From b13a175668e8d120046462f08f6a78b43ddc05cf Mon Sep 17 00:00:00 2001 From: mosad Date: Fri, 29 May 2020 12:35:45 +0200 Subject: [PATCH] Reshape security context for AWX containers --- installer/roles/kubernetes/defaults/main.yml | 10 +++++++ .../kubernetes/templates/deployment.yml.j2 | 30 ++++++++++++++++++- 2 files changed, 39 insertions(+), 1 deletion(-) diff --git a/installer/roles/kubernetes/defaults/main.yml b/installer/roles/kubernetes/defaults/main.yml index 701a659ad7..3bb3aacbf4 100644 --- a/installer/roles/kubernetes/defaults/main.yml +++ b/installer/roles/kubernetes/defaults/main.yml @@ -16,12 +16,19 @@ kubernetes_web_image: "{{ tower_package_name | default('ansible/awx_web') }}" web_mem_request: 1 web_cpu_request: 500 +web_security_context_enabled: true +web_security_context_privileged: false task_mem_request: 2 task_cpu_request: 1500 +task_security_context_enabled: true +task_security_context_privileged: false redis_mem_request: 2 redis_cpu_request: 500 +redis_security_context_enabled: true +redis_security_context_privileged: false +redis_security_context_user: 1001 kubernetes_redis_image: "redis" kubernetes_redis_image_tag: "latest" @@ -29,6 +36,9 @@ kubernetes_redis_config_mount_path: "/usr/local/etc/redis/redis.conf" memcached_mem_request: 1 memcached_cpu_request: 500 +memcached_security_context_enabled: true +memcached_security_context_privileged: false +memcached_security_context_user: 1001 kubernetes_memcached_version: "latest" kubernetes_memcached_image: "memcached" diff --git a/installer/roles/kubernetes/templates/deployment.yml.j2 b/installer/roles/kubernetes/templates/deployment.yml.j2 index f5cf12cb99..9334a44a50 100644 --- a/installer/roles/kubernetes/templates/deployment.yml.j2 +++ b/installer/roles/kubernetes/templates/deployment.yml.j2 
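Review bot: The eight new `*_security_context_*` keys are added without any comment on how they interact, and the relationship is not obvious from the template side: `*_security_context_enabled` decides whether a `securityContext:` block is rendered at all, while `*_security_context_privileged` and `*_security_context_user` are each emitted only when the variable is defined. A comment above the first group such as `# *_security_context_enabled gates the whole securityContext block; privileged/user are rendered only when defined` would save the next reader a trip into deployment.yml.j2. The same applies to the memcached keys in the second hunk at -29. Note also that only redis and memcached get a `_user` default (and a `runAsUser` in the template); web and task get no way to set a uid, which looks like an inconsistency worth either filling in or stating as intentional.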
@@ -89,6 +89,12 @@ spec:
 {% endif %}
 containers:
 - name: {{ kubernetes_deployment_name }}-web
+{% if web_security_context_enabled is defined and web_security_context_enabled | bool %}
+ securityContext:
+{% if web_security_context_privileged is defined %}
+ privileged: {{ web_security_context_privileged }}
+{% endif %}
+{% endif %}
 image: "{{ kubernetes_web_image }}:{{ kubernetes_web_version }}"
 imagePullPolicy: Always
 ports:
@@ -178,8 +184,12 @@ spec:
 cpu: "{{ web_cpu_limit }}m"
 {% endif %}
 - name: {{ kubernetes_deployment_name }}-task
+{% if task_security_context_enabled is defined and task_security_context_enabled | bool %}
 securityContext:
- privileged: true
+{% if task_security_context_privileged is defined %}
+ privileged: {{ task_security_context_privileged }}
+{% endif %}
+{% endif %}
 image: "{{ kubernetes_task_image }}:{{ kubernetes_task_version }}"
 command:
 - /usr/bin/launch_awx_task.sh
@@ -270,6 +280,15 @@ spec:
 cpu: "{{ task_cpu_limit }}m"
 {% endif %}
 - name: {{ kubernetes_deployment_name }}-redis
+{% if redis_security_context_enabled is defined and redis_security_context_enabled | bool %}
+ securityContext:
+{% if redis_security_context_privileged is defined %}
+ privileged: {{ redis_security_context_privileged }}
+{% endif %}
+{% if redis_security_context_user is defined %}
+ runAsUser: {{ redis_security_context_user }}
+{% endif %}
+{% endif %}
 image: {{ kubernetes_redis_image }}:{{ kubernetes_redis_image_tag }}
 imagePullPolicy: Always
 args: ["redis-server", "{{ kubernetes_redis_config_mount_path }}"]
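Review bot: The outer `{% if web_security_context_enabled ... %}` emits `securityContext:` unconditionally, but its only child `privileged:` is guarded separately, so an installer that sets `web_security_context_enabled: true` and leaves `web_security_context_privileged` undefined renders a bare `securityContext:` with no children, which YAML reads as null; the same shape appears in the task (-178), redis (-270) and memcached (-295) hunks. Either fold the child condition into the outer one or give the child a rendered default so the block is never empty. The value itself is interpolated as a raw Python boolean, which renders as `True`/`False`; Kubernetes' YAML loader accepts those spellings, but `privileged: {{ web_security_context_privileged | bool | to_json }}` renders canonical `false` and also guards against a string value such as `"no"` reaching the manifest. Since the intent here is a non-privileged container, `allowPrivilegeEscalation: false` is the usual companion field to set alongside `privileged: false`.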
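Review bot: Removing the hard-coded `privileged: true` on the task container and replacing it with `task_security_context_privileged`, whose new default in defaults/main.yml is `false`, changes the effective security context of every existing installation without the commit description saying so. If the task container still relies on privileged mode for anything (the removed line suggests it did; confirm against the container's job-isolation requirements), the default should stay `true` with the opt-out documented, otherwise the drop in privileges is the headline of this change and belongs in the description and in a comment next to the default. Either way, a one-line comment above the `{% if task_security_context_enabled ... %}` block stating the previous behaviour (`{# previously hard-coded privileged: true #}`) would make the history visible to the next reader.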
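Review bot: `runAsUser: {{ redis_security_context_user }}` is paired in defaults/main.yml with `redis_security_context_user: 1001` and `kubernetes_redis_image: "redis"`; 1001 is a convention of some third-party redis images, whereas the stock image ships its own non-root user, so paths it expects to write (for example a persistence directory) may not be owned by uid 1001 — confirm the uid against the image actually deployed, or set an `fsGroup` on the pod so mounted volumes are writable. Since the goal of `runAsUser` here is non-root execution, adding `runAsNonRoot: true` next to it makes the kubelet reject the container if the configured uid (or the image default when `redis_security_context_user` is undefined) resolves to root. The memcached hunk at -295 has the same pairing with the stock `memcached` image.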
@@ -295,6 +314,15 @@ spec:
 cpu: "{{ redis_cpu_limit }}m"
 {% endif %}
 - name: {{ kubernetes_deployment_name }}-memcached
+{% if memcached_security_context_enabled is defined and memcached_security_context_enabled | bool %}
+ securityContext:
+{% if memcached_security_context_privileged is defined %}
+ privileged: {{ memcached_security_context_privileged }}
+{% endif %}
+{% if memcached_security_context_user is defined %}
+ runAsUser: {{ memcached_security_context_user }}
+{% endif %}
+{% endif %}
 image: "{{ kubernetes_memcached_image }}:{{ kubernetes_memcached_version }}"
 imagePullPolicy: Always
 command: