Merge pull request #7188 from mo-saeed/devel

Reshape security context for AWX containers
2026-01-11 01:57:35 -03:30 · 2020-06-11 15:26:58 -04:00 · 2020-06-11 15:26:58 -04:00 · e035eea95a
commit e035eea95a
parent cb1a3e4199 eb5970b4a1
2 changed files with 95 additions and 1 deletions
--- a/installer/roles/kubernetes/defaults/main.yml
+++ b/installer/roles/kubernetes/defaults/main.yml
@ -14,14 +14,25 @@ kubernetes_awx_image: "{{ tower_package_name | default('ansible/awx') }}"
 kubernetes_web_image: "{{ kubernetes_awx_image }}"
 kubernetes_task_image: "{{ kubernetes_awx_image }}"

+awx_psp_create: false
+awx_psp_name: 'awx'
+awx_psp_privileged: true
+
 web_mem_request: 1
 web_cpu_request: 500
+web_security_context_enabled: true
+web_security_context_privileged: false

 task_mem_request: 2
 task_cpu_request: 1500
+task_security_context_enabled: true
+task_security_context_privileged: true

 redis_mem_request: 2
 redis_cpu_request: 500
+redis_security_context_enabled: true
+redis_security_context_privileged: false
+redis_security_context_user: 1001

 kubernetes_redis_image: "redis"
 kubernetes_redis_image_tag: "latest"
--- a/installer/roles/kubernetes/templates/deployment.yml.j2
+++ b/installer/roles/kubernetes/templates/deployment.yml.j2
@ -15,6 +15,70 @@ imagePullSecrets:
  - name: "{{ kubernetes_image_pull_secrets }}"
 {% endif %}

+{% if awx_psp_create is defined and awx_psp_create | bool %}
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ awx_psp_name }}-psp
+spec:
+{% if awx_psp_privileged is defined %}
+  privileged: {{ awx_psp_privileged }}
+  allowPrivilegeEscalation: {{ awx_psp_privileged }}
+{% endif %}
+  requiredDropCapabilities:
+    - ALL
+  volumes:
+    - 'configMap'
+    - 'emptyDir'
+    - 'projected'
+    - 'secret'
+    - 'downwardAPI'
+    - 'persistentVolumeClaim'
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'MustRunAsNonRoot'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: {{ kubernetes_namespace }}
+  name: {{ awx_psp_name }}-role
+rules:
+- apiGroups:
+  - policy
+  resources:
+  - podsecuritypolicies
+  resourceNames:
+  - {{ awx_psp_name }}-psp
+  verbs:
+  - use
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ awx_psp_name }}-role-binding
+  namespace: {{ kubernetes_namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ awx_psp_name }}-role
+subjects:
+- kind: ServiceAccount
+  name: awx
+  namespace: {{ kubernetes_namespace }}
+{% endif %}
+
 ---
 apiVersion: {{ kubernetes_deployment_api_version }}
 kind: Deployment
@ -89,6 +153,12 @@ spec:
 {% endif %}
      containers:
        - name: {{ kubernetes_deployment_name }}-web
+{% if web_security_context_enabled is defined and web_security_context_enabled | bool %}
+          securityContext:
+{% if web_security_context_privileged is defined %}
+            privileged: {{ web_security_context_privileged }}
+{% endif %}
+{% endif %}
          image: "{{ kubernetes_awx_image }}:{{ kubernetes_web_version }}"
          imagePullPolicy: Always
          ports:
@ -175,8 +245,12 @@ spec:
              cpu: "{{ web_cpu_limit }}m"
 {% endif %}
        - name: {{ kubernetes_deployment_name }}-task
+{% if task_security_context_enabled is defined and task_security_context_enabled | bool %}
          securityContext:
-            privileged: true
+{% if task_security_context_privileged is defined %}
+            privileged: {{ task_security_context_privileged }}
+{% endif %}
+{% endif %}
          image: "{{ kubernetes_task_image }}:{{ kubernetes_task_version }}"
          command:
            - /usr/bin/launch_awx_task.sh
@ -264,6 +338,15 @@ spec:
              cpu: "{{ task_cpu_limit }}m"
 {% endif %}
        - name: {{ kubernetes_deployment_name }}-redis
+{% if redis_security_context_enabled is defined and redis_security_context_enabled | bool %}
+          securityContext:
+{% if redis_security_context_privileged is defined %}
+            privileged: {{ redis_security_context_privileged }}
+{% endif %}
+{% if redis_security_context_user is defined %}
+            runAsUser: {{ redis_security_context_user }}
+{% endif %}
+{% endif %}
          image: {{ kubernetes_redis_image }}:{{ kubernetes_redis_image_tag }}
          imagePullPolicy: Always
          args: ["redis-server", "{{ kubernetes_redis_config_mount_path }}"]