author | Andreas Geissler <andreas-geissler@telekom.de> | 2024-10-22 11:33:38 +0200 |
---|---|---|
committer | Andreas Geissler <andreas-geissler@telekom.de> | 2024-10-22 12:12:04 +0200 |
commit | 6fd282196ba84cfd299ce172c197711e793e6887 (patch) | |
tree | 8b5a3f3cf762e729ba2fed767228c63980ed63fb /kubernetes/multicloud/components | |
parent | 1e2a197128b2d4faf9b2938aaeed50a5b3d164ad (diff) |
[Multicloud] Fix Kyverno Policy violations
Add SecurityContext to deployments
Issue-ID: OOM-3318
Change-Id: Ie4cfa869628d030c2047f3dd954d77786ab88c53
Signed-off-by: Andreas Geissler <andreas-geissler@telekom.de>
Diffstat (limited to 'kubernetes/multicloud/components')
5 files changed, 42 insertions, 3 deletions
diff --git a/kubernetes/multicloud/components/multicloud-fcaps/Chart.yaml b/kubernetes/multicloud/components/multicloud-fcaps/Chart.yaml index b825f67969..64c8d5a7fe 100644 --- a/kubernetes/multicloud/components/multicloud-fcaps/Chart.yaml +++ b/kubernetes/multicloud/components/multicloud-fcaps/Chart.yaml @@ -1,5 +1,6 @@ # Copyright (c) 2019, CMCC Technologies Co., Ltd. # Modifications Copyright © 2021 Orange +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/kubernetes/multicloud/components/multicloud-k8s/Chart.yaml b/kubernetes/multicloud/components/multicloud-k8s/Chart.yaml index 5dc375290a..588fa906c3 100644 --- a/kubernetes/multicloud/components/multicloud-k8s/Chart.yaml +++ b/kubernetes/multicloud/components/multicloud-k8s/Chart.yaml @@ -1,6 +1,7 @@ # Copyright 2019 Intel Corporation, Inc # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,7 +18,7 @@ apiVersion: v2 description: ONAP Multicloud Kubernetes Plugin name: multicloud-k8s -version: 13.1.0 +version: 13.1.1 dependencies: - name: common diff --git a/kubernetes/multicloud/components/multicloud-k8s/resources/config/k8sconfig.json b/kubernetes/multicloud/components/multicloud-k8s/resources/config/k8sconfig.json index d6fa40d471..08c228f2eb 100644 --- a/kubernetes/multicloud/components/multicloud-k8s/resources/config/k8sconfig.json +++ b/kubernetes/multicloud/components/multicloud-k8s/resources/config/k8sconfig.json @@ -8,4 +8,4 @@ "database-address": "multicloud-k8s-mongo", "etcd-ip": "multicloud-k8s-etcd", "plugin-dir": "/opt/multicloud/k8splugin/plugins" -}
\ No newline at end of file
+}
diff --git a/kubernetes/multicloud/components/multicloud-k8s/templates/deployment.yaml b/kubernetes/multicloud/components/multicloud-k8s/templates/deployment.yaml
index 9881a13615..f2ed9daa81 100644
--- a/kubernetes/multicloud/components/multicloud-k8s/templates/deployment.yaml
+++ b/kubernetes/multicloud/components/multicloud-k8s/templates/deployment.yaml
@@ -1,5 +1,6 @@
 {{/*
 # Copyright 2019 Intel Corporation, Inc
+# Modifications Copyright © 2024 Deutsche Telekom
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -23,6 +24,7 @@ spec:
 template:
 metadata: {{- include "common.templateMetadata" . | nindent 6 }}
 spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
 containers:
 - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
 imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
@@ -30,6 +32,7 @@ spec:
 command: ["/opt/multicloud/k8splugin/k8plugin"]
 workingDir: /opt/multicloud/k8splugin
 ports: {{ include "common.containerPorts" . | nindent 10 }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
 {{- if eq .Values.liveness.enabled true }}
 livenessProbe:
 tcpSocket:
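Review bot: The `common.podSecurityContext` include added under the pod `spec:` in hunk `@@ -23,6 +24,7 @@` sets one context for the whole pod, so the k8splugin container and the `framework-artifactbroker` sidecar share one identity, presumably the `user_id: 999` / `group_id: 999` pair this commit adds to values.yaml. Nothing visible here shows that both images work under that UID, i.e. that `/opt/multicloud/k8splugin` and `/opt/app/distribution` are readable and executable by it. I would confirm that against both images and record it above the include, for example `# pod-wide: both containers run as .Values.securityContext.user_id/group_id`. The template that defines the context is not on this page, and the `spec:` block continues outside the hunk.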
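Review bot: The main container picks up `common.containerSecurityContext` in hunk `@@ -30,6 +32,7 @@`, but no visible hunk gives it a writable volume, while the sidecar receives a `framework-log` emptyDir later in this file. If the shared template enforces a read-only root filesystem (its definition is not shown), any write by `k8plugin` below `workingDir: /opt/multicloud/k8splugin` or to a log directory fails only at runtime. The container's `volumeMounts` lie outside this hunk, so check them and add an `emptyDir` mount with a `sizeLimit` for each path the process writes to. The same check applies to the sidecar in `@@ -60,10 +63,26 @@`, where the only new writable mount is `{{ .Values.log.path }}`.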
@@ -60,10 +63,26 @@ spec:
 name: framework-artifactbroker
 command: ["/opt/app/distribution/bin/artifact-dist.sh"]
 args: ["/opt/app/distribution/etc/mounted/config.json"]
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
+ resources: {{ include "common.resources" . | nindent 10 }}
 ports:
 - containerPort: {{ .Values.artifactbroker.internalPort }}
 protocol: TCP
+ {{- if eq .Values.liveness.enabled true }}
+ livenessProbe:
+ tcpSocket:
+ port: {{ .Values.artifactbroker.internalPort }}
+ initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
+ periodSeconds: {{ .Values.liveness.periodSeconds }}
+ {{ end -}}
+ readinessProbe:
+ tcpSocket:
+ port: {{ .Values.artifactbroker.internalPort }}
+ initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
+ periodSeconds: {{ .Values.readiness.periodSeconds }}
 volumeMounts:
+ - mountPath: "{{ .Values.log.path }}"
+ name: framework-log
 - mountPath: /opt/app/distribution/etc/mounted/config.json
 name: {{ include "common.name" .}}
 subPath: config.json
@@ -77,9 +96,13 @@ spec:
 key: sasl.jaas.config
 serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
 volumes:
+ - name: framework-log
+ emptyDir:
+ sizeLimit: {{ .Values.volumes.logSizeLimit }}
 - name : {{ include "common.name" . }}
 configMap:
 name: {{ include "common.fullname" . }}
 - name: artifact-data
- emptyDir: {}
+ emptyDir:
+ sizeLimit: {{ .Values.volumes.artifactDataSizeLimit }}
 {{- include "common.imagePullSecrets" . | nindent 6 }}
diff --git a/kubernetes/multicloud/components/multicloud-k8s/values.yaml b/kubernetes/multicloud/components/multicloud-k8s/values.yaml
index 5c9c0ad864..57becb2077 100644
--- a/kubernetes/multicloud/components/multicloud-k8s/values.yaml
+++ b/kubernetes/multicloud/components/multicloud-k8s/values.yaml
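Review bot: The sidecar's `readinessProbe` in hunk `@@ -60,10 +63,26 @@` is rendered unconditionally, yet values.yaml in this commit adds `enabled: true` under `readiness:` and no visible template line reads it. Either gate the probe the way the liveness probe is gated, with `{{- if eq .Values.readiness.enabled true }}` before `readinessProbe:` and `{{- end }}` after its last line, or drop the unused flag so operators are not led to believe it does something. Separately, `resources:` reuses `common.resources`, so the sidecar gets whatever requests and limits that template yields for the chart rather than a size of its own; whether that is intended is not clear from the hunk.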
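Review bot: In hunk `@@ -77,9 +96,13 @@` the `artifact-data` volume changes from an unbounded `emptyDir: {}` to one capped by `.Values.volumes.artifactDataSizeLimit` (100Mi in values.yaml), and a pod that exceeds an emptyDir `sizeLimit` is evicted by the kubelet. The cap is a sound guard against one container filling the node's disk, but the default should be sized against the largest artifact the broker is expected to hold, otherwise a large distribution turns into repeated evictions. A comment beside the value, such as `# pod is evicted when artifact-data grows beyond this`, would make that failure mode discoverable. The same applies to `logSizeLimit` on the new `framework-log` volume.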
@@ -1,4 +1,5 @@ # Copyright 2019 Intel Corporation, Inc +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -59,6 +60,14 @@ nodeSelector: {} affinity: {} +securityContext: + user_id: 999 + group_id: 999 + +volumes: + artifactDataSizeLimit: 100Mi + logSizeLimit: 100Mi + # probe configuration parameters liveness: initialDelaySeconds: 10 @@ -70,6 +79,7 @@ liveness: readiness: initialDelaySeconds: 10 periodSeconds: 30 + enabled: true service: type: NodePort @@ -181,3 +191,7 @@ serviceAccount: nameOverride: multicloud-k8s roles: - read + +#Log configuration +log: + path: /var/log/onap |