From 3afbf32c3c995902e11ffe49f891d7845f2cbb0b Mon Sep 17 00:00:00 2001
From: ishitasequeira
Date: Mon, 8 Jan 2024 17:01:06 -0500
Subject: [PATCH 1/3] add list permissions for deployments to application controller
Signed-off-by: ishitasequeira
---
 .../argocd-application-controller-role.yaml | 8 +++
 manifests/core-install.yaml | 8 +++
 .../ha/base/redis-ha/chart/upstream.yaml | 52 +++----------------
 manifests/ha/install.yaml | 8 +++
 manifests/ha/namespace-install.yaml | 8 +++
 manifests/install.yaml | 8 +++
 manifests/namespace-install.yaml | 8 +++
 7 files changed, 54 insertions(+), 46 deletions(-)
diff --git a/manifests/base/application-controller/argocd-application-controller-role.yaml b/manifests/base/application-controller/argocd-application-controller-role.yaml
index 27e0bc7bfe9cb..a672268eb1dd9 100644
--- a/manifests/base/application-controller/argocd-application-controller-role.yaml
+++ b/manifests/base/application-controller/argocd-application-controller-role.yaml
@@ -36,3 +36,11 @@ rules:
 verbs:
 - create
 - list
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/manifests/core-install.yaml b/manifests/core-install.yaml
index c9028a44a1ae0..08d7d972e6362 100644
--- a/manifests/core-install.yaml
+++ b/manifests/core-install.yaml
@@ -20595,6 +20595,14 @@ rules:
 verbs:
 - create
 - list
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
diff --git a/manifests/ha/base/redis-ha/chart/upstream.yaml b/manifests/ha/base/redis-ha/chart/upstream.yaml
index 1d0e4b3c247f8..32c040d2d8447 100644
--- a/manifests/ha/base/redis-ha/chart/upstream.yaml
+++ b/manifests/ha/base/redis-ha/chart/upstream.yaml
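Review bot: The new rule in argocd-application-controller-role.yaml grants `get`, `list` and `watch` on `apps/deployments`, while the commit subject only speaks of list permissions, and the Role carries no comment saying what the controller does with Deployments, so a reader cannot tell whether `get` is needed on top of the list/watch pair an informer would use. Add a short why-comment above the rule, e.g. `# Read-only access to Deployments; needed by <feature - TODO name it>`, and either drop `get` or state in the commit message why it is required, keeping the rule at least privilege. The rest of the Role (kind, metadata, the earlier rules under `rules:`) is outside the hunk. The identical rule also lands in the generated core-install.yaml, install.yaml, ha/install.yaml and both namespace-install.yaml manifests, which is fine as long as they were regenerated from this base file rather than edited by hand.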
@@ -1094,13 +1094,7 @@ spec:
 args:
 - /readonly/haproxy_init.sh
 securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
+ null
 volumeMounts:
 - name: config-volume
 mountPath: /readonly
@@ -1112,13 +1106,7 @@ spec:
 image: haproxy:2.6.14-alpine
 imagePullPolicy: IfNotPresent
 securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
+ null
 livenessProbe:
 httpGet:
 path: /healthz
@@ -1216,14 +1204,7 @@ spec:
 args:
 - /readonly-config/init.sh
 securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- runAsNonRoot: true
- runAsUser: 1000
- seccompProfile:
- type: RuntimeDefault
+ null
 env:
 - name: SENTINEL_ID_0
 value: 3c0d9c0320bb34888c2df5757c718ce6ca992ce6
@@ -1248,14 +1229,7 @@ spec:
 args:
 - /data/conf/redis.conf
 securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- runAsNonRoot: true
- runAsUser: 1000
- seccompProfile:
- type: RuntimeDefault
+ null
 livenessProbe:
 initialDelaySeconds: 30
 periodSeconds: 15
@@ -1305,14 +1279,7 @@ spec:
 args:
 - /data/conf/sentinel.conf
 securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- runAsNonRoot: true
- runAsUser: 1000
- seccompProfile:
- type: RuntimeDefault
+ null
 livenessProbe:
 initialDelaySeconds: 30
 periodSeconds: 15
@@ -1356,14 +1323,7 @@ spec:
 args:
 - /readonly-config/fix-split-brain.sh
 securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- runAsNonRoot: true
- runAsUser: 1000
- seccompProfile:
- type: RuntimeDefault
+ null
 env:
 - name: SENTINEL_ID_0
 value: 3c0d9c0320bb34888c2df5757c718ce6ca992ce6
diff --git a/manifests/ha/install.yaml b/manifests/ha/install.yaml
index 81f365bb8a86d..a7086ae8a6c06 100644
--- a/manifests/ha/install.yaml
+++ b/manifests/ha/install.yaml
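Review bot: Every hunk in manifests/ha/base/redis-ha/chart/upstream.yaml in this commit replaces a hardened `securityContext` (allowPrivilegeEscalation: false, capabilities drop ALL, runAsNonRoot: true, seccompProfile RuntimeDefault, plus runAsUser: 1000 on the four init/redis/sentinel/split-brain containers) with a bare `null`, which has nothing to do with the RBAC change in the subject and leaves the haproxy, redis and sentinel pods without those restrictions. Patches 2/3 of the series bring the file back to its pre-series blob (1d0e4b3c247f8), so the net diff is zero, but this intermediate commit is a security regression that will bisect badly and should not land as-is; drop these six hunks from this commit or squash the series before merge. The `null` looks like the output of a manifest generator that cannot round-trip the upstream chart; it is worth confirming that this file is excluded from regeneration so the same hunks do not reappear.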
@@ -20631,6 +20631,14 @@ rules:
 verbs:
 - create
 - list
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
diff --git a/manifests/ha/namespace-install.yaml b/manifests/ha/namespace-install.yaml
index ad1a7baa8b017..01a8da2ffd7b9 100644
--- a/manifests/ha/namespace-install.yaml
+++ b/manifests/ha/namespace-install.yaml
@@ -109,6 +109,14 @@ rules:
 verbs:
 - create
 - list
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
diff --git a/manifests/install.yaml b/manifests/install.yaml
index 3d1bbf942afb5..8d30e076d8bf7 100644
--- a/manifests/install.yaml
+++ b/manifests/install.yaml
@@ -20622,6 +20622,14 @@ rules:
 verbs:
 - create
 - list
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
diff --git a/manifests/namespace-install.yaml b/manifests/namespace-install.yaml
index 6fa2cdb2b6de0..76301680f195a 100644
--- a/manifests/namespace-install.yaml
+++ b/manifests/namespace-install.yaml
@@ -100,6 +100,14 @@ rules:
 verbs:
 - create
 - list
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
From c674c0b2c67a3fffe359dd48996e7b3823a0d3ec Mon Sep 17 00:00:00 2001
From: ishitasequeira
Date: Mon, 8 Jan 2024 17:08:46 -0500
Subject: [PATCH 2/3] revert redis-ha chart changes
Signed-off-by: ishitasequeira
---
 .../ha/base/redis-ha/chart/upstream.yaml | 50 ++++++++++++++++---
 1 file changed, 43 insertions(+), 7 deletions(-)
diff --git a/manifests/ha/base/redis-ha/chart/upstream.yaml b/manifests/ha/base/redis-ha/chart/upstream.yaml
index 32c040d2d8447..7cab93e81762f 100644
--- a/manifests/ha/base/redis-ha/chart/upstream.yaml
+++ b/manifests/ha/base/redis-ha/chart/upstream.yaml
@@ -1094,7 +1094,13 @@ spec:
 args:
 - /readonly/haproxy_init.sh
 securityContext:
- null
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 volumeMounts:
 - name: config-volume
 mountPath: /readonly
@@ -1106,7 +1112,13 @@ spec:
 image: haproxy:2.6.14-alpine
 imagePullPolicy: IfNotPresent
 securityContext:
- null
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 livenessProbe:
 httpGet:
 path: /healthz
@@ -1204,7 +1216,13 @@ spec:
 args:
 - /readonly-config/init.sh
 securityContext:
- null
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 env:
 - name: SENTINEL_ID_0
 value: 3c0d9c0320bb34888c2df5757c718ce6ca992ce6
@@ -1218,9 +1236,9 @@ spec:
 readOnly: true
 - name: data
 mountPath: /data
+ containers:
- containers:
 - name: redis
 image: redis:7.0.14-alpine
 imagePullPolicy: IfNotPresent
@@ -1229,7 +1247,13 @@ spec:
 args:
 - /data/conf/redis.conf
 securityContext:
- null
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 livenessProbe:
 initialDelaySeconds: 30
 periodSeconds: 15
@@ -1279,7 +1303,13 @@ spec:
 args:
 - /data/conf/sentinel.conf
 securityContext:
- null
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 livenessProbe:
 initialDelaySeconds: 30
 periodSeconds: 15
@@ -1323,7 +1353,13 @@ spec:
 args:
 - /readonly-config/fix-split-brain.sh
 securityContext:
- null
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 env:
 - name: SENTINEL_ID_0
 value: 3c0d9c0320bb34888c2df5757c718ce6ca992ce6
From 85b858dc5d6f5aefbb5db8c1c35a9df450096adf Mon Sep 17 00:00:00 2001
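Review bot: The restored `securityContext` blocks for the init, redis, sentinel and fix-split-brain containers (hunks at old lines 1204, 1229, 1279 and 1323) omit the `runAsUser: 1000` line that patch 1 removed from those same four containers, so this commit is not a full revert: those containers fall back to the image's default user and rely on `runAsNonRoot: true` alone to refuse a root image. The `containers:` hunk at old line 1218 is a whitespace-only change that likewise diverges from the original file. A hand-typed revert is error-prone here; restoring the file from the pre-series commit (`git checkout <parent-of-patch-1> -- manifests/ha/base/redis-ha/chart/upstream.yaml`) would have given the byte-identical result that patch 3 then has to chase, and a `git diff --stat <parent-of-patch-1>` on this path should be empty before the series is merged.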
From: ishitasequeira
Date: Mon, 8 Jan 2024 17:17:42 -0500
Subject: [PATCH 3/3] revert redis-ha chart changes
Signed-off-by: ishitasequeira
---
 manifests/ha/base/redis-ha/chart/upstream.yaml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/manifests/ha/base/redis-ha/chart/upstream.yaml b/manifests/ha/base/redis-ha/chart/upstream.yaml
index 7cab93e81762f..1d0e4b3c247f8 100644
--- a/manifests/ha/base/redis-ha/chart/upstream.yaml
+++ b/manifests/ha/base/redis-ha/chart/upstream.yaml
@@ -1221,8 +1221,9 @@ spec:
 drop:
 - ALL
 runAsNonRoot: true
+ runAsUser: 1000
 seccompProfile:
- type: RuntimeDefault
+ type: RuntimeDefault
 env:
 - name: SENTINEL_ID_0
 value: 3c0d9c0320bb34888c2df5757c718ce6ca992ce6
@@ -1236,9 +1237,9 @@ spec:
 readOnly: true
 - name: data
 mountPath: /data
- containers:
+ containers:
 - name: redis
 image: redis:7.0.14-alpine
 imagePullPolicy: IfNotPresent
@@ -1252,6 +1253,7 @@ spec:
 drop:
 - ALL
 runAsNonRoot: true
+ runAsUser: 1000
 seccompProfile:
 type: RuntimeDefault
 livenessProbe:
@@ -1308,6 +1310,7 @@ spec:
 drop:
 - ALL
 runAsNonRoot: true
+ runAsUser: 1000
 seccompProfile:
 type: RuntimeDefault
 livenessProbe:
@@ -1358,8 +1361,9 @@ spec:
 drop:
 - ALL
 runAsNonRoot: true
+ runAsUser: 1000
 seccompProfile:
- type: RuntimeDefault
+ type: RuntimeDefault
 env:
 - name: SENTINEL_ID_0
 value: 3c0d9c0320bb34888c2df5757c718ce6ca992ce6