diff --git a/library/common-test/tests/container_in_deployment/fixedEnv_test.yaml b/library/common-test/tests/container_in_deployment/fixedEnv_test.yaml
index a2ba3ca1c5..87842a1108 100644
--- a/library/common-test/tests/container_in_deployment/fixedEnv_test.yaml
+++ b/library/common-test/tests/container_in_deployment/fixedEnv_test.yaml
@@ -81,9 +81,8 @@ tests: - it: should pass with envs changed because run as user root documentIndex: *deploymentDoc set: - podSecurityContext: - runAsUser: 0 securityContext: + runAsUser: 0 runAsNonRoot: false asserts: - equal:
@@ -115,9 +114,8 @@ tests: - it: should pass with envs changed because run as group root documentIndex: *deploymentDoc set: - podSecurityContext: - runAsGroup: 0 securityContext: + runAsGroup: 0 runAsNonRoot: false asserts: - equal:
@@ -149,9 +147,8 @@ tests: - it: should pass with envs changed because run as user root and PUID 0 documentIndex: *deploymentDoc set: - podSecurityContext: - runAsUser: 0 securityContext: + runAsUser: 0 runAsNonRoot: false security: PUID: 0
@@ -185,9 +182,8 @@ tests: - it: should pass with envs changed because run as group root and PUID 0 documentIndex: *deploymentDoc set: - podSecurityContext: - runAsGroup: 0 securityContext: + runAsGroup: 0 runAsNonRoot: false security: PUID: 0
@@ -222,9 +218,9 @@ tests: documentIndex: *deploymentDoc set: podSecurityContext: - runAsGroup: 0 fsGroup: 0 securityContext: + runAsGroup: 0 runAsNonRoot: false security: PUID: 0
diff --git a/library/common-test/tests/container_in_deployment/securityContext_test.yaml b/library/common-test/tests/container_in_deployment/securityContext_test.yaml
index 382822ccc2..d4efc2e538 100644
--- a/library/common-test/tests/container_in_deployment/securityContext_test.yaml
+++ b/library/common-test/tests/container_in_deployment/securityContext_test.yaml
@@ -15,6 +15,8 @@ tests: set: securityContext: runAsNonRoot: false + runAsUser: 0 + runAsGroup: 0 readOnlyRootFilesystem: false allowPrivilegeEscalation: true privileged: true @@ -28,14 +30,16 @@ tests: path: spec.template.spec.containers[0].securityContext value: allowPrivilegeEscalation: true + privileged: true + readOnlyRootFilesystem: false + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 0 capabilities: add: - SYS_MODULE drop: - NET_ADMIN - privileged: true - readOnlyRootFilesystem: false - runAsNonRoot: false - it: should pass with securityContext changed from tpl documentIndex: *deploymentDoc @@ -62,6 +66,8 @@ tests: privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + runAsUser: 568 + runAsGroup: 568 - it: should fail with inherit key added in securityContext on main container set: @@ -75,7 +81,6 @@ tests: set: securityContext: runAsNonRoot: true - podSecurityContext: runAsUser: 0 asserts: - failedTemplate: @@ -85,7 +90,6 @@ tests: set: securityContext: runAsNonRoot: true - podSecurityContext: runAsUser: 0 asserts: - failedTemplate: 
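Review bot: The two `should fail` cases in the `@@ -75` and `@@ -85` hunks set `runAsNonRoot: true` explicitly next to `runAsUser: 0`, so nothing here exercises the more likely misconfiguration where a chart sets only `runAsUser: 0` and relies on the library default `runAsNonRoot: true` that the `@@ -62` hunk asserts. If the template validates the merged values, that combination should also fail at render time rather than at the kubelet, which refuses to start a container marked runAsNonRoot whose uid resolves to 0. Consider adding `- it: should fail with runAsUser 0 and default runAsNonRoot` with `set: securityContext: runAsUser: 0` and the same `failedTemplate` assertion; the expected errorMessage lies outside these hunks so I cannot quote it. The key reordering inside the `equal` value of the `@@ -28` hunk is cosmetic, since the assertion compares parsed maps.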
@@ -140,3 +144,69 @@ tests: asserts: - failedTemplate: errorMessage: Either or capabilities is not a list. + + - it: should fail with empty capabilities.drop in securityContext + set: + securityContext: + capabilities: + drop: + asserts: + - failedTemplate: + errorMessage: key cannot be empty. Set a value or remove the key for the default ([]) to take effect. + + - it: should fail with empty capabilities.add in securityContext + set: + securityContext: + capabilities: + add: + asserts: + - failedTemplate: + errorMessage: key cannot be empty. Set a value or remove the key for the default ([]) to take effect. + + - it: should fail with empty runAsGroup in securityContext + set: + securityContext: + runAsGroup: + asserts: + - failedTemplate: + errorMessage: key cannot be empty. Set a value or remove the key for the default (568) to take effect. + + - it: should fail with empty runAsUser in securityContext + set: + securityContext: + runAsUser: + asserts: + - failedTemplate: + errorMessage: key cannot be empty. Set a value or remove the key for the default (568) to take effect. + + - it: should fail with empty privileged in securityContext + set: + securityContext: + privileged: + asserts: + - failedTemplate: + errorMessage: key has value (). But it must be boolean. + + - it: should fail with empty allowPrivilegeEscalation in securityContext + set: + securityContext: + allowPrivilegeEscalation: + asserts: + - failedTemplate: + errorMessage: key has value (). But it must be boolean. + + - it: should fail with empty readOnlyRootFilesystem in securityContext + set: + securityContext: + readOnlyRootFilesystem: + asserts: + - failedTemplate: + errorMessage: key has value (). But it must be boolean. + + - it: should fail with empty runAsNonRoot in securityContext + set: + securityContext: + runAsNonRoot: + asserts: + - failedTemplate: + errorMessage: key has value (). But it must be boolean. 
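Review bot: The new cases check that empty `runAsUser`/`runAsGroup` are rejected, but unlike the four boolean keys there is no case pinning the type of a non-empty value, so a quoted `runAsUser: "568"` or a typo such as `runAsUser: apps` is not covered. Whether the template type-checks those keys is not visible in this diff (the `_securityContext.tpl` hunk is cut before the runAsUser handling); if it does not, a mistyped uid renders into the manifest and is only rejected by the API server at install time, instead of at render time like the boolean keys. Suggest `- it: should fail with non-integer runAsUser in securityContext` with `set: securityContext: runAsUser: "568"` and a `failedTemplate` assertion, plus the same for `runAsGroup`.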
diff --git a/library/common-test/tests/deployment/default_test.yaml b/library/common-test/tests/deployment/default_test.yaml index 17cb627b38..861cf8d154 100644 --- a/library/common-test/tests/deployment/default_test.yaml +++ b/library/common-test/tests/deployment/default_test.yaml @@ -59,16 +59,24 @@ tests: path: spec.template.spec.containers[0].terminationMessagePath - isNull: path: spec.template.spec.containers[0].terminationMessagePolicy + - equal: + path: spec.template.spec.securityContext + value: + fsGroup: 568 + fsGroupChangePolicy: OnRootMismatch + supplementalGroups: [] - equal: path: spec.template.spec.containers[0].securityContext value: allowPrivilegeEscalation: false - capabilities: - add: [] - drop: [] privileged: false readOnlyRootFilesystem: true runAsNonRoot: true + runAsUser: 568 + runAsGroup: 568 + capabilities: + add: [] + drop: [] - equal: path: spec.template.spec.containers[0].env value: diff --git a/library/common-test/tests/deployment/podSecurityContext_test.yaml b/library/common-test/tests/deployment/podSecurityContext_test.yaml index 597a9dd821..36eaaf3c02 100644 --- a/library/common-test/tests/deployment/podSecurityContext_test.yaml +++ b/library/common-test/tests/deployment/podSecurityContext_test.yaml @@ -12,17 +12,14 @@ tests: - equal: path: spec.template.spec.securityContext value: - runAsUser: 568 - runAsGroup: 568 fsGroup: 568 fsGroupChangePolicy: OnRootMismatch + supplementalGroups: [] - it: should pass with changed podSecurity values documentIndex: *deploymentDoc set: podSecurityContext: - runAsUser: 999 - runAsGroup: 999 fsGroup: 999 fsGroupChangePolicy: Always supplementalGroups: 
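Review bot: After this change the rendered pod-level `securityContext` asserted in the `default_test` hunk carries only `fsGroup`, `fsGroupChangePolicy` and `supplementalGroups`, so uid/gid 568 is now enforced per container instead of once for the whole pod. Any container in the pod that is not rendered through the library's container securityContext helper, for example an injected sidecar or a container template that does not call it, no longer inherits 568 and falls back to the image's `USER`, which is commonly root. If every container the library emits goes through the helper this is fine, but that is not visible here; otherwise keeping `runAsUser: 568` and `runAsGroup: 568` at pod level as a floor, with the container context overriding it as Kubernetes already allows, would preserve the old safety net. A test rendering an additional container without an explicit securityContext and asserting its effective uid would pin whichever behaviour is intended.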
@@ -31,37 +28,11 @@ tests: - equal: path: spec.template.spec.securityContext value: - runAsUser: 999 - runAsGroup: 999 fsGroup: 999 fsGroupChangePolicy: Always supplementalGroups: - 1000 - - it: should fail without runAsUser - set: - podSecurityContext: - runAsUser: - asserts: - - failedTemplate: - errorMessage: value is required. - - - it: should fail without runAsGroup - set: - podSecurityContext: - runAsGroup: - asserts: - - failedTemplate: - errorMessage: value is required. - - - it: should fail without fsGroup - set: - podSecurityContext: - fsGroup: - asserts: - - failedTemplate: - errorMessage: value is required. - - it: should fail with invalid fsGroupChangePolicy set: podSecurityContext: @@ -69,3 +40,27 @@ tests: asserts: - failedTemplate: errorMessage: Invalid option for fsGroupChangePolicy. Valid options are and . + + - it: should fail with empty fsGroupChangePolicy + set: + podSecurityContext: + fsGroupChangePolicy: + asserts: + - failedTemplate: + errorMessage: key cannot be empty. Set a value or remove the key for the default (OnRootMismatch) to take effect. + + - it: should fail with empty fsGroup + set: + podSecurityContext: + fsGroup: + asserts: + - failedTemplate: + errorMessage: key cannot be empty. Set a value or remove the key for the default (568) to take effect. + + - it: should fail with empty supplementalGroups + set: + podSecurityContext: + supplementalGroups: + asserts: + - failedTemplate: + errorMessage: key cannot be empty. Set a value or remove the key for the default ([]) to take effect. diff --git a/library/common-test/tests/initcontainers_in_deployment/init_containers_in_deployment_install_test.yaml b/library/common-test/tests/initcontainers_in_deployment/init_containers_in_deployment_install_test.yaml index ee6e03e48c..2934ba1f32 100644 --- a/library/common-test/tests/initcontainers_in_deployment/init_containers_in_deployment_install_test.yaml 
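Review bot: The deleted `should fail without runAsUser` and `should fail without runAsGroup` cases are not replaced by anything that states what happens when a consumer still sets `podSecurityContext.runAsUser`, which until this commit was the supported place for it. Depending on how the pod template is written the key is now either dropped silently, so a chart that set `podSecurityContext.runAsUser: 0` to run as root quietly gets uid 568, or passed through untouched and thereby bypasses the runAsNonRoot validation done for the container context; neither outcome is tested here. Add a case such as `- it: should fail with runAsUser in podSecurityContext` with `set: podSecurityContext: runAsUser: 0` and a `failedTemplate` assertion, or if pass-through is intended an `isNull` on `spec.template.spec.securityContext.runAsUser`, so the migration is explicit rather than accidental.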
+++ b/library/common-test/tests/initcontainers_in_deployment/init_containers_in_deployment_install_test.yaml 
@@ -334,3 +334,201 @@ tests: asserts: - failedTemplate: errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-some-name) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (secret-RELEASE-NAME-common-test-some-secret)] + + + - it: should pass with securityContext inherited + documentIndex: *deploymentDoc + set: + securityContext: + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + readOnlyRootFilesystem: false + privileged: true + allowPrivilegeEscalation: true + capabilities: + add: + - Something + drop: + - Something_Else + initContainers: + some_container: + imageSelector: image + securityContext: + inherit: true + asserts: + - isSubset: + path: spec.template.spec.containers[0] + content: + securityContext: + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + readOnlyRootFilesystem: false + privileged: true + allowPrivilegeEscalation: true + capabilities: + add: + - Something + drop: + - Something_Else + - isSubset: + path: spec.template.spec.initContainers[0] + content: + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - Something + drop: + - Something_Else + privileged: true + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + + - it: should pass with securityContext default + documentIndex: *deploymentDoc + set: + initContainers: + some_container: + imageSelector: image + securityContext: + inherit: true + asserts: + - isSubset: + path: spec.template.spec.containers[0] + content: + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: [] + drop: [] + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 568 + runAsNonRoot: true + runAsUser: 568 + - isSubset: + path: spec.template.spec.initContainers[0] + content: + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: [] + drop: [] + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 568 + runAsNonRoot: true + runAsUser: 568 + + - it: 
should pass with securityContext changed + documentIndex: *deploymentDoc + set: + initContainers: + some_container: + imageSelector: image + securityContext: + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + readOnlyRootFilesystem: false + privileged: true + allowPrivilegeEscalation: true + capabilities: + add: + - Something + drop: + - Something_Else + asserts: + - isSubset: + path: spec.template.spec.containers[0] + content: + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: [] + drop: [] + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 568 + runAsNonRoot: true + runAsUser: 568 + - isSubset: + path: spec.template.spec.initContainers[0] + content: + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - Something + drop: + - Something_Else + privileged: true + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + + - it: should pass with securityContext with some values changed + documentIndex: *deploymentDoc + set: + initContainers: + some_container: + imageSelector: image + securityContext: + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + capabilities: + add: + - Something + asserts: + - isSubset: + path: spec.template.spec.containers[0] + content: + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: [] + drop: [] + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 568 + runAsNonRoot: true + runAsUser: 568 + - isSubset: + path: spec.template.spec.initContainers[0] + content: + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - Something + drop: [] + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + + - it: should fail with securityContext with inherit and at least one value changed + documentIndex: *deploymentDoc + set: + securityContext: + privileged: true + allowPrivilegeEscalation: true + capabilities: + drop: + - something_else + 
initContainers: + some_container: + imageSelector: image + securityContext: + inherit: true + runAsUser: 0 + asserts: + - failedTemplate: + errorMessage: Overriding inherited securityContext is not supported. Please unset inherit or remove the keys ([runAsUser])
diff --git a/library/common-test/tests/initcontainers_in_deployment/init_containers_in_deployment_upgrade_test.yaml b/library/common-test/tests/initcontainers_in_deployment/init_containers_in_deployment_upgrade_test.yaml
index 0bc55fb901..a551e7039a 100644
--- a/library/common-test/tests/initcontainers_in_deployment/init_containers_in_deployment_upgrade_test.yaml
+++ b/library/common-test/tests/initcontainers_in_deployment/init_containers_in_deployment_upgrade_test.yaml
@@ -1,6 +1,8 @@ suite: initContainer in deployment test (on Upgrade) templates: - common.yaml +release: + upgrade: true tests: - it: should pass with default values documentIndex: &deploymentDoc 0
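Review bot: Every `inherit` case in this hunk uses `inherit: true`; there is no test for `inherit: false` combined with explicit keys, nor for a non-boolean value, while the `_securityContext.tpl` hunk at the end of this diff gates inheritance on the plain truthiness of `$secCont.inherit` rather than on `kindIs "bool"`. In Go templates a non-empty string is truthy, so `inherit: "false"` (easily produced by a quoted values file or `--set-string`) would be treated as true and the init container would silently take over the main container's context, including `runAsUser: 0` and `privileged: true` when those are set as in the first case here. Suggest adding `- it: should pass with inherit false and explicit keys` expecting the explicit keys to win, and `- it: should fail with non-boolean inherit` with `securityContext: inherit: "false"` asserting a `failedTemplate`, backed by validating `inherit` in the template the same way the four boolean keys are validated.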
@@ -75,3 +77,460 @@ tests: content: image: some-repo-init2:some-tag-init2 imagePullPolicy: IfNotPresent + + - it: should pass with tty and stdin defined in init container + documentIndex: *deploymentDoc + set: + initContainers: + some-name: + tty: true + stdin: true + asserts: + - isSubset: + path: spec.template.spec.containers[0] + content: + tty: false + stdin: false + - isSubset: + path: spec.template.spec.initContainers[0] + content: + tty: true + stdin: true + + - it: should pass with command and args defined in init container + documentIndex: *deploymentDoc + set: + port: 8080 + entrypoint: ./run.sh + initContainers: + some-name: + command: + - /bin/sh + - -c + - | + {{ .Values.entrypoint }} + args: + - --port + - "{{ .Values.port }}" + extraArgs: + - --data_dir + - /data + asserts: + - isNotSubset: + path: spec.template.spec.containers[0] + content: + command: + - /bin/sh + - -c + - | + ./run.sh + args: + - --port + - "8080" + - --data_dir + - /data + - isSubset: + path: spec.template.spec.initContainers[0] + content: + command: + - /bin/sh + - -c + - | + ./run.sh + args: + - --port + - "8080" + - --data_dir + - /data + + - it: should pass with termination defined in init container + documentIndex: *deploymentDoc + set: + initContainers: + some-name: + termination: + messagePath: somePath + messagePolicy: File + asserts: + - isNotSubset: + path: spec.template.spec.containers[0] + content: + terminationMessagePath: somePath + terminationMessagePolicy: File + - isSubset: + path: spec.template.spec.initContainers[0] + content: + terminationMessagePath: somePath + terminationMessagePolicy: File + + - it: should pass with resources defined in init container + documentIndex: *deploymentDoc + set: + initContainers: + some-name: + resources: + limits: + cpu: 3000m + memory: 4Gi + requests: + cpu: 20m + memory: 100Mi + asserts: + - isSubset: + path: spec.template.spec.containers[0] + content: + resources: + limits: + cpu: 4000m + memory: 8Gi + requests: + cpu: 10m + 
memory: 50Mi + - isSubset: + path: spec.template.spec.initContainers[0] + content: + resources: + limits: + cpu: 3000m + memory: 4Gi + requests: + cpu: 20m + memory: 100Mi + + - it: should pass with envFrom defined in init container + documentIndex: *deploymentDoc + set: + some_name: a_name + some_name2: a_name2 + initContainers: + some-name: + envFrom: + - configMapRef: + name: "{{ .Values.some_name }}" + - configMapRef: + name: "{{ .Values.some_name2 }}" + asserts: + - isNotSubset: + path: spec.template.spec.containers[0] + content: + envFrom: + - configMapRef: + name: a_name + - configMapRef: + name: a_name2 + - isSubset: + path: spec.template.spec.initContainers[0] + content: + envFrom: + - configMapRef: + name: a_name + - configMapRef: + name: a_name2 + + - it: should pass with env and envList defined in init container + documentIndex: *deploymentDoc + set: + some_value: value + some_value2: value2 + some_value3: value3 + some_value4: value4 + initContainers: + some-name: + env: + var1: "{{ .Values.some_value }}" + var2: "{{ .Values.some_value2 }}" + envList: + - name: var3 + value: "{{ .Values.some_value3 }}" + - name: var4 + value: "{{ .Values.some_value4 }}" + asserts: + - isNotSubset: + path: spec.template.spec.containers[0] + content: + env: + - name: var1 + value: value + - name: var2 + value: value2 + - name: var3 + value: value3 + - name: var4 + value: value4 + - isSubset: + path: spec.template.spec.initContainers[0] + content: + env: + - name: TZ + value: UTC + - name: UMASK + value: "2" + - name: UMASK_SET + value: "2" + - name: NVIDIA_VISIBLE_DEVICES + value: void + - name: S6_READ_ONLY_ROOT + value: "1" + - name: var1 + value: value + - name: var2 + value: value2 + - name: var3 + value: value3 + - name: var4 + value: value4 + + - it: should fail with lifecycle defined in init container + documentIndex: *deploymentDoc + set: + initContainers: + some-name: + lifecycle: + asserts: + - failedTemplate: + errorMessage: Init/Install/Upgrade Container 
(RELEASE-NAME-common-test-some-name) do not support lifecycle hooks + + - it: should fail with env trying to override fixedEnvs in init container + documentIndex: *deploymentDoc + set: + initContainers: + some-name: + env: + TZ: something + asserts: + - failedTemplate: + errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-some-name) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (env)] + + - it: should fail with env trying to override configmap in init container + documentIndex: *deploymentDoc + set: + configmap: + some-confmap: + enabled: true + parseAsEnv: true + content: + TZ: something + initContainers: + some-name: + envFrom: + - configMapRef: + name: '{{ include "ix.v1.common.names.fullname" . }}-some-confmap' + asserts: + - failedTemplate: + errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-some-name) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (configmap-RELEASE-NAME-common-test-some-confmap)] + + - it: should fail with env trying to override secret in init container + documentIndex: *deploymentDoc + set: + secret: + some-secret: + enabled: true + parseAsEnv: true + content: + TZ: something + initContainers: + some-name: + envFrom: + - secretRef: + name: '{{ include "ix.v1.common.names.fullname" . }}-some-secret' + asserts: + - failedTemplate: + errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-some-name) is set more than once. 
[to (UTC) on (fixedEnv)] and [to (something) on (secret-RELEASE-NAME-common-test-some-secret)] + + + - it: should pass with securityContext inherited + documentIndex: *deploymentDoc + set: + securityContext: + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + readOnlyRootFilesystem: false + privileged: true + allowPrivilegeEscalation: true + capabilities: + add: + - Something + drop: + - Something_Else + initContainers: + some_container: + imageSelector: image + securityContext: + inherit: true + asserts: + - isSubset: + path: spec.template.spec.containers[0] + content: + securityContext: + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + readOnlyRootFilesystem: false + privileged: true + allowPrivilegeEscalation: true + capabilities: + add: + - Something + drop: + - Something_Else + - isSubset: + path: spec.template.spec.initContainers[0] + content: + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - Something + drop: + - Something_Else + privileged: true + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + + - it: should pass with securityContext default + documentIndex: *deploymentDoc + set: + initContainers: + some_container: + imageSelector: image + securityContext: + inherit: true + asserts: + - isSubset: + path: spec.template.spec.containers[0] + content: + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: [] + drop: [] + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 568 + runAsNonRoot: true + runAsUser: 568 + - isSubset: + path: spec.template.spec.initContainers[0] + content: + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: [] + drop: [] + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 568 + runAsNonRoot: true + runAsUser: 568 + + - it: should pass with securityContext changed + documentIndex: *deploymentDoc + set: + initContainers: + some_container: + imageSelector: image + securityContext: + runAsUser: 0 + 
runAsGroup: 0 + runAsNonRoot: false + readOnlyRootFilesystem: false + privileged: true + allowPrivilegeEscalation: true + capabilities: + add: + - Something + drop: + - Something_Else + asserts: + - isSubset: + path: spec.template.spec.containers[0] + content: + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: [] + drop: [] + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 568 + runAsNonRoot: true + runAsUser: 568 + - isSubset: + path: spec.template.spec.initContainers[0] + content: + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - Something + drop: + - Something_Else + privileged: true + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + + - it: should pass with securityContext with some values changed + documentIndex: *deploymentDoc + set: + initContainers: + some_container: + imageSelector: image + securityContext: + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + capabilities: + add: + - Something + asserts: + - isSubset: + path: spec.template.spec.containers[0] + content: + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: [] + drop: [] + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 568 + runAsNonRoot: true + runAsUser: 568 + - isSubset: + path: spec.template.spec.initContainers[0] + content: + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - Something + drop: [] + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + + - it: should fail with securityContext with inherit and at least one value changed + documentIndex: *deploymentDoc + set: + securityContext: + privileged: true + allowPrivilegeEscalation: true + capabilities: + drop: + - something_else + initContainers: + some_container: + imageSelector: image + securityContext: + inherit: true + runAsUser: 0 + asserts: + - failedTemplate: + errorMessage: Overriding inherited 
securityContext is not supported. Please unset inherit or remove the keys ([runAsUser])
diff --git a/library/common-test/tests/initcontainers_in_deployment/install_containers_in_deployment_test.yaml b/library/common-test/tests/initcontainers_in_deployment/install_containers_in_deployment_test.yaml
index f9930f4de0..95816bf9c8 100644
--- a/library/common-test/tests/initcontainers_in_deployment/install_containers_in_deployment_test.yaml
+++ b/library/common-test/tests/initcontainers_in_deployment/install_containers_in_deployment_test.yaml
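Review bot: The negative assertions on `spec.template.spec.containers[0]` in the command/args, termination and envFrom cases use `isNotSubset` with several keys in a single `content` map, which passes as soon as any one key differs; for the main container, which presumably renders without a `command` by default, the `args` part of that check never has to be false. If the intent is to prove that init-container settings do not leak into the main container, assert each key on its own (an `isNull` on `spec.template.spec.containers[0].command`, one `isNotSubset` per key) or assert the main container's actual rendered values with `equal`. This is a test-rigor point only; the positive `isSubset` checks on `initContainers[0]` look right.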
@@ -348,3 +348,200 @@ tests: asserts: - failedTemplate: errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-some-name) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (secret-RELEASE-NAME-common-test-some-secret)] + + - it: should pass with securityContext inherited + documentIndex: *deploymentDoc + set: + securityContext: + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + readOnlyRootFilesystem: false + privileged: true + allowPrivilegeEscalation: true + capabilities: + add: + - Something + drop: + - Something_Else + installContainers: + some_container: + imageSelector: image + securityContext: + inherit: true + asserts: + - isSubset: + path: spec.template.spec.containers[0] + content: + securityContext: + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + readOnlyRootFilesystem: false + privileged: true + allowPrivilegeEscalation: true + capabilities: + add: + - Something + drop: + - Something_Else + - isSubset: + path: spec.template.spec.initContainers[0] + content: + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - Something + drop: + - Something_Else + privileged: true + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + + - it: should pass with securityContext default + documentIndex: *deploymentDoc + set: + installContainers: + some_container: + imageSelector: image + securityContext: + inherit: true + asserts: + - isSubset: + path: spec.template.spec.containers[0] + content: + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: [] + drop: [] + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 568 + runAsNonRoot: true + runAsUser: 568 + - isSubset: + path: spec.template.spec.initContainers[0] + content: + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: [] + drop: [] + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 568 + runAsNonRoot: true + runAsUser: 568 + + - it: 
should pass with securityContext changed + documentIndex: *deploymentDoc + set: + installContainers: + some_container: + imageSelector: image + securityContext: + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + readOnlyRootFilesystem: false + privileged: true + allowPrivilegeEscalation: true + capabilities: + add: + - Something + drop: + - Something_Else + asserts: + - isSubset: + path: spec.template.spec.containers[0] + content: + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: [] + drop: [] + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 568 + runAsNonRoot: true + runAsUser: 568 + - isSubset: + path: spec.template.spec.initContainers[0] + content: + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - Something + drop: + - Something_Else + privileged: true + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + + - it: should pass with securityContext with some values changed + documentIndex: *deploymentDoc + set: + installContainers: + some_container: + imageSelector: image + securityContext: + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + capabilities: + add: + - Something + asserts: + - isSubset: + path: spec.template.spec.containers[0] + content: + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: [] + drop: [] + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 568 + runAsNonRoot: true + runAsUser: 568 + - isSubset: + path: spec.template.spec.initContainers[0] + content: + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - Something + drop: [] + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + + - it: should fail with securityContext with inherit and at least one value changed + documentIndex: *deploymentDoc + set: + securityContext: + privileged: true + allowPrivilegeEscalation: true + capabilities: + drop: + - something_else + 
installContainers: + some_container: + imageSelector: image + securityContext: + inherit: true + runAsUser: 0 + asserts: + - failedTemplate: + errorMessage: Overriding inherited securityContext is not supported. Please unset inherit or remove the keys ([runAsUser])
diff --git a/library/common-test/tests/initcontainers_in_deployment/upgrade_containers_in_deployment_test.yaml b/library/common-test/tests/initcontainers_in_deployment/upgrade_containers_in_deployment_test.yaml
index 3e353f3c2a..e313831925 100644
--- a/library/common-test/tests/initcontainers_in_deployment/upgrade_containers_in_deployment_test.yaml
+++ b/library/common-test/tests/initcontainers_in_deployment/upgrade_containers_in_deployment_test.yaml
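Review bot: The `should pass with securityContext with some values changed` case pins that an install container can be set to `runAsUser: 0`, `runAsGroup: 0`, `runAsNonRoot: false` while the library fills in `capabilities.drop: []`, i.e. a root container that keeps the runtime's full default capability set with only `privileged: false` and `readOnlyRootFilesystem: true` limiting it. That default predates this commit, but this is the first test that asserts it for a root install container, so it is worth deciding whether the library default should be `drop: [ALL]` with an explicit `add` list before more charts depend on it. If the default stays, a comment on this case such as `# NOTE: drop defaults to [] - a uid 0 container keeps the runtime default capabilities` would make the implication visible to chart authors reading the tests.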
@@ -350,3 +350,200 @@ tests: asserts: - failedTemplate: errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-some-name) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (secret-RELEASE-NAME-common-test-some-secret)] + + - it: should pass with securityContext inherited + documentIndex: *deploymentDoc + set: + securityContext: + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + readOnlyRootFilesystem: false + privileged: true + allowPrivilegeEscalation: true + capabilities: + add: + - Something + drop: + - Something_Else + upgradeContainers: + some_container: + imageSelector: image + securityContext: + inherit: true + asserts: + - isSubset: + path: spec.template.spec.containers[0] + content: + securityContext: + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + readOnlyRootFilesystem: false + privileged: true + allowPrivilegeEscalation: true + capabilities: + add: + - Something + drop: + - Something_Else + - isSubset: + path: spec.template.spec.initContainers[0] + content: + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - Something + drop: + - Something_Else + privileged: true + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + + - it: should pass with securityContext default + documentIndex: *deploymentDoc + set: + upgradeContainers: + some_container: + imageSelector: image + securityContext: + inherit: true + asserts: + - isSubset: + path: spec.template.spec.containers[0] + content: + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: [] + drop: [] + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 568 + runAsNonRoot: true + runAsUser: 568 + - isSubset: + path: spec.template.spec.initContainers[0] + content: + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: [] + drop: [] + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 568 + runAsNonRoot: true + runAsUser: 568 + + - it: 
should pass with securityContext changed + documentIndex: *deploymentDoc + set: + upgradeContainers: + some_container: + imageSelector: image + securityContext: + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + readOnlyRootFilesystem: false + privileged: true + allowPrivilegeEscalation: true + capabilities: + add: + - Something + drop: + - Something_Else + asserts: + - isSubset: + path: spec.template.spec.containers[0] + content: + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: [] + drop: [] + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 568 + runAsNonRoot: true + runAsUser: 568 + - isSubset: + path: spec.template.spec.initContainers[0] + content: + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - Something + drop: + - Something_Else + privileged: true + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + + - it: should pass with securityContext with some values changed + documentIndex: *deploymentDoc + set: + upgradeContainers: + some_container: + imageSelector: image + securityContext: + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + capabilities: + add: + - Something + asserts: + - isSubset: + path: spec.template.spec.containers[0] + content: + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: [] + drop: [] + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 568 + runAsNonRoot: true + runAsUser: 568 + - isSubset: + path: spec.template.spec.initContainers[0] + content: + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - Something + drop: [] + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + + - it: should fail with securityContext with inherit and at least one value changed + documentIndex: *deploymentDoc + set: + securityContext: + privileged: true + allowPrivilegeEscalation: true + capabilities: + drop: + - something_else + 
upgradeContainers: + some_container: + imageSelector: image + securityContext: + inherit: true + runAsUser: 0 + asserts: + - failedTemplate: + errorMessage: Overriding inherited securityContext is not supported. Please unset inherit or remove the keys ([runAsUser]) diff --git a/library/common/1.0.0/templates/lib/container/_env_vars.tpl b/library/common/1.0.0/templates/lib/container/_env_vars.tpl index 2541dc1378..df6eda97bd 100644 --- a/library/common/1.0.0/templates/lib/container/_env_vars.tpl +++ b/library/common/1.0.0/templates/lib/container/_env_vars.tpl @@ -10,11 +10,13 @@ That's why the custom dict is expected. {{- $envs := .envs -}} {{- $envList := .envList -}} {{- $containerName := .containerName -}} + {{- $isMainContainer := .isMainContainer -}} + {{- $secCont := .secCont -}} {{- $root := .root -}} {{- $fixedEnv := list -}} {{- if $root.Values.injectFixedEnvs -}} - {{- $fixedEnv = (include "ix.v1.common.container.fixedEnvs" (dict "root" $root "fixedEnv" $fixedEnv "containerName" $containerName)) -}} + {{- $fixedEnv = (include "ix.v1.common.container.fixedEnvs" (dict "root" $root "fixedEnv" $fixedEnv "containerName" $containerName "isMainContainer" $isMainContainer "secCont" $secCont)) -}} {{- end -}} {{/* Finish fixedEnv */}} {{- with $fixedEnv -}} {{- range $fixedEnv | fromJsonArray }} {{/* "fromJsonArray" parses stringified output and convet to list */}} diff --git a/library/common/1.0.0/templates/lib/container/_securityContext.tpl b/library/common/1.0.0/templates/lib/container/_securityContext.tpl index bb1ecff9e4..9fb3d8d61a 100644 --- a/library/common/1.0.0/templates/lib/container/_securityContext.tpl +++ b/library/common/1.0.0/templates/lib/container/_securityContext.tpl 
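Review bot: The error message asserted in the last case, `remove the keys ([runAsUser])`, is built in the `_securityContext.tpl` hunk at the end of this diff from `without (keys $secCont) "inherit"`, and Sprig's `keys` does not return keys in a stable order, so with two or more overriding keys the message, and any test pinning it, would be non-deterministic. Only the single-key case is tested in all four init/install/upgrade suites, which is why it passes reliably. Sorting the list in the template, `(sortAlpha (without (keys $secCont) "inherit"))`, and adding a case with two overriding keys, e.g. `runAsUser: 0` plus `privileged: true` expecting `([privileged runAsUser])`, would pin it.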
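Review bot: `ix.v1.common.container.envVars` now forwards `.isMainContainer` and `.secCont` into `fixedEnvs`, but nothing in this hunk checks that the caller actually supplied them; any include site still passing the old dict gets `nil` for `$secCont`, and the first field access on it inside `fixedEnvs` (presumably `runAsUser`, given what the fixedEnv tests exercise) fails with a nil-pointer template error rather than a readable message. The call sites are not in this diff, so I cannot confirm they were all updated. A guard right after the assignments such as `{{- if not (kindIs "map" $secCont) -}}{{- fail "envVars: secCont (container securityContext) is required" -}}{{- end -}}` would turn that into an actionable error; the enclosing `define` begins before and ends after this hunk.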
@@ -1,70 +1,113 @@ {{/* Security Context included by the container */}} {{- define "ix.v1.common.container.securityContext" -}} - {{- $secContext := .secCont -}} - {{- $podSecContext := .podSecCont -}} + {{- $secCont := .secCont -}} {{- $isMainContainer := .isMainContainer -}} {{- $root := .root -}} - {{/* - TODO: Modify podSecContext and securityContext. - Only applied on podSecContext values that can only be set there. - Everything else applied to secContext which has more weight and overrides podSec - */}} - {{- $defaultSecCont := $root.Values.global.defaults.securityContext -}} - {{- if and (hasKey $secContext "inherit") $isMainContainer -}} + {{- if and (hasKey $secCont "inherit") $isMainContainer -}} {{- fail " key is only available for additional/init/install/upgrade containers." -}} {{- end -}} - {{- if and $secContext.inherit (not $isMainContainer) -}} {{/* if inherit is set, use the secContext from main container as default */}} - {{- $defaultSecCont = $root.Values.securityContext -}} - {{- end -}} {{/* TODO: Unittests for inherit + normal securityContext */}} + {{- if and $secCont.inherit (not $isMainContainer) -}} {{/* if inherit is set, use the secContext from main container as default */}} + {{- if gt (len (keys $secCont)) 1 -}} + {{- fail (printf "Overriding inherited securityContext is not supported. 
Please unset inherit or remove the keys (%s)" (without (keys $secCont) "inherit")) -}} + {{- end -}} + {{- $secCont = $root.Values.securityContext -}} + {{- end -}} + {{/* Init Values */}} {{- $runAsNonRoot := $defaultSecCont.runAsNonRoot -}} + {{- $runAsUser := $defaultSecCont.runAsUser -}} + {{- $runAsGroup := $defaultSecCont.runAsGroup -}} {{- $readOnlyRootFilesystem := $defaultSecCont.readOnlyRootFilesystem -}} {{- $allowPrivilegeEscalation := $defaultSecCont.allowPrivilegeEscalation -}} {{- $privileged := $defaultSecCont.privileged -}} {{- $capAdd := $defaultSecCont.capabilities.add -}} {{- $capDrop := $defaultSecCont.capabilities.drop -}} - {{/* Check that they are set as booleans to prevent typos */}} - {{- range $bool := (list "runAsNonRoot" "privileged" "readOnlyRootFilesystem" "allowPrivilegeEscalation") -}} - {{- if (hasKey $secContext $bool) -}} - {{- if not (kindIs "bool" (get $secContext $bool)) -}} - {{- fail (printf "<%s> key has value (%s). But it must be boolean." $bool (get $secContext $bool)) -}} + {{/* Override based on user/dev input */}} + {{- if (hasKey $secCont "runAsNonRoot") -}} + {{- if not (kindIs "bool" $secCont.runAsNonRoot) -}} + {{- fail (printf " key has value (%v). But it must be boolean." $secCont.runAsNonRoot) -}} + {{- else if or (eq $secCont.runAsNonRoot true) (eq $secCont.runAsNonRoot false) -}} + {{- $runAsNonRoot = $secCont.runAsNonRoot -}} + {{- end -}} + {{- end -}} + + {{- if (hasKey $secCont "readOnlyRootFilesystem") -}} + {{- if not (kindIs "bool" $secCont.readOnlyRootFilesystem) -}} + {{- fail (printf " key has value (%v). But it must be boolean." 
$secCont.readOnlyRootFilesystem) -}} + {{- else if or (eq $secCont.readOnlyRootFilesystem true) (eq $secCont.readOnlyRootFilesystem false) -}} + {{- $readOnlyRootFilesystem = $secCont.readOnlyRootFilesystem -}} + {{- end -}} + {{- end -}} + + {{- if (hasKey $secCont "allowPrivilegeEscalation") -}} + {{- if not (kindIs "bool" $secCont.allowPrivilegeEscalation) -}} + {{- fail (printf " key has value (%v). But it must be boolean." $secCont.allowPrivilegeEscalation) -}} + {{- else if or (eq $secCont.allowPrivilegeEscalation true) (eq $secCont.allowPrivilegeEscalation false) -}} + {{- $allowPrivilegeEscalation = $secCont.allowPrivilegeEscalation -}} + {{- end -}} + {{- end -}} + + {{- if (hasKey $secCont "privileged") -}} + {{- if not (kindIs "bool" $secCont.privileged) -}} + {{- fail (printf " key has value (%v). But it must be boolean." $secCont.privileged) -}} + {{- else if or (eq $secCont.privileged true) (eq $secCont.privileged false) -}} + {{- $privileged = $secCont.privileged -}} + {{- end -}} + {{- end -}} + + {{- if (hasKey $secCont "runAsUser") -}} + {{- if eq (toString $secCont.runAsUser) "" -}} + {{- fail (printf " key cannot be empty. Set a value or remove the key for the default (%v) to take effect." $runAsUser) -}} + {{- else if ge (int $secCont.runAsUser) 0 -}} + {{- $runAsUser = $secCont.runAsUser -}} + {{- end -}} + {{- end -}} + + {{- if (hasKey $secCont "runAsGroup") -}} + {{- if eq (toString $secCont.runAsGroup) "" -}} + {{- fail (printf " key cannot be empty. Set a value or remove the key for the default (%v) to take effect." $runAsGroup) -}} + {{- else if ge (int $secCont.runAsGroup) 0 -}} + {{- $runAsGroup = $secCont.runAsGroup -}} + {{- end -}} + {{- end -}} + + {{- if (hasKey $secCont "capabilities") -}} + {{- if (hasKey $secCont.capabilities "add") -}} + {{- if $secCont.capabilities.add -}} + {{- $capAdd = $secCont.capabilities.add -}} + {{- else -}} + {{- fail (printf " key cannot be empty. 
Set a value or remove the key for the default (%s) to take effect." $capAdd) -}} + {{- end -}} + {{- end -}} + {{- if (hasKey $secCont.capabilities "drop") -}} + {{- if $secCont.capabilities.drop -}} + {{- $capDrop = $secCont.capabilities.drop -}} + {{- else -}} + {{- fail (printf " key cannot be empty. Set a value or remove the key for the default (%s) to take effect." $capDrop) -}} {{- end -}} {{- end -}} {{- end -}} - {{/* Override defaults based on user/dev input */}} - {{- if and (hasKey $secContext "runAsNonRoot") (ne (toString $secContext.runAsNonRoot) (toString $runAsNonRoot)) -}} - {{- $runAsNonRoot = $secContext.runAsNonRoot -}} - {{- end -}} - {{- if and (hasKey $secContext "readOnlyRootFilesystem") (ne (toString $secContext.readOnlyRootFilesystem) (toString $readOnlyRootFilesystem)) -}} - {{- $readOnlyRootFilesystem = $secContext.readOnlyRootFilesystem -}} - {{- end -}} - {{- if and (hasKey $secContext "allowPrivilegeEscalation") (ne (toString $secContext.allowPrivilegeEscalation) (toString $allowPrivilegeEscalation)) -}} - {{- $allowPrivilegeEscalation = $secContext.allowPrivilegeEscalation -}} - {{- end -}} - {{- if and (hasKey $secContext "privileged") (ne (toString $secContext.privileged) (toString $privileged)) -}} - {{- $privileged = $secContext.privileged -}} - {{- end -}} - {{/* If has key "add" and has items in the list. */}} - {{- if and (hasKey $secContext.capabilities "add") $secContext.capabilities.add -}} - {{- $capAdd = $secContext.capabilities.add -}} - {{- end -}} - {{/* If has key "drop" and has items in the list. 
*/}} - {{- if and (hasKey $secContext.capabilities "drop") $secContext.capabilities.drop -}} - {{- $capDrop = $secContext.capabilities.drop -}} + {{/* Check that they are still set as booleans after the overrides to prevent errors */}} + {{- range $bool := (list $runAsNonRoot $privileged $readOnlyRootFilesystem $allowPrivilegeEscalation) -}} + {{- if not (kindIs "bool" $bool) -}} + {{- fail (printf "One of , , , has value of (%s). But it must be boolean." $bool) -}} + {{- end -}} {{- end -}} {{/* Only run as root if it's explicitly defined */}} - {{- if or (eq (int $podSecContext.runAsUser) 0) (eq (int $podSecContext.runAsGroup) 0) -}} + {{- if or (eq (int $runAsUser) 0) (eq (int $runAsGroup) 0) -}} {{- if $runAsNonRoot -}} - {{- fail "You are trying to run as root (user or group), but runAsNonRoot is set to true" -}} + {{- fail (printf "You are trying to run as root (user or group), but runAsNonRoot is set to %v" $runAsNonRoot) -}} {{- end -}} {{- end }} runAsNonRoot: {{ $runAsNonRoot }} +runAsUser: {{ $runAsUser }} +runAsGroup: {{ $runAsGroup }} readOnlyRootFilesystem: {{ $readOnlyRootFilesystem }} allowPrivilegeEscalation: {{ $allowPrivilegeEscalation }} privileged: {{ $privileged }} {{/* TODO: Set to true if deviceList is used? */}} diff --git a/library/common/1.0.0/templates/lib/container/env/_fixedEnvs.tpl b/library/common/1.0.0/templates/lib/container/env/_fixedEnvs.tpl index 356e35aa8c..eccdc115c6 100644 --- a/library/common/1.0.0/templates/lib/container/env/_fixedEnvs.tpl +++ b/library/common/1.0.0/templates/lib/container/env/_fixedEnvs.tpl 
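Review bot: The `{{- else if ge (int $secCont.runAsUser) 0 -}}` branch in the new runAsUser block silently discards invalid input instead of rejecting it: a negative value falls through to the default with no error, and sprig's `int` turns a non-numeric string into 0, so a typo such as `runAsUser: "abc"` passes the check and the unconverted string is rendered into `runAsUser:`; an explicit `runAsUser:` with a null value also appears to slip past the empty-string test, since `toString` of nil is not `""`. Since the block already fails on an empty value, the other cases should fail too — replace the `else if` with `{{- else if or (lt (int $secCont.runAsUser) 0) (ne (toString (int $secCont.runAsUser)) (toString $secCont.runAsUser)) -}}`, `{{- fail (printf "runAsUser must be a non-negative integer, got (%v)." $secCont.runAsUser) -}}`, `{{- else -}}` and keep the existing assignment. The identical pattern is used for `runAsGroup` in this hunk, for `runAsUser`/`runAsGroup`/`fsGroup` in the _fixedEnvs.tpl hunk, and for `fsGroup` in the _podSecurityContext.tpl hunk, and should get the same treatment.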
@@ -5,25 +5,84 @@ will be parsed correctly without causing errors. {{- define "ix.v1.common.container.fixedEnvs" -}} {{- $root := .root -}} {{- $containerName := .containerName -}} - {{- $vars := list -}} + {{- $isMainContainer := .isMainContainer -}} + {{- $secCont := .secCont -}} + {{- $podSecCont := $root.Values.podSecurityContext -}} + {{- $defaultSecCont := $root.Values.global.defaults.securityContext -}} + {{- $defaultPodSecCont := $root.Values.global.defaults.podSecurityContext -}} + + {{- if and $secCont.inherit (not $isMainContainer) -}} {{/* if inherit is set, use the secContext from main container as default */}} + {{- $secCont = $root.Values.securityContext -}} + {{- end -}} + + {{/* Init Values */}} + {{- $runAsNonRoot := $defaultSecCont.runAsNonRoot -}} + {{- $runAsUser := $defaultSecCont.runAsUser -}} + {{- $runAsGroup := $defaultSecCont.runAsGroup -}} + {{- $readOnlyRootFilesystem := $defaultSecCont.readOnlyRootFilesystem -}} + {{- $fsGroup := $defaultPodSecCont.fsGroup -}} + + {{/* Override based on user/dev input */}} + {{- if (hasKey $secCont "runAsNonRoot") -}} + {{- if not (kindIs "bool" $secCont.runAsNonRoot) -}} + {{- fail (printf " key has value (%v). But it must be boolean." $secCont.runAsNonRoot) -}} + {{- else if or (eq $secCont.runAsNonRoot true) (eq $secCont.runAsNonRoot false) -}} + {{- $runAsNonRoot = $secCont.runAsNonRoot -}} + {{- end -}} + {{- end -}} + + {{- if (hasKey $secCont "readOnlyRootFilesystem") -}} + {{- if not (kindIs "bool" $secCont.readOnlyRootFilesystem) -}} + {{- fail (printf " key has value (%v). But it must be boolean." $secCont.readOnlyRootFilesystem) -}} + {{- else if or (eq $secCont.readOnlyRootFilesystem true) (eq $secCont.readOnlyRootFilesystem false) -}} + {{- $readOnlyRootFilesystem = $secCont.readOnlyRootFilesystem -}} + {{- end -}} + {{- end -}} + + {{- if (hasKey $secCont "runAsUser") -}} + {{- if eq (toString $secCont.runAsUser) "" -}} + {{- fail (printf " key cannot be empty. 
Set a value or remove the key for the default (%v) to take effect." $runAsUser) -}} + {{- else if ge (int $secCont.runAsUser) 0 -}} + {{- $runAsUser = $secCont.runAsUser -}} + {{- end -}} + {{- end -}} + + {{- if (hasKey $secCont "runAsGroup") -}} + {{- if eq (toString $secCont.runAsGroup) "" -}} + {{- fail (printf " key cannot be empty. Set a value or remove the key for the default (%v) to take effect." $runAsGroup) -}} + {{- else if ge (int $secCont.runAsGroup) 0 -}} + {{- $runAsGroup = $secCont.runAsGroup -}} + {{- end -}} + {{- end -}} + + {{- if (hasKey $podSecCont "fsGroup") -}} + {{- if eq (toString $podSecCont.fsGroup) "" -}} + {{- fail (printf " key cannot be empty. Set a value or remove the key for the default (%v) to take effect." $fsGroup) -}} + {{- else if ge (int $podSecCont.fsGroup) 0 -}} + {{- $fsGroup = $podSecCont.fsGroup -}} + {{- end -}} + {{- end -}} + + {{- $vars := list -}} + {{/* TODO: container aware UMASK/PUID/NVIDIA Caps*/}} {{- $vars = mustAppend $vars (dict "name" "TZ" "value" (tpl (toYaml $root.Values.TZ) $root)) -}} {{- $vars = mustAppend $vars (dict "name" "UMASK" "value" (tpl (toYaml $root.Values.security.UMASK) $root)) -}} {{- $vars = mustAppend $vars (dict "name" "UMASK_SET" "value" (tpl (toYaml $root.Values.security.UMASK) $root)) -}} - {{- if not ($root.Values.scaleGPU) -}} + {{- if not ($root.Values.scaleGPU) -}} {{/* TODO: container aware GPU */}} {{- $vars = mustAppend $vars (dict "name" "NVIDIA_VISIBLE_DEVICES" "value" "void") -}} {{- else -}} {{- $vars = mustAppend $vars (dict "name" "NVIDIA_DRIVER_CAPABILITIES" "value" ( join "," $root.Values.nvidiaCaps )) -}} {{- end -}} - {{- if and (or (eq ($root.Values.podSecurityContext.runAsUser | int) 0) (eq ($root.Values.podSecurityContext.runAsGroup | int) 0)) (or $root.Values.security.PUID (eq ($root.Values.security.PUID | int) 0)) -}} {{/* If root user or root group and a PUID is set, set PUID and related envs */}} + {{- if and (or (eq ($runAsUser | int) 0) (eq ($runAsGroup | 
int) 0)) (or $root.Values.security.PUID (eq ($root.Values.security.PUID | int) 0)) -}} {{/* If root user or root group and a PUID is set, set PUID and related envs */}} {{- $vars = mustAppend $vars (dict "name" "PUID" "value" (tpl (toYaml $root.Values.security.PUID) $root)) -}} {{- $vars = mustAppend $vars (dict "name" "USER_ID" "value" (tpl (toYaml $root.Values.security.PUID) $root)) -}} {{- $vars = mustAppend $vars (dict "name" "UID" "value" (tpl (toYaml $root.Values.security.PUID) $root)) -}} - {{- $vars = mustAppend $vars (dict "name" "PGID" "value" (tpl (toYaml $root.Values.podSecurityContext.fsGroup) $root)) -}} - {{- $vars = mustAppend $vars (dict "name" "GROUP_ID" "value" (tpl (toYaml $root.Values.podSecurityContext.fsGroup) $root)) -}} - {{- $vars = mustAppend $vars (dict "name" "GID" "value" (tpl (toYaml $root.Values.podSecurityContext.fsGroup) $root)) -}} + {{- $vars = mustAppend $vars (dict "name" "PGID" "value" (tpl (toYaml $fsGroup) $root)) -}} + {{- $vars = mustAppend $vars (dict "name" "GROUP_ID" "value" (tpl (toYaml $fsGroup) $root)) -}} + {{- $vars = mustAppend $vars (dict "name" "GID" "value" (tpl (toYaml $fsGroup) $root)) -}} {{- end -}} - {{- if or ($root.Values.securityContext.readOnlyRootFilesystem) ($root.Values.securityContext.runAsNonRoot) -}} {{/* Mainly for LSIO containers, tell S6 to avoid using rootfs */}} + {{- if or ($readOnlyRootFilesystem) ($runAsNonRoot) -}} {{/* Mainly for LSIO containers, tell S6 to avoid using rootfs */}} {{- $vars = mustAppend $vars (dict "name" "S6_READ_ONLY_ROOT" "value" "1") -}} {{- end -}} {{- include "ix.v1.common.util.storeEnvsForDupeCheck" (dict "root" $root "source" "fixedEnv" "data" (toJson $vars) "containers" (list $containerName)) -}} diff --git a/library/common/1.0.0/templates/lib/pod/_extraContainers.tpl b/library/common/1.0.0/templates/lib/pod/_extraContainers.tpl index 0037dbaf1d..e0ad02175e 100644 --- a/library/common/1.0.0/templates/lib/pod/_extraContainers.tpl 
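Review bot: The new Init Values/Override block in `ix.v1.common.container.fixedEnvs` is a second copy of the runAsNonRoot/readOnlyRootFilesystem/runAsUser/runAsGroup resolution that `ix.v1.common.container.securityContext` performs, and the two copies already differ: the inherit branch here substitutes `$root.Values.securityContext` without the extra-keys check the other template applies, so any future change to one copy (a new key, a changed default) has to be repeated by hand in the other or the env vars and the rendered securityContext drift apart. A shared helper that resolves the effective context once and returns it as JSON (this file already round-trips data with `toJson`/`fromJsonArray`) would keep the root check behind the `PUID` envs and the `S6_READ_ONLY_ROOT` decision in step with what the container actually runs as. Until then, a comment above `{{/* Init Values */}}` such as `{{/* Must mirror the resolution in _securityContext.tpl; keep both in sync */}}` would at least flag the coupling.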
+++ b/library/common/1.0.0/templates/lib/pod/_extraContainers.tpl @@ -42,7 +42,7 @@ args: {{- . | nindent 4 }} {{- end -}} - {{- with (include "ix.v1.common.container.envVars" (dict "envs" $container.env "envList" $container.envList "containerName" $name "root" $root) | trim) }} + {{- with (include "ix.v1.common.container.envVars" (dict "envs" $container.env "envList" $container.envList "containerName" $name "isMainContainer" false "secCont" $container.securityContext "root" $root) | trim) }} env: {{- . | nindent 4 }} {{/* env, fixedEnvs and envList */}} {{- end -}} @@ -57,7 +57,7 @@ lifecycle: {{- . | nindent 4 }} {{- end -}} - {{- with (include "ix.v1.common.container.securityContext" (dict "secCont" $container.securityContext "podSecCont" $root.Values.podSecurityContext "isMainContainer" false "root" $root)) | trim }} + {{- with (include "ix.v1.common.container.securityContext" (dict "secCont" $container.securityContext "isMainContainer" false "root" $root)) | trim }} securityContext: {{- . | nindent 4 }} {{- end -}} diff --git a/library/common/1.0.0/templates/lib/pod/_mainContainer.tpl b/library/common/1.0.0/templates/lib/pod/_mainContainer.tpl index 443d59470b..fcb261c405 100644 --- a/library/common/1.0.0/templates/lib/pod/_mainContainer.tpl +++ b/library/common/1.0.0/templates/lib/pod/_mainContainer.tpl @@ -19,7 +19,7 @@ So it can work on multiple places, like additional containers and not only the m args: {{- . | nindent 4 }} {{- end -}} - {{- with (include "ix.v1.common.container.securityContext" (dict "secCont" .Values.securityContext "podSecCont" .Values.podSecurityContext "isMainContainer" true "root" $)) | trim }} + {{- with (include "ix.v1.common.container.securityContext" (dict "secCont" .Values.securityContext "isMainContainer" true "root" $)) | trim }} securityContext: {{- . | nindent 4 }} {{- end -}} 
@@ -33,7 +33,7 @@ So it can work on multiple places, like additional containers and not only the m {{- with (include "ix.v1.common.container.termination.messagePolicy" (dict "msgPolicy" .Values.termination.messagePolicy "root" $)) | trim }} terminationMessagePolicy: {{ . }} {{- end -}} - {{- with (include "ix.v1.common.container.envVars" (dict "envs" .Values.env "envList" .Values.envList "containerName" $name "root" $) | trim) }} + {{- with (include "ix.v1.common.container.envVars" (dict "envs" .Values.env "envList" .Values.envList "containerName" $name "isMainContainer" true "secCont" .Values.securityContext "root" $) | trim) }} env: {{- . | nindent 4 }} {{/* env, fixedEnvs and envList */}} {{- end -}} diff --git a/library/common/1.0.0/templates/lib/pod/_pod.tpl b/library/common/1.0.0/templates/lib/pod/_pod.tpl index dbbbe422c5..f0919b8141 100644 --- a/library/common/1.0.0/templates/lib/pod/_pod.tpl +++ b/library/common/1.0.0/templates/lib/pod/_pod.tpl @@ -39,7 +39,7 @@ tolerations: terminationGracePeriodSeconds: {{ . }} {{- end }} enableServiceLinks: {{ .Values.enableServiceLinks }} -{{- with (include "ix.v1.common.container.podSecurityContext" (dict "podSecCont" .Values.podSecurityContext) | trim) }} +{{- with (include "ix.v1.common.container.podSecurityContext" (dict "podSecCont" .Values.podSecurityContext "root" .) | trim) }} securityContext: {{- . | nindent 2 }} {{- end -}} diff --git a/library/common/1.0.0/templates/lib/pod/_podSecurityContext.tpl b/library/common/1.0.0/templates/lib/pod/_podSecurityContext.tpl index 8950891bc3..d51db263ac 100644 --- a/library/common/1.0.0/templates/lib/pod/_podSecurityContext.tpl +++ b/library/common/1.0.0/templates/lib/pod/_podSecurityContext.tpl 
@@ -1,16 +1,50 @@ -{{/* A dict podSecContext is expected with keys like runAsUser */}} +{{/* A dict podSecContext is expected with keys like fsGroup */}} {{- define "ix.v1.common.container.podSecurityContext" -}} {{- $podSecCont := .podSecCont -}} -runAsUser: {{ required " value is required." $podSecCont.runAsUser }} -runAsGroup: {{ required " value is required." $podSecCont.runAsGroup }} -fsGroup: {{ required " value is required." $podSecCont.fsGroup }} - {{- with $podSecCont.supplementalGroups }} {{/* TODO: deviceList + suppleGroups */}} + {{- $root := .root -}} + + {{/* TODO: deviceList + suppleGroups */}} + {{- $defaultPodSec := $root.Values.global.defaults.podSecurityContext -}} + + {{/* Init Values */}} + {{- $fsGroup := $defaultPodSec.fsGroup -}} + {{- $fsGroupChangePolicy := $defaultPodSec.fsGroupChangePolicy -}} + {{- $supplementalGroups := $defaultPodSec.supplementalGroups -}} + + {{/* Override based on user/dev input */}} + {{- if (hasKey $podSecCont "fsGroup") -}} + {{- if eq (toString $podSecCont.fsGroup) "" -}} + {{- fail (printf " key cannot be empty. Set a value or remove the key for the default (%v) to take effect." $fsGroup) -}} + {{- else if ge (int $podSecCont.fsGroup) 0 -}} + {{- $fsGroup = $podSecCont.fsGroup -}} + {{- end -}} + {{- end -}} + + {{- if (hasKey $podSecCont "fsGroupChangePolicy") -}} + {{- if $podSecCont.fsGroupChangePolicy -}} + {{- $fsGroupChangePolicy = $podSecCont.fsGroupChangePolicy -}} + {{- else -}} + {{- fail (printf " key cannot be empty. Set a value or remove the key for the default (%s) to take effect." $fsGroupChangePolicy) -}} + {{- end -}} + {{- end -}} + + {{- if (hasKey $podSecCont "supplementalGroups") -}} + {{- if $podSecCont.supplementalGroups -}} + {{- $supplementalGroups = $podSecCont.supplementalGroups -}} + {{- else -}} + {{- fail (printf " key cannot be empty. Set a value or remove the key for the default (%s) to take effect." 
$supplementalGroups) -}} + {{- end -}} + {{- end }} +fsGroup: {{ $fsGroup }} + {{- with $supplementalGroups }} supplementalGroups: {{- range . }} - {{ . }} {{- end -}} + {{- else }} +supplementalGroups: [] {{- end -}} - {{- with $podSecCont.fsGroupChangePolicy -}} + {{- with $fsGroupChangePolicy -}} {{- if not (mustHas . (list "Always" "OnRootMismatch")) -}} {{- fail "Invalid option for fsGroupChangePolicy. Valid options are and ." -}} {{- end }} diff --git a/library/common/1.0.0/values.yaml b/library/common/1.0.0/values.yaml index 5c3e229e6d..8530213145 100644 --- a/library/common/1.0.0/values.yaml +++ b/library/common/1.0.0/values.yaml @@ -169,16 +169,24 @@ global: # When SCALE-ZFS is set for storageClass, return this name scaleZFSStorageClass: # Default security context used for all - # init/install/upgrade/additional containers - # if not specified + # init/install/upgrade/additional + # and main containers if not specified securityContext: runAsNonRoot: true + runAsUser: 568 + runAsGroup: 568 readOnlyRootFilesystem: true allowPrivilegeEscalation: false privileged: false capabilities: add: [] drop: [] + # Default podSecurityContext, used if + # no other is specified + podSecurityContext: + fsGroup: 568 + supplementalGroups: [] + fsGroupChangePolicy: OnRootMismatch resources: limits: cpu: 4000m @@ -211,21 +219,17 @@ runtimeClassName: "" tolerations: [] -podSecurityContext: - runAsUser: 568 - runAsGroup: 568 - fsGroup: 568 - supplementalGroups: [] - fsGroupChangePolicy: OnRootMismatch +# podSecurityContext: +# fsGroup: 568 +# fsGroupChangePolicy: OnRootMismatch -securityContext: - privileged: false - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - runAsNonRoot: true - capabilities: - add: [] - drop: [] +# securityContext: +# runAsUser: 568 +# runAsGroup: 568 +# privileged: false +# readOnlyRootFilesystem: true +# allowPrivilegeEscalation: false +# runAsNonRoot: true termination: messagePath: "" 
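Review bot: `ix.v1.common.container.podSecurityContext` now reads only `fsGroup`, `fsGroupChangePolicy` and `supplementalGroups`, but nothing rejects the `runAsUser`/`runAsGroup` keys this dict accepted before the change, so an existing values file that pins `podSecurityContext.runAsUser: 1000` (constructed example) keeps rendering without error while the containers actually run with the 568 default from `global.defaults.securityContext`. A migration guard at the top of the override section would make the change visible: `{{- if or (hasKey $podSecCont "runAsUser") (hasKey $podSecCont "runAsGroup") -}}`, `{{- fail "runAsUser/runAsGroup are no longer read from podSecurityContext; set them under securityContext instead." -}}`, `{{- end -}}`. The header comment should also list what is honoured, e.g. `{{/* A dict podSecContext is expected with keys fsGroup, fsGroupChangePolicy and supplementalGroups; runAsUser/runAsGroup are container-level */}}`.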
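Review bot: The commented-out `# podSecurityContext:` and `# securityContext:` examples give no hint that `runAsUser`/`runAsGroup` moved from the pod-level dict to the container-level one, and the values file is the first place a chart author looks. A one-line comment above the `# podSecurityContext:` block, e.g. `# runAsUser/runAsGroup are per-container: set them under securityContext (defaults in global.defaults.securityContext)`, would document the move; the `global.defaults.securityContext` comment in the first hunk already says the defaults apply to the main container too, so the two hunks would then agree.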
diff --git a/run_common_tests.sh b/run_common_tests.sh index cf907dc196..5e9bce132b 100755 --- a/run_common_tests.sh +++ b/run_common_tests.sh @@ -22,6 +22,6 @@ echo "🔨 Building common..." helm dependency update "$common_test_path" echo "🧪 Running tests..." -helm unittest --update-snapshot --helm3 -f "tests/*/*.yaml" "./$common_test_path" +helm unittest --update-snapshot --helm3 -f "tests/*init*/*.yaml" "./$common_test_path" cleanup
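Review bot: The new glob `tests/*init*/*.yaml` limits the run to test directories whose name contains `init`, so every other test directory is skipped; the template changes in this commit are to container and pod securityContext handling, which presumably are not exercised by init-only tests. This looks like a local-iteration leftover rather than an intended change; restore `helm unittest --update-snapshot --helm3 -f "tests/*/*.yaml" "./$common_test_path"` or, if running a subset is wanted, take the pattern from a script argument with the full glob as the default.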