Calico: Fix security context

This PS fixes the use of the security context macros for the calico chart. Change-Id: I2ed8a5e994726b625d76a2c308895441c7d174a9 Signed-off-by: Pete Birley <[email protected]>
sitcnet · Apr 21, 2019 · eb58abb · eb58abb
1 parent 4e3359a
commit eb58abb
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 17 deletions.
diff --git a/calico/templates/daemonset-calico-etcd.yaml b/calico/templates/daemonset-calico-etcd.yaml
@@ -51,7 +51,7 @@ spec:
         # a failure.  This annotation works in tandem with the toleration below.
         scheduler.alpha.kubernetes.io/critical-pod: ''
     spec:
-{{ dict "envAll" $envAll "application" "calico" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+{{ dict "envAll" $envAll "application" "etcd" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       serviceAccountName: {{ $serviceAccountName }}
       tolerations:
         # This taint is set by all kubelets running `--cloud-provider=external`
@@ -76,7 +76,7 @@ spec:
         - name: calico-etcd
 {{ tuple $envAll "calico_etcd" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.calico_etcd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-{{ dict "envAll" $envAll "application" "calico" "container" "calico_etcd" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ dict "envAll" $envAll "application" "etcd" "container" "calico_etcd" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           env:
             - name: CALICO_ETCD_IP
               valueFrom:

diff --git a/calico/templates/daemonset-calico-node.yaml b/calico/templates/daemonset-calico-node.yaml
@@ -119,8 +119,7 @@ spec:
 {{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_pod_annotations" | indent 8 }}
 {{- end }}
     spec:
-      securityContext:
-        readOnlyRootFilesystem: true
+{{ dict "envAll" $envAll "application" "calico_node" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       nodeSelector:
         beta.kubernetes.io/os: linux
       hostNetwork: true
@@ -144,6 +143,7 @@ spec:
         - name: install-calicoctl
 {{ tuple $envAll "calico_ctl" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.calico_ctl | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "calico_node" "container" "calico_ctl" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           command:
             - /tmp/install-calicoctl.sh
           env:
@@ -206,6 +206,7 @@ spec:
         # and CNI network config file on each node.
         - name: install-cni
 {{ tuple $envAll "calico_cni" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "calico_node" "container" "install_cni" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           command: ["/install-cni.sh"]
           env:
             # Prevents the container from sleeping forever.
@@ -310,6 +311,7 @@ spec:
         - name: calico-node
 {{ tuple $envAll "calico_node" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.calico_node | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "calico_node" "container" "calico_node" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           env:
             # Values expanded explicitly from conf.node (some of which
             # might be derived from elsewhere, see values.yaml for an
@@ -348,14 +350,6 @@ spec:
                 fieldRef:
                   fieldPath: spec.nodeName
 
-          securityContext:
-            capabilities:
-              add:
-                - 'NET_ADMIN'
-                - 'SYS_ADMIN'
-          resources:
-            requests:
-              cpu: 250m
           livenessProbe:
             httpGet:
               path: /liveness

diff --git a/calico/templates/deployment-calico-kube-controllers.yaml b/calico/templates/deployment-calico-kube-controllers.yaml
@@ -93,8 +93,7 @@ spec:
         configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
     spec:
-      securityContext:
-        readOnlyRootFilesystem: true
+{{ dict "envAll" $envAll "application" "kube_controllers" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       nodeSelector:
         beta.kubernetes.io/os: linux
       # The controllers must run in the host network namespace so that
@@ -117,6 +116,7 @@ spec:
         - name: calico-kube-controllers
 {{ tuple $envAll "calico_kube_controllers" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.calico_kube_controllers | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "kube_controllers" "container" "kube_controller" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           env:
             # The location of the Calico etcd cluster.
             - name: ETCD_ENDPOINTS

diff --git a/calico/templates/job-calico-settings.yaml b/calico/templates/job-calico-settings.yaml
@@ -39,6 +39,7 @@ spec:
       labels:
 {{ tuple $envAll "calico" "calico_settings" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
     spec:
+{{ dict "envAll" $envAll "application" "calico_settings" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       hostNetwork: true
       tolerations:
         - key: node-role.kubernetes.io/master
@@ -55,6 +56,7 @@ spec:
         - name: calico-settings
 {{ tuple $envAll "calico_settings" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.calico_settings | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "calico_settings" "container" "calico_settings" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           env:
             - name: ETCD_ENDPOINTS
               valueFrom:

diff --git a/calico/values.yaml b/calico/values.yaml
@@ -38,12 +38,38 @@ images:
 
 pod:
   security_context:
-    calico:
+    etcd:
       pod:
         runAsUser: 0
       container:
         calico_etcd:
-          readOnlyRootFilesystem: true
+          readOnlyRootFilesystem: false
+    calico_node:
+      pod:
+        runAsUser: 0
+      container:
+        calico_ctl:
+          readOnlyRootFilesystem: false
+        install_cni:
+          readOnlyRootFilesystem: false
+        calico_node:
+          readOnlyRootFilesystem: false
+          capabilities:
+            add:
+              - 'NET_ADMIN'
+              - 'SYS_ADMIN'
+    kube_controllers:
+      pod:
+        runAsUser: 0
+      container:
+        kube_controller:
+          readOnlyRootFilesystem: false
+    calico_settings:
+      pod:
+        runAsUser: 0
+      container:
+        calico_settings:
+          readOnlyRootFilesystem: false
   resources:
     enabled: false
     jobs:
@@ -71,7 +97,7 @@ pod:
     calico_node:
       requests:
         memory: "128Mi"
-        cpu: "100m"
+        cpu: "250m"
       limits:
         memory: "1024Mi"
         cpu: "2000m"