From 013545ab19ff83dacacceaca251764c39b1cd1c8 Mon Sep 17 00:00:00 2001
From: Fiete Ostkamp
Date: Wed, 6 Mar 2024 09:45:59 +0100
Subject: [PATCH] [AAI] Kyverno - disallow-host-path policy - remove hostPath mounting of /etc/localtime

Issue-ID: AAI-3803
Change-Id: Ia5d1bfef1581a5e3f1b2ed3869ad1f840337f969
Signed-off-by: Fiete Ostkamp
---
.../aai/components/aai-babel/templates/deployment.yaml | 6 ------
.../components/aai-graphadmin/templates/deployment.yaml | 6 ------
.../aai-graphadmin/templates/job-copy-db-backup.yaml | 6 ------
.../aai-graphadmin/templates/job-create-db.yaml | 6 ------
.../aai-graphadmin/templates/job-migration.yaml | 15 ---------------
.../components/aai-modelloader/templates/deployment.yaml | 6 ------
.../components/aai-resources/templates/deployment.yaml | 6 ------
.../aai-schema-service/templates/deployment.yaml | 6 ------
.../components/aai-sparky-be/templates/deployment.yaml | 6 ------
.../components/aai-traversal/templates/deployment.yaml | 6 ------
.../aai/components/aai-traversal/templates/job.yaml | 6 ------
kubernetes/aai/templates/deployment.yaml | 6 ------
12 files changed, 81 deletions(-)

diff --git a/kubernetes/aai/components/aai-babel/templates/deployment.yaml b/kubernetes/aai/components/aai-babel/templates/deployment.yaml
index 397e8fd556..7f088fc74f 100644
--- a/kubernetes/aai/components/aai-babel/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-babel/templates/deployment.yaml
@@ -58,9 +58,6 @@ spec:
- name: CONFIG_HOME value: /opt/app/babel/config volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/babel/config/application.properties name: config subPath: application.properties
@@ -94,9 +91,6 @@ spec:
{{ include "common.log.sidecar" . | nindent 8 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: config configMap: name: {{ include "common.fullname" . }}-configmap
diff --git a/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml b/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml
index 1f666ddfcd..f65c15bcb8 100644
--- a/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml
@@ -123,9 +123,6 @@ spec:
- name: INTERNAL_PORT_3 value: {{ .Values.service.internalPort3 | quote }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties name: config subPath: janusgraph-realtime.properties
@@ -196,9 +193,6 @@ spec:
{{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: logs emptyDir: {} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }}
diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml
index 7d73876d16..e6287dcace 100644
--- a/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml
@@ -101,9 +101,6 @@ spec:
- name: LOCAL_GROUP_ID value: {{ .Values.securityContext.group_id | quote }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/aai-graphadmin/logs/data/dataSnapshots name: snapshots - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties
@@ -135,9 +132,6 @@ spec:
{{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: logs emptyDir: {} - name: config
diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml
index ac40f095cb..c389d782d0 100644
--- a/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml
@@ -101,9 +101,6 @@ spec:
- name: LOCAL_GROUP_ID value: {{ .Values.securityContext.group_id | quote }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties name: config subPath: janusgraph-realtime.properties
@@ -133,9 +130,6 @@ spec:
{{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: logs emptyDir: {}
diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml
index 6b7f89f733..49a4de3974 100644
--- a/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml
@@ -99,9 +99,6 @@ spec:
- name: LOCAL_GROUP_ID value: {{ .Values.securityContext.group_id | quote }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties name: config subPath: janusgraph-realtime.properties
@@ -146,9 +143,6 @@ spec:
- name: LOCAL_GROUP_ID value: {{ .Values.securityContext.group_id | quote }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties name: config subPath: janusgraph-realtime.properties
@@ -178,9 +172,6 @@ spec:
{{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 8 }} - name: {{ include "common.fullname" . }}-logs emptyDir: {}
@@ -262,9 +253,6 @@ spec:
- name: LOCAL_GROUP_ID value: {{ .Values.securityContext.group_id | quote }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/aai-graphadmin/logs/data/dataSnapshots name: snapshots - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties
@@ -296,9 +284,6 @@ spec:
{{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: {{ include "common.resources" . | nindent 10 }} - - name: localtime - hostPath: - path: /etc/localtime - name: logs emptyDir: {} - name: config
diff --git a/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml b/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml
index b3fd237fb6..32839396b7 100644
--- a/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml
@@ -77,9 +77,6 @@ spec:
name: {{ include "common.name" . }}-ku key: sasl.jaas.config volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/model-loader/config/model-loader.properties subPath: model-loader.properties name: prop-config
@@ -93,9 +90,6 @@ spec:
{{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: prop-config configMap: name: {{ include "common.fullname" . }}-prop
diff --git a/kubernetes/aai/components/aai-resources/templates/deployment.yaml b/kubernetes/aai/components/aai-resources/templates/deployment.yaml
index 1e2880d529..8c44bc9f4a 100644
--- a/kubernetes/aai/components/aai-resources/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-resources/templates/deployment.yaml
@@ -167,9 +167,6 @@ spec:
- name: INTERNAL_PORT_3 value: {{ .Values.service.internalPort3 | quote }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/aai-resources/resources/etc/appprops/janusgraph-realtime.properties name: {{ include "common.fullname" . }}-config subPath: janusgraph-realtime.properties
@@ -265,9 +262,6 @@ spec:
{{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: logs emptyDir: {} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }}
diff --git a/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml b/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml
index d0b81492aa..da1825ca3c 100644
--- a/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml
@@ -70,9 +70,6 @@ spec:
- name: LOCAL_GROUP_ID value: {{ .Values.securityContext.group_id | quote }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/aai-schema-service/resources/etc/appprops/aaiconfig.properties name: aaiconfig-conf subPath: aaiconfig.properties
@@ -126,9 +123,6 @@ spec:
- name: aai-common-aai-auth-mount secret: secretName: aai-common-aai-auth - - name: localtime - hostPath: - path: /etc/localtime - name: logs emptyDir: {} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }}
diff --git a/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml b/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml
index 1685bc5001..a8f76ed41b 100644
--- a/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml
@@ -67,9 +67,6 @@ spec:
echo "*** actual launch of AAI Sparky BE" /opt/app/sparky/bin/start.sh volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: {{ .Values.log.path }} name: logs - mountPath: /opt/app/sparky/config/application.properties
@@ -128,9 +125,6 @@ spec:
{{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: config configMap: name: {{ include "common.fullname" . }}
diff --git a/kubernetes/aai/components/aai-traversal/templates/deployment.yaml b/kubernetes/aai/components/aai-traversal/templates/deployment.yaml
index d6e49acc4b..2057ef44f3 100644
--- a/kubernetes/aai/components/aai-traversal/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-traversal/templates/deployment.yaml
@@ -188,9 +188,6 @@ spec:
- name: INTERNAL_PORT_3 value: {{ .Values.service.internalPort3 | quote }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/aai-traversal/resources/etc/appprops/janusgraph-realtime.properties name: {{ include "common.fullname" . }}-config subPath: janusgraph-realtime.properties
@@ -292,9 +289,6 @@ spec:
{{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: logs emptyDir: {} - name: {{ include "common.fullname" . }}-logs-misc
diff --git a/kubernetes/aai/components/aai-traversal/templates/job.yaml b/kubernetes/aai/components/aai-traversal/templates/job.yaml
index ae8bd85a37..605042b364 100644
--- a/kubernetes/aai/components/aai-traversal/templates/job.yaml
+++ b/kubernetes/aai/components/aai-traversal/templates/job.yaml
@@ -86,9 +86,6 @@ spec:
value: {{ .Values.global.config.groupId | quote }} resources: {{ include "common.resources" . | nindent 10 }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/aai-traversal/resources/etc/appprops/janusgraph-realtime.properties name: {{ include "common.fullname" . }}-config subPath: janusgraph-realtime.properties
@@ -115,9 +112,6 @@ spec:
# so K8s doesn't restart unresponsive container serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: {{ include "common.fullname" . }}-logs emptyDir: {} - name: {{ include "common.fullname" . }}-logs-misc
diff --git a/kubernetes/aai/templates/deployment.yaml b/kubernetes/aai/templates/deployment.yaml
index 153947ebb1..c17fa22fa3 100644
--- a/kubernetes/aai/templates/deployment.yaml
+++ b/kubernetes/aai/templates/deployment.yaml
@@ -91,9 +91,6 @@ spec:
image: "{{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /dev/log name: aai-service-log - mountPath: /usr/local/etc/haproxy/haproxy.cfg
@@ -146,9 +143,6 @@ spec:
{{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: aai-service-log hostPath: path: "/dev/log"
--
2.16.6
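Review bot: The `aai-service-log` volume left in the context right after the removed block is itself a hostPath (`hostPath:` / `path: "/dev/log"`), and its `- mountPath: /dev/log` mount is visible in the earlier hunk of this same file, so the disallow-host-path policy named in the commit title would presumably still flag this Deployment once only the localtime mount is gone. If the haproxy container genuinely needs the node's syslog socket, that is a hostPath by design and wants a documented policy exception rather than a silent leftover; if it does not, the `/dev/log` volume and its volumeMount should be dropped together with localtime. Either way the commit message should say which, since as written it reads as making the chart policy-clean. The enclosing `volumes:` list continues past the hunk.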