From e4751f88e52aa8e89e4c94bc6fe4c3346eccf6fe Mon Sep 17 00:00:00 2001
From: "Suren A. Chilingaryan"
Date: Tue, 20 Feb 2018 15:10:45 +0100
Subject: Handling GlusterFS storage security in OpenShift containers
---
 roles/ands_kaas/templates/0-gfs-volumes.yml.j2 | 9 ++++---
 roles/ands_kaas/templates/6-kaas-pods.yml.j2 | 35 +++++++++++++++++++++-----
 2 files changed, 34 insertions(+), 10 deletions(-)
(limited to 'roles/ands_kaas/templates')
diff --git a/roles/ands_kaas/templates/0-gfs-volumes.yml.j2 b/roles/ands_kaas/templates/0-gfs-volumes.yml.j2
index a162c8b..8e5842a 100644
--- a/roles/ands_kaas/templates/0-gfs-volumes.yml.j2
+++ b/roles/ands_kaas/templates/0-gfs-volumes.yml.j2
@@ -7,10 +7,11 @@ metadata:
 descriptions: "KATRIN Volumes"
 objects:
 {% for name, vol in (kaas_project_config.volumes | default(kaas_openshift_volumes)).iteritems() %}
+{% set oc_name = vol.name | default(name) | regex_replace('_','-') %}
 - apiVersion: v1
 kind: PersistentVolume
 metadata:
- name: {{ vol.name | default(name) }}
+ name: {{ oc_name }}
 spec:
 persistentVolumeReclaimPolicy: Retain
 glusterfs:
@@ -22,14 +23,14 @@ objects:
 capacity:
 storage: {{ vol.capacity | default(kaas_default_volume_capacity) }}
 claimRef:
- name: {{ vol.name | default(name) }}
+ name: {{ oc_name }}
 namespace: {{ kaas_project }}
 - apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
- name: {{ vol.name | default(name) }}
+ name: {{ oc_name }}
 spec:
- volumeName: {{ vol.name | default(name) }}
+ volumeName: {{ oc_name }}
 accessModes:
 - {{ vol.access | default('ReadWriteMany') }}
 resources:
diff --git a/roles/ands_kaas/templates/6-kaas-pods.yml.j2 b/roles/ands_kaas/templates/6-kaas-pods.yml.j2
index 479b343..d5418d3 100644
--- a/roles/ands_kaas/templates/6-kaas-pods.yml.j2
+++ b/roles/ands_kaas/templates/6-kaas-pods.yml.j2
@@ -36,7 +36,7 @@ objects:
 - apiVersion: v1
 kind: Route
 metadata:
- name: kaas
+ name: {{ pod.name | default(name) }}
 spec:
 host: {{ pod.service.host }}
 to: 
@@ -66,7 +66,7 @@ objects:
 - apiVersion: v1
 kind: DeploymentConfig
 metadata:
- name: kaas
+ name: {{ pod.name | default(name) }}
 spec:
 replicas: {{ pod.sched.replicas | default(1) }}
 selector:
@@ -93,11 +93,32 @@ objects:
 {% for img in pod.images %}
 {% set imgidx = loop.index %}
 {% for vol in img.mappings %}
+ {% set oc_name = vol.name | default(name) | regex_replace('_','-') %}
 - name: vol-{{imgidx}}-{{loop.index}}
 persistentVolumeClaim:
- claimName: {{ vol.name }}
+ claimName: {{ oc_name }}
 {% endfor %}
 {% endfor %}
+ {% endif %}
+ {% if (pod.groups is defined) or (pod.run_as is defined) %}
+ securityContext:
+ {% if (pod.run_as is defined) %}
+ {% if (kaas_project_config.uids | default(kaas_openshift_uids))[pod.run_as] is defined %}
+ - {{ (kaas_project_config.uids | default(kaas_openshift_uids))[pod.run_as].id }}
+ {% else %}
+ - pod.run_as
+ {% endif %}
+ {% endif %}
+ {% if (pod.groups is defined) %}
+ supplementalGroups:
+ {% for group in pod.groups %}
+ {% if (kaas_project_config.gids | default(kaas_openshift_gids))[group] is defined %}
+ - {{ (kaas_project_config.gids | default(kaas_openshift_gids))[group].id }}
+ {% else %}
+ - group
+ {% endif %}
+ {% endfor %}
+ {% endif %}
 {% endif %}
 containers:
 {% for img in pod.images %}
@@ -118,10 +139,12 @@ objects:
 {% endif %}
 {% if img.env is defined %}
 env:
- {% for env_name, env_val in img.env.iteritems() %}
+ {% for env_item in img.env %}
+ {% set env_name = env_item.name %}
+ {% set env_val = env_item.value %}
 {% set env_parts = (env_val | string).split('@') %}
+ - name: "{{ env_name }}"
 {% if env_parts[0] == "secret" %}
- - name: {{ env_name }}
 {% set env_sec = (env_parts[1] | string).split('/') %}
 valueFrom:
 secretKeyRef:
@@ -134,7 +157,7 @@ objects:
 name: {{ env_cm[0] }}
 key: {{ env_cm[1] }}
 {% else %}
- value: {{ env_val }}
+ value: "{{ env_val }}"
 {% endif %}
 {% endfor %}
 {% endif %}
-- 
cgit v1.2.3
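Review bot: The new `oc_name` expression in the first hunk of `0-gfs-volumes.yml.j2` only rewrites underscores, so a volume key containing upper-case letters or other characters outside the DNS-1123 label set still renders an invalid PersistentVolume/PersistentVolumeClaim name that the API server rejects instead of the template catching it. Adding a case fold on the same line, `{% set oc_name = vol.name | default(name) | regex_replace('_','-') | lower %}`, covers the usual case; a wider character class in the regex would cover the rest. The identical expression is introduced again in the volumes hunk of `6-kaas-pods.yml.j2`, and the two must stay byte-identical since the pod's `claimName` has to match the PVC name exactly.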
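Review bot: `name: {{ pod.name | default(name) }}` on the Route is emitted without the underscore-to-dash rewrite this commit applies to volume names, so a pod key that is fine as a Jinja/Ansible identifier but contains `_` yields an object name the API server rejects; the DeploymentConfig hunk in the same file has the same line. Applying the same `| regex_replace('_','-')` here, ideally through one `{% set %}` at the top of the pod loop (which starts outside this hunk), keeps the naming rule in one place. Since `pod.name` is now a config-supplied value that reaches object names, a one-line comment at that set stating the expected DNS-1123 form would help the next editor of the project config.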
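Review bot: The `run_as` branch under `securityContext:` renders a bare sequence item (`- {{ ... .id }}`) directly beneath the mapping with no `runAsUser:` key, and both fallbacks emit the literal text `pod.run_as` and `group` because the `{{ }}` is missing, so any pod with `run_as` set, or with a group absent from the gid table, produces a manifest that does not parse or carries no UID/GID at all. The fix is to emit `runAsUser:` as a scalar and to interpolate the fallbacks, as below; because the fallback passes the configured value through verbatim, a short comment that an unmapped `run_as` is trusted as a raw numeric UID and is bounded only by the project's SCC would make the trust boundary visible. The `{% if %}` that the pre-existing trailing `{% endif %}` now closes starts outside the hunk, so the new inner `{% endif %}` pairing should be checked against that opening.
```jinja
  securityContext:
  {% if (pod.run_as is defined) %}
  {% if (kaas_project_config.uids | default(kaas_openshift_uids))[pod.run_as] is defined %}
    runAsUser: {{ (kaas_project_config.uids | default(kaas_openshift_uids))[pod.run_as].id }}
  {% else %}
    {# unmapped run_as is used verbatim as a numeric UID; the SCC still bounds it #}
    runAsUser: {{ pod.run_as }}
  {% endif %}
  {% endif %}
  {# … unchanged: supplementalGroups header and group loop; its else branch becomes … #}
    - {{ group }}
```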
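Review bot: `- name: "{{ env_name }}"` in the env hunk and `value: "{{ env_val }}"` in the last hunk wrap config-supplied text in YAML double quotes, so a value containing `"` or `\` (a password, a JSON fragment, a Windows path) either breaks the rendered document or is reinterpreted as an escape sequence. Rendering through the JSON filter, `- name: {{ env_name | to_json }}` and `value: {{ env_val | to_json }}`, produces a correctly escaped double-quoted scalar and still keeps digit-only and boolean-looking values as strings, which is what the added quoting was for. Also, `{% set env_val = env_item.value %}` runs for every item, so an entry without a `value` key reaches the `@` split on the next line as an undefined value, and what happens then depends on the undefined handling in use; `env_item.value | default('')` would make that path explicit.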