adapt for openshift #109

Open
wants to merge 3 commits into
base: main
Changes from 1 commit
21 changes: 19 additions & 2 deletions README.md
@@ -100,11 +100,11 @@ please refer to [the official krakend documentation](https://www.krakend.io/docs
| podDisruptionBudget.minAvailable | int | `1` | minimum available pods |
| podDisruptionBudget.unhealthyPodEvictionPolicy | string | `""` | UnhealthyPodEvictionPolicy defines the criteria for when unhealthy pods should be considered for eviction |
| podLabels | object | `{}` | Labels to use for the krakend pod |
| podSecurityContext | object | `{}` | The securityContext to use for the krakend pod |
| podSecurityContext | object | `{"enabled":false}` | The securityContext to use for the krakend pod |
| readinessProbe | object | `{"httpGet":{"path":"/__health","port":"http"}}` | The readinessProbe to use for the krakend pod |
| replicaCount | int | `1` | Number of replicas to deploy |
| resources | object | `{}` | The resources to use for the krakend pod |
| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"add":["NET_BIND_SERVICE"],"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":1000}` | The securityContext to use for the krakend container |
| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"add":["NET_BIND_SERVICE"],"drop":["ALL"]},"enabled":true,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":1000}` | The securityContext to use for the krakend container |
| service | object | `{"annotations":{},"externalTrafficPolicy":"","metrics":{"enabled":false,"port":9100,"targetPort":9100},"port":80,"targetPort":8080,"type":"ClusterIP"}` | The service settings to use for the krakend service |
| service.annotations | object | `{}` | The annotations to use for the service |
| service.externalTrafficPolicy | string | `""` | The External Traffic Policy of the service |
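Review bot: The `podSecurityContext` and `securityContext` rows now show an `enabled` key in their default column, but the description column still reads "The securityContext to use for the krakend pod/container", so a reader cannot tell from the table that `enabled: false` suppresses the whole block (and, for the container, the `runAsNonRoot`, `readOnlyRootFilesystem` and capability-drop hardening with it). Since README.md is generated from README.md.gotmpl via `chart.valuesSection`, the fix belongs in values.yaml: give the nested keys their own doc comment (for example `# -- (bool) Whether to render this securityContext at all`) so helm-docs emits dedicated `podSecurityContext.enabled` and `securityContext.enabled` rows, then regenerate this table instead of hand-editing it.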
@@ -128,6 +128,23 @@ please refer to [the official krakend documentation](https://www.krakend.io/docs
| tolerations | object | `[]` | The tolerations to use for the krakend pod |
| topologySpreadConstraints | array | `[]` | The topologySpreadConstraints to use for the krakend pod |

### Openshift

This chart automatically detects its installation on an openshift cluster, in which case the following properties are removed from the securityContext of pods/containers:

- fsGroup
- runAsUser
- runAsGroup

You can force openshift detection with the following value:

```yaml
global:
compatibility:
openshift:
adaptSecurityContext: "force"
```

## Development

### Prerequisites
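Review bot: The sentence "This chart automatically detects its installation on an openshift cluster" does not match how the helper is gated: in templates/_compatibility.tpl the adaptation only runs when `global.compatibility.openshift.adaptSecurityContext` is `"auto"` (detection via `security.openshift.io/v1`) or `"force"`, and with the value unset nothing is removed. Either state that default here and document the `auto` value next to `force`, or make `auto` the chart default so the sentence is true. It would also help operators to say which fields are kept on OpenShift (the list names only what is removed), since that is the hardening they still get. Spelling: the product name is OpenShift.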
17 changes: 17 additions & 0 deletions README.md.gotmpl
@@ -51,6 +51,23 @@ please refer to [the official krakend documentation](https://www.krakend.io/docs

{{ template "chart.valuesSection" . }}

### Openshift

This chart automatically detects its installation on an openshift cluster, in which case the following properties are removed from the securityContext of pods/containers:

- fsGroup
- runAsUser
- runAsGroup

You can force openshift detection with the following value:

```yaml
global:
compatibility:
openshift:
adaptSecurityContext: "force"
```

## Development

### Prerequisites
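Review bot: The removed-fields list omits two behaviours the helper in templates/_compatibility.tpl actually has: an empty `seLinuxOptions` is dropped as well, and when `privileged: true` is set the helper strips `capabilities` and `seLinuxOptions` on every platform, not only OpenShift. Both change what the rendered securityContext contains, so document them in this section; as this file is the source for README.md, regenerating keeps the two in sync. Suggested wording for the list intro: "the following properties are removed from the securityContext of pods/containers, and an empty seLinuxOptions is dropped as well".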
42 changes: 42 additions & 0 deletions templates/_compatibility.tpl
@@ -0,0 +1,42 @@
{{/*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}

{{/* vim: set filetype=mustache: */}}

{{/*
Return true if the detected platform is Openshift
Usage:
{{- include "common.compatibility.isOpenshift" . -}}
*/}}
{{- define "common.compatibility.isOpenshift" -}}
{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
{{- true -}}
{{- end -}}
{{- end -}}

{{/*
Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC
Usage:
{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}}
*/}}
{{- define "common.compatibility.renderSecurityContext" -}}
{{- $adaptedContext := .secContext -}}

{{- if (((.context.Values.global).compatibility).openshift) -}}
{{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}}
{{/* Remove incompatible user/group values that do not work in Openshift out of the box */}}
{{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
{{- if not .secContext.seLinuxOptions -}}
{{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}}
{{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/* Remove fields that are disregarded when running the container in privileged mode */}}
{{- if $adaptedContext.privileged -}}
{{- $adaptedContext = omit $adaptedContext "capabilities" "seLinuxOptions" -}}
{{- end -}}
{{- omit $adaptedContext "enabled" | toYaml -}}
{{- end -}}
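Review bot: The Usage comment on `common.compatibility.renderSecurityContext` refers to `.Values.containerSecurityContext`, a key this chart does not have (templates/deployment.yaml passes `.Values.securityContext` and `.Values.podSecurityContext`); update the comment to match this chart. The templates are also defined under the `common.` prefix while the rest of the chart uses `krakend.` (see `krakend.serviceAccountName`); a `krakend.compatibility.*` prefix avoids a silent name clash if a library chart that defines `common.compatibility.*` is ever added as a dependency, which the Broadcom copyright header suggests is where this file came from. Minor: the canonical SPDX identifier is `Apache-2.0`.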
10 changes: 6 additions & 4 deletions templates/deployment.yaml
@@ -47,12 +47,14 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "krakend.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
{{- if .Values.podSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
{{- if .Values.securityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.securityContext "context" $) | nindent 12 }}
{{- end }}
image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command: [ "/usr/bin/krakend" ]
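Review bot: Gating on `.Values.podSecurityContext.enabled` changes behaviour for existing users: with the new default `enabled: false`, anyone who previously overrode `podSecurityContext` (for example `fsGroup: 2000`) without also adding `enabled: true` silently loses the pod-level securityContext on upgrade, and one `enabled: false` on the container block turns off `runAsNonRoot`, `readOnlyRootFilesystem` and the capability drop together. Consider treating a missing `enabled` as on, e.g. `{{- if or (not (hasKey .Values.podSecurityContext "enabled")) .Values.podSecurityContext.enabled }}`, and call the change out in the PR description. Also note that a user setting `podSecurityContext: null` makes `.Values.podSecurityContext.enabled` fail with a nil pointer error at render time.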
4 changes: 3 additions & 1 deletion values.yaml
@@ -147,11 +147,13 @@ deploymentAnnotations: {}
podLabels: {}

# -- (object) The securityContext to use for the krakend pod
podSecurityContext: {}
podSecurityContext:
enabled: false
# fsGroup: 2000

# -- (object) The securityContext to use for the krakend container
securityContext:
enabled: true
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1000
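Review bot: As far as the visible diff goes, values.yaml never declares `global.compatibility.openshift`, yet templates/_compatibility.tpl only adapts the securityContext when `global.compatibility.openshift.adaptSecurityContext` is `auto` or `force`; without a default here, the automatic detection the README describes stays off unless the operator sets it. Add the block with a doc comment so helm-docs documents it, e.g. `global.compatibility.openshift.adaptSecurityContext: auto` (or an explicit `disabled` default if opt-in is intended, with the README changed to say so).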