

Added container level security context for task and web deployments
Signed-off-by: Gaurav Dasson <gaurav.dasson@gmail.com>
Gaurav Dasson committed Feb 24, 2024
1 parent 3d78e90 commit 8c36cc5
Showing 6 changed files with 114 additions and 26 deletions.
33 changes: 24 additions & 9 deletions config/crd/bases/awx.ansible.com_awxs.yaml
Expand Up @@ -46,10 +46,10 @@ spec:
api_version:
description: apiVersion of the deployment type
type: string
task_privileged:
description: If a privileged security context should be enabled
type: boolean
default: false
task_security_context_settings:
description: Key/values that will be set under the container-level securityContext field
type: object
x-kubernetes-preserve-unknown-fields: true
admin_user:
description: Username to use for the admin account
type: string
Expand Down Expand Up @@ -1614,12 +1614,20 @@ spec:
ee_extra_volume_mounts:
description: Specify volume mounts to be added to Execution container
type: string
ee_security_context_settings:
description: Key/values that will be set under the container-level securityContext field
type: object
x-kubernetes-preserve-unknown-fields: true
task_extra_volume_mounts:
description: Specify volume mounts to be added to Task container
type: string
web_extra_volume_mounts:
description: Specify volume mounts to be added to the Web container
type: string
web_security_context_settings:
description: Key/values that will be set under the container-level securityContext field
type: object
x-kubernetes-preserve-unknown-fields: true
postgres_extra_volume_mounts:
description: Specify volume mounts to be added to Postgres container
type: string
Expand All @@ -1644,17 +1652,20 @@ spec:
rsyslog_extra_volume_mounts:
description: Specify volume mounts to be added to the Rsyslog container
type: string
rsyslog_security_context_settings:
description: Key/values that will be set under the container-level securityContext field
type: object
x-kubernetes-preserve-unknown-fields: true
redis_image:
description: Registry path to the redis container to use
type: string
redis_image_version:
description: Redis container image version to use
type: string
redis_capabilities:
description: Redis container capabilities
type: array
items:
type: string
redis_security_context_settings:
description: Key/values that will be set under the container-level securityContext field
type: object
x-kubernetes-preserve-unknown-fields: true
init_container_image:
description: Registry path to the init container to use
type: string
Expand All @@ -1667,6 +1678,10 @@ spec:
init_container_extra_volume_mounts:
description: Specify volume mounts to be added to the init container
type: string
init_security_context_settings:
description: Key/values that will be set under the container-level securityContext field
type: object
x-kubernetes-preserve-unknown-fields: true
init_projects_container_image:
description: Registry path to the init projects container to use
type: string
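Review bot: The six new `*_security_context_settings` properties all carry the identical description `Key/values that will be set under the container-level securityContext field`, so `kubectl explain` and the generated docs will not say which container each one targets; name the container in each, e.g. `description: Key/values set under the container-level securityContext of the task container`. Each is `type: object` with `x-kubernetes-preserve-unknown-fields: true` and no `properties`, so the API server accepts any keys under it and a misspelled or unsupported securityContext key is not rejected at CR admission — it only surfaces when the operator applies the rendered Deployment; that is worth stating in the description. The removed `task_privileged` had `default: false`, while the new fields have no CRD default and rely on the `{}` defaults in roles/installer/defaults/main.yml.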
30 changes: 30 additions & 0 deletions config/manifests/bases/awx-operator.clusterserviceversion.yaml
Expand Up @@ -435,6 +435,11 @@ spec:
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:resourceRequirements
- displayName: Web Security Context Settings
path: web_security_context_settings
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Task Container Resource Requirements
path: task_resource_requirements
x-descriptors:
Expand All @@ -457,11 +462,21 @@ spec:
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:resourceRequirements
- displayName: Redis Security Context Settings
path: redis_security_context_settings
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Rsyslog Container Resource Requirements
path: rsyslog_resource_requirements
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:resourceRequirements
- displayName: Rsyslog Security Context Settings
path: rsyslog_security_context_settings
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: The PostgreSQL container is not used when an external DB is configured
displayName: PostgreSQL Container Resource Requirements
path: postgres_resource_requirements
Expand Down Expand Up @@ -745,6 +760,11 @@ spec:
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: EE Security Context Settings
path: ee_security_context_settings
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: Registry path to the Execution Environment container to use
displayName: EE Images
path: ee_images
Expand Down Expand Up @@ -776,6 +796,11 @@ spec:
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Task Security Context Settings
path: task_security_context_settings
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Web Args
path: web_args
x-descriptors:
Expand Down Expand Up @@ -982,6 +1007,11 @@ spec:
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Init Security Context Settings
path: init_security_context_settings
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: Secret where can be found the trusted Certificate Authority Bundle
path: bundle_cacert_secret
x-descriptors:
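Review bot: This section adds descriptors for the new fields but deletes none (30 additions, 0 deletions), so if the CSV still carries a descriptor for `task_privileged` or `redis_capabilities` — both removed from the CRD in this commit — that descriptor now points at a property that no longer exists in the schema and should be dropped or repointed in the same commit. I cannot see the rest of the file from these hunks, so this is a grep to run rather than a certainty. The new descriptors are all `urn:alm:descriptor:com.tectonic.ui:hidden`, consistent with the neighbouring hidden entries, which means these settings are reachable only by editing the CR directly rather than through the OLM form.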
16 changes: 11 additions & 5 deletions docs/user-guide/advanced-configuration/security-context.md
@@ -1,11 +1,17 @@
#### Service Account

It is possible to modify some `SecurityContext` proprieties of the various deployments and stateful sets if needed.
It is possible to modify some `SecurityContext` properties of the various deployments and stateful sets if needed.

| Name | Description | Default |
| ---------------------------------- | -------------------------------------------- | ------- |
| security_context_settings | SecurityContext for Task and Web deployments | {} |
| postgres_security_context_settings | SecurityContext for Task and Web deployments | {} |
| Name | Description | Default |
| ---------------------------------- | -------------------------------------------------------------------- | ------- |
| security_context_settings | Pod Level SecurityContext for Task and Web deployments | {} |
| postgres_security_context_settings | SecurityContext for Task and Web deployments | {} |
| web_security_context_settings | Container Level SecurityContext for Web deployment | {} |
| redis_security_context_settings | Redis Container Level SecurityContext for Task and Web deployments | {} |
| rsyslog_security_context_settings | Rsyslog Container Level SecurityContext for Task and Web deployments | {} |
| ee_security_context_settings | EE Container Level SecurityContext for Task deployments | {} |
| task_security_context_settings | Container Level SecurityContext for Task deployment | {} |
| init_security_context_settings | Init Container Level SecurityContext for Task and Web deployments | {} |


Example configuration securityContext for the Task and Web deployments:
8 changes: 7 additions & 1 deletion roles/installer/defaults/main.yml
Expand Up @@ -6,7 +6,6 @@ api_version: '{{ deployment_type }}.ansible.com/v1beta1'
database_name: "{{ deployment_type }}"
database_username: "{{ deployment_type }}"

task_privileged: false
service_type: ClusterIP
ingress_type: none
ingress_class_name: ''
Expand Down Expand Up @@ -327,6 +326,13 @@ session_cookie_secure: False
# Assign a preexisting priority class to the control plane pods
control_plane_priority_class: ''

redis_security_context_settings: {}
init_security_context_settings: {}
task_security_context_settings: {}
rsyslog_security_context_settings: {}
web_security_context_settings: {}
ee_security_context_settings: {}

redis_resource_requirements:
requests:
cpu: 50m
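Review bot: `task_privileged: false` is removed with no replacement default and, as far as these hunks show, nothing maps the old variable onto `task_security_context_settings`, so an existing CR that sets `task_privileged: true` will silently stop getting a privileged task container after upgrade. That is a fail-safe direction, but it is an unannounced behaviour change; either keep a deprecated `task_privileged: false` default and fold it in from a role task, e.g. `task_security_context_settings: "{{ task_security_context_settings | combine({'privileged': true}) if task_privileged | default(false) else task_security_context_settings }}"`, or state the migration in the commit message and the security-context user guide. The same question applies to `redis_capabilities`, which the templates no longer read but which this file does not delete in the shown hunks.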
29 changes: 22 additions & 7 deletions roles/installer/templates/deployments/task.yaml.j2
Expand Up @@ -78,6 +78,10 @@ spec:
image: '{{ _init_container_image }}'
imagePullPolicy: '{{ image_pull_policy }}'
resources: {{ init_container_resource_requirements }}
{% if init_security_context_settings|length %}
securityContext:
{{ init_security_context_settings | to_yaml | indent(12,true) }}
{%- endif %}
command:
- /bin/sh
- -c
Expand Down Expand Up @@ -124,6 +128,10 @@ spec:
image: '{{ _init_projects_container_image }}'
imagePullPolicy: '{{ image_pull_policy }}'
resources: {{ init_container_resource_requirements }}
{% if init_security_context_settings|length %}
securityContext:
{{ init_security_context_settings | to_yaml | indent(12,true) }}
{%- endif %}
command:
- /bin/sh
- -c
Expand All @@ -143,11 +151,10 @@ spec:
- image: '{{ _redis_image }}'
imagePullPolicy: '{{ image_pull_policy }}'
name: redis
{% if redis_capabilities is defined and redis_capabilities %}
{% if redis_security_context_settings|length %}
securityContext:
capabilities:
add: {{ redis_capabilities }}
{% endif %}
{{ redis_security_context_settings | to_yaml | indent(12,true) }}
{%- endif %}
args: ["redis-server", "/etc/redis.conf"]
volumeMounts:
- name: {{ ansible_operator_meta.name }}-redis-config
Expand Down Expand Up @@ -179,10 +186,10 @@ spec:
- image: '{{ _image }}'
name: '{{ ansible_operator_meta.name }}-task'
imagePullPolicy: '{{ image_pull_policy }}'
{% if task_privileged == true %}
{% if task_security_context_settings|length %}
securityContext:
privileged: true
{% endif %}
{{ task_security_context_settings | to_yaml | indent(12,true) }}
{%- endif %}
{% if task_command %}
command: {{ task_command }}
{% endif %}
Expand Down Expand Up @@ -282,6 +289,10 @@ spec:
name: '{{ ansible_operator_meta.name }}-ee'
imagePullPolicy: '{{ image_pull_policy }}'
resources: {{ ee_resource_requirements }}
{% if ee_security_context_settings|length %}
securityContext:
{{ ee_security_context_settings | to_yaml | indent(12,true) }}
{%- endif %}
args:
- /bin/sh
- -c
Expand Down Expand Up @@ -354,6 +365,10 @@ spec:
{% endif %}
imagePullPolicy: '{{ image_pull_policy }}'
resources: {{ rsyslog_resource_requirements }}
{% if rsyslog_security_context_settings|length %}
securityContext:
{{ rsyslog_security_context_settings | to_yaml | indent(12,true) }}
{%- endif %}
volumeMounts:
- name: "{{ ansible_operator_meta.name }}-application-credentials"
mountPath: "/etc/tower/conf.d/credentials.py"
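Review bot: The redis container's `capabilities.add: {{ redis_capabilities }}` block is replaced by a pass-through of `redis_security_context_settings` with nothing translating the old variable, so any CR (or role default) still setting `redis_capabilities` silently loses those capabilities; the same replacement is made in web.yaml.j2. If Redis needs any added capability at runtime that is a functional regression, and either way it deserves a deprecation note or a `combine` of `{'capabilities': {'add': redis_capabilities}}` into the new dict when the old variable is set. The new blocks pass whatever keys the CR author supplies straight into each container's securityContext via `to_yaml`, where previously only `privileged: true` on the task container was reachable from the CR; the operator validates nothing here, so the cluster's Pod Security admission (or equivalent policy) is the only control on those values and the user guide should say so. Minor style: the new blocks use `{%- endif %}` while the rest of this file uses `{% endif %}` (see the `task_command` block just below), and `to_nice_yaml` would render nested maps such as `capabilities` in block style, matching the surrounding manifest.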
24 changes: 20 additions & 4 deletions roles/installer/templates/deployments/web.yaml.j2
Expand Up @@ -85,6 +85,10 @@ spec:
image: '{{ _init_container_image }}'
imagePullPolicy: '{{ image_pull_policy }}'
resources: {{ init_container_resource_requirements }}
{% if init_security_context_settings|length %}
securityContext:
{{ init_security_context_settings | to_yaml | indent(12,true) }}
{%- endif %}
command:
- /bin/sh
- -c
Expand Down Expand Up @@ -114,6 +118,10 @@ spec:
image: '{{ _init_projects_container_image }}'
imagePullPolicy: '{{ image_pull_policy }}'
resources: {{ init_container_resource_requirements }}
{% if init_security_context_settings|length %}
securityContext:
{{ init_security_context_settings | to_yaml | indent(12,true) }}
{%- endif %}
command:
- /bin/sh
- -c
Expand All @@ -133,11 +141,10 @@ spec:
- image: '{{ _redis_image }}'
imagePullPolicy: '{{ image_pull_policy }}'
name: redis
{% if redis_capabilities is defined and redis_capabilities %}
{% if redis_security_context_settings|length %}
securityContext:
capabilities:
add: {{ redis_capabilities }}
{% endif %}
{{ redis_security_context_settings | to_yaml | indent(12,true) }}
{%- endif %}
args: ["redis-server", "/etc/redis.conf"]
volumeMounts:
- name: {{ ansible_operator_meta.name }}-redis-config
Expand Down Expand Up @@ -261,6 +268,10 @@ spec:
{{ web_extra_env | indent(width=12, first=True) }}
{% endif %}
resources: {{ web_resource_requirements }}
{% if web_security_context_settings|length %}
securityContext:
{{ web_security_context_settings | to_yaml | indent(12,true) }}
{%- endif %}
- image: '{{ _image }}'
name: '{{ ansible_operator_meta.name }}-rsyslog'
{% if rsyslog_command %}
Expand All @@ -270,6 +281,11 @@ spec:
args: {{ rsyslog_args }}
{% endif %}
imagePullPolicy: '{{ image_pull_policy }}'
resources: {{ rsyslog_resource_requirements }}
{% if rsyslog_security_context_settings|length %}
securityContext:
{{ rsyslog_security_context_settings | to_yaml | indent(12,true) }}
{%- endif %}
volumeMounts:
- name: "{{ ansible_operator_meta.name }}-application-credentials"
mountPath: "/etc/tower/conf.d/credentials.py"
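Review bot: In the last hunk, `resources: {{ rsyslog_resource_requirements }}` appears to be an added line rather than context (the hunk grows from 6 to 11 lines and the section counts 20 additions and 4 deletions), which means the rsyslog container in the web deployment gains resource requests/limits it did not have before; that aligns it with task.yaml.j2, where the rsyslog container already sets `resources:`, but it is unrelated to the securityContext change and the commit message does not mention it, so call it out there or split it out. Minor style: the new blocks use `indent(12,true)` while the `web_extra_env` line in the same hunk uses `indent(width=12, first=True)`; pick one form for the file.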

