From 04861c7d74ae92b0a2d95d62890f04372e6c928b Mon Sep 17 00:00:00 2001
From: Stavros kois
Date: Wed, 28 Dec 2022 11:53:58 +0200
Subject: [PATCH] add todo for seccont

---
 .../securityContext_test.yaml | 8 +++++++
 .../lib/container/_securityContext.tpl | 21 ++++++++++++++-----
 .../templates/lib/pod/_extraContainers.tpl | 2 +-
 .../templates/lib/pod/_mainContainer.tpl | 2 +-
 .../templates/lib/pod/_podSecurityContext.tpl | 2 +-
 5 files changed, 27 insertions(+), 8 deletions(-)

diff --git a/library/common-test/tests/container_in_deployment/securityContext_test.yaml b/library/common-test/tests/container_in_deployment/securityContext_test.yaml
index 61be557ea5..382822ccc2 100644
--- a/library/common-test/tests/container_in_deployment/securityContext_test.yaml
+++ b/library/common-test/tests/container_in_deployment/securityContext_test.yaml
@@ -63,6 +63,14 @@ tests:
 readOnlyRootFilesystem: true
 runAsNonRoot: true
+- it: should fail with inherit key added in securityContext on main container
+set:
+securityContext:
+inherit: true
+asserts:
+- failedTemplate:
+errorMessage: key is only available for additional/init/install/upgrade containers.
+
 - it: should fail with securityContext changed, runAsNonRoot true and runAsUser 0
 set:
 securityContext:
diff --git a/library/common/1.0.0/templates/lib/container/_securityContext.tpl b/library/common/1.0.0/templates/lib/container/_securityContext.tpl
index c31c98f1c7..bb1ecff9e4 100644
--- a/library/common/1.0.0/templates/lib/container/_securityContext.tpl
+++ b/library/common/1.0.0/templates/lib/container/_securityContext.tpl
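Review bot: The added case only asserts that `inherit` is rejected on the main container; nothing in this hunk exercises `inherit: true` on an additional container, which is the path that copies `.Values.securityContext` into that container's securityContext and the one where a regression would silently change its hardening. A companion case, in this suite or the one for additional containers, that sets `inherit: true` on an additional container, gives the main `securityContext` a non-default `runAsNonRoot` or `readOnlyRootFilesystem`, and asserts the rendered container values would cover that path. The template's own TODO comment on the inherit branch records the same gap, so the test is the natural place to close it.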
@@ -1,10 +1,25 @@
-init{{/* Security Context included by the container */}}
+{{/* Security Context included by the container */}}
 {{- define "ix.v1.common.container.securityContext" -}}
 {{- $secContext := .secCont -}}
 {{- $podSecContext := .podSecCont -}}
+{{- $isMainContainer := .isMainContainer -}}
 {{- $root := .root -}}
+{{/*
+TODO: Modify podSecContext and securityContext.
+Only applied on podSecContext values that can only be set there.
+Everything else applied to secContext which has more weight and overrides podSec
+*/}}
+
 {{- $defaultSecCont := $root.Values.global.defaults.securityContext -}}
+
+{{- if and (hasKey $secContext "inherit") $isMainContainer -}}
+{{- fail " key is only available for additional/init/install/upgrade containers." -}}
+{{- end -}}
+{{- if and $secContext.inherit (not $isMainContainer) -}} {{/* if inherit is set, use the secContext from main container as default */}}
+{{- $defaultSecCont = $root.Values.securityContext -}}
+{{- end -}} {{/* TODO: Unittests for inherit + normal securityContext */}}
+
 {{- $runAsNonRoot := $defaultSecCont.runAsNonRoot -}}
 {{- $readOnlyRootFilesystem := $defaultSecCont.readOnlyRootFilesystem -}}
 {{- $allowPrivilegeEscalation := $defaultSecCont.allowPrivilegeEscalation -}}
@@ -21,10 +36,6 @@ init{{/* Security Context included by the container */}}
 {{- end -}}
 {{- end -}}
-{{- if $secContext.inheritMain -}} {{/* if inheritMain is set, use the secContext from main container as default */}}
-{{- $defaultSecCont = $root.Values.securityContext -}}
-{{- end -}} {{/* TODO: Unittests for inherit + normal securityContext */}}
-
 {{/* Override defaults based on user/dev input */}}
 {{- if and (hasKey $secContext "runAsNonRoot") (ne (toString $secContext.runAsNonRoot) (toString $runAsNonRoot)) -}}
 {{- $runAsNonRoot = $secContext.runAsNonRoot -}}
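Review bot: The `fail` message in the new inherit guard begins with a space where the key name belongs, so the rendered error reads " key is only available for …" and the reader cannot tell which key was rejected; `{{- fail "inherit key is only available for additional/init/install/upgrade containers." -}}` names it, and the new test's `errorMessage` would need the same wording. The inherit branch also replaces the whole default dict with `$root.Values.securityContext`, so when `runAsNonRoot`, `readOnlyRootFilesystem` and `allowPrivilegeEscalation` are read from `$defaultSecCont` a few lines below, any hardening key the main container does not set explicitly comes back as nil rather than the global default; unless the code after this hunk treats nil as "use the global default", `{{- $defaultSecCont = mergeOverwrite (deepCopy $root.Values.global.defaults.securityContext) $root.Values.securityContext -}}` would keep the defaults and let the main container override only the keys it actually sets. Since the old `inheritMain` key is dropped in the second hunk without a guard, a values file that still uses it is now silently ignored instead of rejected; a `hasKey $secContext "inheritMain"` check that fails with a pointer to the rename would surface that at upgrade time. The define continues past the end of both hunks on this line.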
diff --git a/library/common/1.0.0/templates/lib/pod/_extraContainers.tpl b/library/common/1.0.0/templates/lib/pod/_extraContainers.tpl
index 085c630b9d..0037dbaf1d 100644
--- a/library/common/1.0.0/templates/lib/pod/_extraContainers.tpl
+++ b/library/common/1.0.0/templates/lib/pod/_extraContainers.tpl
@@ -57,7 +57,7 @@
 lifecycle: {{- . | nindent 4 }}
 {{- end -}}
-{{- with (include "ix.v1.common.container.securityContext" (dict "secCont" $container.securityContext "podSecCont" $root.Values.podSecurityContext "root" $root)) | trim }}
+{{- with (include "ix.v1.common.container.securityContext" (dict "secCont" $container.securityContext "podSecCont" $root.Values.podSecurityContext "isMainContainer" false "root" $root)) | trim }}
 securityContext: {{- . | nindent 4 }}
 {{- end -}}
diff --git a/library/common/1.0.0/templates/lib/pod/_mainContainer.tpl b/library/common/1.0.0/templates/lib/pod/_mainContainer.tpl
index d9c19836e5..443d59470b 100644
--- a/library/common/1.0.0/templates/lib/pod/_mainContainer.tpl
+++ b/library/common/1.0.0/templates/lib/pod/_mainContainer.tpl
@@ -19,7 +19,7 @@ So it can work on multiple places, like additional containers and not only the m
 args: {{- . | nindent 4 }}
 {{- end -}}
-{{- with (include "ix.v1.common.container.securityContext" (dict "secCont" .Values.securityContext "podSecCont" .Values.podSecurityContext "root" $)) | trim }}
+{{- with (include "ix.v1.common.container.securityContext" (dict "secCont" .Values.securityContext "podSecCont" .Values.podSecurityContext "isMainContainer" true "root" $)) | trim }}
 securityContext: {{- . | nindent 4 }}
 {{- end -}}
diff --git a/library/common/1.0.0/templates/lib/pod/_podSecurityContext.tpl b/library/common/1.0.0/templates/lib/pod/_podSecurityContext.tpl
index cf5d4a6f56..8950891bc3 100644
--- a/library/common/1.0.0/templates/lib/pod/_podSecurityContext.tpl
+++ b/library/common/1.0.0/templates/lib/pod/_podSecurityContext.tpl
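Review bot: Both call sites on this line now pass `isMainContainer` explicitly, but the define reads it with a plain `.isMainContainer`, so a caller that omits the key gets nil, which is falsy and selects the additional-container branch where `inherit` is honoured. Any other include of `ix.v1.common.container.securityContext` that this commit does not touch (the new fail message itself names init/install/upgrade containers) would therefore silently take that path instead of erroring out. If every caller is meant to declare the flag, reading it as `{{- $isMainContainer := required "isMainContainer must be set by the caller" .isMainContainer -}}` in the define would reject an omitted key while still accepting an explicit `false`, since Helm's `required` only fails on nil and empty strings. The two includes and their `with` blocks are shown in full, but the enclosing container definitions continue outside these hunks.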
@@ -1,4 +1,4 @@
-{{/* A dict podSecContext is expected with keys line runAsUser */}}
+{{/* A dict podSecContext is expected with keys like runAsUser */}}
 {{- define "ix.v1.common.container.podSecurityContext" -}}
 {{- $podSecCont := .podSecCont -}}
 runAsUser: {{ required " value is required." $podSecCont.runAsUser }}