From 468de3e458966198b5e1b2e7c98d0a35ca855be8 Mon Sep 17 00:00:00 2001
From: Mikhail Klimko
Date: Mon, 18 Nov 2024 18:19:11 +0300
Subject: [PATCH] wip: Mon Nov 18 18:19:11 +03 2024
---
 charts/cf-runtime/README.md | 12 +++++++-----
 charts/cf-runtime/README.md.gotmpl | 12 +++++++-----
 .../_components/volume-provisioner/_daemonset.yaml | 4 ++--
 .../templates/runtime/runtime-env-spec-tmpl.yaml | 2 +-
 charts/cf-runtime/values-rootless.yaml | 12 +++++++-----
 5 files changed, 24 insertions(+), 18 deletions(-)
diff --git a/charts/cf-runtime/README.md b/charts/cf-runtime/README.md
index b92f1274..8373bc03 100644
--- a/charts/cf-runtime/README.md
+++ b/charts/cf-runtime/README.md
@@ -727,10 +727,12 @@ volumeProvisioner:
 image:
 tag: 1.30.0-rootless
 digest: sha256:712e549e6e843b04684647f17e0973f8047e0d60e6e8b38a693ea64dc75b0479
- podSecurityContext:
- enabled: true
+ containerSecurityContext:
 runAsUser: 1000
+ podSecurityContext:
 fsGroup: 1000
+ # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods
+ fsGroupChangePolicy: "OnRootMismatch"
 # -- Enable initContainer to run chmod for /var/lib/codefresh/dind-volumes on host nodes
 volumePermissions:
 enabled: false
@@ -746,15 +748,15 @@ runtime: mountPath: /home/rootless/ containerSecurityContext: privileged: true - podSecurityContext: - enabled: true runAsUser: 1000 + podSecurityContext: fsGroup: 1000 # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods fsGroupChangePolicy: "OnRootMismatch" # -- Enable initContainer to run chmod for /home/rootless in DinD pod + # !!! Will slow down dind pod startup volumePermissions: - enabled: false + enabled: true ``` ### ARM
diff --git a/charts/cf-runtime/README.md.gotmpl b/charts/cf-runtime/README.md.gotmpl
index dbfb6126..f3192802 100644
--- a/charts/cf-runtime/README.md.gotmpl
+++ b/charts/cf-runtime/README.md.gotmpl
@@ -729,10 +729,12 @@ volumeProvisioner:
 image:
 tag: 1.30.0-rootless
 digest: sha256:712e549e6e843b04684647f17e0973f8047e0d60e6e8b38a693ea64dc75b0479
- podSecurityContext:
- enabled: true
+ containerSecurityContext:
 runAsUser: 1000
+ podSecurityContext:
 fsGroup: 1000
+ # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods
+ fsGroupChangePolicy: "OnRootMismatch"
 # -- Enable initContainer to run chmod for /var/lib/codefresh/dind-volumes on host nodes
 volumePermissions:
 enabled: false
@@ -748,15 +750,15 @@ runtime: mountPath: /home/rootless/ containerSecurityContext: privileged: true - podSecurityContext: - enabled: true runAsUser: 1000 + podSecurityContext: fsGroup: 1000 # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods fsGroupChangePolicy: "OnRootMismatch" # -- Enable initContainer to run chmod for /home/rootless in DinD pod + # !!! Will slow down dind pod startup volumePermissions: - enabled: false + enabled: true ``` ### ARM
diff --git a/charts/cf-runtime/templates/_components/volume-provisioner/_daemonset.yaml b/charts/cf-runtime/templates/_components/volume-provisioner/_daemonset.yaml
index cb463231..b2481470 100644
--- a/charts/cf-runtime/templates/_components/volume-provisioner/_daemonset.yaml
+++ b/charts/cf-runtime/templates/_components/volume-provisioner/_daemonset.yaml
@@ -37,7 +37,7 @@ spec:
 args:
 - -ec
 - |
- chown -R {{ .Values.podSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} {{ $localVolumeParentDir }}
+ chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} {{ $localVolumeParentDir }}
 volumeMounts:
 - mountPath: {{ $localVolumeParentDir }}
 name: dind-volume-dir
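Review bot: The rewritten `chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} {{ $localVolumeParentDir }}` has no guard for a missing value, and the patch moves `runAsUser` out of `podSecurityContext` without touching the chart's default `values.yaml` (it is not in the diffstat). When `containerSecurityContext` is defined but carries no `runAsUser` — the likely shape of a values override written against the previous layout — Helm renders the missing key as an empty string and the command becomes `chown -R :1000 <dir>`, which only changes the group, exits 0 under `-ec`, and leaves the host-node directory owned by whatever uid it had. Failing the render is safer than a half-applied ownership change on a host path, e.g. `chown -R {{ required "containerSecurityContext.runAsUser must be set when volumePermissions.enabled=true" .Values.containerSecurityContext.runAsUser }}:{{ required "podSecurityContext.fsGroup must be set when volumePermissions.enabled=true" .Values.podSecurityContext.fsGroup }} {{ $localVolumeParentDir }}`. The initContainer this `args:` belongs to starts above the hunk, so whether it is itself gated on `volumePermissions.enabled` cannot be confirmed from here.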
@@ -95,4 +95,4 @@ spec:
 {{- toYaml . | nindent 6 }}
 {{- end }}
 {{- end }}
-{{- end -}}
\ No newline at end of file
+{{- end -}}
diff --git a/charts/cf-runtime/templates/runtime/runtime-env-spec-tmpl.yaml b/charts/cf-runtime/templates/runtime/runtime-env-spec-tmpl.yaml
index bb1b76d9..d1a8bfad 100644
--- a/charts/cf-runtime/templates/runtime/runtime-env-spec-tmpl.yaml
+++ b/charts/cf-runtime/templates/runtime/runtime-env-spec-tmpl.yaml
@@ -199,7 +199,7 @@ dockerDaemonScheduler:
 args:
 - -ec
 - |
- chown -R {{ $dindContext.podSecurityContext.runAsUser }}:{{ $dindContext.podSecurityContext.fsGroup }} /home/rootless/.local/share/docker
+ chown -R {{ $dindContext.containerSecurityContext.runAsUser }}:{{ $dindContext.podSecurityContext.fsGroup }} /home/rootless/.local/share/docker
 volumeMounts:
 - mountPath: /home/rootless/.local/share/docker
 name: dind
diff --git a/charts/cf-runtime/values-rootless.yaml b/charts/cf-runtime/values-rootless.yaml
index 43d681c5..fc7edb4d 100644
--- a/charts/cf-runtime/values-rootless.yaml
+++ b/charts/cf-runtime/values-rootless.yaml
@@ -6,10 +6,12 @@ volumeProvisioner:
 image:
 tag: 1.30.0-rootless
 digest: sha256:712e549e6e843b04684647f17e0973f8047e0d60e6e8b38a693ea64dc75b0479
- podSecurityContext:
- enabled: true
+ containerSecurityContext:
 runAsUser: 1000
+ podSecurityContext:
 fsGroup: 1000
+ # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods
+ fsGroupChangePolicy: "OnRootMismatch"
 # -- Enable initContainer to run chmod for /var/lib/codefresh/dind-volumes on host nodes
 volumePermissions:
 enabled: false
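Review bot: The `chown -R` on `/home/rootless/.local/share/docker` is unconditional, and because `values-rootless.yaml` in this same patch now enables `volumePermissions` by default, it walks the whole Docker data directory on every DinD pod start — the slowdown the patch itself warns about — even when ownership is already correct. Checking the directory root first, the same heuristic as the `fsGroupChangePolicy: OnRootMismatch` this pod already sets, skips the walk on warm volumes, and since `runAsUser` has just moved to `containerSecurityContext`, a `required` guard stops an override still using the old key from rendering an empty uid and silently chowning only the group. `stat -c` assumes a GNU or busybox userland in the init image, which this hunk does not show — confirm before relying on it. The initContainer entry and the `$dindContext` variable this reads are defined above the hunk.
```yaml
- |
  uid={{ required "containerSecurityContext.runAsUser must be set when volumePermissions.enabled=true" $dindContext.containerSecurityContext.runAsUser }}
  gid={{ required "podSecurityContext.fsGroup must be set when volumePermissions.enabled=true" $dindContext.podSecurityContext.fsGroup }}
  # Mirror fsGroupChangePolicy=OnRootMismatch: only recurse when the root is not already owned by uid:gid
  if [ "$(stat -c '%u:%g' /home/rootless/.local/share/docker)" != "${uid}:${gid}" ]; then
    chown -R "${uid}:${gid}" /home/rootless/.local/share/docker
  fi
# … unchanged: volumeMounts …
```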
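Review bot: Dropping `podSecurityContext.enabled: true` from the `volumeProvisioner` values is only safe if nothing still reads that flag, yet the diffstat shows no template change beyond the two `chown` lines; if the volume-provisioner templates gate their securityContext on `.Values.podSecurityContext.enabled`, this rootless profile would now render with neither `fsGroup` nor `runAsUser` applied at all. Please confirm the gate was removed in an earlier commit or never existed — it cannot be verified from this patch. On the new lines, `fsGroupChangePolicy: OnRootMismatch` only takes effect for volume types whose ownership the kubelet manages, so it presumably does not cover the host-node directory the adjacent `volumePermissions` init container exists for, and the unchanged description `# -- Enable initContainer to run chmod ...` no longer matches the daemonset template, which runs `chown -R` with exactly the `runAsUser` value this hunk relocates. Suggest `# -- Enable initContainer that runs chown -R <containerSecurityContext.runAsUser>:<podSecurityContext.fsGroup> on /var/lib/codefresh/dind-volumes on host nodes`.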
@@ -25,12 +27,12 @@ runtime:
 mountPath: /home/rootless/
 containerSecurityContext:
 privileged: true
- podSecurityContext:
- enabled: true
 runAsUser: 1000
+ podSecurityContext:
 fsGroup: 1000
 # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods
 fsGroupChangePolicy: "OnRootMismatch"
 # -- Enable initContainer to run chmod for /home/rootless in DinD pod
+ # !!! Will slow down dind pod startup
 volumePermissions:
- enabled: false
+ enabled: true
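Review bot: Flipping `volumePermissions.enabled` to `true` makes the rootless profile run a recursive `chown` init container (the `runtime-env-spec-tmpl.yaml` hunk shows the command) over `/home/rootless/.local/share/docker` at every DinD pod start; changing ownership of files it does not own needs CAP_CHOWN, so that init container presumably runs as root even though the main container is pinned to `runAsUser: 1000`, and the values comment should say so rather than only warning about speed. The pod already sets `fsGroup: 1000` with `fsGroupChangePolicy: OnRootMismatch`, so for volume types whose ownership the kubelet manages the init container is redundant and only the slowdown remains; if the default must be `true`, state why, e.g. `# -- Enable initContainer that runs chown -R (presumably as root) on /home/rootless in the DinD pod; only needed when the dind volume type does not honour fsGroup`. The enclosing `runtime:` block starts above the hunk.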