policy manifest based on overrideable values.
It also enbale the K8s network policy at Osh-infra gate.
Change-Id: Icbe2a18c98dba795d15398dcdcac64228f6a7b4c
This PS shares pid namespaces for containers in pods under docker,
bringing running in this runtime inline with other runc based container
backends, allowing the pause process in the pod to act as a reaper.
Change-Id: I1e511b1cd11a4b2f4818a772a91e8a8dfd342be3
Signed-off-by: Pete Birley <pete@port.direct>
This patch set implements the helm toolkit function to generate a
kubernetes network policy manifest based on overrideable values.
This also adds a chart that shuts down all the ingress and egress
traffics in the namespace. This can be used to ensure the
whitelisted network policy works as intended.
Additionally, implementation is done for some infrastructure charts.
Change-Id: I78e87ef3276e948ae4dd2eb462b4b8012251c8c8
Co-Authored-By: Mike Pham <tp6510@att.com>
Signed-off-by: Tin Lam <tin@irrational.io>
We have two functionally identical places where we add bridges, one in
the neutron chart and one in the openvswitch chart.
It makes more sense to do it only in the neutron chart as that aligns
with the linux_bridge configuration and also is where the
bridge_mappings are specified.
Change-Id: I655380b021b89c3d93475febf7daca8f9d88cc54
This PS adds the ability to attach a release uuid to pods and rc
objects as desired. A follow up ps will add the ability to add arbitary
annotations to the same objects.
Change-Id: Iceedba457a03387f6fc44eb763a00fd57f9d84a5
Signed-off-by: Pete Birley <pete@port.direct>
This moves the openvswitch chart to openstack-helm-infra as part of
the effort to move charts to their appropriate repositories
Change-Id: I6e00231b8de54c01bc9bb31e0433753a9f281542
Story: 2002204
Task: 21730