diff options
author | Andreas Geissler <andreas-geissler@telekom.de> | 2024-08-19 16:30:45 +0200 |
---|---|---|
committer | Andreas Geissler <andreas-geissler@telekom.de> | 2024-09-11 09:19:27 +0200 |
commit | 4b5e5842a6a83ded838417aa863530c0ebd1ab5e (patch) | |
tree | 3300fa07ab7e3e81918f5abac9f4057b0b91551a | |
parent | 99742597c9e2702221de7e35c089c1fe4124d48a (diff) |
[STRIMZI] Solve Security Policy violations
- add securityContext settings to Operator and strimzi resources
- add resources settings
- update documents to use a new strimzi-kafka operator version in Oslo
Issue-ID: OOM-3311
Change-Id: Ie6e4c30495e500781d898aed31bd74f2f4f3c708
Signed-off-by: Andreas Geissler <andreas-geissler@telekom.de>
11 files changed, 250 insertions, 17 deletions
diff --git a/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst b/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst index 11377235bc..5020e22563 100644 --- a/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst +++ b/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst @@ -48,9 +48,9 @@ The versions of software that are supported and tested by OOM are as follows: ============== =========== ======= ======== ======== ============= ======== Release Kubernetes Helm kubectl Docker Cert-Manager Strimzi ============== =========== ======= ======== ======== ============= ======== - London 1.23.8 3.8.2 1.23.x 20.10.x 1.12.2 0.35.0 Montreal 1.27.5 3.12.3 1.27.x 20.10.x 1.13.2 0.36.1 New Delhi 1.28.6 3.13.1 1.28.x 20.10.x 1.14.4 0.41.0 + Oslo 1.28.6 3.13.1 1.28.x 20.10.x 1.14.4 0.43.0 ============== =========== ======= ======== ======== ============= ======== .. table:: OOM Software Requirements (production) @@ -58,9 +58,9 @@ The versions of software that are supported and tested by OOM are as follows: ============== ====== ============ ============== Release Istio Gateway-API Keycloak ============== ====== ============ ============== - London 1.17.2 v0.6.2 19.0.3-legacy Montreal 1.19.3 v1.0.0 19.0.3-legacy New Delhi 1.21.0 v1.0.0 22.0.4 + Oslo 1.23.0 v1.0.0 22.0.4 ============== ====== ============ ============== .. table:: OOM Software Requirements (optional) @@ -68,7 +68,7 @@ The versions of software that are supported and tested by OOM are as follows: ============== ================= ========== ================= Release Prometheus Stack K8ssandra MariaDB-Operator ============== ================= ========== ================= - London 45.x 1.6.1 Montreal 45.x 1.10.2 0.23.1 New Delhi 45.x 1.16.0 0.28.1 + Oslo 45.x 1.19.0 0.30.0 ============== ================= ========== ================= diff --git a/kubernetes/strimzi/Chart.yaml b/kubernetes/strimzi/Chart.yaml index 1b927d6c4d..180b42bff9 100644 --- a/kubernetes/strimzi/Chart.yaml +++ b/kubernetes/strimzi/Chart.yaml @@ -15,7 +15,7 @@ apiVersion: v2 description: ONAP Strimzi Kafka name: strimzi -version: 13.0.1 +version: 13.0.2 dependencies: - name: common @@ -31,4 +31,3 @@ dependencies: version: ~13.x-0 repository: 'file://components/strimzi-kafka-bridge' condition: strimzi-kafka-bridge.enabled - diff --git a/kubernetes/strimzi/components/strimzi-kafka-bridge/Chart.yaml b/kubernetes/strimzi/components/strimzi-kafka-bridge/Chart.yaml index e254d99710..ca4a4e94d3 100644 --- a/kubernetes/strimzi/components/strimzi-kafka-bridge/Chart.yaml +++ b/kubernetes/strimzi/components/strimzi-kafka-bridge/Chart.yaml @@ -15,7 +15,7 @@ apiVersion: v2 description: ONAP Strimzi Kafka Bridge name: strimzi-kafka-bridge -version: 13.0.0 +version: 13.0.1 dependencies: - name: common diff --git a/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/configmap.yaml b/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/configmap.yaml index 25fbf3df77..7f4dea46e1 100644 --- a/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/configmap.yaml +++ b/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/configmap.yaml @@ -21,4 +21,3 @@ metadata: namespace: {{ include "common.namespace" . }} data: {{ tpl (.Files.Glob "resources/config/log4j2.properties").AsConfig . | indent 2 }} - diff --git a/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/strimzi-kb.yaml b/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/strimzi-kb.yaml index b081e290e3..8364dfe58f 100644 --- a/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/strimzi-kb.yaml +++ b/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/strimzi-kb.yaml @@ -34,6 +34,18 @@ spec: configMapKeyRef: key: log4j2.properties name: {{ include "common.fullname" . }}-kb-logging-cm + resources: + requests: + cpu: {{ .Values.resources.requests.cpu }} + memory: {{ .Values.resources.requests.memory }} + limits: + cpu: {{ .Values.resources.limits.cpu }} + memory: {{ .Values.resources.limits.memory }} template: pod: {{- include "common.imagePullSecrets" . | nindent 6 }} + securityContext: + {{- toYaml .Values.pod.securityContext | nindent 8 }} + bridgeContainer: + securityContext: + {{- toYaml .Values.bridgeContainer.securityContext | nindent 8 }} diff --git a/kubernetes/strimzi/components/strimzi-kafka-bridge/values.yaml b/kubernetes/strimzi/components/strimzi-kafka-bridge/values.yaml index 8a4c4cdc6c..fa7b10aa22 100644 --- a/kubernetes/strimzi/components/strimzi-kafka-bridge/values.yaml +++ b/kubernetes/strimzi/components/strimzi-kafka-bridge/values.yaml @@ -33,3 +33,27 @@ config: # nameOverride is required to avoid duplication # in pod and service names ie ...-bridge-bridge-{random hex} nameOverride: strimzi-kafka + +resources: + limits: + cpu: '2' + memory: 2Gi + requests: + cpu: 100m + memory: 1Gi + +pod: + securityContext: + seccompProfile: + type: RuntimeDefault +bridgeContainer: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsGroup: 1001 + runAsNonRoot: true + runAsUser: 1001 + capabilities: + drop: + - ALL + - CAP_NET_RAW diff --git a/kubernetes/strimzi/resources/metrics/cruisecontrol-metrics-config.yml b/kubernetes/strimzi/resources/metrics/cruisecontrol-metrics-config.yml index 12c742ef35..1e59dc67a0 100644 --- a/kubernetes/strimzi/resources/metrics/cruisecontrol-metrics-config.yml +++ b/kubernetes/strimzi/resources/metrics/cruisecontrol-metrics-config.yml @@ -17,4 +17,4 @@ lowercaseOutputName: true rules: - pattern: kafka.cruisecontrol<name=(.+)><>(\w+) name: kafka_cruisecontrol_$1_$2 - type: GAUGE
\ No newline at end of file + type: GAUGE diff --git a/kubernetes/strimzi/resources/metrics/kafka-metrics-config.yml b/kubernetes/strimzi/resources/metrics/kafka-metrics-config.yml index 7ad971fc16..8db35a9c8d 100644 --- a/kubernetes/strimzi/resources/metrics/kafka-metrics-config.yml +++ b/kubernetes/strimzi/resources/metrics/kafka-metrics-config.yml @@ -134,4 +134,4 @@ rules: name: kafka_$1_$2_$3 type: GAUGE labels: - quantile: "0.$4"
\ No newline at end of file + quantile: "0.$4" diff --git a/kubernetes/strimzi/resources/metrics/zookeeper-metrics-config.yml b/kubernetes/strimzi/resources/metrics/zookeeper-metrics-config.yml index 6a1eab7825..d5bf27f44d 100644 --- a/kubernetes/strimzi/resources/metrics/zookeeper-metrics-config.yml +++ b/kubernetes/strimzi/resources/metrics/zookeeper-metrics-config.yml @@ -41,4 +41,4 @@ rules: type: GAUGE labels: replicaId: "$2" - memberType: "$3"
