adapt for openshift

equinixmetal-helm · Sep 5, 2024 · 540abae · 540abae
1 parent 4212891
commit 540abae
Show file tree

Hide file tree

Showing 5 changed files with 87 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -100,11 +100,11 @@ please refer to [the official krakend documentation](https://www.krakend.io/docs
 | podDisruptionBudget.minAvailable | int | `1` | minimum available pods |
 | podDisruptionBudget.unhealthyPodEvictionPolicy | string | `""` | UnhealthyPodEvictionPolicy defines the criteria for when unhealthy pods should be considered for eviction |
 | podLabels | object | `{}` | Labels to use for the krakend pod |
-| podSecurityContext | object | `{}` | The securityContext to use for the krakend pod |
+| podSecurityContext | object | `{"enabled":false}` | The securityContext to use for the krakend pod |
 | readinessProbe | object | `{"httpGet":{"path":"/__health","port":"http"}}` | The readinessProbe to use for the krakend pod |
 | replicaCount | int | `1` | Number of replicas to deploy |
 | resources | object | `{}` | The resources to use for the krakend pod |
-| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"add":["NET_BIND_SERVICE"],"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":1000}` | The securityContext to use for the krakend container |
+| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"add":["NET_BIND_SERVICE"],"drop":["ALL"]},"enabled":true,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":1000}` | The securityContext to use for the krakend container |
 | service | object | `{"annotations":{},"externalTrafficPolicy":"","metrics":{"enabled":false,"port":9100,"targetPort":9100},"port":80,"targetPort":8080,"type":"ClusterIP"}` | The service settings to use for the krakend service |
 | service.annotations | object | `{}` | The annotations to use for the service |
 | service.externalTrafficPolicy | string | `""` | The External Traffic Policy of the service |
@@ -128,6 +128,23 @@ please refer to [the official krakend documentation](https://www.krakend.io/docs
 | tolerations | object | `[]` | The tolerations to use for the krakend pod |
 | topologySpreadConstraints | array | `[]` | The topologySpreadConstraints to use for the krakend pod |
 
+### Openshift
+
+This chart automatically detects its installation on an openshift cluster, in which case the following properties are removed from the securityContext of pods/containers:
+
+- fsGroup
+- runAsUser
+- runAsGroup
+
+You can force openshift detection with the following value:
+
+```yaml
+global:
+  compatibility:
+    openshift:
+      adaptSecurityContext: "force"
+```
+
 ## Development
 
 ### Prerequisites

diff --git a/README.md.gotmpl b/README.md.gotmpl
@@ -51,6 +51,23 @@ please refer to [the official krakend documentation](https://www.krakend.io/docs
 
 {{ template "chart.valuesSection" . }}
 
+### Openshift
+
+This chart automatically detects its installation on an openshift cluster, in which case the following properties are removed from the securityContext of pods/containers:
+
+- fsGroup
+- runAsUser
+- runAsGroup
+
+You can force openshift detection with the following value:
+
+```yaml
+global:
+  compatibility:
+    openshift:
+      adaptSecurityContext: "force"
+```
+
 ## Development
 
 ### Prerequisites

diff --git a/templates/_compatibility.tpl b/templates/_compatibility.tpl
@@ -0,0 +1,42 @@
+{{/*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/* 
+Return true if the detected platform is Openshift
+Usage:
+{{- include "common.compatibility.isOpenshift" . -}}
+*/}}
+{{- define "common.compatibility.isOpenshift" -}}
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
+{{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC
+Usage:
+{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}}
+*/}}
+{{- define "common.compatibility.renderSecurityContext" -}}
+{{- $adaptedContext := .secContext -}}
+
+{{- if (((.context.Values.global).compatibility).openshift) -}}
+  {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}}
+    {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}}
+    {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
+    {{- if not .secContext.seLinuxOptions -}}
+    {{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}}
+    {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+{{/* Remove fields that are disregarded when running the container in privileged mode */}}
+{{- if $adaptedContext.privileged -}}
+  {{- $adaptedContext = omit $adaptedContext "capabilities" "seLinuxOptions" -}}
+{{- end -}}
+{{- omit $adaptedContext "enabled" | toYaml -}}
+{{- end -}}
diff --git a/templates/deployment.yaml b/templates/deployment.yaml
@@ -47,12 +47,14 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ include "krakend.serviceAccountName" . }}
-      securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      {{- if .Values.podSecurityContext.enabled }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }}
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}
-          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
+          {{- if .Values.securityContext.enabled }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.securityContext "context" $) | nindent 12 }}
+          {{- end }}
           image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           command: [ "/usr/bin/krakend" ]

diff --git a/values.yaml b/values.yaml
@@ -147,11 +147,13 @@ deploymentAnnotations: {}
 podLabels: {}
 
 # -- (object) The securityContext to use for the krakend pod
-podSecurityContext: {}
+podSecurityContext:
+  enabled: false
   # fsGroup: 2000
 
 # -- (object) The securityContext to use for the krakend container
 securityContext:
+  enabled: true
   allowPrivilegeEscalation: false
   runAsNonRoot: true
   runAsUser: 1000