authorAndreas Geissler <andreas-geissler@telekom.de>2024-08-19 16:30:45 +0200
committerAndreas Geissler <andreas-geissler@telekom.de>2024-09-11 09:19:27 +0200
commit4b5e5842a6a83ded838417aa863530c0ebd1ab5e (patch)
tree3300fa07ab7e3e81918f5abac9f4057b0b91551a
parent99742597c9e2702221de7e35c089c1fe4124d48a (diff)
[STRIMZI] Solve Security Policy violations
- add securityContext settings to Operator and strimzi resources - add resources settings - update documents to use a new strimzi-kafka operator version in Oslo Issue-ID: OOM-3311 Change-Id: Ie6e4c30495e500781d898aed31bd74f2f4f3c708 Signed-off-by: Andreas Geissler <andreas-geissler@telekom.de>
-rw-r--r--docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst6
-rw-r--r--kubernetes/strimzi/Chart.yaml3
-rw-r--r--kubernetes/strimzi/components/strimzi-kafka-bridge/Chart.yaml2
-rw-r--r--kubernetes/strimzi/components/strimzi-kafka-bridge/templates/configmap.yaml1
-rw-r--r--kubernetes/strimzi/components/strimzi-kafka-bridge/templates/strimzi-kb.yaml12
-rw-r--r--kubernetes/strimzi/components/strimzi-kafka-bridge/values.yaml24
-rw-r--r--kubernetes/strimzi/resources/metrics/cruisecontrol-metrics-config.yml2
-rw-r--r--kubernetes/strimzi/resources/metrics/kafka-metrics-config.yml2
-rw-r--r--kubernetes/strimzi/resources/metrics/zookeeper-metrics-config.yml2
-rw-r--r--kubernetes/strimzi/templates/strimzi-kafka.yaml69
-rw-r--r--kubernetes/strimzi/values.yaml144
11 files changed, 250 insertions, 17 deletions
diff --git a/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst b/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst
index 11377235bc..5020e22563 100644
--- a/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst
+++ b/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst
@@ -48,9 +48,9 @@ The versions of software that are supported and tested by OOM are as follows:
============== =========== ======= ======== ======== ============= ========
Release Kubernetes Helm kubectl Docker Cert-Manager Strimzi
============== =========== ======= ======== ======== ============= ========
- London 1.23.8 3.8.2 1.23.x 20.10.x 1.12.2 0.35.0
Montreal 1.27.5 3.12.3 1.27.x 20.10.x 1.13.2 0.36.1
New Delhi 1.28.6 3.13.1 1.28.x 20.10.x 1.14.4 0.41.0
+ Oslo 1.28.6 3.13.1 1.28.x 20.10.x 1.14.4 0.43.0
============== =========== ======= ======== ======== ============= ========
.. table:: OOM Software Requirements (production)
@@ -58,9 +58,9 @@ The versions of software that are supported and tested by OOM are as follows:
============== ====== ============ ==============
Release Istio Gateway-API Keycloak
============== ====== ============ ==============
- London 1.17.2 v0.6.2 19.0.3-legacy
Montreal 1.19.3 v1.0.0 19.0.3-legacy
New Delhi 1.21.0 v1.0.0 22.0.4
+ Oslo 1.23.0 v1.0.0 22.0.4
============== ====== ============ ==============
.. table:: OOM Software Requirements (optional)
@@ -68,7 +68,7 @@ The versions of software that are supported and tested by OOM are as follows:
============== ================= ========== =================
Release Prometheus Stack K8ssandra MariaDB-Operator
============== ================= ========== =================
- London 45.x 1.6.1
Montreal 45.x 1.10.2 0.23.1
New Delhi 45.x 1.16.0 0.28.1
+ Oslo 45.x 1.19.0 0.30.0
============== ================= ========== =================
diff --git a/kubernetes/strimzi/Chart.yaml b/kubernetes/strimzi/Chart.yaml
index 1b927d6c4d..180b42bff9 100644
--- a/kubernetes/strimzi/Chart.yaml
+++ b/kubernetes/strimzi/Chart.yaml
@@ -15,7 +15,7 @@
apiVersion: v2
description: ONAP Strimzi Kafka
name: strimzi
-version: 13.0.1
+version: 13.0.2
dependencies:
- name: common
@@ -31,4 +31,3 @@ dependencies:
version: ~13.x-0
repository: 'file://components/strimzi-kafka-bridge'
condition: strimzi-kafka-bridge.enabled
-
diff --git a/kubernetes/strimzi/components/strimzi-kafka-bridge/Chart.yaml b/kubernetes/strimzi/components/strimzi-kafka-bridge/Chart.yaml
index e254d99710..ca4a4e94d3 100644
--- a/kubernetes/strimzi/components/strimzi-kafka-bridge/Chart.yaml
+++ b/kubernetes/strimzi/components/strimzi-kafka-bridge/Chart.yaml
@@ -15,7 +15,7 @@
apiVersion: v2
description: ONAP Strimzi Kafka Bridge
name: strimzi-kafka-bridge
-version: 13.0.0
+version: 13.0.1
dependencies:
- name: common
diff --git a/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/configmap.yaml b/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/configmap.yaml
index 25fbf3df77..7f4dea46e1 100644
--- a/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/configmap.yaml
+++ b/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/configmap.yaml
@@ -21,4 +21,3 @@ metadata:
namespace: {{ include "common.namespace" . }}
data:
{{ tpl (.Files.Glob "resources/config/log4j2.properties").AsConfig . | indent 2 }}
-
diff --git a/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/strimzi-kb.yaml b/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/strimzi-kb.yaml
index b081e290e3..8364dfe58f 100644
--- a/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/strimzi-kb.yaml
+++ b/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/strimzi-kb.yaml
@@ -34,6 +34,18 @@ spec:
configMapKeyRef:
key: log4j2.properties
name: {{ include "common.fullname" . }}-kb-logging-cm
+ resources:
+ requests:
+ cpu: {{ .Values.resources.requests.cpu }}
+ memory: {{ .Values.resources.requests.memory }}
+ limits:
+ cpu: {{ .Values.resources.limits.cpu }}
+ memory: {{ .Values.resources.limits.memory }}
template:
pod:
{{- include "common.imagePullSecrets" . | nindent 6 }}
+ securityContext:
+ {{- toYaml .Values.pod.securityContext | nindent 8 }}
+ bridgeContainer:
+ securityContext:
+ {{- toYaml .Values.bridgeContainer.securityContext | nindent 8 }}
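Review bot: The new `resources` stanza at the top of the hunk is expanded leaf by leaf (`.Values.resources.requests.cpu` and the other three), whereas the two `securityContext` stanzas added below it are spliced in with `toYaml`; the leaf-by-leaf form can fail to render when a values override drops one of the intermediate maps (Helm reports a nil-pointer evaluation) and cannot carry any extra quantity a deployer adds. Writing it the same way as the securityContext keeps the template uniform and tolerant of partial overrides: `resources:` followed by `{{- toYaml .Values.resources | nindent 4 }}` (the indent must match the `template:` key, which the flat rendering here hides). The enclosing `KafkaBridge` spec starts before this hunk.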
diff --git a/kubernetes/strimzi/components/strimzi-kafka-bridge/values.yaml b/kubernetes/strimzi/components/strimzi-kafka-bridge/values.yaml
index 8a4c4cdc6c..fa7b10aa22 100644
--- a/kubernetes/strimzi/components/strimzi-kafka-bridge/values.yaml
+++ b/kubernetes/strimzi/components/strimzi-kafka-bridge/values.yaml
@@ -33,3 +33,27 @@ config:
# nameOverride is required to avoid duplication
# in pod and service names ie ...-bridge-bridge-{random hex}
nameOverride: strimzi-kafka
+
+resources:
+ limits:
+ cpu: '2'
+ memory: 2Gi
+ requests:
+ cpu: 100m
+ memory: 1Gi
+
+pod:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+bridgeContainer:
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 1001
+ runAsNonRoot: true
+ runAsUser: 1001
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
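Review bot: The `drop` list ends with `CAP_NET_RAW` right after `ALL`; `ALL` already drops every capability, so the second entry is a no-op, and Kubernetes capability names are written without the `CAP_` prefix (`NET_RAW`), so the entry as spelled also does not match the documented form. Dropping it leaves `drop:` / `- ALL`, which states the intent unambiguously. The same two-entry list is repeated in the kubernetes/strimzi/values.yaml hunks for `cruiseControlContainer`, `kafkaContainer`, `zookeeperContainer`, `topicOperatorContainer`, `userOperatorContainer` and the `kafkaExporter` container and should be trimmed there as well.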
diff --git a/kubernetes/strimzi/resources/metrics/cruisecontrol-metrics-config.yml b/kubernetes/strimzi/resources/metrics/cruisecontrol-metrics-config.yml
index 12c742ef35..1e59dc67a0 100644
--- a/kubernetes/strimzi/resources/metrics/cruisecontrol-metrics-config.yml
+++ b/kubernetes/strimzi/resources/metrics/cruisecontrol-metrics-config.yml
@@ -17,4 +17,4 @@ lowercaseOutputName: true
rules:
- pattern: kafka.cruisecontrol<name=(.+)><>(\w+)
name: kafka_cruisecontrol_$1_$2
- type: GAUGE \ No newline at end of file
+ type: GAUGE
diff --git a/kubernetes/strimzi/resources/metrics/kafka-metrics-config.yml b/kubernetes/strimzi/resources/metrics/kafka-metrics-config.yml
index 7ad971fc16..8db35a9c8d 100644
--- a/kubernetes/strimzi/resources/metrics/kafka-metrics-config.yml
+++ b/kubernetes/strimzi/resources/metrics/kafka-metrics-config.yml
@@ -134,4 +134,4 @@ rules:
name: kafka_$1_$2_$3
type: GAUGE
labels:
- quantile: "0.$4" \ No newline at end of file
+ quantile: "0.$4"
diff --git a/kubernetes/strimzi/resources/metrics/zookeeper-metrics-config.yml b/kubernetes/strimzi/resources/metrics/zookeeper-metrics-config.yml
index 6a1eab7825..d5bf27f44d 100644
--- a/kubernetes/strimzi/resources/metrics/zookeeper-metrics-config.yml
+++ b/kubernetes/strimzi/resources/metrics/zookeeper-metrics-config.yml
@@ -41,4 +41,4 @@ rules:
type: GAUGE
labels:
replicaId: "$2"
- memberType: "$3" \ No newline at end of file
+ memberType: "$3"
diff --git a/kubernetes/strimzi/templates/strimzi-kafka.yaml b/kubernetes/strimzi/templates/strimzi-kafka.yaml
index aee4696fe0..5f5fcd553a 100644
--- a/kubernetes/strimzi/templates/strimzi-kafka.yaml
+++ b/kubernetes/strimzi/templates/strimzi-kafka.yaml
@@ -20,6 +20,13 @@ spec:
kafka:
version: {{ .Values.config.kafkaVersion }}
replicas: {{ .Values.replicaCount }}
+ resources:
+ limits:
+ cpu: {{ .Values.kafka.resources.limits.cpu }}
+ memory: {{ .Values.kafka.resources.limits.memory }}
+ requests:
+ cpu: {{ .Values.kafka.resources.requests.cpu }}
+ memory: {{ .Values.kafka.resources.requests.memory }}
listeners:
- name: plain
port: {{ .Values.config.kafkaInternalPort }}
@@ -71,8 +78,7 @@ spec:
pod:
{{- include "common.imagePullSecrets" . | nindent 8 }}
securityContext:
- runAsUser: 0
- fsGroup: 0
+ {{- toYaml .Values.kafka.template.pod.securityContext | nindent 10 }}
{{- if .Values.affinity.podAntiAffinity.enabled }}
affinity:
podAntiAffinity:
@@ -85,6 +91,9 @@ spec:
- {{ include "common.fullname" . }}-kafka
topologyKey: "kubernetes.io/hostname"
{{- end }}
+ kafkaContainer:
+ securityContext:
+ {{- toYaml .Values.kafka.template.kafkaContainer.securityContext | nindent 10 }}
config:
default.replication.factor: {{ .Values.replicaCount }}
min.insync.replicas: {{ (eq 1.0 (.Values.replicaCount)) | ternary 1 (sub .Values.replicaCount 1) }}
@@ -116,8 +125,7 @@ spec:
pod:
{{- include "common.imagePullSecrets" . | nindent 8 }}
securityContext:
- runAsUser: 0
- fsGroup: 0
+ {{- toYaml .Values.zookeeper.template.pod.securityContext | nindent 10 }}
{{- if .Values.affinity.podAntiAffinity.enabled }}
affinity:
podAntiAffinity:
@@ -130,6 +138,9 @@ spec:
- {{ include "common.fullname" . }}-zookeeper
topologyKey: "kubernetes.io/hostname"
{{- end }}
+ zookeeperContainer:
+ securityContext:
+ {{- toYaml .Values.zookeeper.template.zookeeperContainer.securityContext | nindent 10 }}
replicas: {{ .Values.replicaCount }}
config:
ssl.hostnameVerification: false
@@ -149,30 +160,76 @@ spec:
configMapKeyRef:
name: {{ include "common.fullname" . }}
key: zookeeper-metrics-config.yml
+ resources:
+ limits:
+ cpu: {{ .Values.zookeeper.resources.limits.cpu }}
+ memory: {{ .Values.zookeeper.resources.limits.memory }}
+ requests:
+ cpu: {{ .Values.zookeeper.resources.requests.cpu }}
+ memory: {{ .Values.zookeeper.resources.requests.memory }}
{{- end }}
entityOperator:
template:
pod:
{{- include "common.imagePullSecrets" . | nindent 8 }}
- topicOperator: {}
- userOperator: {}
+ securityContext:
+ {{- toYaml .Values.entityOperator.template.pod.securityContext | nindent 10 }}
+ topicOperatorContainer:
+ securityContext:
+ {{- toYaml .Values.entityOperator.template.topicOperatorContainer.securityContext | nindent 10 }}
+ userOperatorContainer:
+ securityContext:
+ {{- toYaml .Values.entityOperator.template.userOperatorContainer.securityContext | nindent 10 }}
+ topicOperator:
+ resources:
+ limits:
+ cpu: {{ .Values.entityOperator.template.topicOperator.resources.limits.cpu }}
+ memory: {{ .Values.entityOperator.template.topicOperator.resources.limits.memory }}
+ requests:
+ cpu: {{ .Values.entityOperator.template.topicOperator.resources.requests.cpu }}
+ memory: {{ .Values.entityOperator.template.topicOperator.resources.requests.memory }}
+ userOperator:
+ resources:
+ limits:
+ cpu: {{ .Values.entityOperator.template.userOperator.resources.limits.cpu }}
+ memory: {{ .Values.entityOperator.template.userOperator.resources.limits.memory }}
+ requests:
+ cpu: {{ .Values.entityOperator.template.userOperator.resources.requests.cpu }}
+ memory: {{ .Values.entityOperator.template.userOperator.resources.requests.memory }}
{{- if .Values.cruiseControl.enabled }}
cruiseControl:
template:
pod:
{{- include "common.imagePullSecrets" . | nindent 8 }}
+ securityContext:
+ {{- toYaml .Values.cruiseControl.template.pod.securityContext | nindent 10 }}
+ cruiseControlContainer:
+ securityContext:
+ {{- toYaml .Values.cruiseControl.template.cruiseControlContainer.securityContext | nindent 10 }}
metricsConfig:
type: {{ .Values.cruiseControl.metricsConfig.type }}
valueFrom:
configMapKeyRef:
name: {{ include "common.fullname" . }}
key: cruisecontrol-metrics-config.yml
+ resources:
+ limits:
+ cpu: {{ .Values.cruiseControl.template.resources.limits.cpu }}
+ memory: {{ .Values.cruiseControl.template.resources.limits.memory }}
+ requests:
+ cpu: {{ .Values.cruiseControl.template.resources.requests.cpu }}
+ memory: {{ .Values.cruiseControl.template.resources.requests.memory }}
{{- end }}
{{- if .Values.metrics.kafkaExporter.enabled }}
kafkaExporter:
template:
pod:
{{- include "common.imagePullSecrets" . | nindent 8 }}
+ securityContext:
+ {{- toYaml .Values.cruiseControl.template.pod.securityContext | nindent 10 }}
+ container:
+ securityContext:
+ {{- toYaml .Values.kafkaExporter.template.container.securityContext | nindent 10 }}
topicRegex: {{ .Values.metrics.kafkaExporter.topicRegex }}
groupRegex: {{ .Values.metrics.kafkaExporter.groupRegex }}
resources:
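Review bot: The pod-level `securityContext` added under `kafkaExporter.template.pod` reads `.Values.cruiseControl.template.pod.securityContext` instead of the exporter's own values, which looks like a copy-paste slip from the cruiseControl stanza a few lines above; the `kafkaExporter.template.pod.securityContext` block that the values.yaml hunk introduces is therefore never rendered, and the exporter silently follows whatever is configured for Cruise Control. The line should be `{{- toYaml .Values.kafkaExporter.template.pod.securityContext | nindent 10 }}`. The `kafkaExporter` block continues past the end of this hunk.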
diff --git a/kubernetes/strimzi/values.yaml b/kubernetes/strimzi/values.yaml
index 3cced3e41a..fe3ca852a9 100644
--- a/kubernetes/strimzi/values.yaml
+++ b/kubernetes/strimzi/values.yaml
@@ -33,7 +33,7 @@ affinity:
podAntiAffinity:
enabled: true
config:
- kafkaVersion: 3.7.0
+ kafkaVersion: 3.8.0
authType: simple
saslMechanism: &saslMech scram-sha-512
kafkaInternalPort: &plainPort 9092
@@ -141,6 +141,29 @@ cruiseControl:
# ref. https://strimzi.io/blog/2020/06/15/cruise-control/
kafkaRebalance:
enabled: false
+ template:
+ pod:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ cruiseControlContainer:
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 1001
+ runAsNonRoot: true
+ runAsUser: 1001
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
+ resources:
+ limits:
+ cpu: '2'
+ memory: 2Gi
+ requests:
+ cpu: 100m
+ memory: 1Gi
######################
# Component overrides
@@ -151,3 +174,122 @@ strimzi-kafka-bridge:
saslMechanism: *saslMech
kafkaInternalPort: *plainPort
strimziKafkaAdminUser: *adminUser
+
+kafka:
+ template:
+ pod:
+ securityContext:
+ runAsUser: 1001
+ runAsGroup: 1001
+ fsGroup: 1001
+ seccompProfile:
+ type: RuntimeDefault
+ kafkaContainer:
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ #runAsGroup: 1001
+ runAsNonRoot: true
+ runAsUser: 1001
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
+ resources:
+ limits:
+ cpu: '2'
+ memory: 2Gi
+ requests:
+ cpu: 100m
+ memory: 1Gi
+
+zookeeper:
+ template:
+ pod:
+ securityContext:
+ runAsUser: 1001
+ runAsGroup: 1001
+ fsGroup: 1001
+ seccompProfile:
+ type: RuntimeDefault
+ zookeeperContainer:
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ #runAsGroup: 1001
+ runAsNonRoot: true
+ runAsUser: 1001
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
+ resources:
+ limits:
+ cpu: '2'
+ memory: 2Gi
+ requests:
+ cpu: 100m
+ memory: 1Gi
+
+entityOperator:
+ template:
+ pod:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ topicOperatorContainer:
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 1001
+ runAsNonRoot: true
+ runAsUser: 1001
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
+ userOperatorContainer:
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 1001
+ runAsNonRoot: true
+ runAsUser: 1001
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
+ topicOperator:
+ resources:
+ limits:
+ cpu: '2'
+ memory: 2Gi
+ requests:
+ cpu: 100m
+ memory: 1Gi
+ userOperator:
+ resources:
+ limits:
+ cpu: '2'
+ memory: 2Gi
+ requests:
+ cpu: 100m
+ memory: 1Gi
+
+kafkaExporter:
+ template:
+ pod:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ container:
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 1001
+ runAsNonRoot: true
+ runAsUser: 1001
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
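Review bot: `kafkaContainer` and `zookeeperContainer` carry a commented-out `#runAsGroup: 1001` with no explanation, while every other container securityContext in this hunk sets `runAsGroup: 1001` explicitly, so a reader cannot tell whether the omission is deliberate. For these two the pod-level securityContext already sets `runAsGroup: 1001`, and a container inherits a pod-level field it does not override, so the effective GID is the same either way. Either delete the two commented lines or replace them with a comment such as `# runAsGroup is inherited from the pod securityContext above` so the difference from the other containers is documented; if it was commented out because of a runtime problem, that reason is what the comment should state.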