Merge "[AAI] Kyverno - disallow-host-path policy"

author Lukasz Rajewski <lukasz.rajewski@t-mobile.pl>

Mon, 25 Mar 2024 10:10:40 +0000 (10:10 +0000)

committer Gerrit Code Review <gerrit@onap.org>

Mon, 25 Mar 2024 10:10:40 +0000 (10:10 +0000)
author Lukasz Rajewski <lukasz.rajewski@t-mobile.pl>
Mon, 25 Mar 2024 10:10:40 +0000 (10:10 +0000)
committer Gerrit Code Review <gerrit@onap.org>
Mon, 25 Mar 2024 10:10:40 +0000 (10:10 +0000)
diff --combined kubernetes/aai/components/aai-babel/templates/deployment.yaml

index c62587e,7f088fc..24d34e8
--- 1/kubernetes/aai/components/aai-babel/templates/deployment.yaml
--- 2/kubernetes/aai/components/aai-babel/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-babel/templates/deployment.yaml
@@@ -58,9 -58,6 +58,6 @@@ spec
               - name: CONFIG_HOME
                 value: /opt/app/babel/config
             volumeMounts:
-           - mountPath: /etc/localtime
-             name: localtime
-             readOnly: true
             - mountPath: /opt/app/babel/config/application.properties
               name: config
               subPath: application.properties
@@@ -94,9 -91,6 +91,6 @@@
         {{ include "common.log.sidecar" . | nindent 8 }}
         serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
         volumes:
-         - name: localtime
-           hostPath:
-             path: /etc/localtime
           - name: config
             configMap:
               name: {{ include "common.fullname" . }}-configmap
@@@ -107,4 -101,5 +101,4 @@@
             emptyDir: {}
           {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 8 }}
   
- -      imagePullSecrets:
- -      - name: "{{ include "common.namespace" . }}-docker-registry-key"
+ +      {{- include "common.imagePullSecrets" . | nindent 6 }}
diff --combined kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml

index 022e142,f65c15b..d3d236f
--- 1/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml
--- 2/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml
@@@ -123,9 -123,6 +123,6 @@@ spec
           - name: INTERNAL_PORT_3
             value: {{ .Values.service.internalPort3 | quote }}
           volumeMounts:
-         - mountPath: /etc/localtime
-           name: localtime
-           readOnly: true
           - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties
             name: config
             subPath: janusgraph-realtime.properties
@@@ -196,9 -193,6 +193,6 @@@
         {{ include "common.log.sidecar" . | nindent 6 }}
         serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
         volumes:
-       - name: localtime
-         hostPath:
-           path: /etc/localtime
         - name: logs
           emptyDir: {}
         {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }}
@@@ -209,4 -203,5 +203,4 @@@
           configMap:
             name: {{ include "common.fullname" . }}-properties
         restartPolicy: {{ .Values.restartPolicy }}
- -      imagePullSecrets:
- -      - name: {{ include "common.namespace" . }}-docker-registry-key
+ +      {{- include "common.imagePullSecrets" . | nindent 6 }}
diff --combined kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml

index 6e6d537,e6287dc..85470b4
--- 1/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml
--- 2/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml
@@@ -101,9 -101,6 +101,6 @@@ spec
           - name: LOCAL_GROUP_ID
             value: {{ .Values.securityContext.group_id | quote }}
           volumeMounts:
-         - mountPath: /etc/localtime
-           name: localtime
-           readOnly: true
           - mountPath: /opt/app/aai-graphadmin/logs/data/dataSnapshots
             name: snapshots
           - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties
@@@ -135,9 -132,6 +132,6 @@@
         {{- end }}
         serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
         volumes:
-       - name: localtime
-         hostPath:
-           path: /etc/localtime
         - name: logs
           emptyDir: {}
         - name: config
@@@ -153,5 -147,6 +147,5 @@@
           persistentVolumeClaim:
             claimName: {{ include "common.fullname" . }}-migration
         restartPolicy: Never
- -      imagePullSecrets:
- -      - name: "{{ include "common.namespace" . }}-docker-registry-key"
+ +      {{- include "common.imagePullSecrets" . | nindent 6 }}
   {{ end }}
diff --combined kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml

