From ec0eb75f805fb3a873217050730b1e3a409928e0 Mon Sep 17 00:00:00 2001
From: John Mazzitelli
Date: Fri, 16 Sep 2022 16:04:31 -0400
Subject: [PATCH] be able to supply your own security context for operator and server containers (#166)

* be able to supply your own security context for operator and server pods

fixes: https://github.com/kiali/kiali/issues/5455

* be able to ignore a user's attempt to override portions of the securityContext
---
 kiali-operator/templates/deployment.yaml | 6 ++++++
 kiali-operator/values.yaml | 6 ++++++
 kiali-server/templates/deployment.yaml | 4 ++++
 kiali-server/values.yaml | 1 +
 4 files changed, 17 insertions(+)

diff --git a/kiali-operator/templates/deployment.yaml b/kiali-operator/templates/deployment.yaml
index 32be341..87204b9 100644
--- a/kiali-operator/templates/deployment.yaml
+++ b/kiali-operator/templates/deployment.yaml
@@ -45,12 +45,16 @@ spec:
 - "--zap-log-level=info"
 - "--leader-election-id={{ include "kiali-operator.fullname" . }}"
 securityContext:
+ {{- if .Values.securityContext }}
+ {{- toYaml .Values.securityContext | nindent 10 }}
+ {{- else }}
 allowPrivilegeEscalation: false
 privileged: false
 runAsNonRoot: true
 capabilities:
 drop:
 - ALL
+ {{- end }}
 volumeMounts:
 - mountPath: /tmp/ansible-operator/runner
 name: runner
@@ -69,6 +73,8 @@ spec:
 value: {{ .Values.allowAdHocKialiNamespace | quote }}
 - name: ALLOW_AD_HOC_KIALI_IMAGE
 value: {{ .Values.allowAdHocKialiImage | quote }}
+ - name: ALLOW_SECURITY_CONTEXT_OVERRIDE
+ value: {{ .Values.allowSecurityContextOverride | quote }}
 - name: PROFILE_TASKS_TASK_OUTPUT_LIMIT
 value: "100"
 - name: ANSIBLE_DEBUG_LOGS
diff --git a/kiali-operator/values.yaml b/kiali-operator/values.yaml
index ee34868..c0a946b 100644
--- a/kiali-operator/values.yaml
+++ b/kiali-operator/values.yaml
@@ -20,6 +20,7 @@ resources:
 affinity: {}
 replicaCount: 1
 priorityClassName: ""
+securityContext: {}

 # metrics.enabled: set to true if you want Prometheus to collect metrics from the operator
 metrics:
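Review bot: A non-empty `.Values.securityContext` replaces the hardened defaults wholesale instead of overlaying them, so a user who sets only `runAsUser: 1000` silently loses `allowPrivilegeEscalation: false`, `runAsNonRoot: true` and `capabilities.drop: [ALL]` on the operator container; kiali-server/templates/deployment.yaml has the same pattern, where `readOnlyRootFilesystem: true` is dropped as well. The `ALLOW_SECURITY_CONTEXT_OVERRIDE` flag added in the next hunk appears to govern only what the operator does to the Kiali container it manages, not these chart templates. If wholesale replacement is the intent it should be stated next to the values.yaml key; otherwise build the hardened map first and overlay the user's keys, e.g. `{{- $hardened := dict "allowPrivilegeEscalation" false "privileged" false "runAsNonRoot" true "capabilities" (dict "drop" (list "ALL")) }}` followed by `{{- toYaml (mergeOverwrite $hardened (.Values.securityContext | default (dict))) | nindent 10 }}`, which keeps every default the user does not explicitly name and removes the need for the if/else.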
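Review bot: `securityContext: {}` is added without any comment, although the `# metrics.enabled:` entry just below shows this file documents its keys, so a user gets no hint that a non-empty value is used verbatim in place of the chart's hardened defaults rather than merged with them; the same is true of `security_context: {}` in kiali-server/values.yaml. Suggested comment above the key: `# securityContext: if non-empty, used as the operator container's securityContext instead of the chart's hardened default (allowPrivilegeEscalation=false, privileged=false, runAsNonRoot=true, capabilities drop ALL). Include those settings when customizing.`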
@@ -67,6 +68,11 @@ allowAdHocKialiNamespace: true
 # You may want to disable this if you do not want users to install their own Kiali images.
 allowAdHocKialiImage: false

+# allowSecurityContextOverride tells the operator to allow a user to be able to fully override the Kiali
+# container securityContext. If this is false, certain securityContext settings must exist on the Kiali
+# container and any attempt to override them will be ignored.
+allowSecurityContextOverride: false
+
 # For what a Kiali CR spec can look like, see:
 # https://github.com/kiali/kiali-operator/blob/master/deploy/kiali/kiali_cr.yaml
 cr:
diff --git a/kiali-server/templates/deployment.yaml b/kiali-server/templates/deployment.yaml
index a996115..15517b0 100644
--- a/kiali-server/templates/deployment.yaml
+++ b/kiali-server/templates/deployment.yaml
@@ -61,6 +61,9 @@ spec:
 - "-config"
 - "/kiali-configuration/config.yaml"
 securityContext:
+ {{- if .Values.deployment.security_context}}
+ {{- toYaml .Values.deployment.security_context | nindent 10 }}
+ {{- else }}
 allowPrivilegeEscalation: false
 privileged: false
 readOnlyRootFilesystem: true
@@ -68,6 +71,7 @@ spec:
 capabilities:
 drop:
 - ALL
+ {{- end }}
 ports:
 - name: api-port
 containerPort: {{ .Values.server.port | default 20001 }}
diff --git a/kiali-server/values.yaml b/kiali-server/values.yaml
index b39049a..597deeb 100644
--- a/kiali-server/values.yaml
+++ b/kiali-server/values.yaml
@@ -70,6 +70,7 @@ deployment:
 limits:
 memory: "1Gi"
 secret_name: "kiali"
+ security_context: {}
 service_annotations: {}
 service_type: ""
 tolerations: []
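Review bot: The new comment says that with `allowSecurityContextOverride: false` "certain securityContext settings must exist" and overrides of them "will be ignored", but it never names those settings, so a user cannot tell which parts of their securityContext will be silently dropped. List the enforced keys here (presumably the same hardening set the server template defaults to — allowPrivilegeEscalation, privileged, readOnlyRootFilesystem, runAsNonRoot and capabilities drop ALL — but confirm against the operator's reconcile logic, which is not in this diff) and state whether the operator logs anything when it ignores an override, since a silently discarded setting is hard to debug.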
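Review bot: `{{- if .Values.deployment.security_context}}` is missing the space before `}}` that every other template action in this hunk and the matching operator-template condition use; write it as `{{- if .Values.deployment.security_context }}`. Helm renders both forms the same way, so this is a consistency point only.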