fix (charts): securityContext for PODs, not containers (#148)
akafazov authored Dec 19, 2024
1 parent 057a6d7 commit bf82980
Showing 15 changed files with 56 additions and 81 deletions.
4 changes: 2 additions & 2 deletions charts/account-operator/Chart.yaml
@@ -1,8 +1,8 @@
apiVersion: v2
name: account-operator
description: A Helm chart for Kubernetes
description: A Helm chart to deploy OpenMFP Account-Operator
type: application
version: 0.5.23
version: 0.5.24
appVersion: "0.123.0"
dependencies:
- name: account-operator-crds
3 changes: 1 addition & 2 deletions charts/account-operator/templates/deployment.yaml
Expand Up @@ -27,7 +27,7 @@ spec:
traffic.sidecar.istio.io/excludeInboundPorts: "9443"
{{- end }}
spec:
serviceAccountName: {{ include "common.entity.name" . }}
{{ include "common.container.securityContext" . | nindent 6 }}
containers:
- args:
- operator
Expand All @@ -36,7 +36,6 @@ spec:
- '--health-probe-bind-address=:{{ include "common.getKeyValue" (dict "Values" .Values "key" "health.port") }}'
image: {{ .Values.image.name }}:{{ .Chart.AppVersion }}
name: manager
{{ include "common.container.securityContext" . | nindent 10 }}
ports:
{{ include "common.PortsMetricsHealth" . | nindent 10 }}
{{- if .Values.webhooks.enabled }}
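Review bot: The helper now included at pod level, `{{ include "common.container.securityContext" . | nindent 6 }}`, still renders `readOnlyRootFilesystem: true`, as the regenerated snapshot in this commit shows under `spec.securityContext`; that key exists only in the container-level SecurityContext, not in PodSecurityContext, so the API server rejects the Deployment under strict field validation or, where unknown fields are pruned, the root filesystem silently becomes writable for every container in the pod. Moving `serviceAccountName` and `automountServiceAccountToken` out of the container entry is the right fix for those two keys, but the securityContext block should be split rather than moved: keep `runAsNonRoot` and `seccompProfile` at `nindent 6`, and restore a container-level include after `name: manager` at `nindent 10` that carries `readOnlyRootFilesystem: true` (and `allowPrivilegeEscalation: false`, which is likewise container-only). The same regression appears in charts/common/test-chart/templates/deployment.yaml, charts/extension-manager-operator/templates/deployment.yaml (where both the manager and the server container lose their block) and charts/portal/templates/deploy.yaml. The enclosing pod template starts and ends outside the hunk.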
Expand Up @@ -291,13 +291,13 @@ operator match the snapshot:
control-plane: controller-manager
service: account-operator
spec:
automountServiceAccountToken: false
containers:
- args:
- operator
- --leader-elect
- --log-level=warn
- --health-probe-bind-address=:8081
automountServiceAccountToken: false
env:
- name: SUBROUTINES_NAMESPACE_ENABLED
value: "true"
Expand Down Expand Up @@ -353,19 +353,18 @@ operator match the snapshot:
requests:
cpu: 150m
memory: 128Mi
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: account-operator
startupProbe:
failureThreshold: 30
httpGet:
path: /readyz
port: 8081
periodSeconds: 10
volumeMounts: null
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: account-operator
terminationGracePeriodSeconds: 10
volumes: null
Expand Down Expand Up @@ -669,13 +668,13 @@ operator match the snapshot (with kubeconfigSecret):
control-plane: controller-manager
service: account-operator
spec:
automountServiceAccountToken: false
containers:
- args:
- operator
- --leader-elect
- --log-level=warn
- --health-probe-bind-address=:8081
automountServiceAccountToken: false
env:
- name: SUBROUTINES_NAMESPACE_ENABLED
value: "true"
Expand Down Expand Up @@ -733,12 +732,6 @@ operator match the snapshot (with kubeconfigSecret):
requests:
cpu: 40m
memory: 50Mi
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: account-operator
startupProbe:
failureThreshold: 30
httpGet:
Expand All @@ -748,6 +741,11 @@ operator match the snapshot (with kubeconfigSecret):
volumeMounts:
- mountPath: /api-kubeconfig
name: external-api-server
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: account-operator
terminationGracePeriodSeconds: 10
volumes:
Expand Down Expand Up @@ -1057,13 +1055,13 @@ operator match the snapshot with webhook enabled:
control-plane: controller-manager
service: account-operator
spec:
automountServiceAccountToken: false
containers:
- args:
- operator
- --leader-elect
- --log-level=warn
- --health-probe-bind-address=:8081
automountServiceAccountToken: false
env:
- name: SUBROUTINES_NAMESPACE_ENABLED
value: "true"
Expand Down Expand Up @@ -1122,12 +1120,6 @@ operator match the snapshot with webhook enabled:
requests:
cpu: 150m
memory: 128Mi
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: account-operator
startupProbe:
failureThreshold: 30
httpGet:
Expand All @@ -1138,6 +1130,11 @@ operator match the snapshot with webhook enabled:
- mountPath: /certs
name: cert
readOnly: true
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: account-operator
terminationGracePeriodSeconds: 10
volumes:
6 changes: 3 additions & 3 deletions charts/account-operator/tests/deployment_test.yaml
Expand Up @@ -54,15 +54,15 @@ tests:
mountServiceAccountToken: true
asserts:
- equal:
path: spec.template.spec.containers[0].securityContext
path: spec.template.spec.securityContext
value:
runAsNonRoot: true
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
- equal:
path: spec.template.spec.containers[0].serviceAccountName
path: spec.template.spec.serviceAccountName
value: account-operator
- equal:
path: spec.template.spec.containers[0].automountServiceAccountToken
path: spec.template.spec.automountServiceAccountToken
value: true
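Review bot: The assertion at `path: spec.template.spec.securityContext` now expects `readOnlyRootFilesystem: true` at pod level, so the test pins a field that PodSecurityContext does not define and would keep passing for a manifest the API server rejects; helm-unittest compares rendered text and does no schema validation. Split it into one `equal` on `spec.template.spec.securityContext` containing only `runAsNonRoot` and `seccompProfile`, and a second on `spec.template.spec.containers[0].securityContext` that keeps `readOnlyRootFilesystem: true`, so the test enforces the hardening on the object that actually honours it. A schema-validating step on the rendered output (for example kubeconform) in CI would have caught this move.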
2 changes: 1 addition & 1 deletion charts/common/Chart.yaml
Expand Up @@ -4,4 +4,4 @@ description: A Helm chart containing reuse templates

type: library

version: 0.2.1
version: 0.2.2
4 changes: 2 additions & 2 deletions charts/common/test-chart/Chart.yaml
Expand Up @@ -15,7 +15,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0
version: 0.1.2

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
Expand All @@ -25,5 +25,5 @@ appVersion: "1.16.0"

dependencies:
- name: common
version: 0.2.0
version: 0.2.1
repository: file://..
3 changes: 1 addition & 2 deletions charts/common/test-chart/templates/deployment.yaml
Expand Up @@ -12,12 +12,11 @@ spec:
service: {{ include "common.entity.name" . }}
template:
spec:
serviceAccountName: {{ include "common.entity.name" . }}
{{ include "common.container.securityContext" . | nindent 6 }}
containers:
image: {{ include "common.image" . }}
imagePullPolicy: {{ include "common.imagePullPolicy" . }}
name: manager
{{ include "common.container.securityContext" . | nindent 10 }}
ports:
{{ include "common.PortsMetricsHealth" . | nindent 10 }}
{{ include "common.operatorHealthAndReadyness" . | nindent 10 }}
2 changes: 1 addition & 1 deletion charts/extension-manager-operator/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
name: extension-manager-operator
description: A Helm chart for extension-manager-operator which manages resources like ContentConfigurations and exposes REST `/validate` endpoint
type: application
version: 0.22.59
version: 0.22.60
appVersion: "0.86.0"
dependencies:
- name: extension-manager-operator-crds
4 changes: 1 addition & 3 deletions charts/extension-manager-operator/templates/deployment.yaml
Expand Up @@ -24,7 +24,7 @@ spec:
{{ .Values.deployment.template.annotations | toYaml | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ include "common.entity.name" . }}
{{ include "common.container.securityContext" . | nindent 6 }}
containers:
- args:
- operator
Expand All @@ -34,7 +34,6 @@ spec:
image: {{ .Values.image.name }}:{{ .Chart.AppVersion }}
imagePullPolicy: {{ include "common.imagePullPolicy" . }}
name: manager
{{ include "common.container.securityContext" . | nindent 10 }}
ports:
{{- include "common.PortsMetricsHealth" . | nindent 10 -}}
{{- include "common.operatorHealthAndReadyness" . | nindent 10 -}}
Expand All @@ -45,7 +44,6 @@ spec:
image: {{ .Values.image.name }}:{{ .Chart.AppVersion }}
imagePullPolicy: {{ include "common.imagePullPolicy" . }}
name: server
{{- include "common.container.securityContext" . | nindent 10 }}
ports:
- containerPort: {{ .Values.validationServer.port }}
{{- include "common.PortsMetricsHealth" . | nindent 10 -}}
Expand Up @@ -81,13 +81,13 @@ operator match the snapshot:
app: extension-manager-operator
service: extension-manager-operator
spec:
automountServiceAccountToken: true
containers:
- args:
- operator
- --leader-elect
- --log-level=
- --health-probe-bind-address=:8081
automountServiceAccountToken: true
image: ghcr.io/openmfp/extension-manager-operator:1.0.0
imagePullPolicy: Always
livenessProbe:
Expand Down Expand Up @@ -117,18 +117,17 @@ operator match the snapshot:
requests:
cpu: 40m
memory: 50Mi
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: extension-manager-operator
startupProbe:
failureThreshold: 30
httpGet:
path: /readyz
port: 8081
periodSeconds: 10
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: extension-manager-operator
terminationGracePeriodSeconds: 10
4: |
Binary file not shown.
2 changes: 1 addition & 1 deletion charts/portal/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v2
description: Helm Chart for the openmfp Portal
name: portal
version: 0.69.189
version: 0.69.190
appVersion: "0.258.0"
dependencies:
- name: common
4 changes: 1 addition & 3 deletions charts/portal/templates/deploy.yaml
Expand Up @@ -18,13 +18,11 @@ spec:
labels:
app: {{ include "common.entity.name" . }}
spec:
serviceAccountName: {{ include "common.entity.name" . }}
{{- include "common.spec.securityContext" (dict "Values" .Values) | nindent 6 }}
{{ include "common.container.securityContext" . | nindent 6 }}
containers:
- name: {{ include "common.entity.name" . }}
image: {{ .Values.image.name }}:{{ .Chart.AppVersion }}
imagePullPolicy: {{ include "common.imagePullPolicy" . }}
{{ include "common.container.securityContext" . | nindent 8 }}
env:
- name: HTTP_PROTOCOL
value: {{ .Values.http.protocol }}
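Review bot: `{{- include "common.spec.securityContext" (dict "Values" .Values) | nindent 6 }}` and the newly added `{{ include "common.container.securityContext" . | nindent 6 }}` now both emit a `securityContext:` mapping under the same pod spec, which is a duplicate key; the regenerated portal snapshots in this commit show the outcome, with `fsGroup`, `runAsGroup` and `runAsUser` gone and only the last block surviving, so the explicit UID/GID and volume group settings the values provide are no longer applied, and a strict YAML decoder would reject the manifest outright. A pod spec can carry only one securityContext, so the two helpers' keys need to be merged into a single pod-level block (`runAsUser`, `runAsGroup`, `fsGroup`, `runAsNonRoot`, `seccompProfile`) at `nindent 6`, and the container-level include should be restored after `imagePullPolicy` at `nindent 8` for `readOnlyRootFilesystem`, which PodSecurityContext does not accept in any case. The enclosing pod template starts and ends outside the hunk.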
17 changes: 6 additions & 11 deletions charts/portal/tests/__snapshot__/deploy_test.yaml.snap
Expand Up @@ -20,9 +20,9 @@ matches the snapshot:
labels:
app: portal
spec:
automountServiceAccountToken: true
containers:
- automountServiceAccountToken: true
env:
- env:
- name: HTTP_PROTOCOL
value: http
- name: OIDC_CLIENT_ID_OPENMFP
Expand Down Expand Up @@ -91,14 +91,9 @@ matches the snapshot:
requests:
cpu: 40m
memory: 50Mi
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: portal
securityContext:
fsGroup: 2000
runAsGroup: 3000
runAsUser: 1000
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: portal
34 changes: 12 additions & 22 deletions charts/portal/tests/__snapshot__/istio_test.yaml.snap
Expand Up @@ -20,9 +20,9 @@ matches the snapshot:
labels:
app: portal
spec:
automountServiceAccountToken: true
containers:
- automountServiceAccountToken: true
env:
- env:
- name: HTTP_PROTOCOL
value: http
- name: OIDC_CLIENT_ID_OPENMFP
Expand Down Expand Up @@ -91,16 +91,11 @@ matches the snapshot:
requests:
cpu: 40m
memory: 50Mi
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: portal
securityContext:
fsGroup: 2000
runAsGroup: 3000
runAsUser: 1000
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: portal
2: |
apiVersion: rbac.authorization.k8s.io/v1
Expand Down Expand Up @@ -171,9 +166,9 @@ matches the snapshot with istio disabled:
labels:
app: portal
spec:
automountServiceAccountToken: true
containers:
- automountServiceAccountToken: true
env:
- env:
- name: HTTP_PROTOCOL
value: http
- name: OIDC_CLIENT_ID_OPENMFP
Expand Down Expand Up @@ -242,16 +237,11 @@ matches the snapshot with istio disabled:
requests:
cpu: 40m
memory: 50Mi
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: portal
securityContext:
fsGroup: 2000
runAsGroup: 3000
runAsUser: 1000
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: portal
2: |
apiVersion: rbac.authorization.k8s.io/v1