index edc98b7,c389d78..31f9a59
--- 1/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml
--- 2/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml
@@@ -101,9 -101,6 +101,6 @@@ spec
           - name: LOCAL_GROUP_ID
             value: {{ .Values.securityContext.group_id | quote }}
           volumeMounts:
-         - mountPath: /etc/localtime
-           name: localtime
-           readOnly: true
           - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties
             name: config
             subPath: janusgraph-realtime.properties
@@@ -133,9 -130,6 +130,6 @@@
         {{- end }}
         serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
         volumes:
-       - name: localtime
-         hostPath:
-           path: /etc/localtime
         {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }}
         - name: logs
           emptyDir: {}
@@@ -146,5 -140,6 +140,5 @@@
           configMap:
             name: {{ include "common.fullname" . }}-properties
         restartPolicy: Never
- -      imagePullSecrets:
- -      - name: {{ include "common.namespace" . }}-docker-registry-key
+ +      {{- include "common.imagePullSecrets" . | nindent 6 }}
   {{ end }}
diff --combined kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml

index 9bce98d,49a4de3..d4b48e6
--- 1/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml
--- 2/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml
@@@ -99,9 -99,6 +99,6 @@@ spec
           - name: LOCAL_GROUP_ID
             value: {{ .Values.securityContext.group_id | quote }}
           volumeMounts:
-         - mountPath: /etc/localtime
-           name: localtime
-           readOnly: true
           - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties
             name: config
             subPath: janusgraph-realtime.properties
@@@ -146,9 -143,6 +143,6 @@@
           - name: LOCAL_GROUP_ID
             value: {{ .Values.securityContext.group_id | quote }}
           volumeMounts:
-         - mountPath: /etc/localtime
-           name: localtime
-           readOnly: true
           - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties
             name: config
             subPath: janusgraph-realtime.properties
@@@ -178,9 -172,6 +172,6 @@@
         {{- end }}
         serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
         volumes:
-       - name: localtime
-         hostPath:
-           path: /etc/localtime
         {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 8 }}
         - name: {{ include "common.fullname" . }}-logs
           emptyDir: {}
@@@ -194,7 -185,8 +185,7 @@@
           configMap:
             name: {{ include "common.fullname" . }}-properties
         restartPolicy: Never
- -      imagePullSecrets:
- -      - name: "{{ include "common.namespace" . }}-docker-registry-key"
+ +      {{- include "common.imagePullSecrets" . | nindent 6 }}
   ---
   apiVersion: batch/v1
   kind: Job
@@@ -261,9 -253,6 +252,6 @@@ spec
           - name: LOCAL_GROUP_ID
             value: {{ .Values.securityContext.group_id | quote }}
           volumeMounts:
-         - mountPath: /etc/localtime
-           name: localtime
-           readOnly: true
           - mountPath: /opt/app/aai-graphadmin/logs/data/dataSnapshots
             name: snapshots
           - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties
@@@ -295,9 -284,6 +283,6 @@@
         {{- end }}
         serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
         volumes: {{ include "common.resources" . | nindent 10 }}
-       - name: localtime
-         hostPath:
-           path: /etc/localtime
         - name: logs
           emptyDir: {}
         - name: config
@@@ -316,5 -302,6 +301,5 @@@
           persistentVolumeClaim:
             claimName: {{ include "common.fullname" . }}-migration
         restartPolicy: Never
- -      imagePullSecrets:
- -      - name: "{{ include "common.namespace" . }}-docker-registry-key"
+ +      {{- include "common.imagePullSecrets" . | nindent 6 }}
   {{ end }}
diff --combined kubernetes/aai/components/aai-modelloader/templates/deployment.yaml

index 705bd10,3283939..139c254
--- 1/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml
--- 2/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml
@@@ -77,9 -77,6 +77,6 @@@ spec
                 name: {{ include "common.name" . }}-ku
                 key: sasl.jaas.config
           volumeMounts:
-         - mountPath: /etc/localtime
-           name: localtime
-           readOnly: true
           - mountPath: /opt/app/model-loader/config/model-loader.properties
             subPath: model-loader.properties
             name: prop-config
@@@ -93,9 -90,6 +90,6 @@@
           {{ include "common.log.sidecar" . | nindent 6 }}
         serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
         volumes:
-       - name: localtime
-         hostPath:
-           path: /etc/localtime
         - name: prop-config
           configMap:
             name: {{ include "common.fullname" . }}-prop
@@@ -106,4 -100,5 +100,4 @@@
           configMap:
             name: {{ include "common.fullname" . }}-log
         restartPolicy: {{ .Values.global.restartPolicy | default .Values.restartPolicy }}
- -      imagePullSecrets:
- -      - name: "{{ include "common.namespace" . }}-docker-registry-key"
+ +      {{- include "common.imagePullSecrets" . | nindent 6 }}
diff --combined kubernetes/aai/components/aai-resources/templates/deployment.yaml

