Merge pull request rook#14867 from rook/mergify/bp/release-1.15/pr-14823
core: define empty securityContext for pods to fix CIS 5.7.3 (backport rook#14823)
mergify[bot] authored Oct 17, 2024
2 parents bf7f9eb + c55756c commit d22f420
Showing 27 changed files with 29 additions and 2 deletions.
1 change: 1 addition & 0 deletions pkg/operator/ceph/cluster/cleanup.go
Expand Up @@ -162,6 +162,7 @@ func (c *ClusterController) cleanUpJobTemplateSpec(cluster *cephv1.CephCluster,
Volumes: volumes,
RestartPolicy: v1.RestartPolicyOnFailure,
PriorityClassName: cephv1.GetCleanupPriorityClassName(cluster.Spec.PriorityClassNames),
SecurityContext: &v1.PodSecurityContext{},
ServiceAccountName: k8sutil.DefaultServiceAccount,
HostNetwork: opcontroller.EnforceHostNetwork(),
},
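Review bot: The `SecurityContext: &v1.PodSecurityContext{}` added here, and in the matching hunks of the other 17 Go files in this commit, satisfies the CIS 5.7.3 presence check but sets no fields, so the pod's runtime posture (user, fsGroup, seccomp profile, sysctls) is unchanged and a later reader could take the line for hardening. Add a why-comment on it, `// Empty by design: satisfies the CIS 5.7.3 check that a pod-level securityContext is declared; it sets no runAsNonRoot, fsGroup or seccomp profile.` The same literal is now repeated in every pod spec; one helper in a shared package (`opcontroller` or `k8sutil`, both already imported by several of these files) returning the default pod context would let future hardening land in one place and keep new pod specs from omitting it. Since the template spec of every existing Deployment, DaemonSet and Job changes, a rolling restart of the daemons on upgrade seems likely and is worth stating in the PR description. cleanUpJobTemplateSpec's body starts and ends outside the hunk.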
1 change: 1 addition & 0 deletions pkg/operator/ceph/cluster/mgr/spec.go
Expand Up @@ -61,6 +61,7 @@ func (c *Cluster) makeDeployment(mgrConfig *mgrConfig) (*apps.Deployment, error)
Containers: []v1.Container{
c.makeMgrDaemonContainer(mgrConfig),
},
SecurityContext: &v1.PodSecurityContext{},
ServiceAccountName: serviceAccountName,
RestartPolicy: v1.RestartPolicyAlways,
Volumes: volumes,
1 change: 1 addition & 0 deletions pkg/operator/ceph/cluster/mon/spec.go
Expand Up @@ -190,6 +190,7 @@ func (c *Cluster) makeMonPod(monConfig *monConfig, canary bool) (*corev1.Pod, er
Volumes: controller.DaemonVolumesBase(monConfig.DataPathMap, keyringStoreName, c.spec.DataDirHostPath),
HostNetwork: monConfig.UseHostNetwork,
PriorityClassName: cephv1.GetMonPriorityClassName(c.spec.PriorityClassNames),
SecurityContext: &corev1.PodSecurityContext{},
ServiceAccountName: k8sutil.DefaultServiceAccount,
}

1 change: 1 addition & 0 deletions pkg/operator/ceph/cluster/nodedaemon/crash.go
Expand Up @@ -121,6 +121,7 @@ func (r *ReconcileNode) createOrUpdateCephCrash(node corev1.Node, tolerations []
HostNetwork: cephCluster.Spec.Network.IsHost(),
Volumes: volumes,
PriorityClassName: cephv1.GetCrashCollectorPriorityClassName(cephCluster.Spec.PriorityClassNames),
SecurityContext: &corev1.PodSecurityContext{},
ServiceAccountName: k8sutil.DefaultServiceAccount,
},
}
1 change: 1 addition & 0 deletions pkg/operator/ceph/cluster/nodedaemon/exporter.go
Expand Up @@ -144,6 +144,7 @@ func (r *ReconcileNode) createOrUpdateCephExporter(node corev1.Node, tolerations
Volumes: volumes,
PriorityClassName: cephv1.GetCephExporterPriorityClassName(cephCluster.Spec.PriorityClassNames),
TerminationGracePeriodSeconds: &terminationGracePeriodSeconds,
SecurityContext: &corev1.PodSecurityContext{},
ServiceAccountName: k8sutil.DefaultServiceAccount,
},
}
1 change: 1 addition & 0 deletions pkg/operator/ceph/cluster/nodedaemon/pruner.go
Expand Up @@ -110,6 +110,7 @@ func (r *ReconcileNode) createOrUpdateCephCron(cephCluster cephv1.CephCluster, c
RestartPolicy: corev1.RestartPolicyNever,
HostNetwork: cephCluster.Spec.Network.IsHost(),
Volumes: volumes,
SecurityContext: &corev1.PodSecurityContext{},
ServiceAccountName: k8sutil.DefaultServiceAccount,
},
}
1 change: 1 addition & 0 deletions pkg/operator/ceph/cluster/osd/key_rotation.go
Expand Up @@ -161,6 +161,7 @@ func (c *Cluster) getKeyRotationPodTemplateSpec(osdProps osdProperties, osd OSDI
HostNetwork: c.spec.Network.IsHost(),
PriorityClassName: cephv1.GetOSDPriorityClassName(c.spec.PriorityClassNames),
SchedulerName: osdProps.schedulerName,
SecurityContext: &v1.PodSecurityContext{},
},
}
if c.spec.Network.IsHost() {
1 change: 1 addition & 0 deletions pkg/operator/ceph/cluster/osd/provision_spec.go
Expand Up @@ -158,6 +158,7 @@ func (c *Cluster) provisionPodTemplateSpec(osdProps osdProperties, restart v1.Re
HostNetwork: opcontroller.EnforceHostNetwork(),
PriorityClassName: cephv1.GetOSDPriorityClassName(c.spec.PriorityClassNames),
SchedulerName: osdProps.schedulerName,
SecurityContext: &v1.PodSecurityContext{},
}
if c.spec.Network.IsHost() {
podSpec.DNSPolicy = v1.DNSClusterFirstWithHostNet
5 changes: 3 additions & 2 deletions pkg/operator/ceph/cluster/osd/spec.go
Expand Up @@ -656,8 +656,9 @@ func (c *Cluster) makeDeployment(osdProps osdProperties, osd *OSDInfo, provision
WorkingDir: opconfig.VarLogCephDir,
},
},
Volumes: volumes,
SchedulerName: osdProps.schedulerName,
Volumes: volumes,
SecurityContext: &v1.PodSecurityContext{},
SchedulerName: osdProps.schedulerName,
},
}

1 change: 1 addition & 0 deletions pkg/operator/ceph/cluster/rbd/spec.go
Expand Up @@ -43,6 +43,7 @@ func (r *ReconcileCephRBDMirror) makeDeployment(daemonConfig *daemonConfig, rbdM
Volumes: controller.DaemonVolumes(daemonConfig.DataPathMap, daemonConfig.ResourceName, r.cephClusterSpec.DataDirHostPath),
HostNetwork: r.cephClusterSpec.Network.IsHost(),
PriorityClassName: rbdMirror.Spec.PriorityClassName,
SecurityContext: &v1.PodSecurityContext{},
ServiceAccountName: k8sutil.DefaultServiceAccount,
},
}
1 change: 1 addition & 0 deletions pkg/operator/ceph/controller/cleanup.go
Expand Up @@ -129,6 +129,7 @@ func (c *ResourceCleanup) jobTemplateSpec() v1.PodTemplateSpec {
Volumes: volumes,
RestartPolicy: v1.RestartPolicyOnFailure,
PriorityClassName: cephv1.GetCleanupPriorityClassName(c.cluster.Spec.PriorityClassNames),
SecurityContext: &v1.PodSecurityContext{},
ServiceAccountName: k8sutil.DefaultServiceAccount,
},
}
Expand Up @@ -29,6 +29,7 @@ spec:
spec:
# HostPID is needed to expose the correct process ID network namespace and not the process namespace
hostPID: true
securityContext: {}
serviceAccountName: rook-csi-cephfs-plugin-sa
{{ if .PluginPriorityClassName }}
priorityClassName: {{ .PluginPriorityClassName }}
Expand Up @@ -17,6 +17,7 @@ spec:
{{ $key }}: "{{ $value }}"
{{ end }}
spec:
securityContext: {}
serviceAccountName: rook-csi-cephfs-provisioner-sa
{{ if .ProvisionerPriorityClassName }}
priorityClassName: {{ .ProvisionerPriorityClassName }}
Expand Up @@ -22,6 +22,7 @@ spec:
{{ $key }}: "{{ $value }}"
{{ end }}
spec:
securityContext: {}
serviceAccountName: rook-csi-cephfs-plugin-sa
hostNetwork: {{ .EnableCSIHostNetwork }}
{{ if .PluginPriorityClassName }}
Expand Up @@ -29,6 +29,7 @@ spec:
spec:
# HostPID is needed to expose the correct process ID network namespace and not the process namespace
hostPID: true
securityContext: {}
serviceAccountName: rook-csi-nfs-plugin-sa
{{ if .PluginPriorityClassName }}
priorityClassName: {{ .PluginPriorityClassName }}
Expand Up @@ -16,6 +16,7 @@ spec:
{{ $key }}: "{{ $value }}"
{{ end }}
spec:
securityContext: {}
serviceAccountName: rook-csi-nfs-provisioner-sa
{{ if .ProvisionerPriorityClassName }}
priorityClassName: {{ .ProvisionerPriorityClassName }}
1 change: 1 addition & 0 deletions pkg/operator/ceph/csi/template/nfs/csi-nfsplugin.yaml
Expand Up @@ -17,6 +17,7 @@ spec:
{{ $key }}: "{{ $value }}"
{{ end }}
spec:
securityContext: {}
serviceAccountName: rook-csi-nfs-plugin-sa
hostNetwork: {{ .EnableCSIHostNetwork }}
{{ if .PluginPriorityClassName }}
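Review bot: `securityContext: {}` under the pod `spec:` here, and in the other eight CSI template hunks in this commit, declares the key for the CIS 5.7.3 check but sets nothing, so it adds no restriction to a plugin pod that may run with `hostNetwork` and, in the plugin templates, `hostPID: true`. Add a comment above the key so it is not mistaken for hardening, `# Empty by design: CIS 5.7.3 only requires a pod-level securityContext to be declared; it sets no runAsNonRoot, fsGroup or seccomp profile.` If any of these templates can also receive a pod-level securityContext from operator settings, the literal `{}` would need to merge with it rather than stand alone; I cannot tell that from the hunk. The pod spec continues outside the hunk.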
Expand Up @@ -29,6 +29,7 @@ spec:
spec:
# HostPID is needed to expose the correct process ID network namespace and not the process namespace
hostPID: true
securityContext: {}
serviceAccountName: rook-csi-rbd-plugin-sa
{{ if .PluginPriorityClassName }}
priorityClassName: {{ .PluginPriorityClassName }}
Expand Up @@ -17,6 +17,7 @@ spec:
{{ $key }}: "{{ $value }}"
{{ end }}
spec:
securityContext: {}
serviceAccountName: rook-csi-rbd-provisioner-sa
{{ if .ProvisionerPriorityClassName }}
priorityClassName: {{ .ProvisionerPriorityClassName }}
1 change: 1 addition & 0 deletions pkg/operator/ceph/csi/template/rbd/csi-rbdplugin.yaml
Expand Up @@ -22,6 +22,7 @@ spec:
{{ $key }}: "{{ $value }}"
{{ end }}
spec:
securityContext: {}
serviceAccountName: rook-csi-rbd-plugin-sa
{{ if .PluginPriorityClassName }}
priorityClassName: {{ .PluginPriorityClassName }}
1 change: 1 addition & 0 deletions pkg/operator/ceph/file/mds/spec.go
Expand Up @@ -65,6 +65,7 @@ func (c *Cluster) makeDeployment(mdsConfig *mdsConfig, fsNamespacedname types.Na
Volumes: controller.DaemonVolumes(mdsConfig.DataPathMap, mdsConfig.ResourceName, c.clusterSpec.DataDirHostPath),
HostNetwork: c.clusterSpec.Network.IsHost(),
PriorityClassName: c.fs.Spec.MetadataServer.PriorityClassName,
SecurityContext: &v1.PodSecurityContext{},
ServiceAccountName: k8sutil.DefaultServiceAccount,
},
}
1 change: 1 addition & 0 deletions pkg/operator/ceph/file/mirror/spec.go
Expand Up @@ -46,6 +46,7 @@ func (r *ReconcileFilesystemMirror) makeDeployment(daemonConfig *daemonConfig, f
Volumes: controller.DaemonVolumes(daemonConfig.DataPathMap, daemonConfig.ResourceName, r.cephClusterSpec.DataDirHostPath),
HostNetwork: r.cephClusterSpec.Network.IsHost(),
PriorityClassName: fsMirror.Spec.PriorityClassName,
SecurityContext: &v1.PodSecurityContext{},
ServiceAccountName: k8sutil.DefaultServiceAccount,
},
}
1 change: 1 addition & 0 deletions pkg/operator/ceph/nfs/spec.go
Expand Up @@ -149,6 +149,7 @@ func (r *ReconcileCephNFS) makeDeployment(nfs *cephv1.CephNFS, cfg daemonConfig)
// connecting to the krb server. give all ganesha servers the same hostname so they can all
// use the same krb credentials to auth
Hostname: fmt.Sprintf("%s-%s", nfs.Namespace, nfs.Name),
SecurityContext: &v1.PodSecurityContext{},
ServiceAccountName: k8sutil.DefaultServiceAccount,
}
// Replace default unreachable node toleration
1 change: 1 addition & 0 deletions pkg/operator/ceph/object/cosi/spec.go
Expand Up @@ -88,6 +88,7 @@ func createCOSIPodSpec(cephCOSIDriver *cephv1.CephCOSIDriver) (corev1.PodTemplat
cosiDriverContainer,
cosiSideCarContainer,
},
SecurityContext: &corev1.PodSecurityContext{},
ServiceAccountName: DefaultServiceAccountName,
Volumes: []corev1.Volume{
{Name: cosiSocketVolumeName, VolumeSource: corev1.VolumeSource{EmptyDir: &corev1.EmptyDirVolumeSource{}}},
1 change: 1 addition & 0 deletions pkg/operator/ceph/object/spec.go
Expand Up @@ -153,6 +153,7 @@ func (c *clusterConfig) makeRGWPodSpec(rgwConfig *rgwConfig) (v1.PodTemplateSpec
),
HostNetwork: hostNetwork,
PriorityClassName: c.store.Spec.Gateway.PriorityClassName,
SecurityContext: &v1.PodSecurityContext{},
ServiceAccountName: serviceAccountName,
}

1 change: 1 addition & 0 deletions pkg/operator/discover/discover.go
Expand Up @@ -177,6 +177,7 @@ func (d *Discover) createDiscoverDaemonSet(ctx context.Context, namespace, disco
},
HostNetwork: opcontroller.EnforceHostNetwork(),
PriorityClassName: k8sutil.GetValue(data, discoverDaemonsetPriorityClassNameEnv, ""),
SecurityContext: &v1.PodSecurityContext{},
},
},
},
1 change: 1 addition & 0 deletions pkg/operator/k8sutil/cmdreporter/cmdreporter.go
Expand Up @@ -302,6 +302,7 @@ func (cr *cmdReporterCfg) initJobSpec() (*batch.Job, error) {
*cmdReporterContainer,
},
RestartPolicy: v1.RestartPolicyOnFailure,
SecurityContext: &v1.PodSecurityContext{},
ServiceAccountName: k8sutil.DefaultServiceAccount,
HostNetwork: cephv1.EnforceHostNetwork(),
}