\ No newline at end of file + memberType: "$3" diff --git a/kubernetes/strimzi/templates/strimzi-kafka.yaml b/kubernetes/strimzi/templates/strimzi-kafka.yaml index aee4696fe0..5f5fcd553a 100644 --- a/kubernetes/strimzi/templates/strimzi-kafka.yaml +++ b/kubernetes/strimzi/templates/strimzi-kafka.yaml @@ -20,6 +20,13 @@ spec: kafka: version: {{ .Values.config.kafkaVersion }} replicas: {{ .Values.replicaCount }} + resources: + limits: + cpu: {{ .Values.kafka.resources.limits.cpu }} + memory: {{ .Values.kafka.resources.limits.memory }} + requests: + cpu: {{ .Values.kafka.resources.requests.cpu }} + memory: {{ .Values.kafka.resources.requests.memory }} listeners: - name: plain port: {{ .Values.config.kafkaInternalPort }} @@ -71,8 +78,7 @@ spec: pod: {{- include "common.imagePullSecrets" . | nindent 8 }} securityContext: - runAsUser: 0 - fsGroup: 0 + {{- toYaml .Values.kafka.template.pod.securityContext | nindent 10 }} {{- if .Values.affinity.podAntiAffinity.enabled }} affinity: podAntiAffinity: @@ -85,6 +91,9 @@ spec: - {{ include "common.fullname" . }}-kafka topologyKey: "kubernetes.io/hostname" {{- end }} + kafkaContainer: + securityContext: + {{- toYaml .Values.kafka.template.kafkaContainer.securityContext | nindent 10 }} config: default.replication.factor: {{ .Values.replicaCount }} min.insync.replicas: {{ (eq 1.0 (.Values.replicaCount)) | ternary 1 (sub .Values.replicaCount 1) }} @@ -116,8 +125,7 @@ spec: pod: {{- include "common.imagePullSecrets" . | nindent 8 }} securityContext: - runAsUser: 0 - fsGroup: 0 + {{- toYaml .Values.zookeeper.template.pod.securityContext | nindent 10 }} {{- if .Values.affinity.podAntiAffinity.enabled }} affinity: podAntiAffinity: @@ -130,6 +138,9 @@ spec: - {{ include "common.fullname" . }}-zookeeper topologyKey: "kubernetes.io/hostname" {{- end }} + zookeeperContainer: + securityContext: + {{- toYaml .Values.zookeeper.template.zookeeperContainer.securityContext | nindent 10 }} replicas: {{ .Values.replicaCount }} config: ssl.hostnameVerification: false @@ -149,30 +160,76 @@ spec: configMapKeyRef: name: {{ include "common.fullname" . }} key: zookeeper-metrics-config.yml + resources: + limits: + cpu: {{ .Values.zookeeper.resources.limits.cpu }} + memory: {{ .Values.zookeeper.resources.limits.memory }} + requests: + cpu: {{ .Values.zookeeper.resources.requests.cpu }} + memory: {{ .Values.zookeeper.resources.requests.memory }} {{- end }} entityOperator: template: pod: {{- include "common.imagePullSecrets" . | nindent 8 }} - topicOperator: {} - userOperator: {} + securityContext: + {{- toYaml .Values.entityOperator.template.pod.securityContext | nindent 10 }} + topicOperatorContainer: + securityContext: + {{- toYaml .Values.entityOperator.template.topicOperatorContainer.securityContext | nindent 10 }} + userOperatorContainer: + securityContext: + {{- toYaml .Values.entityOperator.template.userOperatorContainer.securityContext | nindent 10 }} + topicOperator: + resources: + limits: + cpu: {{ .Values.entityOperator.template.topicOperator.resources.limits.cpu }} + memory: {{ .Values.entityOperator.template.topicOperator.resources.limits.memory }} + requests: + cpu: {{ .Values.entityOperator.template.topicOperator.resources.requests.cpu }} + memory: {{ .Values.entityOperator.template.topicOperator.resources.requests.memory }} + userOperator: + resources: + limits: + cpu: {{ .Values.entityOperator.template.userOperator.resources.limits.cpu }} + memory: {{ .Values.entityOperator.template.userOperator.resources.limits.memory }} + requests: + cpu: {{ .Values.entityOperator.template.userOperator.resources.requests.cpu }} + memory: {{ .Values.entityOperator.template.userOperator.resources.requests.memory }} {{- if .Values.cruiseControl.enabled }} cruiseControl: template: pod: {{- include "common.imagePullSecrets" . | nindent 8 }} + securityContext: + {{- toYaml .Values.cruiseControl.template.pod.securityContext | nindent 10 }} + cruiseControlContainer: + securityContext: + {{- toYaml .Values.cruiseControl.template.cruiseControlContainer.securityContext | nindent 10 }} metricsConfig: