diff --git a/config/crd/bases/awx.ansible.com_awxs.yaml b/config/crd/bases/awx.ansible.com_awxs.yaml index e3387b26e..48da62632 100644 --- a/config/crd/bases/awx.ansible.com_awxs.yaml +++ b/config/crd/bases/awx.ansible.com_awxs.yaml @@ -46,10 +46,10 @@ spec: api_version: description: apiVersion of the deployment type type: string - task_privileged: - description: If a privileged security context should be enabled - type: boolean - default: false + task_security_context_settings: + description: Key/values that will be set under the container-level securityContext field + type: object + x-kubernetes-preserve-unknown-fields: true admin_user: description: Username to use for the admin account type: string @@ -1614,12 +1614,20 @@ spec: ee_extra_volume_mounts: description: Specify volume mounts to be added to Execution container type: string + ee_security_context_settings: + description: Key/values that will be set under the container-level securityContext field + type: object + x-kubernetes-preserve-unknown-fields: true task_extra_volume_mounts: description: Specify volume mounts to be added to Task container type: string web_extra_volume_mounts: description: Specify volume mounts to be added to the Web container type: string + web_security_context_settings: + description: Key/values that will be set under the container-level securityContext field + type: object + x-kubernetes-preserve-unknown-fields: true postgres_extra_volume_mounts: description: Specify volume mounts to be added to Postgres container type: string 
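Review bot: Dropping `task_privileged` from the schema (and `redis_capabilities` in the `@@ -1644` hunk) together with its default in `roles/installer/defaults/main.yml` leaves no migration path: an existing AWX CR that still sets `task_privileged: true` will, on the next reconcile, have its task container rendered without `privileged: true` — a silent behaviour change rather than an error, if the spec schema preserves unknown fields (not visible here; if it does not, such CRs are instead rejected on apply). The replacement field's description should state this, e.g. `description: Key/values set under the task container securityContext (replaces task_privileged; use {privileged: true} to keep the previous behaviour)`, with the equivalent wording for `redis_security_context_settings` versus `redis_capabilities`. A compatibility default in the role that derives `task_security_context_settings` from `task_privileged | default(false)` when the new field is empty would avoid the silent drop for one release. Note also that `x-kubernetes-preserve-unknown-fields: true` means the operator passes the mapping through unvalidated, so a mistyped key is only caught when the API server rejects the rendered Deployment and surfaces as a reconcile failure rather than at CR admission.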
@@ -1644,17 +1652,20 @@ spec: rsyslog_extra_volume_mounts: description: Specify volume mounts to be added to the Rsyslog container type: string + rsyslog_security_context_settings: + description: Key/values that will be set under the container-level securityContext field + type: object + x-kubernetes-preserve-unknown-fields: true redis_image: description: Registry path to the redis container to use type: string redis_image_version: description: Redis container image version to use type: string - redis_capabilities: - description: Redis container capabilities - type: array - items: - type: string + redis_security_context_settings: + description: Key/values that will be set under the container-level securityContext field + type: object + x-kubernetes-preserve-unknown-fields: true init_container_image: description: Registry path to the init container to use type: string @@ -1667,6 +1678,10 @@ spec: init_container_extra_volume_mounts: description: Specify volume mounts to be added to the init container type: string + init_security_context_settings: + description: Key/values that will be set under the container-level securityContext field + type: object + x-kubernetes-preserve-unknown-fields: true init_projects_container_image: description: Registry path to the init projects container to use type: string diff --git a/config/manifests/bases/awx-operator.clusterserviceversion.yaml b/config/manifests/bases/awx-operator.clusterserviceversion.yaml index f99844ff5..9d4b2194d 100644 --- a/config/manifests/bases/awx-operator.clusterserviceversion.yaml +++ b/config/manifests/bases/awx-operator.clusterserviceversion.yaml 
@@ -435,6 +435,11 @@ spec: x-descriptors: - urn:alm:descriptor:com.tectonic.ui:advanced - urn:alm:descriptor:com.tectonic.ui:resourceRequirements + - displayName: Web Security Context Settings + path: web_security_context_settings + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:advanced + - urn:alm:descriptor:com.tectonic.ui:hidden - displayName: Task Container Resource Requirements path: task_resource_requirements x-descriptors: @@ -457,11 +462,21 @@ spec: x-descriptors: - urn:alm:descriptor:com.tectonic.ui:advanced - urn:alm:descriptor:com.tectonic.ui:resourceRequirements + - displayName: Redis Security Context Settings + path: redis_security_context_settings + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:advanced + - urn:alm:descriptor:com.tectonic.ui:hidden - displayName: Rsyslog Container Resource Requirements path: rsyslog_resource_requirements x-descriptors: - urn:alm:descriptor:com.tectonic.ui:advanced - urn:alm:descriptor:com.tectonic.ui:resourceRequirements + - displayName: Rsyslog Security Context Settings + path: rsyslog_security_context_settings + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:advanced + - urn:alm:descriptor:com.tectonic.ui:hidden - description: The PostgreSQL container is not used when an external DB is configured displayName: PostgreSQL Container Resource Requirements path: postgres_resource_requirements @@ -745,6 +760,11 @@ spec: x-descriptors: - urn:alm:descriptor:com.tectonic.ui:advanced - urn:alm:descriptor:com.tectonic.ui:hidden + - displayName: EE Security Context Settings + path: ee_security_context_settings + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:advanced + - urn:alm:descriptor:com.tectonic.ui:hidden - description: Registry path to the Execution Environment container to use displayName: EE Images path: ee_images 
@@ -776,6 +796,11 @@ spec: x-descriptors: - urn:alm:descriptor:com.tectonic.ui:advanced - urn:alm:descriptor:com.tectonic.ui:hidden + - displayName: Task Security Context Settings + path: task_security_context_settings + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:advanced + - urn:alm:descriptor:com.tectonic.ui:hidden - displayName: Web Args path: web_args x-descriptors: @@ -982,6 +1007,11 @@ spec: x-descriptors: - urn:alm:descriptor:com.tectonic.ui:advanced - urn:alm:descriptor:com.tectonic.ui:hidden + - displayName: Init Security Context Settings + path: init_security_context_settings + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:advanced + - urn:alm:descriptor:com.tectonic.ui:hidden - description: Secret where can be found the trusted Certificate Authority Bundle path: bundle_cacert_secret x-descriptors: diff --git a/docs/user-guide/advanced-configuration/security-context.md b/docs/user-guide/advanced-configuration/security-context.md index 9ab68ffcf..7b4de3a51 100644 --- a/docs/user-guide/advanced-configuration/security-context.md +++ b/docs/user-guide/advanced-configuration/security-context.md 
@@ -1,11 +1,17 @@ #### Service Account -It is possible to modify some `SecurityContext` proprieties of the various deployments and stateful sets if needed. +It is possible to modify some `SecurityContext` properties of the various deployments and stateful sets if needed. -| Name | Description | Default | -| ---------------------------------- | -------------------------------------------- | ------- | -| security_context_settings | SecurityContext for Task and Web deployments | {} | -| postgres_security_context_settings | SecurityContext for Task and Web deployments | {} | +| Name | Description | Default | +| ---------------------------------- | -------------------------------------------------------------------- | ------- | +| security_context_settings | Pod Level SecurityContext for Task and Web deployments | {} | +| postgres_security_context_settings | SecurityContext for Task and Web deployments | {} | +| web_security_context_settings | Container Level SecurityContext for Web deployment | {} | +| redis_security_context_settings | Redis Container Level SecurityContext for Task and Web deployments | {} | +| rsyslog_security_context_settings | Rsyslog Container Level SecurityContext for Task and Web deployments | {} | +| ee_security_context_settings | EE Container Level SecurityContext for Task deployments | {} | +| task_security_context_settings | Container Level SecurityContext for Task deployment | {} | +| init_security_context_settings | Init Container Level SecurityContext for Task and Web deployments | {} | Example configuration securityContext for the Task and Web deployments: diff --git a/roles/installer/defaults/main.yml b/roles/installer/defaults/main.yml index b80d332ad..9d5c0bef7 100644 --- a/roles/installer/defaults/main.yml +++ b/roles/installer/defaults/main.yml 
@@ -6,7 +6,6 @@ api_version: '{{ deployment_type }}.ansible.com/v1beta1' database_name: "{{ deployment_type }}" database_username: "{{ deployment_type }}" -task_privileged: false service_type: ClusterIP ingress_type: none ingress_class_name: '' @@ -327,6 +326,13 @@ session_cookie_secure: False # Assign a preexisting priority class to the control plane pods control_plane_priority_class: '' +redis_security_context_settings: {} +init_security_context_settings: {} +task_security_context_settings: {} +rsyslog_security_context_settings: {} +web_security_context_settings: {} +ee_security_context_settings: {} + redis_resource_requirements: requests: cpu: 50m diff --git a/roles/installer/templates/deployments/task.yaml.j2 b/roles/installer/templates/deployments/task.yaml.j2 index cb57fbd13..326768b6e 100644 --- a/roles/installer/templates/deployments/task.yaml.j2 +++ b/roles/installer/templates/deployments/task.yaml.j2 @@ -78,6 +78,10 @@ spec: image: '{{ _init_container_image }}' imagePullPolicy: '{{ image_pull_policy }}' resources: {{ init_container_resource_requirements }} +{% if init_security_context_settings|length %} + securityContext: +{{ init_security_context_settings | to_yaml | indent(12,true) }} +{%- endif %} command: - /bin/sh - -c @@ -124,6 +128,10 @@ spec: image: '{{ _init_projects_container_image }}' imagePullPolicy: '{{ image_pull_policy }}' resources: {{ init_container_resource_requirements }} +{% if init_security_context_settings|length %} + securityContext: +{{ init_security_context_settings | to_yaml | indent(12,true) }} +{%- endif %} command: - /bin/sh - -c 
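Review bot: The new `indent(12,true)` calls in both init-container hunks of task.yaml.j2 pass the filter's arguments positionally, whereas the existing template code in web.yaml.j2 uses the keyword form (`{{ web_extra_env | indent(width=12, first=True) }}`); the same positional form is repeated in every `*_security_context_settings` block across task.yaml.j2 and web.yaml.j2. Writing `{{ init_security_context_settings | to_yaml | indent(width=12, first=True) }}` keeps the templates consistent and makes the first-line indent explicit to the reader. The init container definitions these lines sit in start and end outside the hunks.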
@@ -143,11 +151,10 @@ spec: - image: '{{ _redis_image }}' imagePullPolicy: '{{ image_pull_policy }}' name: redis -{% if redis_capabilities is defined and redis_capabilities %} +{% if redis_security_context_settings|length %} securityContext: - capabilities: - add: {{ redis_capabilities }} -{% endif %} +{{ redis_security_context_settings | to_yaml | indent(12,true) }} +{%- endif %} args: ["redis-server", "/etc/redis.conf"] volumeMounts: - name: {{ ansible_operator_meta.name }}-redis-config @@ -179,10 +186,10 @@ spec: - image: '{{ _image }}' name: '{{ ansible_operator_meta.name }}-task' imagePullPolicy: '{{ image_pull_policy }}' -{% if task_privileged == true %} +{% if task_security_context_settings|length %} securityContext: - privileged: true -{% endif %} +{{ task_security_context_settings | to_yaml | indent(12,true) }} +{%- endif %} {% if task_command %} command: {{ task_command }} {% endif %} @@ -282,6 +289,10 @@ spec: name: '{{ ansible_operator_meta.name }}-ee' imagePullPolicy: '{{ image_pull_policy }}' resources: {{ ee_resource_requirements }} +{% if ee_security_context_settings|length %} + securityContext: +{{ ee_security_context_settings | to_yaml | indent(12,true) }} +{%- endif %} args: - /bin/sh - -c @@ -354,6 +365,10 @@ spec: {% endif %} imagePullPolicy: '{{ image_pull_policy }}' resources: {{ rsyslog_resource_requirements }} +{% if rsyslog_security_context_settings|length %} + securityContext: +{{ rsyslog_security_context_settings | to_yaml | indent(12,true) }} +{%- endif %} volumeMounts: - name: "{{ ansible_operator_meta.name }}-application-credentials" mountPath: "/etc/tower/conf.d/credentials.py" diff --git a/roles/installer/templates/deployments/web.yaml.j2 b/roles/installer/templates/deployments/web.yaml.j2 index 1a7318348..275d487ab 100644 --- a/roles/installer/templates/deployments/web.yaml.j2 +++ b/roles/installer/templates/deployments/web.yaml.j2 
@@ -85,6 +85,10 @@ spec: image: '{{ _init_container_image }}' imagePullPolicy: '{{ image_pull_policy }}' resources: {{ init_container_resource_requirements }} +{% if init_security_context_settings|length %} + securityContext: +{{ init_security_context_settings | to_yaml | indent(12,true) }} +{%- endif %} command: - /bin/sh - -c @@ -114,6 +118,10 @@ spec: image: '{{ _init_projects_container_image }}' imagePullPolicy: '{{ image_pull_policy }}' resources: {{ init_container_resource_requirements }} +{% if init_security_context_settings|length %} + securityContext: +{{ init_security_context_settings | to_yaml | indent(12,true) }} +{%- endif %} command: - /bin/sh - -c @@ -133,11 +141,10 @@ spec: - image: '{{ _redis_image }}' imagePullPolicy: '{{ image_pull_policy }}' name: redis -{% if redis_capabilities is defined and redis_capabilities %} +{% if redis_security_context_settings|length %} securityContext: - capabilities: - add: {{ redis_capabilities }} -{% endif %} +{{ redis_security_context_settings | to_yaml | indent(12,true) }} +{%- endif %} args: ["redis-server", "/etc/redis.conf"] volumeMounts: - name: {{ ansible_operator_meta.name }}-redis-config @@ -261,6 +268,10 @@ spec: {{ web_extra_env | indent(width=12, first=True) }} {% endif %} resources: {{ web_resource_requirements }} +{% if web_security_context_settings|length %} + securityContext: +{{ web_security_context_settings | to_yaml | indent(12,true) }} +{%- endif %} - image: '{{ _image }}' name: '{{ ansible_operator_meta.name }}-rsyslog' {% if rsyslog_command %} @@ -270,6 +281,11 @@ spec: args: {{ rsyslog_args }} {% endif %} imagePullPolicy: '{{ image_pull_policy }}' + resources: {{ rsyslog_resource_requirements }} +{% if rsyslog_security_context_settings|length %} + securityContext: +{{ rsyslog_security_context_settings | to_yaml | indent(12,true) }} +{%- endif %} volumeMounts: - name: "{{ ansible_operator_meta.name }}-application-credentials" mountPath: "/etc/tower/conf.d/credentials.py"
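Review bot: The last hunk (`@@ -270,6 +281,11`) also adds `resources: {{ rsyslog_resource_requirements }}` to the web deployment's rsyslog container, which is unrelated to security context settings and is not reflected anywhere else in the change; it starts enforcing requests/limits on a container that previously had none, which on a cluster with tight quotas can alter scheduling of existing web pods. It looks like a genuine fix, since task.yaml.j2 already sets the same value for its rsyslog container, but it should be called out in the commit message or split into its own commit so the behaviour change is visible in the history. The rsyslog container definition continues outside the hunk.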