From f1757c0dd83ef619086fe68965dea1d7d898acfd Mon Sep 17 00:00:00 2001 From: Andrey Pozolotin Date: Thu, 12 Nov 2020 13:58:39 +0300 Subject: [PATCH] Added security context and changed init container logic for onos towards atomix --- onos-classic/Chart.yaml | 2 +- onos-classic/templates/configmap-init.yaml | 2 +- onos-classic/templates/statefulset.yaml | 12 +++++++++--- onos-classic/values.yaml | 15 +++++++++++++++ 4 files changed, 26 insertions(+), 5 deletions(-) diff --git a/onos-classic/Chart.yaml b/onos-classic/Chart.yaml index 60d32835..aeab1a71 100644 --- a/onos-classic/Chart.yaml +++ b/onos-classic/Chart.yaml @@ -1,7 +1,7 @@ --- apiVersion: v1 name: onos-classic -version: 0.1.10 +version: 0.1.11 kubeVersion: ">=1.10.0" appVersion: 2.2.6 description: ONOS cluster diff --git a/onos-classic/templates/configmap-init.yaml b/onos-classic/templates/configmap-init.yaml index 8494ce2c..fdcf013c 100644 --- a/onos-classic/templates/configmap-init.yaml +++ b/onos-classic/templates/configmap-init.yaml @@ -59,6 +59,6 @@ data: ATOMIX_SERVICE=$1 ATOMIX_REPLICAS=$2 - until nslookup "$ATOMIX_SERVICE-api" > /dev/null 2>&1; do sleep 2; done; + until curl -sS -f "$ATOMIX_SERVICE-api:5678/v1/status"; do sleep 10; done; print_config diff --git a/onos-classic/templates/statefulset.yaml b/onos-classic/templates/statefulset.yaml index feed79c9..20a0a50a 100644 --- a/onos-classic/templates/statefulset.yaml +++ b/onos-classic/templates/statefulset.yaml @@ -34,6 +34,9 @@ spec: {{ toYaml . | nindent 8 }} {{- end }} spec: + {{- if .Values.podSecurityContext }} + securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- end }} {{- if .Values.podAntiAffinity.enabled }} affinity: podAntiAffinity: @@ -48,7 +51,7 @@ spec: {{- end }} initContainers: - name: {{ .Chart.Name }}-init - image: tutum/dnsutils:latest + image: "{{ .Values.initContainer.repository }}:{{ .Values.initContainer.tag }}" imagePullPolicy: IfNotPresent env: - name: ATOMIX_SERVICE 
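Review bot: The new readiness loop in configmap-init.yaml puts no time limit on each curl attempt, so a peer that accepts the TCP connection but never answers stalls the init container indefinitely instead of falling through to the next retry. The successful response body is also no longer redirected, so the Atomix status payload ends up in the init container log on every start. `until curl -sS -f --max-time 5 "$ATOMIX_SERVICE-api:5678/v1/status" > /dev/null; do sleep 10; done;` keeps the retry semantics while bounding every attempt and silencing the output. The port 5678 and the plain-http scheme are hard-coded here while the service name comes from the chart, which deserves a comment if that is intentional. The shell function this line belongs to starts before the hunk.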
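Review bot: The init container defined in the @@ -48 hunk of statefulset.yaml gets no securityContext, so the containerSecurityContext that the @@ -80 hunk adds to the main container (drop ALL, allowPrivilegeEscalation false) does not cover it; it runs with only the pod-level runAsUser and the runtime's default capability set. Add the same guarded block under `- name: {{ .Chart.Name }}-init`: `{{- if .Values.containerSecurityContext }}` / `securityContext: {{- toYaml .Values.containerSecurityContext | nindent 10 }}` / `{{- end }}`, assuming the curl image runs unprivileged (confirm). Separately, `imagePullPolicy: IfNotPresent` stays hard-coded here while values.yaml now sets the init tag to `latest`, so nodes keep whatever copy they cached; `imagePullPolicy: {{ .Values.initContainer.pullPolicy | default "IfNotPresent" }}` would make it configurable the way the main container's policy is.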
@@ -80,6 +83,9 @@ spec: {{- end }} containers: - name: {{ .Chart.Name }} + {{- if .Values.containerSecurityContext }} + securityContext: {{- toYaml .Values.containerSecurityContext | nindent 10 }} + {{- end }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: {{ .Values.image.pullPolicy }} resources: @@ -141,11 +147,11 @@ spec: - name: init-scripts configMap: name: {{ template "fullname" . }}-init-scripts - defaultMode: 0744 + defaultMode: 0777 - name: probe-scripts configMap: name: {{ template "fullname" . }}-probe-scripts - defaultMode: 0744 + defaultMode: 0777 - name: config emptyDir: {} {{- if .Values.logging }} diff --git a/onos-classic/values.yaml b/onos-classic/values.yaml index c548849c..65cfe10a 100644 --- a/onos-classic/values.yaml +++ b/onos-classic/values.yaml @@ -7,6 +7,10 @@ image: pullPolicy: IfNotPresent pullSecrets: [] +initContainer: + repository: tutum/curl + tag: latest + replicas: 3 java_opts: -Xmx4G apps: @@ -54,3 +58,14 @@ ports: # log4j2.appender.console.name = Console # log4j2.appender.console.layout.type = PatternLayout # log4j2.appender.console.layout.pattern = %d{RFC3339} %-5level [%c{1}] %msg%n%throwable + +podSecurityContext: + runAsUser: 1000 + fsGroup: 2000 +containerSecurityContext: + runAsNonRoot: true + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL
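Review bot: `defaultMode: 0777` on both configMap volumes in the @@ -141 hunk grants more than the non-root user needs; presumably the change from 0744 is so UID 1000 can execute root-owned scripts, and `defaultMode: 0755` on both lines covers that. ConfigMap volumes are mounted read-only on the Kubernetes versions this chart targets, so the write bits are ineffective, but a world-writable mode shows up as a finding in any manifest audit. Keep the value unquoted: Helm's YAML loader reads the leading-zero literal as octal, which is the integer the API expects.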
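Review bot: `tag: latest` in the new initContainer block of values.yaml makes the rendered init container non-reproducible, and combined with the template's hard-coded `IfNotPresent` pull policy different nodes can end up running different builds. Pin a specific tag, ideally with an image digest, and state the requirement in a comment above the block, e.g. `# image must provide curl; the init script polls the Atomix status endpoint with it`. The `tutum/curl` image appears to be unmaintained, so a currently supported curl image is worth considering when the tag is pinned.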
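Review bot: The new podSecurityContext and containerSecurityContext defaults in values.yaml carry no comments, and two values embed assumptions a chart user needs spelled out: `runAsUser: 1000` only works if the ONOS image is runnable as that UID, and `readOnlyRootFilesystem: false` is a deliberate relaxation that presumably exists because ONOS writes under its install directory. A line above each, `# UID must be runnable by the onos image; fsGroup makes mounted volumes group-accessible` and `# false because ONOS writes to its root filesystem at startup — confirm before tightening`, would document that. With `runAsGroup` unset the primary GID comes from the image's passwd entry for UID 1000 and can fall back to 0 when there is none, so adding `runAsGroup: 1000` next to runAsUser would make the non-root posture explicit.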