X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=kubernetes%2Fcommon%2Fcommon%2Ftemplates%2F_pod.tpl;h=810350bfa689e5c173a19c581ddf9522796b4651;hb=refs%2Fheads%2Fmaster;hp=9329572a923cebdae5059b3da652001ba8a25e2f;hpb=1a3678797eae08ff2acd5c02aa25a21be5328d1a;p=oom.git diff --git a/kubernetes/common/common/templates/_pod.tpl b/kubernetes/common/common/templates/_pod.tpl index 9329572a92..6feb91bd0c 100644 --- a/kubernetes/common/common/templates/_pod.tpl +++ b/kubernetes/common/common/templates/_pod.tpl @@ -19,10 +19,12 @@ Will use first ".Values.service.ports" list. Will append ports from ".Values.service.headlessPorts" only if port number is not already in port list. + Will add tls port AND plain port if both_tls_and_plain is set to true */}} {{- define "common.containerPorts" -}} {{- $ports := default (list) .Values.service.ports }} {{- $portsNumber := list }} +{{- $both_tls_and_plain:= default false .Values.service.both_tls_and_plain }} {{- range $index, $port := $ports }} {{- $portsNumber = append $portsNumber $port.port }} {{- end }} @@ -31,8 +33,80 @@ {{- $ports = append $ports $port }} {{- end }} {{- end }} +{{- $global := . }} {{- range $index, $port := $ports }} -- containerPort: {{ $port.port }} +{{- if (include "common.needTLS" $global) }} +- containerPort: {{ default $port.port $port.internal_port }} +{{- else }} +- containerPort: {{ default (default $port.port $port.internal_port) (default $port.plain_port $port.internal_plain_port) }} +{{- end }} name: {{ $port.name }} +{{- if (and $port.plain_port (and (include "common.needTLS" $global) $both_tls_and_plain)) }} +- containerPort: {{ default $port.plain_port $port.internal_plain_port }} + name: {{ $port.name }}-plain +{{- end }} +{{- if $port.l4_protocol }} + protocol: {{ $port.l4_protocol }} +{{- end }} {{- end }} {{- end -}} + +{{/* + Generate securityContext for pod + required variables: user_id, group_id + optional variables: fsgroup_id, runAsNonRoot, seccompProfileType + Example in values.yaml + securityContext: + user_id: 70 + group_id: 70 + # fsgroup_id: 70 + # runAsNonRoot: true + # seccompProfileType: "RuntimeDefault" +*/}} +{{- define "common.podSecurityContext" -}} +securityContext: + runAsUser: {{ .Values.securityContext.user_id }} + runAsGroup: {{ .Values.securityContext.group_id }} + fsGroup: {{ default .Values.securityContext.group_id .Values.securityContext.fsgroup_id }} + runAsNonRoot: {{ hasKey .Values.securityContext "runAsNonRoot" | ternary .Values.securityContext.runAsNonRoot true }} + seccompProfile: + type: {{ default "RuntimeDefault" .Values.securityContext.seccompProfileType }} +{{- end }} + +{{/* + Generate securityContext for container (optional) + predefined variables: capabilities.drop + optional variables: readOnlyRootFilesystem, privileged, allowPrivilegeEscalation + Example in values.yaml + containerSecurityContext: + capabilities: + privileged: false + runAsUser: 1337 + runAsGroup: 1337 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false +*/}} +{{- define "common.containerSecurityContext" -}} +securityContext: +{{- if not .Values.containerSecurityContext }} + readOnlyRootFilesystem: true + privileged: false + allowPrivilegeEscalation: false +{{- else }} + readOnlyRootFilesystem: {{ hasKey .Values.containerSecurityContext "readOnlyRootFilesystem" | ternary .Values.containerSecurityContext.readOnlyRootFilesystem false }} + privileged: {{ hasKey .Values.containerSecurityContext "privileged" | ternary .Values.containerSecurityContext.privileged false }} + allowPrivilegeEscalation: {{ hasKey .Values.containerSecurityContext "allowPrivilegeEscalation" | ternary .Values.containerSecurityContext.allowPrivilegeEscalation false }} + runAsNonRoot: {{ hasKey .Values.containerSecurityContext "runAsNonRoot" | ternary .Values.containerSecurityContext.runAsNonRoot true }} +{{- if hasKey .Values.containerSecurityContext "runAsUser" }} + runAsUser: {{ .Values.containerSecurityContext.runAsUser }} +{{- end }} +{{- if hasKey .Values.containerSecurityContext "runAsGroup" }} + runAsGroup: {{ .Values.containerSecurityContext.runAsGroup }} +{{- end }} +{{- end }} + capabilities: + drop: + - ALL + - CAP_NET_RAW +{{- end }}