Merge "[Multicloud] Fix Kyverno Policy violations"
diff --git a/kubernetes/multicloud/Chart.yaml b/kubernetes/multicloud/Chart.yaml
index cecef8c..01d4514 100644
--- a/kubernetes/multicloud/Chart.yaml
+++ b/kubernetes/multicloud/Chart.yaml
@@ -2,6 +2,7 @@
# Modifications Copyright © 2018 AT&T
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2024 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -18,7 +19,7 @@
apiVersion: v2
description: ONAP multicloud broker
name: multicloud
-version: 15.0.0
+version: 15.0.1
dependencies:
- name: common
diff --git a/kubernetes/multicloud/components/multicloud-fcaps/Chart.yaml b/kubernetes/multicloud/components/multicloud-fcaps/Chart.yaml
index b825f67..64c8d5a 100644
--- a/kubernetes/multicloud/components/multicloud-fcaps/Chart.yaml
+++ b/kubernetes/multicloud/components/multicloud-fcaps/Chart.yaml
@@ -1,5 +1,6 @@
# Copyright (c) 2019, CMCC Technologies Co., Ltd.
# Modifications Copyright © 2021 Orange
+# Modifications Copyright © 2024 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
diff --git a/kubernetes/multicloud/components/multicloud-k8s/Chart.yaml b/kubernetes/multicloud/components/multicloud-k8s/Chart.yaml
index 5dc3752..588fa90 100644
--- a/kubernetes/multicloud/components/multicloud-k8s/Chart.yaml
+++ b/kubernetes/multicloud/components/multicloud-k8s/Chart.yaml
@@ -1,6 +1,7 @@
# Copyright 2019 Intel Corporation, Inc
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2024 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -17,7 +18,7 @@
apiVersion: v2
description: ONAP Multicloud Kubernetes Plugin
name: multicloud-k8s
-version: 13.1.0
+version: 13.1.1
dependencies:
- name: common
diff --git a/kubernetes/multicloud/components/multicloud-k8s/resources/config/k8sconfig.json b/kubernetes/multicloud/components/multicloud-k8s/resources/config/k8sconfig.json
index d6fa40d..08c228f 100644
--- a/kubernetes/multicloud/components/multicloud-k8s/resources/config/k8sconfig.json
+++ b/kubernetes/multicloud/components/multicloud-k8s/resources/config/k8sconfig.json
@@ -8,4 +8,4 @@
"database-address": "multicloud-k8s-mongo",
"etcd-ip": "multicloud-k8s-etcd",
"plugin-dir": "/opt/multicloud/k8splugin/plugins"
-}
\ No newline at end of file
+}
diff --git a/kubernetes/multicloud/components/multicloud-k8s/templates/deployment.yaml b/kubernetes/multicloud/components/multicloud-k8s/templates/deployment.yaml
index 9881a13..f2ed9da 100644
--- a/kubernetes/multicloud/components/multicloud-k8s/templates/deployment.yaml
+++ b/kubernetes/multicloud/components/multicloud-k8s/templates/deployment.yaml
@@ -1,5 +1,6 @@
{{/*
# Copyright 2019 Intel Corporation, Inc
+# Modifications Copyright © 2024 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -23,6 +24,7 @@
template:
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
containers:
- image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
@@ -30,6 +32,7 @@
command: ["/opt/multicloud/k8splugin/k8plugin"]
workingDir: /opt/multicloud/k8splugin
ports: {{ include "common.containerPorts" . | nindent 10 }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
{{- if eq .Values.liveness.enabled true }}
livenessProbe:
tcpSocket:
@@ -60,10 +63,26 @@
name: framework-artifactbroker
command: ["/opt/app/distribution/bin/artifact-dist.sh"]
args: ["/opt/app/distribution/etc/mounted/config.json"]
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
+ resources: {{ include "common.resources" . | nindent 10 }}
ports:
- containerPort: {{ .Values.artifactbroker.internalPort }}
protocol: TCP
+ {{- if eq .Values.liveness.enabled true }}
+ livenessProbe:
+ tcpSocket:
+ port: {{ .Values.artifactbroker.internalPort }}
+ initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
+ periodSeconds: {{ .Values.liveness.periodSeconds }}
+ {{ end -}}
+ readinessProbe:
+ tcpSocket:
+ port: {{ .Values.artifactbroker.internalPort }}
+ initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
+ periodSeconds: {{ .Values.readiness.periodSeconds }}
volumeMounts:
+ - mountPath: "{{ .Values.log.path }}"
+ name: framework-log
- mountPath: /opt/app/distribution/etc/mounted/config.json
name: {{ include "common.name" .}}
subPath: config.json
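Review bot: The `readinessProbe` added to the framework-artifactbroker container is rendered unconditionally, while the `livenessProbe` directly above it is gated on `.Values.liveness.enabled` and this commit also adds `readiness.enabled: true` to the component's values.yaml; nothing in the visible hunks reads that new flag. Wrapping the probe in `{{- if .Values.readiness.enabled }}` … `{{- end }}` would make the two probes consistent and give the value a consumer. Separately, `resources: {{ include "common.resources" . | nindent 10 }}` appears to hand the sidecar the same requests and limits as the main container, which is worth confirming as intended. The container list starts and continues outside this hunk.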
@@ -77,9 +96,13 @@
key: sasl.jaas.config
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
volumes:
+ - name: framework-log
+ emptyDir:
+ sizeLimit: {{ .Values.volumes.logSizeLimit }}
- name : {{ include "common.name" . }}
configMap:
name: {{ include "common.fullname" . }}
- name: artifact-data
- emptyDir: {}
+ emptyDir:
+ sizeLimit: {{ .Values.volumes.artifactDataSizeLimit }}
{{- include "common.imagePullSecrets" . | nindent 6 }}
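Review bot: The new `sizeLimit` on `framework-log` and `artifact-data` is enforced by eviction, so a pod whose emptyDir usage passes the limit is evicted by the kubelet rather than seeing a failed write. The 100Mi defaults therefore need to be backed by log rotation and by the largest artifact set the broker is expected to hold (that `artifact-data` stores those is inferred from its name). A comment next to the values keys would help operators size this, for example `# emptyDir sizeLimit; exceeding it evicts the pod`. The same applies to `framework-log` and `framework-pub` in kubernetes/multicloud/templates/deployment.yaml.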
diff --git a/kubernetes/multicloud/components/multicloud-k8s/values.yaml b/kubernetes/multicloud/components/multicloud-k8s/values.yaml
index 5c9c0ad..57becb2 100644
--- a/kubernetes/multicloud/components/multicloud-k8s/values.yaml
+++ b/kubernetes/multicloud/components/multicloud-k8s/values.yaml
@@ -1,4 +1,5 @@
# Copyright 2019 Intel Corporation, Inc
+# Modifications Copyright © 2024 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -59,6 +60,14 @@
affinity: {}
+securityContext:
+ user_id: 999
+ group_id: 999
+
+volumes:
+ artifactDataSizeLimit: 100Mi
+ logSizeLimit: 100Mi
+
# probe configuration parameters
liveness:
initialDelaySeconds: 10
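Review bot: `securityContext.user_id: 999` and `group_id: 999` are added without a comment saying which account in the container image they correspond to. Presumably the common security-context helpers turn these into runAsUser/runAsGroup, in which case a mismatch with the image's file ownership shows up only as a start-up failure. A line such as `# must match the non-root user and group defined in the multicloud-k8s image` above the block would record the dependency. The same applies to `user_id: 100` / `group_id: 65533` in kubernetes/multicloud/values.yaml.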
@@ -70,6 +79,7 @@
readiness:
initialDelaySeconds: 10
periodSeconds: 30
+ enabled: true
service:
type: NodePort
@@ -181,3 +191,7 @@
nameOverride: multicloud-k8s
roles:
- read
+
+#Log configuration
+log:
+ path: /var/log/onap
diff --git a/kubernetes/multicloud/templates/deployment.yaml b/kubernetes/multicloud/templates/deployment.yaml
index 80a09c7..a03a6d0 100644
--- a/kubernetes/multicloud/templates/deployment.yaml
+++ b/kubernetes/multicloud/templates/deployment.yaml
@@ -1,6 +1,7 @@
{{/*
# Copyright © 2017 Amdocs, Bell Canada
# Modifications Copyright © 2018 AT&T
+# Modifications Copyright © 2024 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -24,6 +25,23 @@
template:
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
+ initContainers:
+ - name: {{ include "common.name" . }}-copy-pub
+ image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ command: ["cp", "-R", "/opt/multivimbroker/multivimbroker/pub/.", "/opt/multivimbroker/multivimbroker/pub_rw/"]
+ resources:
+ limits:
+ cpu: 200m
+ memory: 200Mi
+ requests:
+ cpu: 10m
+ memory: 100Mi
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
+ volumeMounts:
+ - mountPath: /opt/multivimbroker/multivimbroker/pub_rw
+ name: framework-pub
containers:
- env:
- name: MSB_PROTO
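Review bot: The init container's `resources` block is hard-coded in the template (`cpu: 200m`, `memory: 200Mi`, and so on), so it cannot be tuned through values the way the `common.resources` include used in the multicloud-k8s template can. Moving these numbers under a values key of the chart's choosing would keep sizing in one place. The container also has no comment explaining its purpose; something like `# seed the writable framework-pub emptyDir with the image's pub/ content` above `initContainers:` would tell the reader why `pub` is later mounted from a volume. The `spec` this belongs to starts and continues outside the hunk.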
@@ -50,9 +68,12 @@
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
name: {{ include "common.name" . }}
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
volumeMounts:
- mountPath: "{{ .Values.log.path }}"
name: framework-log
+ - mountPath: /opt/multivimbroker/multivimbroker/pub
+ name: framework-pub
- mountPath: /opt/multivimbroker/multivimbroker/pub/config/log.yml
name: framework-logconfig
subPath: log.yml
@@ -62,25 +83,34 @@
ports: {{ include "common.containerPorts" . | nindent 10 }}
# disable liveness probe when breakpoints set in debugger
# so K8s doesn't restart unresponsive container
- {{- if eq .Values.liveness.enabled true }}
+ {{ if .Values.liveness.enabled }}
livenessProbe:
httpGet:
- path: /api/multicloud/v0/swagger.json
port: {{ .Values.service.internalPort }}
- scheme: "HTTP"
+ path: {{ .Values.liveness.path }}
+ scheme: HTTP
initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
periodSeconds: {{ .Values.liveness.periodSeconds }}
- timeoutSeconds: {{ .Values.liveness.timeoutSeconds }}
- successThreshold: {{ .Values.liveness.successThreshold }}
- failureThreshold: {{ .Values.liveness.failureThreshold }}
- {{ end -}}
-
+ {{ end }}
+ {{ if .Values.readiness.enabled }}
+ readinessProbe:
+ httpGet:
+ port: {{ .Values.service.internalPort }}
+ path: {{ .Values.readiness.path }}
+ scheme: HTTP
+ initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
+ periodSeconds: {{ .Values.readiness.periodSeconds }}
+ {{ end }}
# side car containers
{{ include "common.log.sidecar" . | nindent 6 }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
volumes:
- name: framework-log
- emptyDir: {}
+ emptyDir:
+ sizeLimit: {{ .Values.volumes.logSizeLimit }}
+ - name: framework-pub
+ emptyDir:
+ sizeLimit: {{ .Values.volumes.pubSizeLimit }}
- name: provider-plugin
configMap:
name: {{ include "common.fullname" . }}-provider-plugin-configmap
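Review bot: The liveness probe now runs with the Kubernetes defaults of a 1-second timeout and 3 consecutive failures, because `timeoutSeconds`, `successThreshold` and `failureThreshold` are removed here and from kubernetes/multicloud/values.yaml, where they were 10, 1 and 5. An HTTP GET on the swagger.json path that takes longer than one second under load would then count as a failure and restart the container sooner than before. If the tightening is not intended, keep `timeoutSeconds: {{ .Values.liveness.timeoutSeconds }}` and `failureThreshold: {{ .Values.liveness.failureThreshold }}` together with their values, and consider the same pair for the new `readinessProbe`.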
diff --git a/kubernetes/multicloud/values.yaml b/kubernetes/multicloud/values.yaml
index 6906390..0579cb9 100644
--- a/kubernetes/multicloud/values.yaml
+++ b/kubernetes/multicloud/values.yaml
@@ -1,5 +1,6 @@
# Copyright © 2017 Amdocs, Bell Canada
# Modifications Copyright © 2018 AT&T
+# Modifications Copyright © 2024 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -57,14 +58,26 @@
affinity: {}
+securityContext:
+ user_id: 100
+ group_id: 65533
+
+volumes:
+ logSizeLimit: 50Mi
+ pubSizeLimit: 50Mi
+
# probe configuration parameters
liveness:
+ enabled: true
+ path: /api/multicloud/v0/swagger.json
initialDelaySeconds: 30
periodSeconds: 10
- timeoutSeconds: 10
- successThreshold: 1
- failureThreshold: 5
+
+readiness:
enabled: true
+ path: /api/multicloud/v0/swagger.json
+ initialDelaySeconds: 10
+ periodSeconds: 30
service:
type: NodePort