author | Lukasz Rajewski <lukasz.rajewski@t-mobile.pl> | 2024-09-12 06:34:41 +0000 |
committer | Gerrit Code Review <gerrit@onap.org> | 2024-09-12 06:34:41 +0000 |
commit | 0765a2124569cfa38a2828f2c9d88cf8cca8eedc (patch) | |
tree | 90c78e2dfe39dd6e97b476d246a0b70b2b20d274 /kubernetes | |
parent | 6de7e5a6e6f8b06ee420b5926efd3d53c639e1b1 (diff) | |
parent | 4b5e5842a6a83ded838417aa863530c0ebd1ab5e (diff) |
Merge "[STRIMZI] Solve Security Policy violations"
Diffstat (limited to 'kubernetes')
10 files changed, 247 insertions, 14 deletions
diff --git a/kubernetes/strimzi/Chart.yaml b/kubernetes/strimzi/Chart.yaml
index 1b927d6c4d..180b42bff9 100644
--- a/kubernetes/strimzi/Chart.yaml
+++ b/kubernetes/strimzi/Chart.yaml
@@ -15,7 +15,7 @@
 apiVersion: v2
 description: ONAP Strimzi Kafka
 name: strimzi
-version: 13.0.1
+version: 13.0.2
 dependencies:
 - name: common
@@ -31,4 +31,3 @@ dependencies:
 version: ~13.x-0
 repository: 'file://components/strimzi-kafka-bridge'
 condition: strimzi-kafka-bridge.enabled
-
diff --git a/kubernetes/strimzi/components/strimzi-kafka-bridge/Chart.yaml b/kubernetes/strimzi/components/strimzi-kafka-bridge/Chart.yaml
index e254d99710..ca4a4e94d3 100644
--- a/kubernetes/strimzi/components/strimzi-kafka-bridge/Chart.yaml
+++ b/kubernetes/strimzi/components/strimzi-kafka-bridge/Chart.yaml
@@ -15,7 +15,7 @@
 apiVersion: v2
 description: ONAP Strimzi Kafka Bridge
 name: strimzi-kafka-bridge
-version: 13.0.0
+version: 13.0.1
 dependencies:
 - name: common
diff --git a/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/configmap.yaml b/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/configmap.yaml
index 25fbf3df77..7f4dea46e1 100644
--- a/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/configmap.yaml
+++ b/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/configmap.yaml
@@ -21,4 +21,3 @@ metadata:
 namespace: {{ include "common.namespace" . }}
 data:
 {{ tpl (.Files.Glob "resources/config/log4j2.properties").AsConfig . | indent 2 }}
-
diff --git a/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/strimzi-kb.yaml b/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/strimzi-kb.yaml
index b081e290e3..8364dfe58f 100644
--- a/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/strimzi-kb.yaml
+++ b/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/strimzi-kb.yaml
@@ -34,6 +34,18 @@ spec:
 configMapKeyRef:
 key: log4j2.properties
 name: {{ include "common.fullname" . }}-kb-logging-cm
+ resources:
+ requests:
+ cpu: {{ .Values.resources.requests.cpu }}
+ memory: {{ .Values.resources.requests.memory }}
+ limits:
+ cpu: {{ .Values.resources.limits.cpu }}
+ memory: {{ .Values.resources.limits.memory }}
 template:
 pod:
 {{- include "common.imagePullSecrets" . | nindent 6 }}
+ securityContext:
+ {{- toYaml .Values.pod.securityContext | nindent 8 }}
+ bridgeContainer:
+ securityContext:
+ {{- toYaml .Values.bridgeContainer.securityContext | nindent 8 }}
diff --git a/kubernetes/strimzi/components/strimzi-kafka-bridge/values.yaml b/kubernetes/strimzi/components/strimzi-kafka-bridge/values.yaml
index 8a4c4cdc6c..fa7b10aa22 100644
--- a/kubernetes/strimzi/components/strimzi-kafka-bridge/values.yaml
+++ b/kubernetes/strimzi/components/strimzi-kafka-bridge/values.yaml
@@ -33,3 +33,27 @@ config:
 # nameOverride is required to avoid duplication
 # in pod and service names ie ...-bridge-bridge-{random hex}
 nameOverride: strimzi-kafka
+
+resources:
+ limits:
+ cpu: '2'
+ memory: 2Gi
+ requests:
+ cpu: 100m
+ memory: 1Gi
+
+pod:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+bridgeContainer:
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 1001
+ runAsNonRoot: true
+ runAsUser: 1001
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
diff --git a/kubernetes/strimzi/resources/metrics/cruisecontrol-metrics-config.yml b/kubernetes/strimzi/resources/metrics/cruisecontrol-metrics-config.yml
index 12c742ef35..1e59dc67a0 100644
--- a/kubernetes/strimzi/resources/metrics/cruisecontrol-metrics-config.yml
+++ b/kubernetes/strimzi/resources/metrics/cruisecontrol-metrics-config.yml
@@ -17,4 +17,4 @@ lowercaseOutputName: true
 rules:
 - pattern: kafka.cruisecontrol<name=(.+)><>(\w+)
 name: kafka_cruisecontrol_$1_$2
- type: GAUGE
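Review bot: The `resources:` block added to strimzi-kb.yaml copies four leaf values one at a time (`cpu: {{ .Values.resources.requests.cpu }}` and so on) while the securityContext blocks a few lines below in the same hunk pass the whole map through `toYaml`; the two styles side by side make the template harder to extend, and any extra quantity an operator sets under `resources` (for example `ephemeral-storage`) is silently dropped. The same output comes from `resources:` followed by `{{- toYaml .Values.resources | nindent N }}` with N matching the indentation the hunk uses for the sibling keys, which I cannot read from the collapsed diff. The enclosing `spec:` block starts before this hunk.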
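Review bot: `CAP_NET_RAW` in the `capabilities.drop` list of `bridgeContainer.securityContext` is redundant once `ALL` is dropped, and it is not the spelling Kubernetes documents: the Pod Security checks and most policy engines match the prefix-less `NET_RAW`, so a policy that looks for that literal will not count this entry. Keep `drop:` with `- ALL` alone, or spell the second item `- NET_RAW` if an explicit entry is wanted for documentation. `readOnlyRootFilesystem: true` presumably relies on the operator mounting a writable `/tmp` for the bridge pod as it does for the broker pods; that is worth confirming with a test deploy, since a bridge that cannot write its temp files only fails at runtime.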
\ No newline at end of file
+ type: GAUGE
diff --git a/kubernetes/strimzi/resources/metrics/kafka-metrics-config.yml b/kubernetes/strimzi/resources/metrics/kafka-metrics-config.yml
index 7ad971fc16..8db35a9c8d 100644
--- a/kubernetes/strimzi/resources/metrics/kafka-metrics-config.yml
+++ b/kubernetes/strimzi/resources/metrics/kafka-metrics-config.yml
@@ -134,4 +134,4 @@ rules:
 name: kafka_$1_$2_$3
 type: GAUGE
 labels:
- quantile: "0.$4"
\ No newline at end of file
+ quantile: "0.$4"
diff --git a/kubernetes/strimzi/resources/metrics/zookeeper-metrics-config.yml b/kubernetes/strimzi/resources/metrics/zookeeper-metrics-config.yml
index 6a1eab7825..d5bf27f44d 100644
--- a/kubernetes/strimzi/resources/metrics/zookeeper-metrics-config.yml
+++ b/kubernetes/strimzi/resources/metrics/zookeeper-metrics-config.yml
@@ -41,4 +41,4 @@ rules:
 type: GAUGE
 labels:
 replicaId: "$2"
- memberType: "$3"
\ No newline at end of file
+ memberType: "$3"
diff --git a/kubernetes/strimzi/templates/strimzi-kafka.yaml b/kubernetes/strimzi/templates/strimzi-kafka.yaml
index aee4696fe0..5f5fcd553a 100644
--- a/kubernetes/strimzi/templates/strimzi-kafka.yaml
+++ b/kubernetes/strimzi/templates/strimzi-kafka.yaml
@@ -20,6 +20,13 @@ spec:
 kafka:
 version: {{ .Values.config.kafkaVersion }}
 replicas: {{ .Values.replicaCount }}
+ resources:
+ limits:
+ cpu: {{ .Values.kafka.resources.limits.cpu }}
+ memory: {{ .Values.kafka.resources.limits.memory }}
+ requests:
+ cpu: {{ .Values.kafka.resources.requests.cpu }}
+ memory: {{ .Values.kafka.resources.requests.memory }}
 listeners:
 - name: plain
 port: {{ .Values.config.kafkaInternalPort }}
@@ -71,8 +78,7 @@ spec:
 pod:
 {{- include "common.imagePullSecrets" . | nindent 8 }}
 securityContext:
- runAsUser: 0
- fsGroup: 0
+ {{- toYaml .Values.kafka.template.pod.securityContext | nindent 10 }}
 {{- if .Values.affinity.podAntiAffinity.enabled }}
 affinity:
 podAntiAffinity:
@@ -85,6 +91,9 @@ spec:
 - {{ include "common.fullname" . }}-kafka
 topologyKey: "kubernetes.io/hostname"
 {{- end }}
+ kafkaContainer:
+ securityContext:
+ {{- toYaml .Values.kafka.template.kafkaContainer.securityContext | nindent 10 }}
 config:
 default.replication.factor: {{ .Values.replicaCount }}
 min.insync.replicas: {{ (eq 1.0 (.Values.replicaCount)) | ternary 1 (sub .Values.replicaCount 1) }}
@@ -116,8 +125,7 @@ spec:
 pod:
 {{- include "common.imagePullSecrets" . | nindent 8 }}
 securityContext:
- runAsUser: 0
- fsGroup: 0
+ {{- toYaml .Values.zookeeper.template.pod.securityContext | nindent 10 }}
 {{- if .Values.affinity.podAntiAffinity.enabled }}
 affinity:
 podAntiAffinity:
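Review bot: Replacing `runAsUser: 0` / `fsGroup: 0` with the templated pod securityContext (`fsGroup: 1001` in the new values defaults) changes the owner the kubelet applies to the Kafka data volume, so on an existing installation whose PVC was populated as root the broker only comes back if the storage driver honours fsGroup; the recursive chown is skipped for volume types that do not support it, and then the first write to the log dir fails with permission denied. This deserves a comment next to `kafka.template.pod.securityContext` in values.yaml, e.g. `# NOTE: defaults changed from uid/gid 0 to 1001; data on existing PVCs must be owned by 1001 or the storage class must apply fsGroup`, and optionally `fsGroupChangePolicy: OnRootMismatch` in the same map so a large log dir is not re-chowned on every restart. The ZooKeeper hunk at the end of this line makes the same switch and has the same upgrade exposure. Both hunks sit inside `kafka:` / `zookeeper:` blocks that begin outside the hunk.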
@@ -130,6 +138,9 @@ spec:
 - {{ include "common.fullname" . }}-zookeeper
 topologyKey: "kubernetes.io/hostname"
 {{- end }}
+ zookeeperContainer:
+ securityContext:
+ {{- toYaml .Values.zookeeper.template.zookeeperContainer.securityContext | nindent 10 }}
 replicas: {{ .Values.replicaCount }}
 config:
 ssl.hostnameVerification: false
@@ -149,30 +160,76 @@ spec:
 configMapKeyRef:
 name: {{ include "common.fullname" . }}
 key: zookeeper-metrics-config.yml
+ resources:
+ limits:
+ cpu: {{ .Values.zookeeper.resources.limits.cpu }}
+ memory: {{ .Values.zookeeper.resources.limits.memory }}
+ requests:
+ cpu: {{ .Values.zookeeper.resources.requests.cpu }}
+ memory: {{ .Values.zookeeper.resources.requests.memory }}
 {{- end }}
 entityOperator:
 template:
 pod:
 {{- include "common.imagePullSecrets" . | nindent 8 }}
- topicOperator: {}
- userOperator: {}
+ securityContext:
+ {{- toYaml .Values.entityOperator.template.pod.securityContext | nindent 10 }}
+ topicOperatorContainer:
+ securityContext:
+ {{- toYaml .Values.entityOperator.template.topicOperatorContainer.securityContext | nindent 10 }}
+ userOperatorContainer:
+ securityContext:
+ {{- toYaml .Values.entityOperator.template.userOperatorContainer.securityContext | nindent 10 }}
+ topicOperator:
+ resources:
+ limits:
+ cpu: {{ .Values.entityOperator.template.topicOperator.resources.limits.cpu }}
+ memory: {{ .Values.entityOperator.template.topicOperator.resources.limits.memory }}
+ requests:
+ cpu: {{ .Values.entityOperator.template.topicOperator.resources.requests.cpu }}
+ memory: {{ .Values.entityOperator.template.topicOperator.resources.requests.memory }}
+ userOperator:
+ resources:
+ limits:
+ cpu: {{ .Values.entityOperator.template.userOperator.resources.limits.cpu }}
+ memory: {{ .Values.entityOperator.template.userOperator.resources.limits.memory }}
+ requests:
+ cpu: {{ .Values.entityOperator.template.userOperator.resources.requests.cpu }}
+ memory: {{ .Values.entityOperator.template.userOperator.resources.requests.memory }}
 {{- if .Values.cruiseControl.enabled }}
 cruiseControl:
 template:
 pod:
 {{- include "common.imagePullSecrets" . | nindent 8 }}
+ securityContext:
+ {{- toYaml .Values.cruiseControl.template.pod.securityContext | nindent 10 }}
+ cruiseControlContainer:
+ securityContext:
+ {{- toYaml .Values.cruiseControl.template.cruiseControlContainer.securityContext | nindent 10 }}
 metricsConfig:
 type: {{ .Values.cruiseControl.metricsConfig.type }}
 valueFrom:
 configMapKeyRef:
 name: {{ include "common.fullname" . }}
 key: cruisecontrol-metrics-config.yml
+ resources:
+ limits:
+ cpu: {{ .Values.cruiseControl.template.resources.limits.cpu }}
+ memory: {{ .Values.cruiseControl.template.resources.limits.memory }}
+ requests:
+ cpu: {{ .Values.cruiseControl.template.resources.requests.cpu }}
+ memory: {{ .Values.cruiseControl.template.resources.requests.memory }}
 {{- end }}
 {{- if .Values.metrics.kafkaExporter.enabled }}
 kafkaExporter:
 template:
 pod:
 {{- include "common.imagePullSecrets" . | nindent 8 }}
+ securityContext:
+ {{- toYaml .Values.cruiseControl.template.pod.securityContext | nindent 10 }}
+ container:
+ securityContext:
+ {{- toYaml .Values.kafkaExporter.template.container.securityContext | nindent 10 }}
 topicRegex: {{ .Values.metrics.kafkaExporter.topicRegex }}
 groupRegex: {{ .Values.metrics.kafkaExporter.groupRegex }}
 resources:
diff --git a/kubernetes/strimzi/values.yaml b/kubernetes/strimzi/values.yaml
index 3cced3e41a..fe3ca852a9 100644
--- a/kubernetes/strimzi/values.yaml
+++ b/kubernetes/strimzi/values.yaml
@@ -33,7 +33,7 @@ affinity:
 podAntiAffinity:
 enabled: true
 config:
- kafkaVersion: 3.7.0
+ kafkaVersion: 3.8.0
 authType: simple
 saslMechanism: &saslMech scram-sha-512
 kafkaInternalPort: &plainPort 9092
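Review bot: In the `kafkaExporter` section the new pod securityContext reads `.Values.cruiseControl.template.pod.securityContext` instead of `.Values.kafkaExporter.template.pod.securityContext`, which values.yaml defines in this same commit but nothing consumes; it looks like a copy-paste from the `cruiseControl` block just above it. The two defaults happen to be identical, so the rendered CR is right today, but an operator who overrides the exporter's pod context, or relaxes Cruise Control's, gets a silent mismatch between the two components. Change the line to `{{- toYaml .Values.kafkaExporter.template.pod.securityContext | nindent 10 }}`. The `entityOperator` and `cruiseControl` parts of the same hunk are consistent with their values keys.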
@@ -141,6 +141,29 @@ cruiseControl:
 # ref. https://strimzi.io/blog/2020/06/15/cruise-control/
 kafkaRebalance:
 enabled: false
+ template:
+ pod:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ cruiseControlContainer:
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 1001
+ runAsNonRoot: true
+ runAsUser: 1001
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
+ resources:
+ limits:
+ cpu: '2'
+ memory: 2Gi
+ requests:
+ cpu: 100m
+ memory: 1Gi
 ######################
 # Component overrides
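Review bot: The new `resources` block is nested under `cruiseControl.template`, and strimzi-kafka.yaml reads it as `.Values.cruiseControl.template.resources`, although in the Strimzi CR `template` only holds pod and container templates and `resources` is a sibling of it; for `kafka` and `zookeeper` the same commit correctly puts `resources` next to `template`. Moving it to `cruiseControl.resources` (and `.Values.cruiseControl.resources.limits.cpu` etc. in the template) keeps the values layout mirroring the CR and makes overrides predictable; the `entityOperator` values further down have the same shape and would benefit from the same move. Independently, `CAP_NET_RAW` under `drop` is redundant with `ALL` and is not the prefix-less `NET_RAW` form Kubernetes documents, so `- ALL` alone is enough. The `cruiseControl:` map starts before this hunk.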
@@ -151,3 +174,122 @@ strimzi-kafka-bridge:
 saslMechanism: *saslMech
 kafkaInternalPort: *plainPort
 strimziKafkaAdminUser: *adminUser
+
+kafka:
+ template:
+ pod:
+ securityContext:
+ runAsUser: 1001
+ runAsGroup: 1001
+ fsGroup: 1001
+ seccompProfile:
+ type: RuntimeDefault
+ kafkaContainer:
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ #runAsGroup: 1001
+ runAsNonRoot: true
+ runAsUser: 1001
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
+ resources:
+ limits:
+ cpu: '2'
+ memory: 2Gi
+ requests:
+ cpu: 100m
+ memory: 1Gi
+
+zookeeper:
+ template:
+ pod:
+ securityContext:
+ runAsUser: 1001
+ runAsGroup: 1001
+ fsGroup: 1001
+ seccompProfile:
+ type: RuntimeDefault
+ zookeeperContainer:
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ #runAsGroup: 1001
+ runAsNonRoot: true
+ runAsUser: 1001
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
+ resources:
+ limits:
+ cpu: '2'
+ memory: 2Gi
+ requests:
+ cpu: 100m
+ memory: 1Gi
+
+entityOperator:
+ template:
+ pod:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ topicOperatorContainer:
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 1001
+ runAsNonRoot: true
+ runAsUser: 1001
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
+ userOperatorContainer:
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 1001
+ runAsNonRoot: true
+ runAsUser: 1001
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
+ topicOperator:
+ resources:
+ limits:
+ cpu: '2'
+ memory: 2Gi
+ requests:
+ cpu: 100m
+ memory: 1Gi
+ userOperator:
+ resources:
+ limits:
+ cpu: '2'
+ memory: 2Gi
+ requests:
+ cpu: 100m
+ memory: 1Gi
+
+kafkaExporter:
+ template:
+ pod:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ container:
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 1001
+ runAsNonRoot: true
+ runAsUser: 1001
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
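Review bot: `#runAsGroup: 1001` is left commented out in `kafkaContainer.securityContext` and `zookeeperContainer.securityContext` with no explanation, while every other container context in this hunk sets it; a reader cannot tell whether it was disabled because it broke something or because the pod-level `runAsGroup: 1001` already applies to the container (an unset container field inherits the pod value, so the line is dead either way). Either delete the two lines or replace them with `# runAsGroup is inherited from template.pod.securityContext; set here only to override it`. `readOnlyRootFilesystem: true` on the broker and ZooKeeper containers presumably relies on the operator's writable `/tmp` emptyDir and the PVC-backed data dir; a rolling restart on the target storage class should confirm that before release. As in the bridge values, `CAP_NET_RAW` after `ALL` in each `drop` list is redundant and is not the `NET_RAW` spelling Kubernetes documents.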