diff --git a/library/common/1.0.0/templates/lib/container/_securityContext.tpl b/library/common/1.0.0/templates/lib/container/_securityContext.tpl
index 48479179c5..4a81359577 100644
--- a/library/common/1.0.0/templates/lib/container/_securityContext.tpl
+++ b/library/common/1.0.0/templates/lib/container/_securityContext.tpl
@@ -1,20 +1,20 @@
 {{/* Security Context included by the container */}}
 {{- define "ix.v1.common.container.securityContext" -}}
-{{- $secContext := .secCont -}}
-{{- $podSecContext := .podSecCont -}}
-{{- $root := .root -}}
-{{/* Check that they are set as booleans to prevent typos */}}
-{{- with $secContext -}}
- {{- if or (not (kindIs "bool" .runAsNonRoot)) (not (kindIs "bool" .privileged)) (not (kindIs "bool" .readOnlyRootFilesystem)) (not (kindIs "bool" .allowPrivilegeEscalation)) -}}
- {{- fail "One or more of the following are not set as booleans (runAsNonRoot, privileged, readOnlyRootFilesystem, allowPrivilegeEscalation)" -}}
- {{- end -}}
-{{- end -}}
-{{/* Only run as root if it's explicitly defined */}}
-{{- if or (not $podSecContext.runAsUser) (not $podSecContext.runAsGroup) -}}
- {{- if $secContext.runAsNonRoot -}}
- {{- fail "You are trying to run as root (user or group), but runAsNonRoot is set to true" -}}
+ {{- $secContext := .secCont -}}
+ {{- $podSecContext := .podSecCont -}}
+ {{- $root := .root -}}
+ {{/* Check that they are set as booleans to prevent typos */}}
+ {{- with $secContext -}}
+ {{- if or (not (kindIs "bool" .runAsNonRoot)) (not (kindIs "bool" .privileged)) (not (kindIs "bool" .readOnlyRootFilesystem)) (not (kindIs "bool" .allowPrivilegeEscalation)) -}}
+ {{- fail "One or more of the following are not set as booleans (runAsNonRoot, privileged, readOnlyRootFilesystem, allowPrivilegeEscalation)" -}}
+ {{- end -}}
+ {{- end -}}
+{{/* Only run as root if it's explicitly defined */}}
+ {{- if or (not $podSecContext.runAsUser) (not $podSecContext.runAsGroup) -}}
+ {{- if $secContext.runAsNonRoot -}}
+ {{- fail "You are trying to run as root (user or group), but runAsNonRoot is set to true" -}}
+ {{- end -}}
 {{- end -}}
-{{- end -}}
 runAsNonRoot: {{ $secContext.runAsNonRoot }}
 readOnlyRootFilesystem: {{ $secContext.readOnlyRootFilesystem }}
 allowPrivilegeEscalation: {{ $secContext.allowPrivilegeEscalation }}
@@ -41,23 +41,3 @@ capabilities:
 drop: []
 {{- end }}
 {{- end -}}
-
-{{/* A dict podSecContext is expected with keys line runAsUser */}}
-{{- define "ix.v1.common.container.podSecurityContext" -}}
-{{- $podSecCont := .podSecCont -}}
-runAsUser: {{ required " value is required." $podSecCont.runAsUser }}
-runAsGroup: {{ required " value is required." $podSecCont.runAsGroup }}
-fsGroup: {{ required " value is required." $podSecCont.fsGroup }}
-{{- with $podSecCont.supplementalGroups }}
-supplementalGroups:
- {{- range . }}
- - {{ . }}
- {{- end -}}
-{{- end -}}
-{{- with $podSecCont.fsGroupChangePolicy -}}
- {{- if not (has . (list "Always" "OnRootMismatch")) -}}
- {{- fail "Invalid option for fsGroupChangePolicy. Valid options are and ." -}}
- {{- end }}
-fsGroupChangePolicy: {{ . }}
-{{- end -}}
-{{- end -}}
diff --git a/library/common/1.0.0/templates/lib/container/probeTemplates/_custom.tpl b/library/common/1.0.0/templates/lib/container/probes/_custom.tpl
similarity index 100%
rename from library/common/1.0.0/templates/lib/container/probeTemplates/_custom.tpl
rename to library/common/1.0.0/templates/lib/container/probes/_custom.tpl
diff --git a/library/common/1.0.0/templates/lib/container/probeTemplates/_exec.tpl b/library/common/1.0.0/templates/lib/container/probes/_exec.tpl
similarity index 100%
rename from library/common/1.0.0/templates/lib/container/probeTemplates/_exec.tpl
rename to library/common/1.0.0/templates/lib/container/probes/_exec.tpl
diff --git a/library/common/1.0.0/templates/lib/container/probeTemplates/_grpc.tpl b/library/common/1.0.0/templates/lib/container/probes/_grpc.tpl
similarity index 100%
rename from library/common/1.0.0/templates/lib/container/probeTemplates/_grpc.tpl
rename to library/common/1.0.0/templates/lib/container/probes/_grpc.tpl
diff --git a/library/common/1.0.0/templates/lib/container/probeTemplates/_httpGet.tpl b/library/common/1.0.0/templates/lib/container/probes/_httpGet.tpl
similarity index 100%
rename from library/common/1.0.0/templates/lib/container/probeTemplates/_httpGet.tpl
rename to library/common/1.0.0/templates/lib/container/probes/_httpGet.tpl
diff --git a/library/common/1.0.0/templates/lib/container/probeTemplates/_tcp.tpl b/library/common/1.0.0/templates/lib/container/probes/_tcp.tpl
similarity index 100%
rename from library/common/1.0.0/templates/lib/container/probeTemplates/_tcp.tpl
rename to library/common/1.0.0/templates/lib/container/probes/_tcp.tpl
diff --git a/library/common/1.0.0/templates/lib/container/probeTemplates/_timeouts.tpl b/library/common/1.0.0/templates/lib/container/probes/_timeouts.tpl
similarity index 100%
rename from library/common/1.0.0/templates/lib/container/probeTemplates/_timeouts.tpl
rename to library/common/1.0.0/templates/lib/container/probes/_timeouts.tpl
diff --git a/library/common/1.0.0/templates/lib/container/probeTemplates/_udp.tpl b/library/common/1.0.0/templates/lib/container/probes/_udp.tpl
similarity index 100%
rename from library/common/1.0.0/templates/lib/container/probeTemplates/_udp.tpl
rename to library/common/1.0.0/templates/lib/container/probes/_udp.tpl
diff --git a/library/common/1.0.0/templates/lib/chart/_annotations.tpl b/library/common/1.0.0/templates/lib/general/_annotations.tpl
similarity index 100%
rename from library/common/1.0.0/templates/lib/chart/_annotations.tpl
rename to library/common/1.0.0/templates/lib/general/_annotations.tpl
diff --git a/library/common/1.0.0/templates/lib/chart/_capabilities.tpl b/library/common/1.0.0/templates/lib/general/_capabilities.tpl
similarity index 100%
rename from library/common/1.0.0/templates/lib/chart/_capabilities.tpl
rename to library/common/1.0.0/templates/lib/general/_capabilities.tpl
diff --git a/library/common/1.0.0/templates/lib/chart/_labels.tpl b/library/common/1.0.0/templates/lib/general/_labels.tpl
similarity index 100%
rename from library/common/1.0.0/templates/lib/chart/_labels.tpl
rename to library/common/1.0.0/templates/lib/general/_labels.tpl
diff --git a/library/common/1.0.0/templates/lib/chart/_names.tpl b/library/common/1.0.0/templates/lib/general/_names.tpl
similarity index 100%
rename from library/common/1.0.0/templates/lib/chart/_names.tpl
rename to library/common/1.0.0/templates/lib/general/_names.tpl
diff --git a/library/common/1.0.0/templates/lib/controller/_pod.tpl b/library/common/1.0.0/templates/lib/general/_pod.tpl
similarity index 100%
rename from library/common/1.0.0/templates/lib/controller/_pod.tpl
rename to library/common/1.0.0/templates/lib/general/_pod.tpl
diff --git a/library/common/1.0.0/templates/lib/controller/_container.tpl b/library/common/1.0.0/templates/lib/pod/_container.tpl
similarity index 100%
rename from library/common/1.0.0/templates/lib/controller/_container.tpl
rename to library/common/1.0.0/templates/lib/pod/_container.tpl
diff --git a/library/common/1.0.0/templates/lib/chart/_dns.tpl b/library/common/1.0.0/templates/lib/pod/_dns.tpl
similarity index 100%
rename from library/common/1.0.0/templates/lib/chart/_dns.tpl
rename to library/common/1.0.0/templates/lib/pod/_dns.tpl
diff --git a/library/common/1.0.0/templates/lib/chart/_hostAliases.tpl b/library/common/1.0.0/templates/lib/pod/_hostAliases.tpl
similarity index 100%
rename from library/common/1.0.0/templates/lib/chart/_hostAliases.tpl
rename to library/common/1.0.0/templates/lib/pod/_hostAliases.tpl
diff --git a/library/common/1.0.0/templates/lib/chart/_nodeSelector.tpl b/library/common/1.0.0/templates/lib/pod/_nodeSelector.tpl
similarity index 100%
rename from library/common/1.0.0/templates/lib/chart/_nodeSelector.tpl
rename to library/common/1.0.0/templates/lib/pod/_nodeSelector.tpl
diff --git a/library/common/1.0.0/templates/lib/chart/_podAnnotations.tpl b/library/common/1.0.0/templates/lib/pod/_podAnnotations.tpl
similarity index 100%
rename from library/common/1.0.0/templates/lib/chart/_podAnnotations.tpl
rename to library/common/1.0.0/templates/lib/pod/_podAnnotations.tpl
diff --git a/library/common/1.0.0/templates/lib/chart/_podLabels.tpl b/library/common/1.0.0/templates/lib/pod/_podLabels.tpl
similarity index 100%
rename from library/common/1.0.0/templates/lib/chart/_podLabels.tpl
rename to library/common/1.0.0/templates/lib/pod/_podLabels.tpl
diff --git a/library/common/1.0.0/templates/lib/pod/_podSecurityContext.tpl b/library/common/1.0.0/templates/lib/pod/_podSecurityContext.tpl
new file mode 100644
index 0000000000..946508994a
--- /dev/null
+++ b/library/common/1.0.0/templates/lib/pod/_podSecurityContext.tpl
@@ -0,0 +1,19 @@
+{{/* A dict podSecContext is expected with keys line runAsUser */}}
+{{- define "ix.v1.common.container.podSecurityContext" -}}
+ {{- $podSecCont := .podSecCont -}}
+runAsUser: {{ required " value is required." $podSecCont.runAsUser }}
+runAsGroup: {{ required " value is required." $podSecCont.runAsGroup }}
+fsGroup: {{ required " value is required." $podSecCont.fsGroup }}
+ {{- with $podSecCont.supplementalGroups }}
+supplementalGroups:
+ {{- range . }}
+ - {{ . }}
+ {{- end -}}
+ {{- end -}}
+ {{- with $podSecCont.fsGroupChangePolicy -}}
+ {{- if not (has . (list "Always" "OnRootMismatch")) -}}
+ {{- fail "Invalid option for fsGroupChangePolicy. Valid options are and ." -}}
+ {{- end }}
+fsGroupChangePolicy: {{ . }}
+ {{- end -}}
+{{- end -}}
diff --git a/library/common/1.0.0/templates/lib/chart/_tolerations.tpl b/library/common/1.0.0/templates/lib/pod/_tolerations.tpl
similarity index 100%
rename from library/common/1.0.0/templates/lib/chart/_tolerations.tpl
rename to library/common/1.0.0/templates/lib/pod/_tolerations.tpl
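Review bot: The header comment on the new define, `{{/* A dict podSecContext is expected with keys line runAsUser */}}`, has a typo (`line` → `like`) and does not say which keys are mandatory even though the three `required` calls below hard-fail the render when they are missing; I'd change it to `{{/* Expects a dict podSecCont: runAsUser, runAsGroup and fsGroup are required; supplementalGroups and fsGroupChangePolicy are optional */}}`. A why-comment on the `runAsUser:` line would also help the next reader: as far as I recall Helm's `required` rejects only nil and the empty string, so `runAsUser: 0` (root) passes here and root is gated only by the runAsNonRoot check in `_securityContext.tpl` — worth confirming that is the intent and stating it. As extracted, the failure messages read `" value is required."` and `"Valid options are and ."`, naming neither the offending key nor the accepted values; if bracketed names were stripped by the renderer ignore this, otherwise spell them out, e.g. `{{- fail "Invalid option for fsGroupChangePolicy. Valid options are Always and OnRootMismatch." -}}`. The define keeps the name `ix.v1.common.container.podSecurityContext` although the file now lives under `lib/pod/`; renaming would break existing callers, so a one-line comment noting the mismatch is the cheaper fix.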
diff --git a/library/common/1.0.0/templates/lib/controller/_volumes.tpl b/library/common/1.0.0/templates/lib/pod/_volumes.tpl
similarity index 100%
rename from library/common/1.0.0/templates/lib/controller/_volumes.tpl
rename to library/common/1.0.0/templates/lib/pod/_volumes.tpl
diff --git a/library/common/1.0.0/templates/class/serviceTemplates/_endpoints.tpl b/library/common/1.0.0/templates/lib/service/_endpoints.tpl
similarity index 100%
rename from library/common/1.0.0/templates/class/serviceTemplates/_endpoints.tpl
rename to library/common/1.0.0/templates/lib/service/_endpoints.tpl
diff --git a/library/common/1.0.0/templates/class/serviceTemplates/_externalIPs.tpl b/library/common/1.0.0/templates/lib/service/_externalIPs.tpl
similarity index 100%
rename from library/common/1.0.0/templates/class/serviceTemplates/_externalIPs.tpl
rename to library/common/1.0.0/templates/lib/service/_externalIPs.tpl
diff --git a/library/common/1.0.0/templates/class/serviceTemplates/_sessionAffinity.tpl b/library/common/1.0.0/templates/lib/service/_sessionAffinity.tpl
similarity index 100%
rename from library/common/1.0.0/templates/class/serviceTemplates/_sessionAffinity.tpl
rename to library/common/1.0.0/templates/lib/service/_sessionAffinity.tpl