From 2f8a4c8fcf0dc89dde9b5beef13b4acf59758716 Mon Sep 17 00:00:00 2001
From: devOpsHelm <54980549+devOpsHelm@users.noreply.github.com>
Date: Tue, 3 Mar 2020 17:53:38 +0300
Subject: [PATCH] [stable/hazelcast-jet] Merge pull request #103 from eminn/security-context (#21219)

* Merge pull request #103 from eminn/security-context
Signed-off-by: devOpsHelm
* Fixed linter error
Signed-off-by: Emin Demirci
Co-authored-by: Emin Demirci
---
 stable/hazelcast-jet/Chart.yaml | 2 +-
 stable/hazelcast-jet/README.adoc | 9 ++++--
 .../management-center-deployment.yaml | 31 ++++++++++++++-----
 .../hazelcast-jet/templates/statefulset.yaml | 28 +++++++++++++----
 stable/hazelcast-jet/values.yaml | 8 +++--
 5 files changed, 58 insertions(+), 20 deletions(-)

diff --git a/stable/hazelcast-jet/Chart.yaml b/stable/hazelcast-jet/Chart.yaml
index c219b5939897..ec5f8bedb9e3 100644
--- a/stable/hazelcast-jet/Chart.yaml
+++ b/stable/hazelcast-jet/Chart.yaml
@@ -4,7 +4,7 @@ tillerVersion: ">=2.7.2"
 kubeVersion: ">=1.9.0-0"
 description: Hazelcast Jet is an application embeddable, distributed computing engine built on top of Hazelcast In-Memory Data Grid (IMDG). With Hazelcast IMDG providing storage functionality, Hazelcast Jet performs parallel execution to enable data-intensive applications to operate in near real-time.
 name: hazelcast-jet
-version: 1.4.0
+version: 1.4.1
 keywords:
 - hazelcast
 - jet
diff --git a/stable/hazelcast-jet/README.adoc b/stable/hazelcast-jet/README.adoc
index cf38807d4360..9d07ba0bae29 100644
--- a/stable/hazelcast-jet/README.adoc
+++ b/stable/hazelcast-jet/README.adoc
@@ -191,13 +191,16 @@ generated using the fullname template |`+nil+` Hazelcast Jet Management Center |`+true+` |`+securityContext.runAsUser+` |User ID used to run the Hazelcast Jet and -Hazelcast Jet Management Center containers |`+1001+` +Hazelcast Jet Management Center containers |`+65534+` -| `securityContext.runAsGroup` |Primary Group ID used to run all processes in the +|`securityContext.runAsGroup` |Primary Group ID used to run all processes in the Hazelcast Jet and Hazelcast Jet Management Center containers | `+65534+` |`+securityContext.fsGroup+` |Group ID associated with the Hazelcast Jet and -Hazelcast Jet Management Center container |`+1001+` +Hazelcast Jet Management Center container |`+65534+` + +|`+securityContext.readOnlyRootFilesystem+` |Enables readOnlyRootFilesystem in +the Hazelcast Jet and Hazelcast Jet Management Center security containers |`+true+` |`+metrics.enabled+` |Turn on and off JMX Prometheus metrics available at `+/metrics+` |`+false+`
diff --git a/stable/hazelcast-jet/templates/management-center-deployment.yaml b/stable/hazelcast-jet/templates/management-center-deployment.yaml
index 686c5127417c..5816b431c14f 100644
--- a/stable/hazelcast-jet/templates/management-center-deployment.yaml
+++ b/stable/hazelcast-jet/templates/management-center-deployment.yaml
@@ -36,7 +36,17 @@ spec:
 nodeSelector:
 {{ toYaml .Values.managementcenter.nodeSelector | indent 8 }}
 {{- end }}
- {{- if .Values.managementcenter.affinity }}
+ hostNetwork: false
+ hostPID: false
+ hostIPC: false
+ {{- if .Values.securityContext.enabled }}
+ securityContext:
+ runAsNonRoot: {{ if eq (int .Values.securityContext.runAsUser) 0 }}false{{ else }}true{{ end }}
+ runAsUser: {{ .Values.securityContext.runAsUser }}
+ runAsGroup: {{ .Values.securityContext.runAsGroup }}
+ fsGroup: {{ .Values.securityContext.fsGroup }}
+ {{- end }}
+ {{- if .Values.managementcenter.affinity }}
 affinity:
 {{ toYaml .Values.managementcenter.affinity | indent 8 }}
 {{- end }}
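Review bot: The pod-level securityContext added after `{{- end }}` derives `runAsNonRoot` from `runAsUser`, so a values override of `securityContext.runAsUser: 0` silently switches the non-root guard off instead of failing the render; if running as root is meant to be supported, put a comment next to that line, e.g. `# runAsNonRoot follows runAsUser: a value of 0 disables the check`, and if it is not, `{{ fail "securityContext.runAsUser must not be 0" }}` would make the intent enforceable. The same block is repeated verbatim in the first hunk of statefulset.yaml and, with extra fields, at container level in the later hunks of both files; moving it into a named `define` in the chart's helpers template would stop the copies from drifting, which they already do (the Management Center container copy hard-codes readOnlyRootFilesystem and adds fsGroup). The enclosing pod spec starts and ends outside the hunk.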
@@ -44,12 +54,6 @@ spec:
 tolerations:
 {{ toYaml .Values.managementcenter.tolerations | indent 8 }}
 {{- end }}
- {{- if .Values.securityContext.enabled }}
- securityContext:
- runAsUser: {{ .Values.securityContext.runAsUser }}
- runAsGroup: {{ .Values.securityContext.runAsGroup }}
- fsGroup: {{ .Values.securityContext.fsGroup }}
- {{- end }}
 containers:
 - name: {{ template "hazelcast-jet-management-center.fullname" . }}
 image: "{{ .Values.managementcenter.image.repository }}:{{ .Values.managementcenter.image.tag }}"
@@ -98,6 +102,19 @@ spec:
 {{- end }}
 - name: JAVA_OPTS
 value: " -Djet.clientConfig=/data/hazelcast-jet-management-center/hazelcast-client.yaml -DserviceName={{ template "hazelcast-jet.fullname" . }} -Dnamespace={{ .Release.Namespace }} {{ .Values.managementcenter.javaOpts }}"
+ {{- if .Values.securityContext.enabled }}
+ securityContext:
+ runAsNonRoot: {{ if eq (int .Values.securityContext.runAsUser) 0 }}false{{ else }}true{{ end }}
+ runAsUser: {{ .Values.securityContext.runAsUser }}
+ runAsGroup: {{ .Values.securityContext.runAsGroup }}
+ fsGroup: {{ .Values.securityContext.fsGroup }}
+ privileged: false
+ readOnlyRootFilesystem: false
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ {{- end }}
 serviceAccountName: {{ template "hazelcast-jet.serviceAccountName" . }}
 volumes:
 - name: hazelcast-jet-management-center-storage
diff --git a/stable/hazelcast-jet/templates/statefulset.yaml b/stable/hazelcast-jet/templates/statefulset.yaml
index 319f679fa269..7012488287b9 100644
--- a/stable/hazelcast-jet/templates/statefulset.yaml
+++ b/stable/hazelcast-jet/templates/statefulset.yaml
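Review bot: `fsGroup` in the container-level securityContext added after the JAVA_OPTS env entry is not a field of the container `SecurityContext` schema (it belongs to `PodSecurityContext`), so depending on client/server validation it is either rejected or silently dropped; it is already set at pod level in the first hunk of this file and the container block in statefulset.yaml correctly omits it, so the line `fsGroup: {{ .Values.securityContext.fsGroup }}` should be removed here. `readOnlyRootFilesystem: false` is hard-coded while the README and values.yaml in this same patch document `securityContext.readOnlyRootFilesystem` as applying to the Management Center container too; either wire it as `readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem }}` like statefulset.yaml does, or correct the README. If a writable root is genuinely required by the Management Center image, record that with a comment above the line, e.g. `# readOnlyRootFilesystem is intentionally off for Management Center: <reason>`, so the ignored value is not mistaken for an oversight. The containers list continues outside the hunk.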
@@ -39,6 +39,16 @@ spec:
 {{- if .Values.gracefulShutdown.enabled }}
 terminationGracePeriodSeconds: {{ .Values.gracefulShutdown.maxWaitSeconds }}
 {{- end }}
+ hostNetwork: false
+ hostPID: false
+ hostIPC: false
+ {{- if .Values.securityContext.enabled }}
+ securityContext:
+ runAsNonRoot: {{ if eq (int .Values.securityContext.runAsUser) 0 }}false{{ else }}true{{ end }}
+ runAsUser: {{ .Values.securityContext.runAsUser }}
+ runAsGroup: {{ .Values.securityContext.runAsGroup }}
+ fsGroup: {{ .Values.securityContext.fsGroup }}
+ {{- end }}
 {{- if .Values.affinity }}
 affinity:
 {{ toYaml .Values.affinity | indent 8 }}
@@ -99,13 +109,19 @@ spec:
 - name: LOGGING_LEVEL
 value: {{ .Values.jet.loggingLevel }}
 {{- end }}
+ {{- if .Values.securityContext.enabled }}
+ securityContext:
+ runAsNonRoot: {{ if eq (int .Values.securityContext.runAsUser) 0 }}false{{ else }}true{{ end }}
+ runAsUser: {{ .Values.securityContext.runAsUser }}
+ runAsGroup: {{ .Values.securityContext.runAsGroup }}
+ privileged: false
+ readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem }}
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ {{- end }}
 serviceAccountName: {{ template "hazelcast-jet.serviceAccountName" . }}
- {{- if .Values.securityContext.enabled }}
- securityContext:
- runAsUser: {{ .Values.securityContext.runAsUser }}
- runAsGroup: {{ .Values.securityContext.runAsGroup }}
- fsGroup: {{ .Values.securityContext.fsGroup }}
- {{- end }}
 volumes:
 - name: hazelcast-jet-storage
 configMap:
diff --git a/stable/hazelcast-jet/values.yaml b/stable/hazelcast-jet/values.yaml
index dbce6c33ab76..84857d484d2b 100644
--- a/stable/hazelcast-jet/values.yaml
+++ b/stable/hazelcast-jet/values.yaml
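Review bot: In the second hunk (`@@ -99,13 +109,19 @@`) `readOnlyRootFilesystem` is now driven by a value that this patch defaults to `true`, and the previous template did not set it at all, so existing releases flip to a read-only root on upgrade; any path the Jet process or the JVM writes at runtime (temp, log or work directories) must then be backed by a writable mount, and the only volume visible at the end of the hunk is the `hazelcast-jet-storage` configMap, so whether such a mount exists cannot be confirmed from here. Please verify against a rendered chart that the pod starts with the default, and document the writable paths the image needs next to the value in values.yaml. `runAsUser` and `runAsGroup` repeat the pod-level block from the first hunk of this file; harmless, but a named template would keep the two in step. The container definition starts outside the hunk.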
@@ -201,11 +201,13 @@ securityContext:
 # enabled is a flag to enable Security Context
 enabled: true
 # runAsUser is the user ID used to run the container
- runAsUser: 1001
+ runAsUser: 65534
 # runAsGroup is the primary group ID used to run all processes within any container of the pod
- runAsGroup: 1001
+ runAsGroup: 65534
 # fsGroup is the group ID associated with the container
- fsGroup: 1001
+ fsGroup: 65534
+ # readOnlyRootFilesystem is a flag to enable readOnlyRootFilesystem for the Hazelcast security context
+ readOnlyRootFilesystem: true
 
 # Allows to enable a Prometheus to scrape pods
 metrics:
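Review bot: The new comment above `readOnlyRootFilesystem: true` says the flag applies to "the Hazelcast security context", but in this same patch only statefulset.yaml consumes the value while management-center-deployment.yaml hard-codes `readOnlyRootFilesystem: false`, and the README hunk claims it covers both containers; either reword the comment to `# readOnlyRootFilesystem makes the Hazelcast Jet container's root filesystem read-only (not applied to Management Center)` or change the deployment to honour the value. Moving the default `runAsUser`, `runAsGroup` and `fsGroup` from 1001 to 65534 is also an upgrade-visible change: if the chart uses persistent storage, files written by UID 1001 under the previous release may no longer be writable, and a comment noting the change and how to pin the old identity (`runAsUser: 1001` etc.) would help operators; nothing visible in this hunk shows whether persistent volumes are in play, so this may not apply. The `securityContext:` mapping itself begins above the hunk.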