Make readOnlyRootFilesystem configurable (#93)

This commit is contained in:
Jason O'Donnell 2019-10-24 12:40:19 -04:00 committed by GitHub
parent 2ca3fd2214
commit e1b89d6396
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 79 additions and 12 deletions


@ -41,7 +41,9 @@ spec:
terminationGracePeriodSeconds: 10
serviceAccountName: {{ template "vault.fullname" . }}
securityContext:
{{- if .Values.server.securityContext.readOnlyRootFilesystem }}
readOnlyRootFilesystem: true
{{- end }}
runAsNonRoot: true
runAsGroup: {{ .Values.server.gid | default 1000 }}
runAsUser: {{ .Values.server.uid | default 100 }}
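Review bot: The new conditional emits `readOnlyRootFilesystem` under the pod-level `securityContext` (the same map that carries `runAsNonRoot`, `runAsGroup` and `runAsUser`), but Kubernetes defines that field only on a container's `securityContext`, not on `PodSecurityContext`, so depending on validation the key is either rejected or silently dropped and the root filesystem is never actually made read-only, whatever the value is set to. The new bats tests in the dev, ha and standalone files assert the same pod-level path `.spec.template.spec.securityContext.readOnlyRootFilesystem`, so they confirm only that the key renders, not that it takes effect. The `{{- if }}` block should move under the vault container's own `securityContext` (that container spec lies outside this hunk), and the tests should read `.spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem` instead. Note also that a value of `false` omits the key rather than rendering `readOnlyRootFilesystem: false`, which is why the "configurable" tests expect `null`; that is fine at container level, where absent means writable, but deserves a comment beside the conditional, `{{/* key is omitted when false; the container then keeps the Kubernetes default (writable) */}}`.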


@ -314,7 +314,7 @@ load _helpers
#--------------------------------------------------------------------
# Security Contexts
@test "server/standalone-StatefulSet: uid default" {
@test "server/dev-StatefulSet: uid default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
@ -324,7 +324,7 @@ load _helpers
[ "${actual}" = "100" ]
}
@test "server/standalone-StatefulSet: uid configurable" {
@test "server/dev-StatefulSet: uid configurable" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
@ -335,7 +335,7 @@ load _helpers
[ "${actual}" = "2000" ]
}
@test "server/standalone-StatefulSet: gid default" {
@test "server/dev-StatefulSet: gid default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
@ -345,7 +345,7 @@ load _helpers
[ "${actual}" = "1000" ]
}
@test "server/standalone-StatefulSet: gid configurable" {
@test "server/dev-StatefulSet: gid configurable" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
@ -356,7 +356,7 @@ load _helpers
[ "${actual}" = "2000" ]
}
@test "server/standalone-StatefulSet: fsgroup default" {
@test "server/dev-StatefulSet: fsgroup default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
@ -366,7 +366,7 @@ load _helpers
[ "${actual}" = "1000" ]
}
@test "server/standalone-StatefulSet: fsgroup configurable" {
@test "server/dev-StatefulSet: fsgroup configurable" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
@ -376,3 +376,24 @@ load _helpers
yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr)
[ "${actual}" = "2000" ]
}
@test "server/dev-StatefulSet: readOnlyRootFilesystem default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.dev.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.readOnlyRootFilesystem' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/dev-StatefulSet: readOnlyRootFilesystem configurable" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.dev.enabled=true' \
--set 'server.securityContext.readOnlyRootFilesystem=false' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.readOnlyRootFilesystem' | tee /dev/stderr)
[ "${actual}" = "null" ]
}


@ -509,7 +509,7 @@ load _helpers
#--------------------------------------------------------------------
# Security Contexts
@test "server/standalone-StatefulSet: uid default" {
@test "server/ha-StatefulSet: uid default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
@ -519,7 +519,7 @@ load _helpers
[ "${actual}" = "100" ]
}
@test "server/standalone-StatefulSet: uid configurable" {
@test "server/ha-StatefulSet: uid configurable" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
@ -530,7 +530,7 @@ load _helpers
[ "${actual}" = "2000" ]
}
@test "server/standalone-StatefulSet: gid default" {
@test "server/ha-StatefulSet: gid default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
@ -540,7 +540,7 @@ load _helpers
[ "${actual}" = "1000" ]
}
@test "server/standalone-StatefulSet: gid configurable" {
@test "server/ha-StatefulSet: gid configurable" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
@ -551,7 +551,7 @@ load _helpers
[ "${actual}" = "2000" ]
}
@test "server/standalone-StatefulSet: fsgroup default" {
@test "server/ha-StatefulSet: fsgroup default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
@ -561,7 +561,7 @@ load _helpers
[ "${actual}" = "1000" ]
}
@test "server/standalone-StatefulSet: fsgroup configurable" {
@test "server/ha-StatefulSet: fsgroup configurable" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
@ -571,3 +571,24 @@ load _helpers
yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr)
[ "${actual}" = "2000" ]
}
@test "server/ha-StatefulSet: readOnlyRootFilesystem default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.ha.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.readOnlyRootFilesystem' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/ha-StatefulSet: readOnlyRootFilesystem configurable" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.ha.enabled=true' \
--set 'server.securityContext.readOnlyRootFilesystem=false' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.readOnlyRootFilesystem' | tee /dev/stderr)
[ "${actual}" = "null" ]
}


@ -592,3 +592,22 @@ load _helpers
yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr)
[ "${actual}" = "2000" ]
}
@test "server/standalone-StatefulSet: readOnlyRootFilesystem default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.readOnlyRootFilesystem' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/standalone-StatefulSet: readOnlyRootFilesystem configurable" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.securityContext.readOnlyRootFilesystem=false' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.readOnlyRootFilesystem' | tee /dev/stderr)
[ "${actual}" = "null" ]
}


@ -14,6 +14,10 @@ server:
# Resource requests, limits, etc. for the server cluster placement. This
# should map directly to the value of the resources field for a PodSpec.
# By default no direct resource request is made.
securityContext:
readOnlyRootFilesystem: true
resources:
# resources:
# requests:
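Review bot: The new `securityContext:` block is inserted between the comment that documents `resources` (`# Resource requests, limits, etc. for the server cluster placement …`) and the `resources:` key itself, so on reading values.yaml that comment now appears to describe `securityContext`. Move the block above that comment and give it a header of its own, e.g. `# Security context settings for the server pods. Setting readOnlyRootFilesystem to false omits the key from the rendered manifest, leaving the root filesystem writable (the Kubernetes default).` The remainder of the `server:` map lies outside this hunk.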