From fec27ccdd5fc0c8fc4ff749697fd147407acfdc6 Mon Sep 17 00:00:00 2001 From: Andreas Geissler Date: Wed, 14 Aug 2024 13:13:41 +0200 Subject: [COMMON][TIMESCALEDB] TemporalDB and securityContext settings - make pod/containerSecurityContext settings more configurable in _pod.tpl - fix MariaDB statefulset - Fix temporal statefulset to comply with security rules - Set timescaleDB via RepositoryGenerator Issue-ID: OOM-3310 Change-Id: I870f1e835020c2b30225741e700d1a6abfba8ad3 Signed-off-by: Andreas Geissler --- kubernetes/common/common/Chart.yaml | 2 +- kubernetes/common/common/templates/_pod.tpl | 41 +++++++++++++++++++--- kubernetes/common/mariadb-galera/Chart.yaml | 2 +- .../mariadb-galera/templates/statefulset.yaml | 3 +- kubernetes/common/mariadb-galera/values.yaml | 5 ++- kubernetes/common/timescaledb/Chart.yaml | 2 +- .../common/timescaledb/templates/statefulset.yaml | 24 ++++--------- kubernetes/common/timescaledb/values.yaml | 13 ++++--- kubernetes/onap/values.yaml | 1 - 9 files changed, 59 insertions(+), 34 deletions(-) diff --git a/kubernetes/common/common/Chart.yaml b/kubernetes/common/common/Chart.yaml index 986b96fa13..c8609d6a80 100644 --- a/kubernetes/common/common/Chart.yaml +++ b/kubernetes/common/common/Chart.yaml @@ -17,4 +17,4 @@ apiVersion: v2 description: Common templates for inclusion in other charts name: common -version: 13.2.4 +version: 13.2.5 diff --git a/kubernetes/common/common/templates/_pod.tpl b/kubernetes/common/common/templates/_pod.tpl index 0a1d0abdf6..743e3db1df 100644 --- a/kubernetes/common/common/templates/_pod.tpl +++ b/kubernetes/common/common/templates/_pod.tpl 
@@ -53,25 +53,58 @@ {{/* Generate securityContext for pod + required variables: user_id, group_id + optional variables: fsgroup_id, runAsNonRoot, seccompProfileType + Example in values.yaml + securityContext: + user_id: 70 + group_id: 70 + # fsgroup_id: 70 + # runAsNonRoot: true + # seccompProfileType: "RuntimeDefault" */}} {{- define "common.podSecurityContext" -}} securityContext: runAsUser: {{ .Values.securityContext.user_id }} runAsGroup: {{ .Values.securityContext.group_id }} - fsGroup: {{ .Values.securityContext.group_id }} - runAsNonRoot: true + fsGroup: {{ default .Values.securityContext.group_id .Values.securityContext.fsgroup_id }} + runAsNonRoot: {{ hasKey .Values.securityContext "runAsNonRoot" | ternary .Values.securityContext.runAsNonRoot true }} seccompProfile: - type: RuntimeDefault + type: {{ default "RuntimeDefault" .Values.securityContext.seccompProfileType }} {{- end }} {{/* - Generate securityContext for container + Generate securityContext for container (optional) + predefined variables: capabilities.drop + optional variables: readOnlyRootFilesystem, privileged, allowPrivilegeEscalation + Example in values.yaml + containerSecurityContext: + capabilities: + privileged: false + runAsUser: 1337 + runAsGroup: 1337 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false */}} {{- define "common.containerSecurityContext" -}} securityContext: +{{- if not .Values.containerSecurityContext }} readOnlyRootFilesystem: true privileged: false allowPrivilegeEscalation: false +{{- else }} + readOnlyRootFilesystem: {{ hasKey .Values.containerSecurityContext "readOnlyRootFilesystem" | ternary .Values.containerSecurityContext.readOnlyRootFilesystem false }} + privileged: {{ hasKey .Values.containerSecurityContext "privileged" | ternary .Values.containerSecurityContext.privileged false }} + allowPrivilegeEscalation: {{ hasKey .Values.containerSecurityContext "allowPrivilegeEscalation" | ternary 
.Values.containerSecurityContext.allowPrivilegeEscalation false }} + runAsNonRoot: {{ hasKey .Values.containerSecurityContext "runAsNonRoot" | ternary .Values.containerSecurityContext.runAsNonRoot true }} +{{- if .Values.containerSecurityContext.runAsUser }} + runAsUser: {{ .Values.containerSecurityContext.runAsUser }} +{{- end }} +{{- if .Values.containerSecurityContext.runAsGroup }} + runAsGroup: {{ .Values.containerSecurityContext.runAsGroup }} +{{ end }} +{{- end }} capabilities: drop: - ALL diff --git a/kubernetes/common/mariadb-galera/Chart.yaml b/kubernetes/common/mariadb-galera/Chart.yaml index d97aa0ecea..41d11a646e 100644 --- a/kubernetes/common/mariadb-galera/Chart.yaml +++ b/kubernetes/common/mariadb-galera/Chart.yaml @@ -18,7 +18,7 @@ apiVersion: v2 description: Chart for MariaDB Galera cluster name: mariadb-galera -version: 13.2.1 +version: 13.2.2 keywords: - mariadb - mysql diff --git a/kubernetes/common/mariadb-galera/templates/statefulset.yaml b/kubernetes/common/mariadb-galera/templates/statefulset.yaml index 2b8951979d..66ce8abc6e 100644 --- a/kubernetes/common/mariadb-galera/templates/statefulset.yaml +++ b/kubernetes/common/mariadb-galera/templates/statefulset.yaml @@ -66,6 +66,7 @@ spec: runAsGroup: {{ .Values.securityContext.group_id }} readOnlyRootFilesystem: false runAsUser: 0 + runAsNonRoot: false seccompProfile: type: RuntimeDefault volumeMounts: @@ -181,7 +182,7 @@ spec: successThreshold: {{ .Values.startupProbe.successThreshold }} failureThreshold: {{ .Values.startupProbe.failureThreshold }} {{- end }} - {{ include "common.securityContext" . | indent 10 | trim }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} resources: {{ include "common.resources" . | nindent 12 }} volumeMounts: - name: previous-boot diff --git a/kubernetes/common/mariadb-galera/values.yaml b/kubernetes/common/mariadb-galera/values.yaml index d8303dd5fd..faab7af1b3 100644 --- a/kubernetes/common/mariadb-galera/values.yaml 
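Review bot: In the `else` branch of common.containerSecurityContext, `readOnlyRootFilesystem` falls back to `false` when the key is absent, while the branch taken when no `containerSecurityContext` map exists renders `true`; defining the map for any other key therefore silently disables the read-only root filesystem, and a fail-closed default of `true` in that ternary keeps both paths consistent (the mariadb-galera values in this change would then need to spell the key as the template reads it). The `{{- if .Values.containerSecurityContext.runAsUser }}` and `runAsGroup` guards test truthiness, so an explicit `runAsUser: 0` is dropped from the rendered context; `hasKey`, as used on the other lines, keeps it. The `{{ end }}` after `runAsGroup` lacks the `-` every other directive uses and leaves a blank line in the output. The example in the header comment lists `capabilities:` with nothing beneath it, which reads as configurable although `drop: - ALL` is fixed below; I would drop that line from the example or state that it is always appended.
```yaml
{{- else }}
  readOnlyRootFilesystem: {{ hasKey .Values.containerSecurityContext "readOnlyRootFilesystem" | ternary .Values.containerSecurityContext.readOnlyRootFilesystem true }}
{{/* … unchanged: privileged, allowPrivilegeEscalation, runAsNonRoot lines … */}}
{{- if hasKey .Values.containerSecurityContext "runAsUser" }}
  runAsUser: {{ .Values.containerSecurityContext.runAsUser }}
{{- end }}
{{- if hasKey .Values.containerSecurityContext "runAsGroup" }}
  runAsGroup: {{ .Values.containerSecurityContext.runAsGroup }}
{{- end }}
{{- end }}
{{/* … unchanged: capabilities drop ALL … */}}
```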
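Review bot: The added `runAsNonRoot: false` beside `runAsUser: 0` in the mariadb-galera statefulset (first hunk, line 69) deserves a why-comment, since this is now the one container in the chart explicitly permitted to run as root; something like `# runs as root: <reason — fill in, e.g. volume ownership fix>` above `runAsUser: 0`. The container this block belongs to starts before the hunk, so which container it is cannot be seen here. The second hunk's switch to `common.containerSecurityContext` makes the rendered context depend on the `containerSecurityContext` map in the chart's values.yaml, so its key names must match what that template reads.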
+++ b/kubernetes/common/mariadb-galera/values.yaml @@ -217,10 +217,13 @@ serviceAccount: ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## securityContext: - enabled: true user_id: 10001 group_id: 10001 +# Old Bitnami Chart does not work without Filesystem access +containerSecurityContext: + readOnlyFileSystem: false + ## Database credentials for root (admin) user ## rootUser: diff --git a/kubernetes/common/timescaledb/Chart.yaml b/kubernetes/common/timescaledb/Chart.yaml index b0569eb662..8ce460061d 100644 --- a/kubernetes/common/timescaledb/Chart.yaml +++ b/kubernetes/common/timescaledb/Chart.yaml @@ -22,7 +22,7 @@ apiVersion: v2 appVersion: "1.0" description: ONAP timescaledb name: timescaledb -version: 13.0.0 +version: 13.0.1 dependencies: - name: common diff --git a/kubernetes/common/timescaledb/templates/statefulset.yaml b/kubernetes/common/timescaledb/templates/statefulset.yaml index 1d161f3945..031241dbaf 100644 --- a/kubernetes/common/timescaledb/templates/statefulset.yaml +++ b/kubernetes/common/timescaledb/templates/statefulset.yaml 
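Review bot: The new `containerSecurityContext.readOnlyFileSystem: false` does not match the key `common.containerSecurityContext` reads, `readOnlyRootFilesystem`, so the override is dead; the rendered context only ends up with `readOnlyRootFilesystem: false` because the template defaults every missing key of a present map to `false`, the opposite of what an unset map yields. Rename it to `readOnlyRootFilesystem: false` so the intent survives if that template default is tightened. The comment above it should say what needs write access, e.g. `# The old Bitnami chart writes to the container root filesystem, so it cannot run read-only`.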
@@ -29,27 +29,12 @@ spec: metadata: {{- include "common.templateMetadata" (dict "ignoreHelmChart" true "dot" . ) | nindent 6 }} spec: serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . ) }} - {{ include "common.podSecurityContext" . | indent 10 | trim}} - initContainers: - # we shouldn't need this but for unknown reason, it's fsGroup is not - # applied - - name: fix-permission - command: - - /bin/sh - args: - - -c - - chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /var/lib/postgresql/data - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - securityContext: - runAsUser: 0 - volumeMounts: - - mountPath: /var/lib/postgresql/data - name: {{ include "common.fullname" . }} + {{ include "common.podSecurityContext" . | indent 6 | trim}} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 10 | trim}} ports: {{ include "common.containerPorts" . | nindent 12 }} livenessProbe: exec: @@ -80,10 +65,15 @@ spec: mountPath: /docker-entrypoint-initdb.d - name: {{ include "common.fullname" . }} mountPath: /var/lib/postgresql/data + - name: var-run + mountPath: /var/run/postgresql volumes: - name: {{ include "common.fullname" . }}-init configMap: name: {{ include "common.fullname" . }}-init + - name: var-run + emptyDir: + sizeLimit: {{ .Values.dirSizes.varDir.sizeLimit }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/kubernetes/common/timescaledb/values.yaml b/kubernetes/common/timescaledb/values.yaml index 2643f55062..35beab7ea1 100644 --- a/kubernetes/common/timescaledb/values.yaml +++ b/kubernetes/common/timescaledb/values.yaml 
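Review bot: With `common.containerSecurityContext` included in the timescaledb container and no `containerSecurityContext` map in this chart's values, the container renders with `readOnlyRootFilesystem: true`, and the only writable path the second hunk provides is the `var-run` emptyDir at /var/run/postgresql. Whether the image's entrypoint writes anywhere else on the root filesystem (/tmp, for instance) is not visible here; if it does, those paths need an emptyDir too, so this is worth confirming against the image. A comment on the volume would make the coupling explicit: `# socket/lock directory; the container root filesystem is read-only`. Also `| trim}}` on both include lines is missing the space before `}}` that the surrounding includes use.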
@@ -21,9 +21,9 @@ global: persistence: {} ################################################################# -# Secrets. +# Image ############################################################## -image: timescale/timescaledb:2.5.1-pg14 +image: timescale/timescaledb:2.16.1-pg14 pullPolicy: Always containerPorts: 5432 @@ -41,11 +41,6 @@ securityContext: # Uid and gid to run the entrypoint of the container process (uid 70 is postgres user and gid 70 is postgres group) user_id: 70 group_id: 70 - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true flavor: small @@ -114,6 +109,10 @@ config: pgRootUserName: postgres pgDatabase: timescaledb +dirSizes: + varDir: + sizeLimit: 64Mi + secrets: - uid: root-creds type: basicAuth diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml index 663712cac5..6ca0e26b1e 100755 --- a/kubernetes/onap/values.yaml +++ b/kubernetes/onap/values.yaml @@ -97,7 +97,6 @@ global: mariadbImage: bitnami/mariadb:10.5.8 # mongodb server image - mongodbImage: percona/percona-server-mongodb:7.0.5-3 # nginx server image -- cgit 1.2.3-korg
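Review bot: The new `dirSizes.varDir.sizeLimit` block in timescaledb/values.yaml says nothing about what `varDir` is; since the statefulset mounts it as the emptyDir at /var/run/postgresql, a comment such as `# size limit of the emptyDir mounted at /var/run/postgresql` would save the reader a lookup. The image bump from `timescale/timescaledb:2.5.1-pg14` to `2.16.1-pg14` spans many minor releases of the extension on the same Postgres major; whether an existing data volume from a previous release needs the extension updated inside the database after the upgrade is not addressed by the change and is worth confirming before rollout.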