Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added security context and changed init container logic for onos #221

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Added security context and changed init container logic for onos #221

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion onos-classic/Chart.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
---
apiVersion: v1
name: onos-classic
version: 0.1.10
version: 0.1.11
kubeVersion: ">=1.10.0"
appVersion: 2.2.6
description: ONOS cluster
Expand Down
2 changes: 1 addition & 1 deletion onos-classic/templates/configmap-init.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,6 @@ data:
ATOMIX_SERVICE=$1
ATOMIX_REPLICAS=$2

until nslookup "$ATOMIX_SERVICE-api" > /dev/null 2>&1; do sleep 2; done;
until curl -sS -f "$ATOMIX_SERVICE-api:5678/v1/status"; do sleep 10; done;

print_config
12 changes: 9 additions & 3 deletions onos-classic/templates/statefulset.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,9 @@ spec:
{{ toYaml . | nindent 8 }}
{{- end }}
spec:
{{- if .Values.podSecurityContext }}
securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }}
{{- end }}
{{- if .Values.podAntiAffinity.enabled }}
affinity:
podAntiAffinity:
Expand All @@ -48,7 +51,7 @@ spec:
{{- end }}
initContainers:
- name: {{ .Chart.Name }}-init
image: tutum/dnsutils:latest
image: "{{ .Values.initContainer.repository }}:{{ .Values.initContainer.tag }}"
charlesmcchan marked this conversation as resolved.
Show resolved Hide resolved
imagePullPolicy: IfNotPresent
env:
- name: ATOMIX_SERVICE
Expand Down Expand Up @@ -80,6 +83,9 @@ spec:
{{- end }}
containers:
- name: {{ .Chart.Name }}
{{- if .Values.containerSecurityContext }}
securityContext: {{- toYaml .Values.containerSecurityContext | nindent 10 }}
{{- end }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
resources:
Expand Down Expand Up @@ -141,11 +147,11 @@ spec:
- name: init-scripts
configMap:
name: {{ template "fullname" . }}-init-scripts
defaultMode: 0744
defaultMode: 0777
- name: probe-scripts
configMap:
name: {{ template "fullname" . }}-probe-scripts
defaultMode: 0744
defaultMode: 0777
- name: config
emptyDir: {}
{{- if .Values.logging }}
Expand Down
15 changes: 15 additions & 0 deletions onos-classic/values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,10 @@ image:
pullPolicy: IfNotPresent
pullSecrets: []

initContainer:
repository: tutum/curl
tag: latest

replicas: 3
java_opts: -Xmx4G
apps:
Expand Down Expand Up @@ -54,3 +58,14 @@ ports:
# log4j2.appender.console.name = Console
# log4j2.appender.console.layout.type = PatternLayout
# log4j2.appender.console.layout.pattern = %d{RFC3339} %-5level [%c{1}] %msg%n%throwable

podSecurityContext:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

again might be worth run-in with these two disabled by default @kuujo thoughts ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no because default should be a secure setup and if a user wants to make it insecure he should do it explicitly otherwise we provide a non-secure definition by default

runAsUser: 1000
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is not very clear what this user and group are. May be better to use name or add a comment.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no, k8s security context identifies a root user as a user having non-numbers in the id, so even admin or some123 will be considered to be root so we have to use numeric ids

fsGroup: 2000
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we have any user with UID 1000 and group with GID 2000 in all images?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this will be enforced by k8s

containerSecurityContext:
runAsNonRoot: true
readOnlyRootFilesystem: false
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL