X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=kubernetes%2Fcommon%2Fcommon%2Ftemplates%2F_pod.tpl;h=810350bfa689e5c173a19c581ddf9522796b4651;hb=refs%2Fheads%2Fmaster;hp=de2548562d474ea1d4b7b20e88701772e9d89ede;hpb=7cccd2a303d4f61dee5aa2ab5da701bd9e18fec8;p=oom.git diff --git a/kubernetes/common/common/templates/_pod.tpl b/kubernetes/common/common/templates/_pod.tpl index de2548562d..6feb91bd0c 100644 --- a/kubernetes/common/common/templates/_pod.tpl +++ b/kubernetes/common/common/templates/_pod.tpl @@ -36,35 +36,77 @@ {{- $global := . }} {{- range $index, $port := $ports }} {{- if (include "common.needTLS" $global) }} -- containerPort: {{ $port.port }} +- containerPort: {{ default $port.port $port.internal_port }} {{- else }} -- containerPort: {{ default $port.port $port.plain_port }} +- containerPort: {{ default (default $port.port $port.internal_port) (default $port.plain_port $port.internal_plain_port) }} {{- end }} name: {{ $port.name }} {{- if (and $port.plain_port (and (include "common.needTLS" $global) $both_tls_and_plain)) }} -- containerPort: {{ $port.plain_port }} +- containerPort: {{ default $port.plain_port $port.internal_plain_port }} name: {{ $port.name }}-plain {{- end }} +{{- if $port.l4_protocol }} + protocol: {{ $port.l4_protocol }} +{{- end }} {{- end }} {{- end -}} {{/* Generate securityContext for pod + required variables: user_id, group_id + optional variables: fsgroup_id, runAsNonRoot, seccompProfileType + Example in values.yaml + securityContext: + user_id: 70 + group_id: 70 + # fsgroup_id: 70 + # runAsNonRoot: true + # seccompProfileType: "RuntimeDefault" */}} {{- define "common.podSecurityContext" -}} securityContext: runAsUser: {{ .Values.securityContext.user_id }} runAsGroup: {{ .Values.securityContext.group_id }} - fsGroup: {{ .Values.securityContext.group_id }} + fsGroup: {{ default .Values.securityContext.group_id .Values.securityContext.fsgroup_id }} + runAsNonRoot: {{ hasKey .Values.securityContext "runAsNonRoot" | ternary .Values.securityContext.runAsNonRoot true }} + seccompProfile: + type: {{ default "RuntimeDefault" .Values.securityContext.seccompProfileType }} {{- end }} {{/* - Generate securityContext for container + Generate securityContext for container (optional) + predefined variables: capabilities.drop + optional variables: readOnlyRootFilesystem, privileged, allowPrivilegeEscalation + Example in values.yaml + containerSecurityContext: + capabilities: + privileged: false + runAsUser: 1337 + runAsGroup: 1337 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false */}} {{- define "common.containerSecurityContext" -}} securityContext: +{{- if not .Values.containerSecurityContext }} readOnlyRootFilesystem: true privileged: false allowPrivilegeEscalation: false +{{- else }} + readOnlyRootFilesystem: {{ hasKey .Values.containerSecurityContext "readOnlyRootFilesystem" | ternary .Values.containerSecurityContext.readOnlyRootFilesystem false }} + privileged: {{ hasKey .Values.containerSecurityContext "privileged" | ternary .Values.containerSecurityContext.privileged false }} + allowPrivilegeEscalation: {{ hasKey .Values.containerSecurityContext "allowPrivilegeEscalation" | ternary .Values.containerSecurityContext.allowPrivilegeEscalation false }} + runAsNonRoot: {{ hasKey .Values.containerSecurityContext "runAsNonRoot" | ternary .Values.containerSecurityContext.runAsNonRoot true }} +{{- if hasKey .Values.containerSecurityContext "runAsUser" }} + runAsUser: {{ .Values.containerSecurityContext.runAsUser }} +{{- end }} +{{- if hasKey .Values.containerSecurityContext "runAsGroup" }} + runAsGroup: {{ .Values.containerSecurityContext.runAsGroup }} +{{- end }} +{{- end }} + capabilities: + drop: + - ALL + - CAP_NET_RAW {{- end }} -