overhaul podSecurityContext and securityContext

This commit is contained in:
Stavros kois
2022-12-28 21:19:17 +02:00
parent 04861c7d74
commit 62bad4f816
17 changed files with 1384 additions and 122 deletions


@@ -81,9 +81,8 @@ tests:
- it: should pass with envs changed because run as user root
documentIndex: *deploymentDoc
set:
podSecurityContext:
runAsUser: 0
securityContext:
runAsUser: 0
runAsNonRoot: false
asserts:
- equal:
@@ -115,9 +114,8 @@ tests:
- it: should pass with envs changed because run as group root
documentIndex: *deploymentDoc
set:
podSecurityContext:
runAsGroup: 0
securityContext:
runAsGroup: 0
runAsNonRoot: false
asserts:
- equal:
@@ -149,9 +147,8 @@ tests:
- it: should pass with envs changed because run as user root and PUID 0
documentIndex: *deploymentDoc
set:
podSecurityContext:
runAsUser: 0
securityContext:
runAsUser: 0
runAsNonRoot: false
security:
PUID: 0
@@ -185,9 +182,8 @@ tests:
- it: should pass with envs changed because run as group root and PUID 0
documentIndex: *deploymentDoc
set:
podSecurityContext:
runAsGroup: 0
securityContext:
runAsGroup: 0
runAsNonRoot: false
security:
PUID: 0
@@ -222,9 +218,9 @@ tests:
documentIndex: *deploymentDoc
set:
podSecurityContext:
runAsGroup: 0
fsGroup: 0
securityContext:
runAsGroup: 0
runAsNonRoot: false
security:
PUID: 0
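Review bot: Every root case in this file pairs `runAsUser: 0` or `runAsGroup: 0` with `runAsNonRoot: false`, but no case pins what the template does when `runAsUser: 0` is combined with `runAsNonRoot: true`, a combination the kubelet rejects at pod creation rather than at template time. A negative case with `securityContext: {runAsUser: 0, runAsNonRoot: true}` and a `failedTemplate` assert would record whether the chart catches it; if the template does not check it yet, the test is the right place to document that gap. The last hunk keeps `fsGroup: 0` under `podSecurityContext` while the uid/gid moved to `securityContext`, which reads as intended but deserves a one-line comment such as `# fsGroup stays pod-level; uid/gid are container-level after the securityContext overhaul`.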


@@ -15,6 +15,8 @@ tests:
set:
securityContext:
runAsNonRoot: false
runAsUser: 0
runAsGroup: 0
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
privileged: true
@@ -28,14 +30,16 @@ tests:
path: spec.template.spec.containers[0].securityContext
value:
allowPrivilegeEscalation: true
privileged: true
readOnlyRootFilesystem: false
runAsNonRoot: false
runAsUser: 0
runAsGroup: 0
capabilities:
add:
- SYS_MODULE
drop:
- NET_ADMIN
privileged: true
readOnlyRootFilesystem: false
runAsNonRoot: false
- it: should pass with securityContext changed from tpl
documentIndex: *deploymentDoc
@@ -62,6 +66,8 @@ tests:
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 568
runAsGroup: 568
- it: should fail with inherit key added in securityContext on main container
set:
@@ -75,7 +81,6 @@ tests:
set:
securityContext:
runAsNonRoot: true
podSecurityContext:
runAsUser: 0
asserts:
- failedTemplate:
@@ -85,7 +90,6 @@ tests:
set:
securityContext:
runAsNonRoot: true
podSecurityContext:
runAsUser: 0
asserts:
- failedTemplate:
@@ -140,3 +144,69 @@ tests:
asserts:
- failedTemplate:
errorMessage: Either <add> or <drop> capabilities is not a list.
- it: should fail with empty capabilities.drop in securityContext
set:
securityContext:
capabilities:
drop:
asserts:
- failedTemplate:
errorMessage: <capabilities.drop> key cannot be empty. Set a value or remove the key for the default ([]) to take effect.
- it: should fail with empty capabilities.add in securityContext
set:
securityContext:
capabilities:
add:
asserts:
- failedTemplate:
errorMessage: <capabilities.add> key cannot be empty. Set a value or remove the key for the default ([]) to take effect.
- it: should fail with empty runAsGroup in securityContext
set:
securityContext:
runAsGroup:
asserts:
- failedTemplate:
errorMessage: <runAsGroup> key cannot be empty. Set a value or remove the key for the default (568) to take effect.
- it: should fail with empty runAsUser in securityContext
set:
securityContext:
runAsUser:
asserts:
- failedTemplate:
errorMessage: <runAsUser> key cannot be empty. Set a value or remove the key for the default (568) to take effect.
- it: should fail with empty privileged in securityContext
set:
securityContext:
privileged:
asserts:
- failedTemplate:
errorMessage: <privileged> key has value (<nil>). But it must be boolean.
- it: should fail with empty allowPrivilegeEscalation in securityContext
set:
securityContext:
allowPrivilegeEscalation:
asserts:
- failedTemplate:
errorMessage: <allowPrivilegeEscalation> key has value (<nil>). But it must be boolean.
- it: should fail with empty readOnlyRootFilesystem in securityContext
set:
securityContext:
readOnlyRootFilesystem:
asserts:
- failedTemplate:
errorMessage: <readOnlyRootFilesystem> key has value (<nil>). But it must be boolean.
- it: should fail with empty runAsNonRoot in securityContext
set:
securityContext:
runAsNonRoot:
asserts:
- failedTemplate:
errorMessage: <runAsNonRoot> key has value (<nil>). But it must be boolean.
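Review bot: The new negative cases at the end of the file only cover the nil value for `privileged`, `allowPrivilegeEscalation`, `readOnlyRootFilesystem` and `runAsNonRoot`; a quoted string such as `privileged: "true"`, the typo the template's boolean check comments on wanting to catch, is not exercised, so a regression that accepts strings would pass this suite. Add one case per flag with a string value and the same `failedTemplate` assert, and a `runAsUser: "568"` case if the template validates it as an integer. The first hunk's expected value block lists `privileged`, `readOnlyRootFilesystem` and `runAsNonRoot` twice as rendered here; I read that as old and new lines printed together rather than a duplicate key in the file, but it is worth confirming since most YAML parsers would take the last value silently.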


@@ -59,16 +59,24 @@ tests:
path: spec.template.spec.containers[0].terminationMessagePath
- isNull:
path: spec.template.spec.containers[0].terminationMessagePolicy
- equal:
path: spec.template.spec.securityContext
value:
fsGroup: 568
fsGroupChangePolicy: OnRootMismatch
supplementalGroups: []
- equal:
path: spec.template.spec.containers[0].securityContext
value:
allowPrivilegeEscalation: false
capabilities:
add: []
drop: []
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 568
runAsGroup: 568
capabilities:
add: []
drop: []
- equal:
path: spec.template.spec.containers[0].env
value:
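Review bot: The default pinned for `spec.template.spec.containers[0].securityContext` has `capabilities.drop: []`, so the chart's baseline drops no capabilities, and no `seccompProfile` appears in either the pod-level or container-level default. Both are required by the Kubernetes restricted Pod Security Standard (`drop: ["ALL"]` and `seccompProfile.type: RuntimeDefault`), so workloads on these defaults will not admit into a namespace enforcing `restricted`. If that is a deliberate compatibility choice, a comment above this assert such as `# baseline keeps the runtime's default capability set; restricted PSS needs drop: [ALL]` would stop the next reader from treating this test as the hardened profile. The expected value block repeats `capabilities` twice as rendered, which I take to be old and new lines displayed together.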


@@ -12,17 +12,14 @@ tests:
- equal:
path: spec.template.spec.securityContext
value:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
fsGroupChangePolicy: OnRootMismatch
supplementalGroups: []
- it: should pass with changed podSecurity values
documentIndex: *deploymentDoc
set:
podSecurityContext:
runAsUser: 999
runAsGroup: 999
fsGroup: 999
fsGroupChangePolicy: Always
supplementalGroups:
@@ -31,37 +28,11 @@ tests:
- equal:
path: spec.template.spec.securityContext
value:
runAsUser: 999
runAsGroup: 999
fsGroup: 999
fsGroupChangePolicy: Always
supplementalGroups:
- 1000
- it: should fail without runAsUser
set:
podSecurityContext:
runAsUser:
asserts:
- failedTemplate:
errorMessage: <runAsUser> value is required.
- it: should fail without runAsGroup
set:
podSecurityContext:
runAsGroup:
asserts:
- failedTemplate:
errorMessage: <runAsGroup> value is required.
- it: should fail without fsGroup
set:
podSecurityContext:
fsGroup:
asserts:
- failedTemplate:
errorMessage: <fsGroup> value is required.
- it: should fail with invalid fsGroupChangePolicy
set:
podSecurityContext:
@@ -69,3 +40,27 @@ tests:
asserts:
- failedTemplate:
errorMessage: Invalid option for fsGroupChangePolicy. Valid options are <Always> and <OnRootMismatch>.
- it: should fail with empty fsGroupChangePolicy
set:
podSecurityContext:
fsGroupChangePolicy:
asserts:
- failedTemplate:
errorMessage: <fsGroupChangePolicy> key cannot be empty. Set a value or remove the key for the default (OnRootMismatch) to take effect.
- it: should fail with empty fsGroup
set:
podSecurityContext:
fsGroup:
asserts:
- failedTemplate:
errorMessage: <fsGroup> key cannot be empty. Set a value or remove the key for the default (568) to take effect.
- it: should fail with empty supplementalGroups
set:
podSecurityContext:
supplementalGroups:
asserts:
- failedTemplate:
errorMessage: <supplementalGroups> key cannot be empty. Set a value or remove the key for the default ([]) to take effect.
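Review bot: The cases removed from this file show `runAsUser` and `runAsGroup` used to be required under `podSecurityContext`, but none of the new cases pins what the template does when a values file from before this change still sets `podSecurityContext.runAsUser`. If the key is simply no longer read, a user's UID override would be dropped silently and the container would run as the chart default instead, which is the kind of regression a test should catch. Add a case that sets `podSecurityContext: {runAsUser: 0}` and asserts either `failedTemplate` (if unknown keys are rejected) or `isNull` on `spec.template.spec.securityContext.runAsUser` (if they are ignored), whichever the template actually does.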


@@ -334,3 +334,201 @@ tests:
asserts:
- failedTemplate:
errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-some-name) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (secret-RELEASE-NAME-common-test-some-secret)]
- it: should pass with securityContext inherited
documentIndex: *deploymentDoc
set:
securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
privileged: true
allowPrivilegeEscalation: true
capabilities:
add:
- Something
drop:
- Something_Else
initContainers:
some_container:
imageSelector: image
securityContext:
inherit: true
asserts:
- isSubset:
path: spec.template.spec.containers[0]
content:
securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
privileged: true
allowPrivilegeEscalation: true
capabilities:
add:
- Something
drop:
- Something_Else
- isSubset:
path: spec.template.spec.initContainers[0]
content:
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- Something
drop:
- Something_Else
privileged: true
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
- it: should pass with securityContext default
documentIndex: *deploymentDoc
set:
initContainers:
some_container:
imageSelector: image
securityContext:
inherit: true
asserts:
- isSubset:
path: spec.template.spec.containers[0]
content:
securityContext:
allowPrivilegeEscalation: false
capabilities:
add: []
drop: []
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 568
runAsNonRoot: true
runAsUser: 568
- isSubset:
path: spec.template.spec.initContainers[0]
content:
securityContext:
allowPrivilegeEscalation: false
capabilities:
add: []
drop: []
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 568
runAsNonRoot: true
runAsUser: 568
- it: should pass with securityContext changed
documentIndex: *deploymentDoc
set:
initContainers:
some_container:
imageSelector: image
securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
privileged: true
allowPrivilegeEscalation: true
capabilities:
add:
- Something
drop:
- Something_Else
asserts:
- isSubset:
path: spec.template.spec.containers[0]
content:
securityContext:
allowPrivilegeEscalation: false
capabilities:
add: []
drop: []
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 568
runAsNonRoot: true
runAsUser: 568
- isSubset:
path: spec.template.spec.initContainers[0]
content:
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- Something
drop:
- Something_Else
privileged: true
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
- it: should pass with securityContext with some values changed
documentIndex: *deploymentDoc
set:
initContainers:
some_container:
imageSelector: image
securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
capabilities:
add:
- Something
asserts:
- isSubset:
path: spec.template.spec.containers[0]
content:
securityContext:
allowPrivilegeEscalation: false
capabilities:
add: []
drop: []
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 568
runAsNonRoot: true
runAsUser: 568
- isSubset:
path: spec.template.spec.initContainers[0]
content:
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- Something
drop: []
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
- it: should fail with securityContext with inherit and at least one value changed
documentIndex: *deploymentDoc
set:
securityContext:
privileged: true
allowPrivilegeEscalation: true
capabilities:
drop:
- something_else
initContainers:
some_container:
imageSelector: image
securityContext:
inherit: true
runAsUser: 0
asserts:
- failedTemplate:
errorMessage: Overriding inherited securityContext is not supported. Please unset inherit or remove the keys ([runAsUser])
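Review bot: No case here covers an init container that sets `inherit: false` together with its own keys; the template guard in this commit is `and $secCont.inherit (not $isMainContainer)`, so an explicit `false` skips the override check, but nothing pins that `inherit: false` plus `runAsUser: 0` renders rather than failing. Adding that case next to "should fail with securityContext with inherit and at least one value changed" would also document the `inherit` contract: `true` copies the main container's context exactly, anything else starts from the global defaults as far as the template hunk shows. The "some values changed" case shows unset keys fall back to the global defaults rather than to the main container's values, which deserves a one-line comment on that test since the name does not make it obvious. The same five cases are repeated verbatim for initContainers on upgrade, installContainers and upgradeContainers in this commit, and these points apply there too.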


@@ -1,6 +1,8 @@
suite: initContainer in deployment test (on Upgrade)
templates:
- common.yaml
release:
upgrade: true
tests:
- it: should pass with default values
documentIndex: &deploymentDoc 0
@@ -75,3 +77,460 @@ tests:
content:
image: some-repo-init2:some-tag-init2
imagePullPolicy: IfNotPresent
- it: should pass with tty and stdin defined in init container
documentIndex: *deploymentDoc
set:
initContainers:
some-name:
tty: true
stdin: true
asserts:
- isSubset:
path: spec.template.spec.containers[0]
content:
tty: false
stdin: false
- isSubset:
path: spec.template.spec.initContainers[0]
content:
tty: true
stdin: true
- it: should pass with command and args defined in init container
documentIndex: *deploymentDoc
set:
port: 8080
entrypoint: ./run.sh
initContainers:
some-name:
command:
- /bin/sh
- -c
- |
{{ .Values.entrypoint }}
args:
- --port
- "{{ .Values.port }}"
extraArgs:
- --data_dir
- /data
asserts:
- isNotSubset:
path: spec.template.spec.containers[0]
content:
command:
- /bin/sh
- -c
- |
./run.sh
args:
- --port
- "8080"
- --data_dir
- /data
- isSubset:
path: spec.template.spec.initContainers[0]
content:
command:
- /bin/sh
- -c
- |
./run.sh
args:
- --port
- "8080"
- --data_dir
- /data
- it: should pass with termination defined in init container
documentIndex: *deploymentDoc
set:
initContainers:
some-name:
termination:
messagePath: somePath
messagePolicy: File
asserts:
- isNotSubset:
path: spec.template.spec.containers[0]
content:
terminationMessagePath: somePath
terminationMessagePolicy: File
- isSubset:
path: spec.template.spec.initContainers[0]
content:
terminationMessagePath: somePath
terminationMessagePolicy: File
- it: should pass with resources defined in init container
documentIndex: *deploymentDoc
set:
initContainers:
some-name:
resources:
limits:
cpu: 3000m
memory: 4Gi
requests:
cpu: 20m
memory: 100Mi
asserts:
- isSubset:
path: spec.template.spec.containers[0]
content:
resources:
limits:
cpu: 4000m
memory: 8Gi
requests:
cpu: 10m
memory: 50Mi
- isSubset:
path: spec.template.spec.initContainers[0]
content:
resources:
limits:
cpu: 3000m
memory: 4Gi
requests:
cpu: 20m
memory: 100Mi
- it: should pass with envFrom defined in init container
documentIndex: *deploymentDoc
set:
some_name: a_name
some_name2: a_name2
initContainers:
some-name:
envFrom:
- configMapRef:
name: "{{ .Values.some_name }}"
- configMapRef:
name: "{{ .Values.some_name2 }}"
asserts:
- isNotSubset:
path: spec.template.spec.containers[0]
content:
envFrom:
- configMapRef:
name: a_name
- configMapRef:
name: a_name2
- isSubset:
path: spec.template.spec.initContainers[0]
content:
envFrom:
- configMapRef:
name: a_name
- configMapRef:
name: a_name2
- it: should pass with env and envList defined in init container
documentIndex: *deploymentDoc
set:
some_value: value
some_value2: value2
some_value3: value3
some_value4: value4
initContainers:
some-name:
env:
var1: "{{ .Values.some_value }}"
var2: "{{ .Values.some_value2 }}"
envList:
- name: var3
value: "{{ .Values.some_value3 }}"
- name: var4
value: "{{ .Values.some_value4 }}"
asserts:
- isNotSubset:
path: spec.template.spec.containers[0]
content:
env:
- name: var1
value: value
- name: var2
value: value2
- name: var3
value: value3
- name: var4
value: value4
- isSubset:
path: spec.template.spec.initContainers[0]
content:
env:
- name: TZ
value: UTC
- name: UMASK
value: "2"
- name: UMASK_SET
value: "2"
- name: NVIDIA_VISIBLE_DEVICES
value: void
- name: S6_READ_ONLY_ROOT
value: "1"
- name: var1
value: value
- name: var2
value: value2
- name: var3
value: value3
- name: var4
value: value4
- it: should fail with lifecycle defined in init container
documentIndex: *deploymentDoc
set:
initContainers:
some-name:
lifecycle:
asserts:
- failedTemplate:
errorMessage: Init/Install/Upgrade Container (RELEASE-NAME-common-test-some-name) do not support lifecycle hooks
- it: should fail with env trying to override fixedEnvs in init container
documentIndex: *deploymentDoc
set:
initContainers:
some-name:
env:
TZ: something
asserts:
- failedTemplate:
errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-some-name) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (env)]
- it: should fail with env trying to override configmap in init container
documentIndex: *deploymentDoc
set:
configmap:
some-confmap:
enabled: true
parseAsEnv: true
content:
TZ: something
initContainers:
some-name:
envFrom:
- configMapRef:
name: '{{ include "ix.v1.common.names.fullname" . }}-some-confmap'
asserts:
- failedTemplate:
errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-some-name) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (configmap-RELEASE-NAME-common-test-some-confmap)]
- it: should fail with env trying to override secret in init container
documentIndex: *deploymentDoc
set:
secret:
some-secret:
enabled: true
parseAsEnv: true
content:
TZ: something
initContainers:
some-name:
envFrom:
- secretRef:
name: '{{ include "ix.v1.common.names.fullname" . }}-some-secret'
asserts:
- failedTemplate:
errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-some-name) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (secret-RELEASE-NAME-common-test-some-secret)]
- it: should pass with securityContext inherited
documentIndex: *deploymentDoc
set:
securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
privileged: true
allowPrivilegeEscalation: true
capabilities:
add:
- Something
drop:
- Something_Else
initContainers:
some_container:
imageSelector: image
securityContext:
inherit: true
asserts:
- isSubset:
path: spec.template.spec.containers[0]
content:
securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
privileged: true
allowPrivilegeEscalation: true
capabilities:
add:
- Something
drop:
- Something_Else
- isSubset:
path: spec.template.spec.initContainers[0]
content:
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- Something
drop:
- Something_Else
privileged: true
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
- it: should pass with securityContext default
documentIndex: *deploymentDoc
set:
initContainers:
some_container:
imageSelector: image
securityContext:
inherit: true
asserts:
- isSubset:
path: spec.template.spec.containers[0]
content:
securityContext:
allowPrivilegeEscalation: false
capabilities:
add: []
drop: []
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 568
runAsNonRoot: true
runAsUser: 568
- isSubset:
path: spec.template.spec.initContainers[0]
content:
securityContext:
allowPrivilegeEscalation: false
capabilities:
add: []
drop: []
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 568
runAsNonRoot: true
runAsUser: 568
- it: should pass with securityContext changed
documentIndex: *deploymentDoc
set:
initContainers:
some_container:
imageSelector: image
securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
privileged: true
allowPrivilegeEscalation: true
capabilities:
add:
- Something
drop:
- Something_Else
asserts:
- isSubset:
path: spec.template.spec.containers[0]
content:
securityContext:
allowPrivilegeEscalation: false
capabilities:
add: []
drop: []
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 568
runAsNonRoot: true
runAsUser: 568
- isSubset:
path: spec.template.spec.initContainers[0]
content:
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- Something
drop:
- Something_Else
privileged: true
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
- it: should pass with securityContext with some values changed
documentIndex: *deploymentDoc
set:
initContainers:
some_container:
imageSelector: image
securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
capabilities:
add:
- Something
asserts:
- isSubset:
path: spec.template.spec.containers[0]
content:
securityContext:
allowPrivilegeEscalation: false
capabilities:
add: []
drop: []
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 568
runAsNonRoot: true
runAsUser: 568
- isSubset:
path: spec.template.spec.initContainers[0]
content:
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- Something
drop: []
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
- it: should fail with securityContext with inherit and at least one value changed
documentIndex: *deploymentDoc
set:
securityContext:
privileged: true
allowPrivilegeEscalation: true
capabilities:
drop:
- something_else
initContainers:
some_container:
imageSelector: image
securityContext:
inherit: true
runAsUser: 0
asserts:
- failedTemplate:
errorMessage: Overriding inherited securityContext is not supported. Please unset inherit or remove the keys ([runAsUser])
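Review bot: The env case "should pass with env and envList defined in init container" pins `S6_READ_ONLY_ROOT: "1"` and `UMASK`/`UMASK_SET` only for an init container on the default securityContext; now that the fixedEnvs include receives the per-container `secCont` and `isMainContainer`, there is no case asserting those envs for an init container whose own `securityContext` sets `readOnlyRootFilesystem: false` or `runAsUser: 0`, nor for one using `inherit: true` under a non-default main context. Those are exactly the paths the new parameters add, so one case per path, with whatever the expected env values are, would actually cover the change. The suite also gained `release: upgrade: true` at the top while most of the new cases are copies of the install-time suite; a comment under `suite:` naming what differs on upgrade would help anyone diffing the two files.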


@@ -348,3 +348,200 @@ tests:
asserts:
- failedTemplate:
errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-some-name) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (secret-RELEASE-NAME-common-test-some-secret)]
- it: should pass with securityContext inherited
documentIndex: *deploymentDoc
set:
securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
privileged: true
allowPrivilegeEscalation: true
capabilities:
add:
- Something
drop:
- Something_Else
installContainers:
some_container:
imageSelector: image
securityContext:
inherit: true
asserts:
- isSubset:
path: spec.template.spec.containers[0]
content:
securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
privileged: true
allowPrivilegeEscalation: true
capabilities:
add:
- Something
drop:
- Something_Else
- isSubset:
path: spec.template.spec.initContainers[0]
content:
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- Something
drop:
- Something_Else
privileged: true
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
- it: should pass with securityContext default
documentIndex: *deploymentDoc
set:
installContainers:
some_container:
imageSelector: image
securityContext:
inherit: true
asserts:
- isSubset:
path: spec.template.spec.containers[0]
content:
securityContext:
allowPrivilegeEscalation: false
capabilities:
add: []
drop: []
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 568
runAsNonRoot: true
runAsUser: 568
- isSubset:
path: spec.template.spec.initContainers[0]
content:
securityContext:
allowPrivilegeEscalation: false
capabilities:
add: []
drop: []
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 568
runAsNonRoot: true
runAsUser: 568
- it: should pass with securityContext changed
documentIndex: *deploymentDoc
set:
installContainers:
some_container:
imageSelector: image
securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
privileged: true
allowPrivilegeEscalation: true
capabilities:
add:
- Something
drop:
- Something_Else
asserts:
- isSubset:
path: spec.template.spec.containers[0]
content:
securityContext:
allowPrivilegeEscalation: false
capabilities:
add: []
drop: []
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 568
runAsNonRoot: true
runAsUser: 568
- isSubset:
path: spec.template.spec.initContainers[0]
content:
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- Something
drop:
- Something_Else
privileged: true
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
- it: should pass with securityContext with some values changed
documentIndex: *deploymentDoc
set:
installContainers:
some_container:
imageSelector: image
securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
capabilities:
add:
- Something
asserts:
- isSubset:
path: spec.template.spec.containers[0]
content:
securityContext:
allowPrivilegeEscalation: false
capabilities:
add: []
drop: []
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 568
runAsNonRoot: true
runAsUser: 568
- isSubset:
path: spec.template.spec.initContainers[0]
content:
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- Something
drop: []
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
- it: should fail with securityContext with inherit and at least one value changed
documentIndex: *deploymentDoc
set:
securityContext:
privileged: true
allowPrivilegeEscalation: true
capabilities:
drop:
- something_else
installContainers:
some_container:
imageSelector: image
securityContext:
inherit: true
runAsUser: 0
asserts:
- failedTemplate:
errorMessage: Overriding inherited securityContext is not supported. Please unset inherit or remove the keys ([runAsUser])


@@ -350,3 +350,200 @@ tests:
asserts:
- failedTemplate:
errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-some-name) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (secret-RELEASE-NAME-common-test-some-secret)]
- it: should pass with securityContext inherited
documentIndex: *deploymentDoc
set:
securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
privileged: true
allowPrivilegeEscalation: true
capabilities:
add:
- Something
drop:
- Something_Else
upgradeContainers:
some_container:
imageSelector: image
securityContext:
inherit: true
asserts:
- isSubset:
path: spec.template.spec.containers[0]
content:
securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
privileged: true
allowPrivilegeEscalation: true
capabilities:
add:
- Something
drop:
- Something_Else
- isSubset:
path: spec.template.spec.initContainers[0]
content:
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- Something
drop:
- Something_Else
privileged: true
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
- it: should pass with securityContext default
documentIndex: *deploymentDoc
set:
upgradeContainers:
some_container:
imageSelector: image
securityContext:
inherit: true
asserts:
- isSubset:
path: spec.template.spec.containers[0]
content:
securityContext:
allowPrivilegeEscalation: false
capabilities:
add: []
drop: []
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 568
runAsNonRoot: true
runAsUser: 568
- isSubset:
path: spec.template.spec.initContainers[0]
content:
securityContext:
allowPrivilegeEscalation: false
capabilities:
add: []
drop: []
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 568
runAsNonRoot: true
runAsUser: 568
- it: should pass with securityContext changed
documentIndex: *deploymentDoc
set:
upgradeContainers:
some_container:
imageSelector: image
securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
privileged: true
allowPrivilegeEscalation: true
capabilities:
add:
- Something
drop:
- Something_Else
asserts:
- isSubset:
path: spec.template.spec.containers[0]
content:
securityContext:
allowPrivilegeEscalation: false
capabilities:
add: []
drop: []
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 568
runAsNonRoot: true
runAsUser: 568
- isSubset:
path: spec.template.spec.initContainers[0]
content:
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- Something
drop:
- Something_Else
privileged: true
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
- it: should pass with securityContext with some values changed
documentIndex: *deploymentDoc
set:
upgradeContainers:
some_container:
imageSelector: image
securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
capabilities:
add:
- Something
asserts:
- isSubset:
path: spec.template.spec.containers[0]
content:
securityContext:
allowPrivilegeEscalation: false
capabilities:
add: []
drop: []
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 568
runAsNonRoot: true
runAsUser: 568
- isSubset:
path: spec.template.spec.initContainers[0]
content:
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- Something
drop: []
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
- it: should fail with securityContext with inherit and at least one value changed
documentIndex: *deploymentDoc
set:
securityContext:
privileged: true
allowPrivilegeEscalation: true
capabilities:
drop:
- something_else
upgradeContainers:
some_container:
imageSelector: image
securityContext:
inherit: true
runAsUser: 0
asserts:
- failedTemplate:
errorMessage: Overriding inherited securityContext is not supported. Please unset inherit or remove the keys ([runAsUser])


@@ -10,11 +10,13 @@ That's why the custom dict is expected.
{{- $envs := .envs -}}
{{- $envList := .envList -}}
{{- $containerName := .containerName -}}
{{- $isMainContainer := .isMainContainer -}}
{{- $secCont := .secCont -}}
{{- $root := .root -}}
{{- $fixedEnv := list -}}
{{- if $root.Values.injectFixedEnvs -}}
{{- $fixedEnv = (include "ix.v1.common.container.fixedEnvs" (dict "root" $root "fixedEnv" $fixedEnv "containerName" $containerName)) -}}
{{- $fixedEnv = (include "ix.v1.common.container.fixedEnvs" (dict "root" $root "fixedEnv" $fixedEnv "containerName" $containerName "isMainContainer" $isMainContainer "secCont" $secCont)) -}}
{{- end -}} {{/* Finish fixedEnv */}}
{{- with $fixedEnv -}}
{{- range $fixedEnv | fromJsonArray }} {{/* "fromJsonArray" parses stringified output and convet to list */}}
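Review bot: The `$secCont` forwarded to `ix.v1.common.container.fixedEnvs` appears to be the caller's raw `.secCont`, taken before the inheritance and default resolution that `ix.v1.common.container.securityContext` performs in this same commit, so for an init container with `securityContext: {inherit: true}` fixedEnvs would see `{inherit: true}` rather than the main container's context, and for an unset key it would see nothing rather than the global default. Unless fixedEnvs repeats that resolution itself (not visible here), env values derived from the context, such as the UID/GID and read-only-root ones the tests assert, could diverge from the securityContext actually rendered. Either pass the resolved context or document at the call site why the raw one is enough, e.g. `{{/* fixedEnvs re-resolves inherit/defaults itself; raw secCont is intentional */}}` if that is the case. The enclosing define starts above this hunk.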


@@ -1,70 +1,113 @@
{{/* Security Context included by the container */}}
{{- define "ix.v1.common.container.securityContext" -}}
{{- $secContext := .secCont -}}
{{- $podSecContext := .podSecCont -}}
{{- $secCont := .secCont -}}
{{- $isMainContainer := .isMainContainer -}}
{{- $root := .root -}}
{{/*
TODO: Modify podSecContext and securityContext.
Only applied on podSecContext values that can only be set there.
Everything else applied to secContext which has more weight and overrides podSec
*/}}
{{- $defaultSecCont := $root.Values.global.defaults.securityContext -}}
{{- if and (hasKey $secContext "inherit") $isMainContainer -}}
{{- if and (hasKey $secCont "inherit") $isMainContainer -}}
{{- fail "<inherit> key is only available for additional/init/install/upgrade containers." -}}
{{- end -}}
{{- if and $secContext.inherit (not $isMainContainer) -}} {{/* if inherit is set, use the secContext from main container as default */}}
{{- $defaultSecCont = $root.Values.securityContext -}}
{{- end -}} {{/* TODO: Unittests for inherit + normal securityContext */}}
{{- if and $secCont.inherit (not $isMainContainer) -}} {{/* if inherit is set, use the secContext from main container as default */}}
{{- if gt (len (keys $secCont)) 1 -}}
{{- fail (printf "Overriding inherited securityContext is not supported. Please unset inherit or remove the keys (%s)" (without (keys $secCont) "inherit")) -}}
{{- end -}}
{{- $secCont = $root.Values.securityContext -}}
{{- end -}}
{{/* Init Values */}}
{{- $runAsNonRoot := $defaultSecCont.runAsNonRoot -}}
{{- $runAsUser := $defaultSecCont.runAsUser -}}
{{- $runAsGroup := $defaultSecCont.runAsGroup -}}
{{- $readOnlyRootFilesystem := $defaultSecCont.readOnlyRootFilesystem -}}
{{- $allowPrivilegeEscalation := $defaultSecCont.allowPrivilegeEscalation -}}
{{- $privileged := $defaultSecCont.privileged -}}
{{- $capAdd := $defaultSecCont.capabilities.add -}}
{{- $capDrop := $defaultSecCont.capabilities.drop -}}
{{/* Check that they are set as booleans to prevent typos */}}
{{- range $bool := (list "runAsNonRoot" "privileged" "readOnlyRootFilesystem" "allowPrivilegeEscalation") -}}
{{- if (hasKey $secContext $bool) -}}
{{- if not (kindIs "bool" (get $secContext $bool)) -}}
{{- fail (printf "<%s> key has value (%s). But it must be boolean." $bool (get $secContext $bool)) -}}
{{/* Override based on user/dev input */}}
{{- if (hasKey $secCont "runAsNonRoot") -}}
{{- if not (kindIs "bool" $secCont.runAsNonRoot) -}}
{{- fail (printf "<runAsNonRoot> key has value (%v). But it must be boolean." $secCont.runAsNonRoot) -}}
{{- else if or (eq $secCont.runAsNonRoot true) (eq $secCont.runAsNonRoot false) -}}
{{- $runAsNonRoot = $secCont.runAsNonRoot -}}
{{- end -}}
{{- end -}}
{{- if (hasKey $secCont "readOnlyRootFilesystem") -}}
{{- if not (kindIs "bool" $secCont.readOnlyRootFilesystem) -}}
{{- fail (printf "<readOnlyRootFilesystem> key has value (%v). But it must be boolean." $secCont.readOnlyRootFilesystem) -}}
{{- else if or (eq $secCont.readOnlyRootFilesystem true) (eq $secCont.readOnlyRootFilesystem false) -}}
{{- $readOnlyRootFilesystem = $secCont.readOnlyRootFilesystem -}}
{{- end -}}
{{- end -}}
{{- if (hasKey $secCont "allowPrivilegeEscalation") -}}
{{- if not (kindIs "bool" $secCont.allowPrivilegeEscalation) -}}
{{- fail (printf "<allowPrivilegeEscalation> key has value (%v). But it must be boolean." $secCont.allowPrivilegeEscalation) -}}
{{- else if or (eq $secCont.allowPrivilegeEscalation true) (eq $secCont.allowPrivilegeEscalation false) -}}
{{- $allowPrivilegeEscalation = $secCont.allowPrivilegeEscalation -}}
{{- end -}}
{{- end -}}
{{- if (hasKey $secCont "privileged") -}}
{{- if not (kindIs "bool" $secCont.privileged) -}}
{{- fail (printf "<privileged> key has value (%v). But it must be boolean." $secCont.privileged) -}}
{{- else if or (eq $secCont.privileged true) (eq $secCont.privileged false) -}}
{{- $privileged = $secCont.privileged -}}
{{- end -}}
{{- end -}}
{{- if (hasKey $secCont "runAsUser") -}}
{{- if eq (toString $secCont.runAsUser) "<nil>" -}}
{{- fail (printf "<runAsUser> key cannot be empty. Set a value or remove the key for the default (%v) to take effect." $runAsUser) -}}
{{- else if ge (int $secCont.runAsUser) 0 -}}
{{- $runAsUser = $secCont.runAsUser -}}
{{- end -}}
{{- end -}}
{{- if (hasKey $secCont "runAsGroup") -}}
{{- if eq (toString $secCont.runAsGroup) "<nil>" -}}
{{- fail (printf "<runAsGroup> key cannot be empty. Set a value or remove the key for the default (%v) to take effect." $runAsGroup) -}}
{{- else if ge (int $secCont.runAsGroup) 0 -}}
{{- $runAsGroup = $secCont.runAsGroup -}}
{{- end -}}
{{- end -}}
{{- if (hasKey $secCont "capabilities") -}}
{{- if (hasKey $secCont.capabilities "add") -}}
{{- if $secCont.capabilities.add -}}
{{- $capAdd = $secCont.capabilities.add -}}
{{- else -}}
{{- fail (printf "<capabilities.add> key cannot be empty. Set a value or remove the key for the default (%s) to take effect." $capAdd) -}}
{{- end -}}
{{- end -}}
{{- if (hasKey $secCont.capabilities "drop") -}}
{{- if $secCont.capabilities.drop -}}
{{- $capDrop = $secCont.capabilities.drop -}}
{{- else -}}
{{- fail (printf "<capabilities.drop> key cannot be empty. Set a value or remove the key for the default (%s) to take effect." $capDrop) -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/* Override defaults based on user/dev input */}}
{{- if and (hasKey $secContext "runAsNonRoot") (ne (toString $secContext.runAsNonRoot) (toString $runAsNonRoot)) -}}
{{- $runAsNonRoot = $secContext.runAsNonRoot -}}
{{- end -}}
{{- if and (hasKey $secContext "readOnlyRootFilesystem") (ne (toString $secContext.readOnlyRootFilesystem) (toString $readOnlyRootFilesystem)) -}}
{{- $readOnlyRootFilesystem = $secContext.readOnlyRootFilesystem -}}
{{- end -}}
{{- if and (hasKey $secContext "allowPrivilegeEscalation") (ne (toString $secContext.allowPrivilegeEscalation) (toString $allowPrivilegeEscalation)) -}}
{{- $allowPrivilegeEscalation = $secContext.allowPrivilegeEscalation -}}
{{- end -}}
{{- if and (hasKey $secContext "privileged") (ne (toString $secContext.privileged) (toString $privileged)) -}}
{{- $privileged = $secContext.privileged -}}
{{- end -}}
{{/* If has key "add" and has items in the list. */}}
{{- if and (hasKey $secContext.capabilities "add") $secContext.capabilities.add -}}
{{- $capAdd = $secContext.capabilities.add -}}
{{- end -}}
{{/* If has key "drop" and has items in the list. */}}
{{- if and (hasKey $secContext.capabilities "drop") $secContext.capabilities.drop -}}
{{- $capDrop = $secContext.capabilities.drop -}}
{{/* Check that they are still set as booleans after the overrides to prevent errors */}}
{{- range $bool := (list $runAsNonRoot $privileged $readOnlyRootFilesystem $allowPrivilegeEscalation) -}}
{{- if not (kindIs "bool" $bool) -}}
{{- fail (printf "One of <runAsNonRoot>, <privileged>, <readOnlyRootFilesystem>, <allowPrivilegeEscalation> has value of (%s). But it must be boolean." $bool) -}}
{{- end -}}
{{- end -}}
{{/* Only run as root if it's explicitly defined */}}
{{- if or (eq (int $podSecContext.runAsUser) 0) (eq (int $podSecContext.runAsGroup) 0) -}}
{{- if or (eq (int $runAsUser) 0) (eq (int $runAsGroup) 0) -}}
{{- if $runAsNonRoot -}}
{{- fail "You are trying to run as root (user or group), but runAsNonRoot is set to true" -}}
{{- fail (printf "You are trying to run as root (user or group), but runAsNonRoot is set to %v" $runAsNonRoot) -}}
{{- end -}}
{{- end }}
runAsNonRoot: {{ $runAsNonRoot }}
runAsUser: {{ $runAsUser }}
runAsGroup: {{ $runAsGroup }}
readOnlyRootFilesystem: {{ $readOnlyRootFilesystem }}
allowPrivilegeEscalation: {{ $allowPrivilegeEscalation }}
privileged: {{ $privileged }} {{/* TODO: Set to true if deviceList is used? */}}
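Review bot: The `runAsUser`/`runAsGroup` guards at the `{{- else if ge (int $secCont.runAsUser) 0 -}}` lines silently fall back to the chart default when the supplied value is negative, and because sprig's `int` yields 0 for anything it cannot parse (from memory of its cast behaviour; worth confirming with a unit test that sets `runAsUser: "abc"`), a non-numeric value passes the `ge … 0` test and is emitted verbatim on the `runAsUser:` output line, so the mistake would presumably surface only at the API server rather than in the chart. Failing loudly keeps this consistent with the `<nil>` branch just above: replace the `ge` line with `{{- else if lt (int $secCont.runAsUser) 0 -}}`, add `{{- fail (printf "<runAsUser> key must be a non-negative integer, but has value (%v)." $secCont.runAsUser) -}}`, and move the existing assignment under `{{- else -}}`. The same pattern applies to `runAsGroup` in this hunk, to the runAsUser/runAsGroup/fsGroup copies in the fixedEnvs hunk, and to `fsGroup` in the podSecurityContext hunk. The capabilities output and the define's closing `end` are outside the hunk.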


@@ -5,25 +5,84 @@ will be parsed correctly without causing errors.
{{- define "ix.v1.common.container.fixedEnvs" -}}
{{- $root := .root -}}
{{- $containerName := .containerName -}}
{{- $vars := list -}}
{{- $isMainContainer := .isMainContainer -}}
{{- $secCont := .secCont -}}
{{- $podSecCont := $root.Values.podSecurityContext -}}
{{- $defaultSecCont := $root.Values.global.defaults.securityContext -}}
{{- $defaultPodSecCont := $root.Values.global.defaults.podSecurityContext -}}
{{- if and $secCont.inherit (not $isMainContainer) -}} {{/* if inherit is set, use the secContext from main container as default */}}
{{- $secCont = $root.Values.securityContext -}}
{{- end -}}
{{/* Init Values */}}
{{- $runAsNonRoot := $defaultSecCont.runAsNonRoot -}}
{{- $runAsUser := $defaultSecCont.runAsUser -}}
{{- $runAsGroup := $defaultSecCont.runAsGroup -}}
{{- $readOnlyRootFilesystem := $defaultSecCont.readOnlyRootFilesystem -}}
{{- $fsGroup := $defaultPodSecCont.fsGroup -}}
{{/* Override based on user/dev input */}}
{{- if (hasKey $secCont "runAsNonRoot") -}}
{{- if not (kindIs "bool" $secCont.runAsNonRoot) -}}
{{- fail (printf "<runAsNonRoot> key has value (%v). But it must be boolean." $secCont.runAsNonRoot) -}}
{{- else if or (eq $secCont.runAsNonRoot true) (eq $secCont.runAsNonRoot false) -}}
{{- $runAsNonRoot = $secCont.runAsNonRoot -}}
{{- end -}}
{{- end -}}
{{- if (hasKey $secCont "readOnlyRootFilesystem") -}}
{{- if not (kindIs "bool" $secCont.readOnlyRootFilesystem) -}}
{{- fail (printf "<readOnlyRootFilesystem> key has value (%v). But it must be boolean." $secCont.readOnlyRootFilesystem) -}}
{{- else if or (eq $secCont.readOnlyRootFilesystem true) (eq $secCont.readOnlyRootFilesystem false) -}}
{{- $readOnlyRootFilesystem = $secCont.readOnlyRootFilesystem -}}
{{- end -}}
{{- end -}}
{{- if (hasKey $secCont "runAsUser") -}}
{{- if eq (toString $secCont.runAsUser) "<nil>" -}}
{{- fail (printf "<runAsUser> key cannot be empty. Set a value or remove the key for the default (%v) to take effect." $runAsUser) -}}
{{- else if ge (int $secCont.runAsUser) 0 -}}
{{- $runAsUser = $secCont.runAsUser -}}
{{- end -}}
{{- end -}}
{{- if (hasKey $secCont "runAsGroup") -}}
{{- if eq (toString $secCont.runAsGroup) "<nil>" -}}
{{- fail (printf "<runAsGroup> key cannot be empty. Set a value or remove the key for the default (%v) to take effect." $runAsGroup) -}}
{{- else if ge (int $secCont.runAsGroup) 0 -}}
{{- $runAsGroup = $secCont.runAsGroup -}}
{{- end -}}
{{- end -}}
{{- if (hasKey $podSecCont "fsGroup") -}}
{{- if eq (toString $podSecCont.fsGroup) "<nil>" -}}
{{- fail (printf "<fsGroup> key cannot be empty. Set a value or remove the key for the default (%v) to take effect." $fsGroup) -}}
{{- else if ge (int $podSecCont.fsGroup) 0 -}}
{{- $fsGroup = $podSecCont.fsGroup -}}
{{- end -}}
{{- end -}}
{{- $vars := list -}}
{{/* TODO: container aware UMASK/PUID/NVIDIA Caps*/}}
{{- $vars = mustAppend $vars (dict "name" "TZ" "value" (tpl (toYaml $root.Values.TZ) $root)) -}}
{{- $vars = mustAppend $vars (dict "name" "UMASK" "value" (tpl (toYaml $root.Values.security.UMASK) $root)) -}}
{{- $vars = mustAppend $vars (dict "name" "UMASK_SET" "value" (tpl (toYaml $root.Values.security.UMASK) $root)) -}}
{{- if not ($root.Values.scaleGPU) -}}
{{- if not ($root.Values.scaleGPU) -}} {{/* TODO: container aware GPU */}}
{{- $vars = mustAppend $vars (dict "name" "NVIDIA_VISIBLE_DEVICES" "value" "void") -}}
{{- else -}}
{{- $vars = mustAppend $vars (dict "name" "NVIDIA_DRIVER_CAPABILITIES" "value" ( join "," $root.Values.nvidiaCaps )) -}}
{{- end -}}
{{- if and (or (eq ($root.Values.podSecurityContext.runAsUser | int) 0) (eq ($root.Values.podSecurityContext.runAsGroup | int) 0)) (or $root.Values.security.PUID (eq ($root.Values.security.PUID | int) 0)) -}} {{/* If root user or root group and a PUID is set, set PUID and related envs */}}
{{- if and (or (eq ($runAsUser | int) 0) (eq ($runAsGroup | int) 0)) (or $root.Values.security.PUID (eq ($root.Values.security.PUID | int) 0)) -}} {{/* If root user or root group and a PUID is set, set PUID and related envs */}}
{{- $vars = mustAppend $vars (dict "name" "PUID" "value" (tpl (toYaml $root.Values.security.PUID) $root)) -}}
{{- $vars = mustAppend $vars (dict "name" "USER_ID" "value" (tpl (toYaml $root.Values.security.PUID) $root)) -}}
{{- $vars = mustAppend $vars (dict "name" "UID" "value" (tpl (toYaml $root.Values.security.PUID) $root)) -}}
{{- $vars = mustAppend $vars (dict "name" "PGID" "value" (tpl (toYaml $root.Values.podSecurityContext.fsGroup) $root)) -}}
{{- $vars = mustAppend $vars (dict "name" "GROUP_ID" "value" (tpl (toYaml $root.Values.podSecurityContext.fsGroup) $root)) -}}
{{- $vars = mustAppend $vars (dict "name" "GID" "value" (tpl (toYaml $root.Values.podSecurityContext.fsGroup) $root)) -}}
{{- $vars = mustAppend $vars (dict "name" "PGID" "value" (tpl (toYaml $fsGroup) $root)) -}}
{{- $vars = mustAppend $vars (dict "name" "GROUP_ID" "value" (tpl (toYaml $fsGroup) $root)) -}}
{{- $vars = mustAppend $vars (dict "name" "GID" "value" (tpl (toYaml $fsGroup) $root)) -}}
{{- end -}}
{{- if or ($root.Values.securityContext.readOnlyRootFilesystem) ($root.Values.securityContext.runAsNonRoot) -}} {{/* Mainly for LSIO containers, tell S6 to avoid using rootfs */}}
{{- if or ($readOnlyRootFilesystem) ($runAsNonRoot) -}} {{/* Mainly for LSIO containers, tell S6 to avoid using rootfs */}}
{{- $vars = mustAppend $vars (dict "name" "S6_READ_ONLY_ROOT" "value" "1") -}}
{{- end -}}
{{- include "ix.v1.common.util.storeEnvsForDupeCheck" (dict "root" $root "source" "fixedEnv" "data" (toJson $vars) "containers" (list $containerName)) -}}
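Review bot: The block from `{{/* Init Values */}}` through the `fsGroup` override re-implements the user/group resolution that `ix.v1.common.container.securityContext` and `ix.v1.common.container.podSecurityContext` already perform, so the PUID/PGID and `S6_READ_ONLY_ROOT` decisions can drift from the securityContext actually rendered if one copy is edited without the other (this copy, for instance, already omits the root-vs-runAsNonRoot consistency check the securityContext template performs). A comment above the block stating the coupling would at least flag it, e.g. `{{/* Mirrors the user/group resolution in container.securityContext and container.podSecurityContext; keep the three in sync. */}}`; longer term a shared helper returning the resolved values as a dict would remove the duplication. The define's closing `end` is outside the hunk.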


@@ -42,7 +42,7 @@
args:
{{- . | nindent 4 }}
{{- end -}}
{{- with (include "ix.v1.common.container.envVars" (dict "envs" $container.env "envList" $container.envList "containerName" $name "root" $root) | trim) }}
{{- with (include "ix.v1.common.container.envVars" (dict "envs" $container.env "envList" $container.envList "containerName" $name "isMainContainer" false "secCont" $container.securityContext "root" $root) | trim) }}
env:
{{- . | nindent 4 }} {{/* env, fixedEnvs and envList */}}
{{- end -}}
@@ -57,7 +57,7 @@
lifecycle:
{{- . | nindent 4 }}
{{- end -}}
{{- with (include "ix.v1.common.container.securityContext" (dict "secCont" $container.securityContext "podSecCont" $root.Values.podSecurityContext "isMainContainer" false "root" $root)) | trim }}
{{- with (include "ix.v1.common.container.securityContext" (dict "secCont" $container.securityContext "isMainContainer" false "root" $root)) | trim }}
securityContext:
{{- . | nindent 4 }}
{{- end -}}


@@ -19,7 +19,7 @@ So it can work on multiple places, like additional containers and not only the m
args:
{{- . | nindent 4 }}
{{- end -}}
{{- with (include "ix.v1.common.container.securityContext" (dict "secCont" .Values.securityContext "podSecCont" .Values.podSecurityContext "isMainContainer" true "root" $)) | trim }}
{{- with (include "ix.v1.common.container.securityContext" (dict "secCont" .Values.securityContext "isMainContainer" true "root" $)) | trim }}
securityContext:
{{- . | nindent 4 }}
{{- end -}}
@@ -33,7 +33,7 @@ So it can work on multiple places, like additional containers and not only the m
{{- with (include "ix.v1.common.container.termination.messagePolicy" (dict "msgPolicy" .Values.termination.messagePolicy "root" $)) | trim }}
terminationMessagePolicy: {{ . }}
{{- end -}}
{{- with (include "ix.v1.common.container.envVars" (dict "envs" .Values.env "envList" .Values.envList "containerName" $name "root" $) | trim) }}
{{- with (include "ix.v1.common.container.envVars" (dict "envs" .Values.env "envList" .Values.envList "containerName" $name "isMainContainer" true "secCont" .Values.securityContext "root" $) | trim) }}
env:
{{- . | nindent 4 }} {{/* env, fixedEnvs and envList */}}
{{- end -}}


@@ -39,7 +39,7 @@ tolerations:
terminationGracePeriodSeconds: {{ . }}
{{- end }}
enableServiceLinks: {{ .Values.enableServiceLinks }}
{{- with (include "ix.v1.common.container.podSecurityContext" (dict "podSecCont" .Values.podSecurityContext) | trim) }}
{{- with (include "ix.v1.common.container.podSecurityContext" (dict "podSecCont" .Values.podSecurityContext "root" .) | trim) }}
securityContext:
{{- . | nindent 2 }}
{{- end -}}


@@ -1,16 +1,50 @@
{{/* A dict podSecContext is expected with keys like runAsUser */}}
{{/* A dict podSecContext is expected with keys like fsGroup */}}
{{- define "ix.v1.common.container.podSecurityContext" -}}
{{- $podSecCont := .podSecCont -}}
runAsUser: {{ required "<runAsUser> value is required." $podSecCont.runAsUser }}
runAsGroup: {{ required "<runAsGroup> value is required." $podSecCont.runAsGroup }}
fsGroup: {{ required "<fsGroup> value is required." $podSecCont.fsGroup }}
{{- with $podSecCont.supplementalGroups }} {{/* TODO: deviceList + suppleGroups */}}
{{- $root := .root -}}
{{/* TODO: deviceList + suppleGroups */}}
{{- $defaultPodSec := $root.Values.global.defaults.podSecurityContext -}}
{{/* Init Values */}}
{{- $fsGroup := $defaultPodSec.fsGroup -}}
{{- $fsGroupChangePolicy := $defaultPodSec.fsGroupChangePolicy -}}
{{- $supplementalGroups := $defaultPodSec.supplementalGroups -}}
{{/* Override based on user/dev input */}}
{{- if (hasKey $podSecCont "fsGroup") -}}
{{- if eq (toString $podSecCont.fsGroup) "<nil>" -}}
{{- fail (printf "<fsGroup> key cannot be empty. Set a value or remove the key for the default (%v) to take effect." $fsGroup) -}}
{{- else if ge (int $podSecCont.fsGroup) 0 -}}
{{- $fsGroup = $podSecCont.fsGroup -}}
{{- end -}}
{{- end -}}
{{- if (hasKey $podSecCont "fsGroupChangePolicy") -}}
{{- if $podSecCont.fsGroupChangePolicy -}}
{{- $fsGroupChangePolicy = $podSecCont.fsGroupChangePolicy -}}
{{- else -}}
{{- fail (printf "<fsGroupChangePolicy> key cannot be empty. Set a value or remove the key for the default (%s) to take effect." $fsGroupChangePolicy) -}}
{{- end -}}
{{- end -}}
{{- if (hasKey $podSecCont "supplementalGroups") -}}
{{- if $podSecCont.supplementalGroups -}}
{{- $supplementalGroups = $podSecCont.supplementalGroups -}}
{{- else -}}
{{- fail (printf "<supplementalGroups> key cannot be empty. Set a value or remove the key for the default (%s) to take effect." $supplementalGroups) -}}
{{- end -}}
{{- end }}
fsGroup: {{ $fsGroup }}
{{- with $supplementalGroups }}
supplementalGroups:
{{- range . }}
- {{ . }}
{{- end -}}
{{- else }}
supplementalGroups: []
{{- end -}}
{{- with $podSecCont.fsGroupChangePolicy -}}
{{- with $fsGroupChangePolicy -}}
{{- if not (mustHas . (list "Always" "OnRootMismatch")) -}}
{{- fail "Invalid option for fsGroupChangePolicy. Valid options are <Always> and <OnRootMismatch>." -}}
{{- end }}
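Review bot: The header comment `{{/* A dict podSecContext is expected with keys like fsGroup */}}` no longer describes the full contract: the template now also reads `.root` to reach `global.defaults.podSecurityContext`, so a caller still using the old call shape (only `podSecCont`, as the pod-spec hunk did before this commit) would presumably end up with empty defaults or a render error. Suggested wording: `{{/* Expects a dict with "podSecCont" (keys such as fsGroup, fsGroupChangePolicy, supplementalGroups) and "root" (used to read global.defaults.podSecurityContext) */}}`. The define continues past the hunk.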


@@ -169,16 +169,24 @@ global:
# When SCALE-ZFS is set for storageClass, return this name
scaleZFSStorageClass:
# Default security context used for all
# init/install/upgrade/additional containers
# if not specified
# init/install/upgrade/additional
# and main containers if not specified
securityContext:
runAsNonRoot: true
runAsUser: 568
runAsGroup: 568
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
privileged: false
capabilities:
add: []
drop: []
# Default podSecurityContext, used if
# no other is specified
podSecurityContext:
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: OnRootMismatch
resources:
limits:
cpu: 4000m
@@ -211,21 +219,17 @@ runtimeClassName: ""
tolerations: []
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: OnRootMismatch
# podSecurityContext:
# fsGroup: 568
# fsGroupChangePolicy: OnRootMismatch
securityContext:
privileged: false
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
add: []
drop: []
# securityContext:
# runAsUser: 568
# runAsGroup: 568
# privileged: false
# readOnlyRootFilesystem: true
# allowPrivilegeEscalation: false
# runAsNonRoot: true
termination:
messagePath: ""
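Review bot: The `global.defaults.securityContext` comment (`# Default security context used for all …`) should say how overrides compose, because the securityContext template initialises every field from these defaults and then overrides them key by key from a container's own `securityContext`, so a chart that sets only `runAsUser: 0` still gets `readOnlyRootFilesystem: true` and `allowPrivilegeEscalation: false` from here and must also set `runAsNonRoot: false` or rendering fails on the root check. Suggested comment: `# Defaults for every container's securityContext. A container's own securityContext is merged onto these key by key, so set runAsNonRoot: false together with runAsUser/runAsGroup: 0.` The same clarification is worth adding above the commented-out `# securityContext:` example further down in this file.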


@@ -22,6 +22,6 @@ echo "🔨 Building common..."
helm dependency update "$common_test_path"
echo "🧪 Running tests..."
helm unittest --update-snapshot --helm3 -f "tests/*/*.yaml" "./$common_test_path"
helm unittest --update-snapshot --helm3 -f "tests/*init*/*.yaml" "./$common_test_path"
cleanup
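Review bot: If `helm unittest --update-snapshot --helm3 -f "tests/*init*/*.yaml" "./$common_test_path"` is the new side of this hunk, the run has been narrowed from every `tests/*/*.yaml` suite to directories matching `*init*`, which would skip the securityContext/podSecurityContext suites this commit touches unless they live under such a directory; this reads like a local debugging change that should be reverted to `-f "tests/*/*.yaml"` before merge. If the narrowing is intentional, a comment stating why (e.g. `# only the init-container suites run here; the remaining suites run in <other job, to be named>`) would stop the next reader from restoring the broad glob. Separately, `--update-snapshot` rewrites snapshots on every run, so a regression in the rendered securityContext would be accepted rather than reported; that is pre-existing but worth a comment naming where the snapshots are reviewed.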