feat(lmutil): openshift templates (#78)

logicmonitor · Jan 17, 2023 · ed79522 · ed79522
1 parent 99e94d2
commit ed79522
Show file tree

Hide file tree

Showing 4 changed files with 183 additions and 2 deletions.
diff --git a/charts/lmutil/Chart.yaml b/charts/lmutil/Chart.yaml
@@ -15,7 +15,7 @@ type: library
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.2
+version: 0.1.4
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/charts/lmutil/templates/_customizations.tpl b/charts/lmutil/templates/_customizations.tpl
@@ -0,0 +1,20 @@
+{{- define "lmutil.custom-pod-sec-context-nonroot" }}
+{{ if eq (include "lmutil.is-openshift" .) "true" }}
+runAsUser: 1000670001
+fsGroup: 1000670001
+runAsGroup: 1000670001
+runAsNonRoot: true
+{{- end }}
+{{- end }}
+
+
+{{- define "lmutil.custom-container-sec-context-nonroot" }}
+{{ if eq (include "lmutil.is-openshift" .) "true" }}
+allowPrivilegeEscalation: false
+capabilities:
+  drop:
+    - ALL
+seccompProfile:
+  type: RuntimeDefault
+{{- end }}
+{{- end }}
diff --git a/charts/lmutil/templates/_openshift-scc.tpl b/charts/lmutil/templates/_openshift-scc.tpl
@@ -0,0 +1,130 @@
+{{- /*
+These templates take following arguments:
+1. top context
+2. name of the scc object
+3. service account users to associate with scc in format: "<namespace>:<service account name>"
+*/ -}}
+{{- define "lmutil.openshift-scc-nonroot-v2" -}}
+{{- $top := first . -}}
+{{- $name := (index . 1) -}}
+{{- $saUsers := (index . 2) -}}
+{{- if and (eq (include "lmutil.is-openshift" $top) "true") ($top.Capabilities.APIVersions.Has "security.openshift.io/v1") -}}
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: false
+allowPrivilegedContainer: false
+allowedCapabilities:
+  - NET_BIND_SERVICE
+  - NET_RAW
+apiVersion: security.openshift.io/v1
+defaultAddCapabilities: null
+fsGroup:
+  type: RunAsAny
+groups: [ ]
+kind: SecurityContextConstraints
+metadata:
+  labels:
+    {{ include "lmutil.generic.labels" $top | nindent 4 }}
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    kubernetes.io/description: nonroot provides all features of the restricted SCC
+      but allows users to run with any non-root UID.  The user must specify the UID
+      or it must be specified on the by the manifest of the container runtime. On
+      top of the legacy 'nonroot' SCC, it also requires to drop ALL capabilities and
+      does not allow privilege escalation binaries. It will also default the seccomp
+      profile to runtime/default if unset, otherwise this seccomp profile is required.
+  name: {{ $name }}
+priority: null
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+  - ALL
+runAsUser:
+  type: MustRunAsNonRoot
+seLinuxContext:
+  type: MustRunAs
+seccompProfiles:
+  - runtime/default
+supplementalGroups:
+  type: RunAsAny
+{{ if gt ($saUsers | len) 0 }}
+users:
+{{ range $saUsers }}
+  - system:serviceaccount:{{ . }}
+{{- end }}
+{{- end }}
+volumes:
+  - configMap
+  - downwardAPI
+  - emptyDir
+  - persistentVolumeClaim
+  - projected
+  - secret
+{{- end -}}
+{{- end -}}
+
+
+{{- /*
+These templates take following arguments:
+1. top context
+2. name of the scc object
+3. service account users to associate with scc in format: "<namespace>:<service account name>"
+*/ -}}
+{{- define "lmutil.openshift-scc-anyuid" -}}
+{{- $top := first . -}}
+{{- $name := (index . 1) -}}
+{{- $saUsers := (index . 2) -}}
+{{- if and (eq (include "lmutil.is-openshift" $top) "true") ($top.Capabilities.APIVersions.Has "security.openshift.io/v1") -}}
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: false
+allowedCapabilities:
+  - NET_RAW
+apiVersion: security.openshift.io/v1
+defaultAddCapabilities: null
+fsGroup:
+  type: RunAsAny
+groups:
+  - system:cluster-admins
+kind: SecurityContextConstraints
+metadata:
+  labels:
+    {{ include "lmutil.generic.labels" $top | nindent 4 }}
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    kubernetes.io/description: anyuid provides all features of the restricted SCC
+      but allows users to run with any UID and any GID.
+  name: {{ $name }}
+priority: 10
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+  - MKNOD
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: MustRunAs
+supplementalGroups:
+  type: RunAsAny
+{{ if gt ($saUsers | len) 0 }}
+users:
+{{ range $saUsers }}
+  - system:serviceaccount:{{ . }}
+{{- end }}
+{{- end }}
+volumes:
+  - configMap
+  - downwardAPI
+  - emptyDir
+  - persistentVolumeClaim
+  - projected
+  - secret
+{{- end -}}
+{{- end -}}
diff --git a/charts/lmutil/templates/_util.tpl b/charts/lmutil/templates/_util.tpl
@@ -40,6 +40,8 @@ Allow the release namespace to be overridden for multi-namespace deployments in
 {{- printf "%s" "eks" }}
 {{- else if contains "+vmware" .Capabilities.KubeVersion.Version }}
 {{- printf "%s" "vmware" }}
+{{- else if contains "-rancher" .Capabilities.KubeVersion.Version }}
+{{- printf "%s" "rancher" }}
 {{- else if contains "-mirantis" .Capabilities.KubeVersion.Version }}
 {{- printf "%s" "mirantis" }}
 {{- else if eq (include "lmutil.is-openshift" .) "true" }}
@@ -113,4 +115,33 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
-{{- end }}
+{{- end }}
+
+
+{{- /*
+lmutil.merge will merge two YAML templates and output the result.
+This takes an array of three values:
+- the top context
+- the template name of the overrides (destination)
+- the template name of the base (source)
+*/}}
+{{- define "lmutil.merge" -}}
+{{- $top := first . -}}
+{{- $overrides := fromYaml (include (index . 1) $top) | default (dict ) -}}
+{{- $tpl := fromYaml (include (index . 2) $top) | default (dict ) -}}
+{{- toYaml (merge $overrides $tpl) -}}
+{{- end -}}
+
+{{- define "lmutil.default-pod-sec-context-nonroot" }}
+{{- toYaml .Values.podSecurityContext | nindent 0 }}
+{{- end }}
+{{- define "lmutil.pod-sec-context-nonroot" -}}
+{{- include "lmutil.merge" (append . "lmutil.default-pod-sec-context-nonroot" ) -}}
+{{- end -}}
+
+{{- define "lmutil.default-container-sec-context-nonroot" }}
+{{- toYaml .Values.securityContext | nindent 0 }}
+{{- end }}
+{{- define "lmutil.container-sec-context-nonroot" -}}
+{{- include "lmutil.merge" (append . "lmutil.default-container-sec-context-nonroot" ) -}}
+{{- end -}}