From ed795223b2e48fdca2bbdb255a8373c49de2ee3d Mon Sep 17 00:00:00 2001 From: Vaibhav Kumbhar Date: Tue, 17 Jan 2023 13:51:42 +0530 Subject: [PATCH] feat(lmutil): openshift templates (#78) --- charts/lmutil/Chart.yaml | 2 +- charts/lmutil/templates/_customizations.tpl | 20 +++ charts/lmutil/templates/_openshift-scc.tpl | 130 ++++++++++++++++++++ charts/lmutil/templates/_util.tpl | 33 ++++- 4 files changed, 183 insertions(+), 2 deletions(-) create mode 100644 charts/lmutil/templates/_customizations.tpl create mode 100644 charts/lmutil/templates/_openshift-scc.tpl
diff --git a/charts/lmutil/Chart.yaml b/charts/lmutil/Chart.yaml
index 3d0b35c..0343690 100644
--- a/charts/lmutil/Chart.yaml
+++ b/charts/lmutil/Chart.yaml
@@ -15,7 +15,7 @@ type: library
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.2
+version: 0.1.4
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/lmutil/templates/_customizations.tpl b/charts/lmutil/templates/_customizations.tpl
new file mode 100644
index 0000000..33077d1
--- /dev/null
+++ b/charts/lmutil/templates/_customizations.tpl
@@ -0,0 +1,20 @@
+{{- define "lmutil.custom-pod-sec-context-nonroot" }}
+{{ if eq (include "lmutil.is-openshift" .) "true" }}
+runAsUser: 1000670001
+fsGroup: 1000670001
+runAsGroup: 1000670001
+runAsNonRoot: true
+{{- end }}
+{{- end }}
+
+
+{{- define "lmutil.custom-container-sec-context-nonroot" }}
+{{ if eq (include "lmutil.is-openshift" .) "true" }}
+allowPrivilegeEscalation: false
+capabilities:
+ drop:
+ - ALL
+seccompProfile:
+ type: RuntimeDefault
+{{- end }}
+{{- end }} 
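Review bot: The OpenShift branch of `lmutil.custom-pod-sec-context-nonroot` hard-codes `runAsUser`/`runAsGroup`/`fsGroup: 1000670001`, and because `lmutil.merge` in this patch gives the custom template precedence over `.Values.podSecurityContext`, a consumer cannot override those from values. OpenShift's built-in restricted SCCs admit only UIDs inside the namespace's allocated range, so this fixed UID only works where the chart's own `MustRunAsNonRoot` SCC is granted, and it reuses the same UID in every namespace the chart lands in. Consider sourcing it from a value, e.g. `runAsUser: {{ .Values.openshift.uid | default 1000670001 }}`, or omitting it so OpenShift assigns one, and document the constraint in a comment above the define. Separately, the hardening in `lmutil.custom-container-sec-context-nonroot` (drop ALL, no privilege escalation, `RuntimeDefault` seccomp) is valid on any reasonably current Kubernetes and need not be gated on `lmutil.is-openshift`; gating it leaves non-OpenShift installs with whatever values.yaml happens to say.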
diff --git a/charts/lmutil/templates/_openshift-scc.tpl b/charts/lmutil/templates/_openshift-scc.tpl
new file mode 100644
index 0000000..c71b8d9
--- /dev/null
+++ b/charts/lmutil/templates/_openshift-scc.tpl 
@@ -0,0 +1,130 @@
+{{- /*
+These templates take following arguments:
+1. top context
+2. name of the scc object
+3. service account users to associate with scc in format: ":"
+*/ -}}
+{{- define "lmutil.openshift-scc-nonroot-v2" -}}
+{{- $top := first . -}}
+{{- $name := (index . 1) -}}
+{{- $saUsers := (index . 2) -}}
+{{- if and (eq (include "lmutil.is-openshift" $top) "true") ($top.Capabilities.APIVersions.Has "security.openshift.io/v1") -}}
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: false
+allowPrivilegedContainer: false
+allowedCapabilities:
+ - NET_BIND_SERVICE
+ - NET_RAW
+apiVersion: security.openshift.io/v1
+defaultAddCapabilities: null
+fsGroup:
+ type: RunAsAny
+groups: [ ]
+kind: SecurityContextConstraints
+metadata:
+ labels:
+ {{ include "lmutil.generic.labels" $top | nindent 4 }}
+ annotations:
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ kubernetes.io/description: nonroot provides all features of the restricted SCC
+ but allows users to run with any non-root UID. The user must specify the UID
+ or it must be specified on the by the manifest of the container runtime. On
+ top of the legacy 'nonroot' SCC, it also requires to drop ALL capabilities and
+ does not allow privilege escalation binaries. It will also default the seccomp
+ profile to runtime/default if unset, otherwise this seccomp profile is required.
+ name: {{ $name }}
+priority: null
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+ - ALL
+runAsUser:
+ type: MustRunAsNonRoot
+seLinuxContext:
+ type: MustRunAs
+seccompProfiles:
+ - runtime/default
+supplementalGroups:
+ type: RunAsAny
+{{ if gt ($saUsers | len) 0 }}
+users:
+{{ range $saUsers }}
+ - system:serviceaccount:{{ . 
}}
+{{- end }}
+{{- end }}
+volumes:
+ - configMap
+ - downwardAPI
+ - emptyDir
+ - persistentVolumeClaim
+ - projected
+ - secret
+{{- end -}}
+{{- end -}}
+
+
+{{- /*
+These templates take following arguments:
+1. top context
+2. name of the scc object
+3. service account users to associate with scc in format: ":"
+*/ -}}
+{{- define "lmutil.openshift-scc-anyuid" -}}
+{{- $top := first . -}}
+{{- $name := (index . 1) -}}
+{{- $saUsers := (index . 2) -}}
+{{- if and (eq (include "lmutil.is-openshift" $top) "true") ($top.Capabilities.APIVersions.Has "security.openshift.io/v1") -}}
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: false
+allowedCapabilities:
+ - NET_RAW
+apiVersion: security.openshift.io/v1
+defaultAddCapabilities: null
+fsGroup:
+ type: RunAsAny
+groups:
+ - system:cluster-admins
+kind: SecurityContextConstraints
+metadata:
+ labels:
+ {{ include "lmutil.generic.labels" $top | nindent 4 }}
+ annotations:
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ kubernetes.io/description: anyuid provides all features of the restricted SCC
+ but allows users to run with any UID and any GID.
+ name: {{ $name }}
+priority: 10
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+ - MKNOD
+runAsUser:
+ type: RunAsAny
+seLinuxContext:
+ type: MustRunAs
+supplementalGroups:
+ type: RunAsAny
+{{ if gt ($saUsers | len) 0 }}
+users:
+{{ range $saUsers }}
+ - system:serviceaccount:{{ . }}
+{{- end }}
+{{- end }}
+volumes:
+ - configMap
+ - downwardAPI
+ - emptyDir
+ - persistentVolumeClaim
+ - projected
+ - secret
+{{- end -}}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/lmutil/templates/_util.tpl b/charts/lmutil/templates/_util.tpl
index c85c1ba..3ccb1d9 100644
--- a/charts/lmutil/templates/_util.tpl 
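Review bot: `lmutil.openshift-scc-anyuid` binds `groups: - system:cluster-admins` with `priority: 10`, so this chart-owned, cluster-scoped SCC applies to every cluster-admin and not only to the service accounts passed in `$saUsers`; cluster-admins already hold the platform's built-in `anyuid`, so the group entry only widens what the chart's object grants and should be `groups: []` as in the nonroot-v2 template. Both SCCs also let pods add `NET_RAW` back (raw sockets: packet sniffing and spoofing from inside the pod), which neither `kubernetes.io/description` mentions and which sits oddly next to `requiredDropCapabilities: - ALL` in nonroot-v2; unless a consuming chart needs it, restrict nonroot-v2 to `allowedCapabilities: - NET_BIND_SERVICE` and drop the list from anyuid. If a consumer genuinely needs anyuid semantics, granting `use` on the built-in `anyuid` SCC through a Role/RoleBinding avoids shipping a copy with `allowPrivilegeEscalation: true` that will drift from the platform's. The header comment's expected `$saUsers` format is rendered as `":"` here, presumably `<namespace>:<name>` lost to markup; spell it out so callers know the entries are interpolated unquoted into `system:serviceaccount:{{ . }}`.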
+++ b/charts/lmutil/templates/_util.tpl
@@ -40,6 +40,8 @@ Allow the release namespace to be overridden for multi-namespace deployments in
 {{- printf "%s" "eks" }}
 {{- else if contains "+vmware" .Capabilities.KubeVersion.Version }}
 {{- printf "%s" "vmware" }}
+{{- else if contains "-rancher" .Capabilities.KubeVersion.Version }}
+{{- printf "%s" "rancher" }}
 {{- else if contains "-mirantis" .Capabilities.KubeVersion.Version }}
 {{- printf "%s" "mirantis" }}
 {{- else if eq (include "lmutil.is-openshift" .) "true" }}
@@ -113,4 +115,33 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
+
+
+{{- /*
+lmutil.merge will merge two YAML templates and output the result.
+This takes an array of three values:
+- the top context
+- the template name of the overrides (destination)
+- the template name of the base (source)
+*/}}
+{{- define "lmutil.merge" -}}
+{{- $top := first . -}}
+{{- $overrides := fromYaml (include (index . 1) $top) | default (dict ) -}}
+{{- $tpl := fromYaml (include (index . 2) $top) | default (dict ) -}}
+{{- toYaml (merge $overrides $tpl) -}}
+{{- end -}}
+
+{{- define "lmutil.default-pod-sec-context-nonroot" }}
+{{- toYaml .Values.podSecurityContext | nindent 0 }}
+{{- end }}
+{{- define "lmutil.pod-sec-context-nonroot" -}}
+{{- include "lmutil.merge" (append . "lmutil.default-pod-sec-context-nonroot" ) -}}
+{{- end -}}
+
+{{- define "lmutil.default-container-sec-context-nonroot" }}
+{{- toYaml .Values.securityContext | nindent 0 }}
+{{- end }}
+{{- define "lmutil.container-sec-context-nonroot" -}}
+{{- include "lmutil.merge" (append . "lmutil.default-container-sec-context-nonroot" ) -}}
+{{- end -}}
\ No newline at end of file
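Review bot: `contains "-rancher"` matches the RKE1-style version suffix (e.g. `v1.24.4-rancher1-1`) but, as far as I know, RKE2 and k3s report `+rke2r1` / `+k3s1`, so those Rancher distributions fall through to the later branches; if the intent is Rancher in general, widen the test, e.g. `{{- else if or (contains "-rancher" .Capabilities.KubeVersion.Version) (contains "+rke2" .Capabilities.KubeVersion.Version) }}`. The enclosing define starts before this hunk, so I cannot see what callers do with the `rancher` result.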
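Review bot: `lmutil.merge` relies on sprig `merge`, whose destination-wins precedence does not, as far as I know, extend to zero values: a key whose override is `false` (the `allowPrivilegeEscalation: false` this patch adds for OpenShift) can be replaced by a `true` coming from `.Values.securityContext`, and lists such as `capabilities.drop` are taken wholesale rather than merged, so the hardening this helper exists to enforce may be silently undone by a values file. Please verify with a rendered test that sets `allowPrivilegeEscalation: true` in values; if it flips, an explicit top-level copy keeps the override unconditionally: `{{- range $k, $v := $overrides }}{{- $_ := set $tpl $k $v }}{{- end }}{{- toYaml $tpl -}}`. Either way the header comment should state whether the merge is deep or shallow and that the overrides template always wins, since `pod-sec-context-nonroot` and `container-sec-context-nonroot` both depend on that guarantee.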