From 7e1bac12f26f1e5e4247cd67b8e00359827e6058 Mon Sep 17 00:00:00 2001 From: MadhuriArugula Date: Mon, 22 Jul 2024 21:24:10 +0530 Subject: [PATCH] US-625432 Configure securityContext for Pega containers (#789) Co-authored-by: arugm Co-authored-by: PEGA-NarasimhaRao-Meda <109585795+PEGA-NarasimhaRao-Meda@users.noreply.github.com> --- charts/pega/templates/_pega-deployment.tpl | 4 + charts/pega/values.yaml | 27 ++++++ ...loyment_container_security_context_test.go | 85 +++++++++++++++++++ 3 files changed, 116 insertions(+) create mode 100644 terratest/src/test/pega/pega-tier-deployment_container_security_context_test.go diff --git a/charts/pega/templates/_pega-deployment.tpl b/charts/pega/templates/_pega-deployment.tpl index 7be6b9ea4..6bff86872 100644 --- a/charts/pega/templates/_pega-deployment.tpl +++ b/charts/pega/templates/_pega-deployment.tpl @@ -214,6 +214,10 @@ spec: envFrom: - configMapRef: name: {{ template "pegaEnvironmentConfig" .root }} +{{- if .node.containerSecurityContext }} + securityContext: +{{ toYaml .node.containerSecurityContext | indent 10 }} +{{- end }} resources: {{- if .node.resources }} {{ toYaml .node.resources | indent 10 }} diff --git a/charts/pega/values.yaml b/charts/pega/values.yaml index 246fd39de..246b1e3df 100644 --- a/charts/pega/values.yaml +++ b/charts/pega/values.yaml 
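Review bot: When `.node.containerSecurityContext` is unset this hunk emits no `securityContext` at all, so the pega container inherits only the pod-level settings and gets no container-level hardening by default — `allowPrivilegeEscalation`, `capabilities.drop` and `readOnlyRootFilesystem` are all left to whatever the cluster enforces. Consider shipping a conservative, overridable default in the chart such as `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}`, on the assumption that the Pega image runs without extra capabilities, which is worth confirming before making it the default. A short template comment above the `if`, e.g. `{{- /* container-level securityContext for the pega container only; overrides pod-level keys, does not affect volumes */ -}}`, would also help since the behaviour is currently only documented in values.yaml. The enclosing container spec starts and ends outside the hunk.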
@@ -257,6 +257,15 @@ global: # runAsUser: 9001 # fsGroup: 0 + # To specify security settings for a Container, include the securityContext field in the Container manifest + # Security settings that you specify for a Container apply only to the pega container, + # and they override settings made at the Pod level when there is overlap. Container settings + # do not affect the Pod's Volumes. + # See, https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + # containerSecurityContext: + # capabilities: + # add: ["SYS_TIME"] + hpa: enabled: true # To configure behavior specifications for hpa, set the required scaleUp & scaleDown values. @@ -319,6 +328,15 @@ global: # runAsUser: 9001 # fsGroup: 0 + # To specify security settings for a Container, include the securityContext field in the Container manifest + # Security settings that you specify for a Container apply only to the pega container, + # and they override settings made at the Pod level when there is overlap. Container settings + # do not affect the Pod's Volumes. + # See, https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + # containerSecurityContext: + # capabilities: + # add: ["SYS_TIME"] + hpa: enabled: true @@ -381,6 +399,15 @@ global: # runAsUser: 9001 # fsGroup: 0 + # To specify security settings for a Container, include the securityContext field in the Container manifest + # Security settings that you specify for a Container apply only to the pega container, + # and they override settings made at the Pod level when there is overlap. Container settings + # do not affect the Pod's Volumes. + # See, https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + # containerSecurityContext: + # capabilities: + # add: ["SYS_TIME"] + replicas: 2 volumeClaimTemplate: 
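Review bot: The example repeated in all three tier blocks, `capabilities: add: ["SYS_TIME"]`, demonstrates granting an extra Linux capability, which is precisely what the Pod Security `restricted` profile and most admission policies reject; as the documented template for this field it nudges users toward a weaker posture. Replace it with a hardening example — `allowPrivilegeEscalation: false`, `capabilities: {drop: ["ALL"]}` and, if the Pega runtime tolerates it with a writable temp volume, `readOnlyRootFilesystem: true` — and mention `add:` only as a note that it is possible when required. The comment also states that container settings "override settings made at the Pod level"; it is worth saying explicitly that `runAsUser`/`runAsGroup`/`seccompProfile` set here take precedence over the pod-level `runAsUser: 9001` example a few lines above, so the two blocks should be kept consistent.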
diff --git a/terratest/src/test/pega/pega-tier-deployment_container_security_context_test.go b/terratest/src/test/pega/pega-tier-deployment_container_security_context_test.go new file mode 100644 index 000000000..6b596f78a --- /dev/null +++ b/terratest/src/test/pega/pega-tier-deployment_container_security_context_test.go 
@@ -0,0 +1,85 @@ +package pega + +import ( + "fmt" + "path/filepath" + "strings" + "testing" + + "github.com/gruntwork-io/terratest/modules/helm" + "github.com/stretchr/testify/require" + appsv1 "k8s.io/api/apps/v1" +) + +func TestPegaTierDeploymentContainerSecurityContext(t *testing.T) { + var supportedVendors = []string{"k8s", "openshift", "eks", "gke", "aks", "pks"} + var supportedOperations = []string{"deploy"} + var deploymentNames = []string{"myapp-dev"} + + helmChartPath, err := filepath.Abs(PegaHelmChartPath) + require.NoError(t, err) + + for _, vendor := range supportedVendors { + + var depObj appsv1.Deployment + + for _, operation := range supportedOperations { + + for _, depName := range deploymentNames { + + fmt.Println(vendor + "-" + operation) + + var options = &helm.Options{ + SetValues: map[string]string{ + "global.provider": vendor, + "global.actions.execute": operation, + "global.deployment.name": depName, + }, + } + + yamlContent := RenderTemplate(t, options, helmChartPath, []string{"templates/pega-tier-deployment.yaml"}) + yamlSplit := strings.Split(yamlContent, "---") + UnmarshalK8SYaml(t, yamlSplit[1], &depObj) + require.Nil(t, depObj.Spec.Template.Spec.Containers[0].SecurityContext) + + } + } + } +} + +func TestPegaTierDeploymentSecurityContextForPegaContainer(t *testing.T) { + var supportedVendors = []string{"k8s", "openshift"} + var supportedOperations = []string{"deploy"} + var deploymentNames = []string{"myapp-dev"} + + helmChartPath, err := filepath.Abs(PegaHelmChartPath) + require.NoError(t, err) + + for _, vendor := range supportedVendors { + + var depObj appsv1.Deployment + + for _, operation := range supportedOperations { + + for _, depName := range deploymentNames { + + fmt.Println(vendor + "-" + operation) + + var options = &helm.Options{ + SetValues: map[string]string{ + "global.provider": vendor, + "global.actions.execute": operation, + "global.deployment.name": depName, + "global.tier[0].containerSecurityContext.runAsUser": 
"7009", + }, + } + + yamlContent := RenderTemplate(t, options, helmChartPath, []string{"templates/pega-tier-deployment.yaml"}) + yamlSplit := strings.Split(yamlContent, "---") + UnmarshalK8SYaml(t, yamlSplit[1], &depObj) + + require.Equal(t, int64(7009), *depObj.Spec.Template.Spec.Containers[0].SecurityContext.RunAsUser) + } + } + } +}
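Review bot: `depObj` is declared once per vendor outside the inner loops and reused for every render, and if `UnmarshalK8SYaml` decodes into the existing struct without zeroing it (as k8s YAML-to-JSON helpers typically do), a stale `SecurityContext` from an earlier iteration can satisfy the `require.Equal` on the last line even when the current render dropped it. Move `var depObj appsv1.Deployment` inside the `for _, depName` loop in both tests so each render is decoded into a fresh value. The dereference `*depObj.Spec.Template.Spec.Containers[0].SecurityContext.RunAsUser` also panics rather than failing cleanly when the context is absent; add `require.NotNil(t, depObj.Spec.Template.Spec.Containers[0].SecurityContext)` before it. The hard-coded `yamlSplit[1]` assumes the Deployment is the second rendered document and that the pega container is `Containers[0]`; a one-line comment stating both assumptions, or a `require.Len` on the split, would make the test's failure mode clearer.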