[STRIMZI] Solve Security Policy violations 83/138783/2
authorAndreas Geissler <andreas-geissler@telekom.de>
Mon, 19 Aug 2024 14:30:45 +0000 (16:30 +0200)
committerAndreas Geissler <andreas-geissler@telekom.de>
Wed, 11 Sep 2024 07:19:27 +0000 (09:19 +0200)
- add securityContext settings to Operator and strimzi resources
- add resources settings
- update documents to use a new strimzi-kafka operator version in Oslo

Issue-ID: OOM-3311

Change-Id: Ie6e4c30495e500781d898aed31bd74f2f4f3c708
Signed-off-by: Andreas Geissler <andreas-geissler@telekom.de>
docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst
kubernetes/strimzi/Chart.yaml
kubernetes/strimzi/components/strimzi-kafka-bridge/Chart.yaml
kubernetes/strimzi/components/strimzi-kafka-bridge/templates/configmap.yaml
kubernetes/strimzi/components/strimzi-kafka-bridge/templates/strimzi-kb.yaml
kubernetes/strimzi/components/strimzi-kafka-bridge/values.yaml
kubernetes/strimzi/resources/metrics/cruisecontrol-metrics-config.yml
kubernetes/strimzi/resources/metrics/kafka-metrics-config.yml
kubernetes/strimzi/resources/metrics/zookeeper-metrics-config.yml
kubernetes/strimzi/templates/strimzi-kafka.yaml
kubernetes/strimzi/values.yaml

index 1137723..5020e22 100644 (file)
@@ -48,9 +48,9 @@ The versions of software that are supported and tested by OOM are as follows:
   ==============     ===========  =======  ========  ========  =============  ========
   Release            Kubernetes   Helm     kubectl   Docker    Cert-Manager   Strimzi
   ==============     ===========  =======  ========  ========  =============  ========
-  London             1.23.8       3.8.2    1.23.x    20.10.x   1.12.2         0.35.0
   Montreal           1.27.5       3.12.3   1.27.x    20.10.x   1.13.2         0.36.1
   New Delhi          1.28.6       3.13.1   1.28.x    20.10.x   1.14.4         0.41.0
+  Oslo               1.28.6       3.13.1   1.28.x    20.10.x   1.14.4         0.43.0
   ==============     ===========  =======  ========  ========  =============  ========
 
 .. table:: OOM Software Requirements (production)
@@ -58,9 +58,9 @@ The versions of software that are supported and tested by OOM are as follows:
   ==============     ======  ============ ==============
   Release            Istio   Gateway-API  Keycloak
   ==============     ======  ============ ==============
-  London             1.17.2  v0.6.2       19.0.3-legacy
   Montreal           1.19.3  v1.0.0       19.0.3-legacy
   New Delhi          1.21.0  v1.0.0       22.0.4
+  Oslo               1.23.0  v1.0.0       22.0.4
   ==============     ======  ============ ==============
 
 .. table:: OOM Software Requirements (optional)
@@ -68,7 +68,7 @@ The versions of software that are supported and tested by OOM are as follows:
   ==============     ================= ========== =================
   Release            Prometheus Stack  K8ssandra  MariaDB-Operator
   ==============     ================= ========== =================
-  London             45.x              1.6.1
   Montreal           45.x              1.10.2     0.23.1
   New Delhi          45.x              1.16.0     0.28.1
+  Oslo               45.x              1.19.0     0.30.0
   ==============     ================= ========== =================
index 1b927d6..180b42b 100644 (file)
@@ -15,7 +15,7 @@
 apiVersion: v2
 description: ONAP Strimzi Kafka
 name: strimzi
-version: 13.0.1
+version: 13.0.2
 
 dependencies:
   - name: common
@@ -31,4 +31,3 @@ dependencies:
     version: ~13.x-0
     repository: 'file://components/strimzi-kafka-bridge'
     condition: strimzi-kafka-bridge.enabled
-
index e254d99..ca4a4e9 100644 (file)
@@ -15,7 +15,7 @@
 apiVersion: v2
 description: ONAP Strimzi Kafka Bridge
 name: strimzi-kafka-bridge
-version: 13.0.0
+version: 13.0.1
 
 dependencies:
   - name: common
index 25fbf3d..7f4dea4 100644 (file)
@@ -21,4 +21,3 @@ metadata:
   namespace: {{ include "common.namespace" . }}
 data:
 {{ tpl (.Files.Glob "resources/config/log4j2.properties").AsConfig . | indent 2 }}
-
index b081e29..8364dfe 100644 (file)
@@ -34,6 +34,18 @@ spec:
       configMapKeyRef:
         key: log4j2.properties
         name: {{ include "common.fullname" . }}-kb-logging-cm
+  resources:
+    requests:
+      cpu: {{ .Values.resources.requests.cpu }}
+      memory: {{ .Values.resources.requests.memory }}
+    limits:
+      cpu: {{ .Values.resources.limits.cpu }}
+      memory: {{ .Values.resources.limits.memory }}
   template:
     pod:
       {{- include "common.imagePullSecrets" . | nindent 6 }}
+      securityContext:
+        {{- toYaml .Values.pod.securityContext | nindent 8 }}
+    bridgeContainer:
+      securityContext:
+        {{- toYaml .Values.bridgeContainer.securityContext | nindent 8 }}
index 8a4c4cd..fa7b10a 100644 (file)
@@ -33,3 +33,27 @@ config:
 # nameOverride is required to avoid duplication
 # in pod and service names ie ...-bridge-bridge-{random hex}
 nameOverride: strimzi-kafka
+
+resources:
+  limits:
+    cpu: '2'
+    memory: 2Gi
+  requests:
+    cpu: 100m
+    memory: 1Gi
+
+pod:
+  securityContext:
+    seccompProfile:
+      type: RuntimeDefault
+bridgeContainer:
+  securityContext:
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    runAsGroup: 1001
+    runAsNonRoot: true
+    runAsUser: 1001
+    capabilities:
+      drop:
+        - ALL
+        - CAP_NET_RAW
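Review bot: `CAP_NET_RAW` in `bridgeContainer.securityContext.capabilities.drop` is redundant once `ALL` is dropped on the line before it, and Kubernetes spells capability names without the `CAP_` prefix (`NET_RAW`), so the extra entry adds nothing except a name some runtimes may not recognise. Dropping the line, leaving `drop: [ALL]`, gives the same effective capability set and reads as a deliberate deny-all. If the policy scanner that motivated the change specifically greps for `NET_RAW`, a comment saying so (`# NET_RAW is already covered by ALL; listed for policy scanner`) would explain why it stays.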
index 12c742e..1e59dc6 100644 (file)
@@ -17,4 +17,4 @@ lowercaseOutputName: true
 rules:
   - pattern: kafka.cruisecontrol<name=(.+)><>(\w+)
     name: kafka_cruisecontrol_$1_$2
-    type: GAUGE
\ No newline at end of file
+    type: GAUGE
index 7ad971f..8db35a9 100644 (file)
@@ -134,4 +134,4 @@ rules:
     name: kafka_$1_$2_$3
     type: GAUGE
     labels:
-      quantile: "0.$4"
\ No newline at end of file
+      quantile: "0.$4"
index 6a1eab7..d5bf27f 100644 (file)
@@ -41,4 +41,4 @@ rules:
     type: GAUGE
     labels:
       replicaId: "$2"
-      memberType: "$3"
\ No newline at end of file
+      memberType: "$3"
index aee4696..5f5fcd5 100644 (file)
@@ -20,6 +20,13 @@ spec:
   kafka:
     version: {{ .Values.config.kafkaVersion }}
     replicas: {{ .Values.replicaCount }}
+    resources:
+      limits:
+        cpu: {{ .Values.kafka.resources.limits.cpu }}
+        memory: {{ .Values.kafka.resources.limits.memory }}
+      requests:
+        cpu: {{ .Values.kafka.resources.requests.cpu }}
+        memory: {{ .Values.kafka.resources.requests.memory }}
     listeners:
       - name: plain
         port: {{ .Values.config.kafkaInternalPort }}
@@ -71,8 +78,7 @@ spec:
       pod:
         {{- include "common.imagePullSecrets" . | nindent 8 }}
         securityContext:
-          runAsUser: 0
-          fsGroup: 0
+          {{- toYaml .Values.kafka.template.pod.securityContext | nindent 10 }}
         {{- if .Values.affinity.podAntiAffinity.enabled }}
         affinity:
           podAntiAffinity:
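Review bot: Switching the Kafka pod from `runAsUser: 0` / `fsGroup: 0` to the values-driven context (uid/gid/fsGroup 1001 in values.yaml) changes the owner expected on the broker's persistent volumes; data written by the previous chart version under root may not be writable by 1001 after an in-place upgrade unless the storage driver applies the new `fsGroup` recursively. This is inferred from the old/new values rather than visible here, so it may be a non-issue for fresh installs, but an upgrade note in the chart or commit message would be worth adding, e.g. `# NOTE: volumes created by chart <= 13.0.1 are root-owned; verify fsGroup chown on upgrade`. The enclosing `kafka.template.pod` block continues below this hunk.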
@@ -85,6 +91,9 @@ spec:
                         - {{ include "common.fullname" . }}-kafka
                 topologyKey: "kubernetes.io/hostname"
         {{- end }}
+      kafkaContainer:
+        securityContext:
+          {{- toYaml .Values.kafka.template.kafkaContainer.securityContext | nindent 10 }}
     config:
       default.replication.factor: {{ .Values.replicaCount }}
       min.insync.replicas: {{ (eq 1.0 (.Values.replicaCount)) | ternary 1 (sub .Values.replicaCount 1) }}
@@ -116,8 +125,7 @@ spec:
       pod:
         {{- include "common.imagePullSecrets" . | nindent 8 }}
         securityContext:
-          runAsUser: 0
-          fsGroup: 0
+          {{- toYaml .Values.zookeeper.template.pod.securityContext | nindent 10 }}
         {{- if .Values.affinity.podAntiAffinity.enabled }}
         affinity:
           podAntiAffinity:
@@ -130,6 +138,9 @@ spec:
                         - {{ include "common.fullname" . }}-zookeeper
                 topologyKey: "kubernetes.io/hostname"
         {{- end }}
+      zookeeperContainer:
+        securityContext:
+          {{- toYaml .Values.zookeeper.template.zookeeperContainer.securityContext | nindent 10 }}
     replicas: {{ .Values.replicaCount }}
     config:
       ssl.hostnameVerification: false
@@ -149,30 +160,76 @@ spec:
         configMapKeyRef:
           name: {{ include "common.fullname" . }}
           key: zookeeper-metrics-config.yml
+    resources:
+      limits:
+        cpu: {{ .Values.zookeeper.resources.limits.cpu }}
+        memory: {{ .Values.zookeeper.resources.limits.memory }}
+      requests:
+        cpu: {{ .Values.zookeeper.resources.requests.cpu }}
+        memory: {{ .Values.zookeeper.resources.requests.memory }}
     {{- end }}
   entityOperator:
     template:
       pod:
         {{- include "common.imagePullSecrets" . | nindent 8 }}
-    topicOperator: {}
-    userOperator: {}
+        securityContext:
+          {{- toYaml .Values.entityOperator.template.pod.securityContext | nindent 10 }}
+      topicOperatorContainer:
+        securityContext:
+          {{- toYaml .Values.entityOperator.template.topicOperatorContainer.securityContext | nindent 10 }}
+      userOperatorContainer:
+        securityContext:
+          {{- toYaml .Values.entityOperator.template.userOperatorContainer.securityContext | nindent 10 }}
+    topicOperator:
+      resources:
+        limits:
+          cpu: {{ .Values.entityOperator.template.topicOperator.resources.limits.cpu }}
+          memory: {{ .Values.entityOperator.template.topicOperator.resources.limits.memory }}
+        requests:
+          cpu: {{ .Values.entityOperator.template.topicOperator.resources.requests.cpu }}
+          memory: {{ .Values.entityOperator.template.topicOperator.resources.requests.memory }}
+    userOperator:
+      resources:
+        limits:
+          cpu: {{ .Values.entityOperator.template.userOperator.resources.limits.cpu }}
+          memory: {{ .Values.entityOperator.template.userOperator.resources.limits.memory }}
+        requests:
+          cpu: {{ .Values.entityOperator.template.userOperator.resources.requests.cpu }}
+          memory: {{ .Values.entityOperator.template.userOperator.resources.requests.memory }}
   {{- if .Values.cruiseControl.enabled }}
   cruiseControl:
     template:
       pod:
         {{- include "common.imagePullSecrets" . | nindent 8 }}
+        securityContext:
+          {{- toYaml .Values.cruiseControl.template.pod.securityContext | nindent 10 }}
+      cruiseControlContainer:
+        securityContext:
+          {{- toYaml .Values.cruiseControl.template.cruiseControlContainer.securityContext | nindent 10 }}
     metricsConfig:
       type: {{ .Values.cruiseControl.metricsConfig.type }}
       valueFrom:
         configMapKeyRef:
           name: {{ include "common.fullname" . }}
           key: cruisecontrol-metrics-config.yml
+    resources:
+      limits:
+        cpu: {{ .Values.cruiseControl.template.resources.limits.cpu }}
+        memory: {{ .Values.cruiseControl.template.resources.limits.memory }}
+      requests:
+        cpu: {{ .Values.cruiseControl.template.resources.requests.cpu }}
+        memory: {{ .Values.cruiseControl.template.resources.requests.memory }}
   {{- end }}
   {{- if .Values.metrics.kafkaExporter.enabled }}
   kafkaExporter:
     template:
       pod:
         {{- include "common.imagePullSecrets" . | nindent 8 }}
+        securityContext:
+          {{- toYaml .Values.cruiseControl.template.pod.securityContext | nindent 10 }}
+      container:
+        securityContext:
+          {{- toYaml .Values.kafkaExporter.template.container.securityContext | nindent 10 }}
     topicRegex: {{ .Values.metrics.kafkaExporter.topicRegex }}
     groupRegex: {{ .Values.metrics.kafkaExporter.groupRegex }}
     resources:
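Review bot: The kafkaExporter pod securityContext is rendered from `.Values.cruiseControl.template.pod.securityContext` instead of the `kafkaExporter.template.pod.securityContext` key that values.yaml defines for it, which looks like a copy-paste slip from the cruiseControl stanza above. Both currently hold only `seccompProfile: RuntimeDefault`, so the rendered output is the same today, but any operator override of the exporter's pod context would be silently ignored and a cruiseControl change would leak into the exporter. The fix is the one line `{{- toYaml .Values.kafkaExporter.template.pod.securityContext | nindent 10 }}`. The `kafkaExporter` stanza continues past the end of this hunk.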
index 3cced3e..fe3ca85 100644 (file)
@@ -33,7 +33,7 @@ affinity:
   podAntiAffinity:
     enabled: true
 config:
-  kafkaVersion: 3.7.0
+  kafkaVersion: 3.8.0
   authType: simple
   saslMechanism: &saslMech scram-sha-512
   kafkaInternalPort: &plainPort 9092
@@ -141,6 +141,29 @@ cruiseControl:
   # ref. https://strimzi.io/blog/2020/06/15/cruise-control/
   kafkaRebalance:
     enabled: false
+  template:
+    pod:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+    cruiseControlContainer:
+      securityContext:
+        allowPrivilegeEscalation: false
+        readOnlyRootFilesystem: true
+        runAsGroup: 1001
+        runAsNonRoot: true
+        runAsUser: 1001
+        capabilities:
+          drop:
+            - ALL
+            - CAP_NET_RAW
+    resources:
+      limits:
+        cpu: '2'
+        memory: 2Gi
+      requests:
+        cpu: 100m
+        memory: 1Gi
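Review bot: The Cruise Control resources are placed under `cruiseControl.template.resources` while the template renders them at `spec.cruiseControl.resources`, and the sibling stanzas use `kafka.resources` / `zookeeper.resources`; `template` in the Strimzi CR only carries pod/container templating, so this key path will surprise anyone overriding it. Moving the block up one level to `cruiseControl.resources` and reading `.Values.cruiseControl.resources.*` in the template keeps the values layout parallel to the other components. The `CAP_NET_RAW` entry after `ALL` is redundant for the same reason as in the other containers.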
 
 ######################
 #  Component overrides
@@ -151,3 +174,122 @@ strimzi-kafka-bridge:
     saslMechanism: *saslMech
     kafkaInternalPort: *plainPort
     strimziKafkaAdminUser: *adminUser
+
+kafka:
+  template:
+    pod:
+      securityContext:
+        runAsUser: 1001
+        runAsGroup: 1001
+        fsGroup: 1001
+        seccompProfile:
+          type: RuntimeDefault
+    kafkaContainer:
+      securityContext:
+        allowPrivilegeEscalation: false
+        readOnlyRootFilesystem: true
+        #runAsGroup: 1001
+        runAsNonRoot: true
+        runAsUser: 1001
+        capabilities:
+          drop:
+            - ALL
+            - CAP_NET_RAW
+  resources:
+    limits:
+      cpu: '2'
+      memory: 2Gi
+    requests:
+      cpu: 100m
+      memory: 1Gi
+
+zookeeper:
+  template:
+    pod:
+      securityContext:
+        runAsUser: 1001
+        runAsGroup: 1001
+        fsGroup: 1001
+        seccompProfile:
+          type: RuntimeDefault
+    zookeeperContainer:
+      securityContext:
+        allowPrivilegeEscalation: false
+        readOnlyRootFilesystem: true
+        #runAsGroup: 1001
+        runAsNonRoot: true
+        runAsUser: 1001
+        capabilities:
+          drop:
+            - ALL
+            - CAP_NET_RAW
+  resources:
+    limits:
+      cpu: '2'
+      memory: 2Gi
+    requests:
+      cpu: 100m
+      memory: 1Gi
+
+entityOperator:
+  template:
+    pod:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+    topicOperatorContainer:
+      securityContext:
+        allowPrivilegeEscalation: false
+        readOnlyRootFilesystem: true
+        runAsGroup: 1001
+        runAsNonRoot: true
+        runAsUser: 1001
+        capabilities:
+          drop:
+            - ALL
+            - CAP_NET_RAW
+    userOperatorContainer:
+      securityContext:
+        allowPrivilegeEscalation: false
+        readOnlyRootFilesystem: true
+        runAsGroup: 1001
+        runAsNonRoot: true
+        runAsUser: 1001
+        capabilities:
+          drop:
+            - ALL
+            - CAP_NET_RAW
+    topicOperator:
+      resources:
+        limits:
+          cpu: '2'
+          memory: 2Gi
+        requests:
+          cpu: 100m
+          memory: 1Gi
+    userOperator:
+      resources:
+        limits:
+          cpu: '2'
+          memory: 2Gi
+        requests:
+          cpu: 100m
+          memory: 1Gi
+
+kafkaExporter:
+  template:
+    pod:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+    container:
+      securityContext:
+        allowPrivilegeEscalation: false
+        readOnlyRootFilesystem: true
+        runAsGroup: 1001
+        runAsNonRoot: true
+        runAsUser: 1001
+        capabilities:
+          drop:
+            - ALL
+            - CAP_NET_RAW
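Review bot: `runAsGroup: 1001` is commented out in `kafka.template.kafkaContainer` and `zookeeper.template.zookeeperContainer` while every other container in this hunk sets it; with the pod-level `runAsGroup: 1001` it is inherited anyway, so either delete the two commented lines or add a comment saying why (`# runAsGroup inherited from pod securityContext`), rather than leaving a dead setting that invites a reviewer to "fix" it. `readOnlyRootFilesystem: true` on the broker and ZooKeeper containers presumably relies on Strimzi's own writable `/tmp` mount for scratch files; that is not visible here, so it is worth a one-line comment recording the assumption. The identical container context is now repeated five times; a short comment above `kafka:` pointing readers to the shared policy (or a values anchor, which this file already uses for `saslMech`) would make future changes less error-prone.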