type: {{ .Values.cruiseControl.metricsConfig.type }} valueFrom: configMapKeyRef: name: {{ include "common.fullname" . }} key: cruisecontrol-metrics-config.yml + resources: + limits: + cpu: {{ .Values.cruiseControl.template.resources.limits.cpu }} + memory: {{ .Values.cruiseControl.template.resources.limits.memory }} + requests: + cpu: {{ .Values.cruiseControl.template.resources.requests.cpu }} + memory: {{ .Values.cruiseControl.template.resources.requests.memory }} {{- end }} {{- if .Values.metrics.kafkaExporter.enabled }} kafkaExporter: template: pod: {{- include "common.imagePullSecrets" . | nindent 8 }} + securityContext: + {{- toYaml .Values.cruiseControl.template.pod.securityContext | nindent 10 }} + container: + securityContext: + {{- toYaml .Values.kafkaExporter.template.container.securityContext | nindent 10 }} topicRegex: {{ .Values.metrics.kafkaExporter.topicRegex }} groupRegex: {{ .Values.metrics.kafkaExporter.groupRegex }} resources: diff --git a/kubernetes/strimzi/values.yaml b/kubernetes/strimzi/values.yaml index 3cced3e41a..fe3ca852a9 100644 --- a/kubernetes/strimzi/values.yaml +++ b/kubernetes/strimzi/values.yaml @@ -33,7 +33,7 @@ affinity: podAntiAffinity: enabled: true config: - kafkaVersion: 3.7.0 + kafkaVersion: 3.8.0 authType: simple saslMechanism: &saslMech scram-sha-512 kafkaInternalPort: &plainPort 9092 @@ -141,6 +141,29 @@ cruiseControl: # ref. https://strimzi.io/blog/2020/06/15/cruise-control/ kafkaRebalance: enabled: false + template: + pod: + securityContext: + seccompProfile: + type: RuntimeDefault + cruiseControlContainer: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsGroup: 1001 + runAsNonRoot: true + runAsUser: 1001 + capabilities: + drop: + - ALL + - CAP_NET_RAW + resources: + limits: + cpu: '2' + memory: 2Gi + requests: + cpu: 100m + memory: 1Gi ###################### # Component overrides @@ -151,3 +174,122 @@ strimzi-kafka-bridge: saslMechanism: *saslMech kafkaInternalPort: *plainPort strimziKafkaAdminUser: *adminUser + +kafka: + template: + pod: + securityContext: + runAsUser: 1001 + runAsGroup: 1001 + fsGroup: 1001 + seccompProfile: + type: RuntimeDefault + kafkaContainer: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + #runAsGroup: 1001 + runAsNonRoot: true + runAsUser: 1001 + capabilities: + drop: + - ALL + - CAP_NET_RAW + resources: + limits: + cpu: '2' + memory: 2Gi + requests: + cpu: 100m + memory: 1Gi + +zookeeper: + template: + pod: + securityContext: + runAsUser: 1001 + runAsGroup: 1001 + fsGroup: 1001 + seccompProfile: + type: RuntimeDefault + zookeeperContainer: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + #runAsGroup: 1001 + runAsNonRoot: true + runAsUser: 1001 + capabilities: + drop: + - ALL + - CAP_NET_RAW + resources: + limits: + cpu: '2' + memory: 2Gi + requests: + cpu: 100m + memory: 1Gi + +entityOperator: + template: + pod: + securityContext: + seccompProfile: + type: RuntimeDefault + topicOperatorContainer: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsGroup: 1001 + runAsNonRoot: true + runAsUser: 1001 + capabilities: + drop: + - ALL + - CAP_NET_RAW + userOperatorContainer: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsGroup: 1001 + runAsNonRoot: true + runAsUser: 1001 + capabilities: + drop: + - ALL + - CAP_NET_RAW + topicOperator: + resources: + limits: + cpu: '2' + memory: 2Gi + requests: + cpu: 100m + memory: 1Gi + userOperator: + resources: + limits: + cpu: '2' + memory: 2Gi + requests: + cpu: 100m + memory: 1Gi + +kafkaExporter: + template: + pod: + securityContext: + seccompProfile: + type: RuntimeDefault + container: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsGroup: 1001 + runAsNonRoot: true + runAsUser: 1001 + capabilities: + drop: + - ALL + - CAP_NET_RAW |