Added container level security context for task and web deployments
Signed-off-by: Gaurav Dasson <[email protected]>
Gaurav Dasson committed Mar 1, 2024
1 parent 607a7ca commit 596a0e1
Showing 7 changed files with 147 additions and 18 deletions.
34 changes: 31 additions & 3 deletions config/crd/bases/awx.ansible.com_awxs.yaml
Expand Up @@ -47,9 +47,13 @@ spec:
description: apiVersion of the deployment type
type: string
task_privileged:
description: If a privileged security context should be enabled
description: (Deprecated) If a privileged security context should be enabled
type: boolean
default: false
task_security_context:
description: Key/values that will be set under the container-level securityContext field
type: object
x-kubernetes-preserve-unknown-fields: true
admin_user:
description: Username to use for the admin account
type: string
Expand Down Expand Up @@ -1614,12 +1618,20 @@ spec:
ee_extra_volume_mounts:
description: Specify volume mounts to be added to Execution container
type: string
ee_security_context:
description: Key/values that will be set under the container-level securityContext field
type: object
x-kubernetes-preserve-unknown-fields: true
task_extra_volume_mounts:
description: Specify volume mounts to be added to Task container
type: string
web_extra_volume_mounts:
description: Specify volume mounts to be added to the Web container
type: string
web_security_context:
description: Key/values that will be set under the container-level securityContext field
type: object
x-kubernetes-preserve-unknown-fields: true
postgres_extra_volume_mounts:
description: Specify volume mounts to be added to Postgres container
type: string
Expand All @@ -1644,17 +1656,25 @@ spec:
rsyslog_extra_volume_mounts:
description: Specify volume mounts to be added to the Rsyslog container
type: string
rsyslog_security_context:
description: Key/values that will be set under the container-level securityContext field
type: object
x-kubernetes-preserve-unknown-fields: true
redis_image:
description: Registry path to the redis container to use
type: string
redis_image_version:
description: Redis container image version to use
type: string
redis_capabilities:
description: Redis container capabilities
description: (Deprecated) Redis container capabilities
type: array
items:
type: string
redis_security_context:
description: Key/values that will be set under the container-level securityContext field
type: object
x-kubernetes-preserve-unknown-fields: true
init_container_image:
description: Registry path to the init container to use
type: string
Expand All @@ -1667,6 +1687,10 @@ spec:
init_container_extra_volume_mounts:
description: Specify volume mounts to be added to the init container
type: string
init_security_context:
description: Key/values that will be set under the container-level securityContext field
type: object
x-kubernetes-preserve-unknown-fields: true
init_projects_container_image:
description: Registry path to the init projects container to use
type: string
Expand Down Expand Up @@ -1798,7 +1822,11 @@ spec:
description: Set session cookie secure mode for web
type: string
postgres_security_context_settings:
description: Key/values that will be set under the pod-level securityContext field
description: (Deprecated) Key/values that will be set under the pod-level securityContext field
type: object
x-kubernetes-preserve-unknown-fields: true
postgres_security_context:
description: Key/values that will be set under the container-level securityContext field
type: object
x-kubernetes-preserve-unknown-fields: true
receptor_log_level:
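Review bot: The description of the deprecated `postgres_security_context_settings` still says "pod-level securityContext", yet the statefulset template in this same commit renders both it and its replacement as sibling keys of the `postgres` container entry, so the value appears to have always landed at the container level; the deprecation note is the place to state that and to name the successor, e.g. `description: (Deprecated) Use postgres_security_context instead; values are applied to the postgres container-level securityContext`. `task_privileged` and `redis_capabilities` are likewise marked deprecated without naming `task_security_context` / `redis_security_context` as their replacements. The seven new `*_security_context` entries share one identical description; a short sentence per field naming the container it targets (init, EE, rsyslog, redis, task, web, postgres) would keep the generated docs and the OLM form unambiguous.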
41 changes: 38 additions & 3 deletions config/manifests/bases/awx-operator.clusterserviceversion.yaml
Expand Up @@ -104,11 +104,16 @@ spec:
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: PostgreSQL Security Context Settings
- displayName: PostgreSQL Security Context Settings (Deprecated)
path: postgres_security_context_settings
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: PostgreSQL Security Context
path: postgres_security_context
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: PostgreSQL Image
path: postgres_image
x-descriptors:
Expand Down Expand Up @@ -435,6 +440,11 @@ spec:
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:resourceRequirements
- displayName: Web Security Context Settings
path: web_security_context
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Task Container Resource Requirements
path: task_resource_requirements
x-descriptors:
Expand All @@ -457,11 +467,21 @@ spec:
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:resourceRequirements
- displayName: Redis Security Context Settings
path: redis_security_context
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Rsyslog Container Resource Requirements
path: rsyslog_resource_requirements
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:resourceRequirements
- displayName: Rsyslog Security Context Settings
path: rsyslog_security_context
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: The PostgreSQL container is not used when an external DB is configured
displayName: PostgreSQL Container Resource Requirements
path: postgres_resource_requirements
Expand Down Expand Up @@ -545,7 +565,7 @@ spec:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Should the task container deployed with privileged level?
- displayName: Should the task container deployed with privileged level? (Deprecated)
path: task_privileged
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
Expand Down Expand Up @@ -586,7 +606,7 @@ spec:
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Redis Capabilities
- displayName: Redis Capabilities (Deprecated)
path: redis_capabilities
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
Expand Down Expand Up @@ -745,6 +765,11 @@ spec:
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: EE Security Context Settings
path: ee_security_context
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: Registry path to the Execution Environment container to use
displayName: EE Images
path: ee_images
Expand Down Expand Up @@ -776,6 +801,11 @@ spec:
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Task Security Context Settings
path: task_security_context
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Web Args
path: web_args
x-descriptors:
Expand Down Expand Up @@ -981,6 +1011,11 @@ spec:
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- displayName: Init Security Context Settings
path: init_security_context
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:hidden
- description: Secret where can be found the trusted Certificate Authority Bundle
path: bundle_cacert_secret
x-descriptors:
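Review bot: The display names of the new entries disagree with their paths and with the postgres entry: `web_security_context`, `redis_security_context`, `rsyslog_security_context`, `ee_security_context`, `task_security_context` and `init_security_context` are all titled "... Security Context Settings", while `postgres_security_context` is titled "PostgreSQL Security Context", and the "Settings" suffix is exactly what the deprecated pod-level `security_context_settings` / `postgres_security_context_settings` keys carry. Aligning them with the postgres entry, e.g. `- displayName: Web Security Context`, stops the OLM form from implying the new keys are pod-level. None of the new entries has a `description:` (compare the postgres resource-requirements entry later in this file), so the form gives no hint that these objects are passed verbatim into the container securityContext.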
16 changes: 11 additions & 5 deletions docs/user-guide/advanced-configuration/security-context.md
@@ -1,11 +1,17 @@
#### Service Account

It is possible to modify some `SecurityContext` proprieties of the various deployments and stateful sets if needed.
It is possible to modify some `SecurityContext` properties of the various deployments and stateful sets if needed.

| Name | Description | Default |
| ---------------------------------- | -------------------------------------------- | ------- |
| security_context_settings | SecurityContext for Task and Web deployments | {} |
| postgres_security_context_settings | SecurityContext for Task and Web deployments | {} |
| Name | Description | Default |
| ---------------------------------- | -------------------------------------------------------------------- | ------- |
| security_context_settings | Pod Level SecurityContext for Task and Web deployments | {} |
| postgres_security_context | SecurityContext for Task and Web deployments | {} |
| web_security_context | Container Level SecurityContext for Web deployment | {} |
| redis_security_context | Redis Container Level SecurityContext for Task and Web deployments | {} |
| rsyslog_security_context | Rsyslog Container Level SecurityContext for Task and Web deployments | {} |
| ee_security_context | EE Container Level SecurityContext for Task deployments | {} |
| task_security_context | Container Level SecurityContext for Task deployment | {} |
| init_security_context | Init Container Level SecurityContext for Task and Web deployments | {} |


Example configuration securityContext for the Task and Web deployments:
9 changes: 8 additions & 1 deletion roles/installer/defaults/main.yml
Expand Up @@ -441,7 +441,14 @@ garbage_collect_secrets: false
development_mode: false

security_context_settings: {}
postgres_security_context_settings: {}
postgres_security_context_settings: {} # Deprecated

postgres_security_context: {}
redis_security_context: {}
init_security_context: {}
task_security_context: {}
rsyslog_security_context: {}
web_security_context: {}
ee_security_context: {}

# Set no_log settings on certain tasks
no_log: true
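Review bot: The trailing comment on `postgres_security_context_settings: {} # Deprecated` has only one space before `#`, which the molecule yamllint job flags as `[comments] too few spaces before comment`; write it as `postgres_security_context_settings: {}  # Deprecated`. A comment that names the replacement is more useful than the bare marker, e.g. `# Deprecated: use postgres_security_context (container-level) instead` on the line above. The other keys deprecated in this commit, `task_privileged` and `redis_capabilities`, are presumably defaulted elsewhere in this file and would benefit from the same marker.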
33 changes: 30 additions & 3 deletions roles/installer/templates/deployments/task.yaml.j2
Expand Up @@ -78,6 +78,10 @@ spec:
image: '{{ _init_container_image }}'
imagePullPolicy: '{{ image_pull_policy }}'
resources: {{ init_container_resource_requirements }}
{% if init_security_context|length %}
securityContext:
{{ init_security_context | to_yaml | indent(12,true) }}
{%- endif %}
command:
- /bin/sh
- -c
Expand Down Expand Up @@ -124,6 +128,10 @@ spec:
image: '{{ _init_projects_container_image }}'
imagePullPolicy: '{{ image_pull_policy }}'
resources: {{ init_container_resource_requirements }}
{% if init_security_context|length %}
securityContext:
{{ init_security_context | to_yaml | indent(12,true) }}
{%- endif %}
command:
- /bin/sh
- -c
Expand All @@ -143,10 +151,16 @@ spec:
- image: '{{ _redis_image }}'
imagePullPolicy: '{{ image_pull_policy }}'
name: redis
{% if redis_capabilities is defined and redis_capabilities %}
{% if redis_security_context|length or redis_capabilities is defined %}
securityContext:
{% if redis_security_context|length %}
{{ redis_security_context | to_nice_yaml | indent(12,true) }}
{%- endif %}
{% if redis_capabilities is defined and redis_capabilities %}
capabilities:
add: {{ redis_capabilities }}
add:
{{ redis_capabilities | to_yaml | indent(16,true) }}
{%- endif %}
{% endif %}
args: ["redis-server", "/etc/redis.conf"]
volumeMounts:
Expand Down Expand Up @@ -179,10 +193,15 @@ spec:
- image: '{{ _image }}'
name: '{{ ansible_operator_meta.name }}-task'
imagePullPolicy: '{{ image_pull_policy }}'
{% if task_privileged == true %}
{% if task_security_context|length or task_privileged == true %}
securityContext:
{% if task_security_context|length %}
{{ task_security_context | to_yaml | indent(12,true) }}
{%- endif %}
{% if task_privileged == true %}
privileged: true
{% endif %}
{% endif %}
{% if task_command %}
command: {{ task_command }}
{% endif %}
Expand Down Expand Up @@ -282,6 +301,10 @@ spec:
name: '{{ ansible_operator_meta.name }}-ee'
imagePullPolicy: '{{ image_pull_policy }}'
resources: {{ ee_resource_requirements }}
{% if ee_security_context|length %}
securityContext:
{{ ee_security_context | to_yaml | indent(12,true) }}
{%- endif %}
args:
- /bin/sh
- -c
Expand Down Expand Up @@ -354,6 +377,10 @@ spec:
{% endif %}
imagePullPolicy: '{{ image_pull_policy }}'
resources: {{ rsyslog_resource_requirements }}
{% if rsyslog_security_context|length %}
securityContext:
{{ rsyslog_security_context | to_yaml | indent(12,true) }}
{%- endif %}
volumeMounts:
- name: "{{ ansible_operator_meta.name }}-application-credentials"
mountPath: "/etc/tower/conf.d/credentials.py"
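Review bot: The new redis guard `{% if redis_security_context|length or redis_capabilities is defined %}` drops the truthiness check the old guard had, so a defined-but-empty `redis_capabilities` (for example `[]`) emits a bare `securityContext:` key with no body, which the YAML loader reads as null; keep the old form inside the new one: `{% if redis_security_context|length or (redis_capabilities is defined and redis_capabilities) %}`. The same guard appears on the redis container in web.yaml.j2. Separately, the deprecated keys are appended after the new dict rather than merged: `privileged: true` from `task_privileged` and `capabilities:` from `redis_capabilities` are emitted after the user's `task_security_context` / `redis_security_context`, so a new dict that sets `privileged: false` or its own `capabilities` produces a duplicate key and the deprecated value wins under a last-key-wins loader — combining the two dicts before rendering, or an explicit precedence like the `elif` used in postgres.yaml.j2, would make the override visible. The redis block also uses `to_nice_yaml` where every other container in this file uses `to_yaml`; one filter across the file keeps the rendered indentation predictable.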
27 changes: 25 additions & 2 deletions roles/installer/templates/deployments/web.yaml.j2
Expand Up @@ -85,6 +85,10 @@ spec:
image: '{{ _init_container_image }}'
imagePullPolicy: '{{ image_pull_policy }}'
resources: {{ init_container_resource_requirements }}
{% if init_security_context|length %}
securityContext:
{{ init_security_context | to_yaml | indent(12,true) }}
{%- endif %}
command:
- /bin/sh
- -c
Expand Down Expand Up @@ -114,6 +118,10 @@ spec:
image: '{{ _init_projects_container_image }}'
imagePullPolicy: '{{ image_pull_policy }}'
resources: {{ init_container_resource_requirements }}
{% if init_security_context|length %}
securityContext:
{{ init_security_context | to_yaml | indent(12,true) }}
{%- endif %}
command:
- /bin/sh
- -c
Expand All @@ -133,10 +141,16 @@ spec:
- image: '{{ _redis_image }}'
imagePullPolicy: '{{ image_pull_policy }}'
name: redis
{% if redis_capabilities is defined and redis_capabilities %}
{% if redis_security_context|length or redis_capabilities is defined %}
securityContext:
{% if redis_security_context|length %}
{{ redis_security_context | to_nice_yaml | indent(12,true) }}
{%- endif %}
{% if redis_capabilities is defined and redis_capabilities %}
capabilities:
add: {{ redis_capabilities }}
add:
{{ redis_capabilities | to_yaml | indent(16,true) }}
{%- endif %}
{% endif %}
args: ["redis-server", "/etc/redis.conf"]
volumeMounts:
Expand Down Expand Up @@ -261,6 +275,10 @@ spec:
{{ web_extra_env | indent(width=12, first=True) }}
{% endif %}
resources: {{ web_resource_requirements }}
{% if web_security_context|length %}
securityContext:
{{ web_security_context | to_yaml | indent(12,true) }}
{%- endif %}
- image: '{{ _image }}'
name: '{{ ansible_operator_meta.name }}-rsyslog'
{% if rsyslog_command %}
Expand All @@ -270,6 +288,11 @@ spec:
args: {{ rsyslog_args }}
{% endif %}
imagePullPolicy: '{{ image_pull_policy }}'
resources: {{ rsyslog_resource_requirements }}
{% if rsyslog_security_context|length %}
securityContext:
{{ rsyslog_security_context | to_yaml | indent(12,true) }}
{%- endif %}
volumeMounts:
- name: "{{ ansible_operator_meta.name }}-application-credentials"
mountPath: "/etc/tower/conf.d/credentials.py"
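Review bot: The last hunk (`@@ -270,6 +288,11 @@`) adds five lines but only four belong to the securityContext block, so by the line counts `resources: {{ rsyslog_resource_requirements }}` on the rsyslog container is new here, while task.yaml.j2 already has it as context; that is a behaviour change unrelated to the commit's stated purpose (the web rsyslog container apparently ran without resource requirements before) and deserves a mention in the commit message or its own commit so anyone bisecting a resource-related regression can find it. The web container's securityContext is placed after `resources:` while the init and rsyslog containers in this file put it before `command:` / `volumeMounts:`; key order is not significant to Kubernetes, but a consistent position makes the templates easier to diff against each other.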
5 changes: 4 additions & 1 deletion roles/installer/templates/statefulsets/postgres.yaml.j2
Expand Up @@ -51,7 +51,10 @@ spec:
- image: '{{ _postgres_image }}'
imagePullPolicy: '{{ image_pull_policy }}'
name: postgres
{% if postgres_security_context_settings|length %}
{% if postgres_security_context|length %}
securityContext:
{{ postgres_security_context | to_nice_yaml | indent(12) }}
{% elif postgres_security_context_settings|length %}
securityContext:
{{ postgres_security_context_settings | to_nice_yaml | indent(12) }}
{% endif %}
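Review bot: The `elif` gives `postgres_security_context` strict precedence and silently discards `postgres_security_context_settings` when both are non-empty, whereas task.yaml.j2 in this commit keeps honouring the deprecated `task_privileged` alongside the new `task_security_context`; the two deprecation paths should behave the same way, and a warning task in the role when the deprecated key is non-empty would tell operators their old value is being ignored rather than applied. The rendering form also differs from the deployments — `to_nice_yaml | indent(12)` here versus `to_yaml | indent(12,true)` there; it matches the existing deprecated line in this file, so it is internally consistent, but one form across the three templates would be easier to maintain. Note that the CRD description for the deprecated key calls it pod-level while this block sits under the `postgres` container entry, so the description should be corrected alongside this change.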