index 5d6e612,8c44bc9..bd642f3
--- 1/kubernetes/aai/components/aai-resources/templates/deployment.yaml
--- 2/kubernetes/aai/components/aai-resources/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-resources/templates/deployment.yaml
@@@ -167,9 -167,6 +167,6 @@@ spec
           - name: INTERNAL_PORT_3
             value: {{ .Values.service.internalPort3 | quote }}
           volumeMounts:
-         - mountPath: /etc/localtime
-           name: localtime
-           readOnly: true
           - mountPath: /opt/app/aai-resources/resources/etc/appprops/janusgraph-realtime.properties
             name: {{ include "common.fullname" . }}-config
             subPath: janusgraph-realtime.properties
@@@ -265,9 -262,6 +262,6 @@@
         {{ include "common.log.sidecar" . | nindent 6 }}
         serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
         volumes:
-       - name: localtime
-         hostPath:
-           path: /etc/localtime
         - name: logs
           emptyDir: {}
         {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }}
@@@ -275,4 -269,5 +269,4 @@@
           configMap:
             name: {{ include "common.fullname" . }}
         restartPolicy: {{ .Values.restartPolicy }}
- -      imagePullSecrets:
- -      - name: "{{ include "common.namespace" . }}-docker-registry-key"
+ +      {{- include "common.imagePullSecrets" . | nindent 6 }}
diff --combined kubernetes/aai/components/aai-schema-service/templates/deployment.yaml

index 0483def,da1825c..0ecc2b2
--- 1/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml
--- 2/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml
@@@ -70,9 -70,6 +70,6 @@@ spec
           - name: LOCAL_GROUP_ID
             value: {{ .Values.securityContext.group_id | quote }}
           volumeMounts:
-         - mountPath: /etc/localtime
-           name: localtime
-           readOnly: true
           - mountPath: /opt/app/aai-schema-service/resources/etc/appprops/aaiconfig.properties
             name: aaiconfig-conf
             subPath: aaiconfig.properties
@@@ -126,9 -123,6 +123,6 @@@
         - name: aai-common-aai-auth-mount
           secret:
             secretName: aai-common-aai-auth
-       - name: localtime
-         hostPath:
-           path: /etc/localtime
         - name: logs
           emptyDir: {}
         {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }}
@@@ -148,4 -142,5 +142,4 @@@
           configMap:
             name: {{ include "common.fullname" . }}-realm
         restartPolicy: {{ .Values.restartPolicy }}
- -      imagePullSecrets:
- -      - name: "{{ include "common.namespace" . }}-docker-registry-key"
+ +      {{- include "common.imagePullSecrets" . | nindent 6 }}
diff --combined kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml

index 54f93bc,a8f76ed..00e43d2
--- 1/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml
--- 2/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml
@@@ -67,9 -67,6 +67,6 @@@ spec
             echo "*** actual launch of AAI Sparky BE"
             /opt/app/sparky/bin/start.sh
           volumeMounts:
-         - mountPath: /etc/localtime
-           name: localtime
-           readOnly: true
           - mountPath: {{ .Values.log.path }}
             name: logs
           - mountPath:  /opt/app/sparky/config/application.properties
@@@ -128,9 -125,6 +125,6 @@@
         {{ include "common.log.sidecar" . | nindent 6 }}
         serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
         volumes:
-       - name: localtime
-         hostPath:
-           path: /etc/localtime
         - name: config
           configMap:
             name: {{ include "common.fullname" . }}
@@@ -140,4 -134,5 +134,4 @@@
         - name: modeldir
           emptyDir: {}
         restartPolicy: {{ .Values.global.restartPolicy | default .Values.restartPolicy }}
- -      imagePullSecrets:
- -      - name: "{{ include "common.namespace" . }}-docker-registry-key"
+ +      {{- include "common.imagePullSecrets" . | nindent 6 }}
diff --combined kubernetes/aai/components/aai-traversal/templates/deployment.yaml

index 55176bc,2057ef4..ddbc43b
--- 1/kubernetes/aai/components/aai-traversal/templates/deployment.yaml
--- 2/kubernetes/aai/components/aai-traversal/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-traversal/templates/deployment.yaml
@@@ -188,9 -188,6 +188,6 @@@ spec
           - name: INTERNAL_PORT_3
             value: {{ .Values.service.internalPort3 | quote }}
           volumeMounts:
-         - mountPath: /etc/localtime
-           name: localtime
-           readOnly: true
           - mountPath: /opt/app/aai-traversal/resources/etc/appprops/janusgraph-realtime.properties
             name: {{ include "common.fullname" . }}-config
             subPath: janusgraph-realtime.properties
@@@ -292,9 -289,6 +289,6 @@@
         {{ include "common.log.sidecar" . | nindent 6 }}
         serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
         volumes:
-       - name: localtime
-         hostPath:
-           path: /etc/localtime
         - name: logs
           emptyDir: {}
         - name: {{ include "common.fullname" . }}-logs-misc
@@@ -304,4 -298,5 +298,4 @@@
           configMap:
             name: {{ include "common.fullname" . }}
         restartPolicy: {{ .Values.global.restartPolicy | default .Values.restartPolicy }}
- -      imagePullSecrets:
- -      - name: "{{ include "common.namespace" . }}-docker-registry-key"
+ +      {{- include "common.imagePullSecrets" . | nindent 6 }}
diff --combined kubernetes/aai/components/aai-traversal/templates/job.yaml

index 687dcbf,605042b..06aa4af
--- 1/kubernetes/aai/components/aai-traversal/templates/job.yaml
--- 2/kubernetes/aai/components/aai-traversal/templates/job.yaml
+++ b/kubernetes/aai/components/aai-traversal/templates/job.yaml
@@@ -86,9 -86,6 +86,6 @@@ spec
             value: {{ .Values.global.config.groupId | quote }}
           resources: {{ include "common.resources" . | nindent 10 }}
           volumeMounts:
-         - mountPath: /etc/localtime
-           name: localtime
-           readOnly: true
           - mountPath: /opt/app/aai-traversal/resources/etc/appprops/janusgraph-realtime.properties
             name: {{ include "common.fullname" . }}-config
             subPath: janusgraph-realtime.properties
@@@ -115,9 -112,6 +112,6 @@@
           # so K8s doesn't restart unresponsive container
         serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
         volumes:
-       - name: localtime
-         hostPath:
-           path: /etc/localtime
         - name: {{ include "common.fullname" . }}-logs
           emptyDir: {}
         - name: {{ include "common.fullname" . }}-logs-misc
@@@ -127,5 -121,6 +121,5 @@@
           configMap:
             name: {{ include "common.fullname" . }}
         restartPolicy: OnFailure
- -      imagePullSecrets:
- -      - name: "{{ include "common.namespace" . }}-docker-registry-key"
+ +      {{- include "common.imagePullSecrets" . | nindent 6 }}
   {{ end }}
diff --combined kubernetes/aai/templates/deployment.yaml

index 5a7f38c,c17fa22..5b10c43
--- 1/kubernetes/aai/templates/deployment.yaml
--- 2/kubernetes/aai/templates/deployment.yaml
+++ b/kubernetes/aai/templates/deployment.yaml
@@@ -91,9 -91,6 +91,6 @@@ spec
           image: "{{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }}"
           imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
           volumeMounts:
-         - mountPath: /etc/localtime
-           name: localtime
-           readOnly: true
           - mountPath: /dev/log
             name: aai-service-log
           - mountPath: /usr/local/etc/haproxy/haproxy.cfg
@@@ -146,13 -143,11 +143,10 @@@
         {{- end }}
         serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
         volumes:
-         - name: localtime
-           hostPath:
-             path: /etc/localtime
           - name: aai-service-log
             hostPath:
               path: "/dev/log"
           - name: haproxy-cfg
             configMap:
               name: aai-deployment-configmap
- -      imagePullSecrets:
- -      - name: "{{ include "common.namespace" . }}-docker-registry-key"
+ +      {{- include "common.imagePullSecrets" . | nindent 6 }}
author	Lukasz Rajewski <lukasz.rajewski@t-mobile.pl>
	Mon, 25 Mar 2024 10:10:40 +0000 (10:10 +0000)
committer	Gerrit Code Review <gerrit@onap.org>
	Mon, 25 Mar 2024 10:10:40 +0000 (10:10 +0000)
		1	2
kubernetes/aai/components/aai-babel/templates/deployment.yaml	patch \|	diff1 \|	diff2 \|	blob \| history
kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml	patch \|	diff1 \|	diff2 \|	blob \| history
kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml	patch \|	diff1 \|	diff2 \|	blob \| history
kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml	patch \|	diff1 \|	diff2 \|	blob \| history
kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml	patch \|	diff1 \|	diff2 \|	blob \| history
kubernetes/aai/components/aai-modelloader/templates/deployment.yaml	patch \|	diff1 \|	diff2 \|	blob \| history
kubernetes/aai/components/aai-resources/templates/deployment.yaml	patch \|	diff1 \|	diff2 \|	blob \| history
kubernetes/aai/components/aai-schema-service/templates/deployment.yaml	patch \|	diff1 \|	diff2 \|	blob \| history
kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml	patch \|	diff1 \|	diff2 \|	blob \| history
kubernetes/aai/components/aai-traversal/templates/deployment.yaml	patch \|	diff1 \|	diff2 \|	blob \| history
kubernetes/aai/components/aai-traversal/templates/job.yaml	patch \|	diff1 \|	diff2 \|	blob \| history
kubernetes/aai/templates/deployment.yaml	patch \|	diff1 \|	diff2 \|	blob \| history