Fix Kyverno policy violations for DCAE PRH & VES-COLLECTOR
Issue-ID: OOM-3315
Change-Id: I1d6251e7c6724addca81167f9f4d184c291340c3
Signed-off-by: Aditi Shukla <aditi.shukla@t-systems.com>
diff --git a/kubernetes/dcaegen2-services/Chart.yaml b/kubernetes/dcaegen2-services/Chart.yaml
index 83b344b..83732e8 100644
--- a/kubernetes/dcaegen2-services/Chart.yaml
+++ b/kubernetes/dcaegen2-services/Chart.yaml
@@ -22,7 +22,7 @@
appVersion: "Oslo"
description: DCAE Microservices
name: dcaegen2-services
-version: 15.0.0
+version: 15.0.1
dependencies:
- name: common
diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl
index 5e39d51..183cde0 100644
--- a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl
+++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl
@@ -85,7 +85,7 @@
based on information provided in .Values.externalVolumes. This
template works in conjunction with dcaegen2-services-common._externalVolumeMounts
to give the microservice access to data in volumes created else.
-This initial implementation supports ConfigMaps only, as this is the only
+This implementation supports ConfigMaps & EmptyDirs only, as this is the only
external volume mounting required by current microservices.
.Values.externalVolumes is a list of objects. Each object has 3 required fields and 2 optional fields:
@@ -94,7 +94,7 @@
names of resources are sometimes set at deployment time (for instance, to prefix the Helm
release to the name), the string can be a Helm template fragment that will be expanded at
deployment time.
- - type: the type of the resource (in the current implementation, only "ConfigMap" is supported).
+ - type: the type of the resource (in the current implementation, only "ConfigMap" & "emptyDir" is supported).
The value is a case-INsensitive string.
- mountPoint: the path to the mount point for the volume in the container file system. The
value is a case-sensitive string.
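Review bot: The field description now names "emptyDir" as a supported type, but the list of per-entry fields is still the ConfigMap one (name, type, mountPath, plus the optional `optional` and `readOnly`), while the new emptyDir branch of the template also reads `sizeLimit`, which is documented nowhere. Add a bullet such as `- sizeLimit: (emptyDir only) a Kubernetes resource quantity capping the volume, e.g. "64Mi"; optional` to this list, and change `"ConfigMap" & "emptyDir" is supported` to `are supported`. The introductory sentences in the neighbouring doc hunks ("as this is the only external volume mounting required") should be reworded the same way now that two types are listed.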
@@ -113,7 +113,7 @@
type: configmap
mountPath: /opt/app/config
- name: '{{ include "common.release" . }}-another-example'
- type: configmap
+ type: emptyDir
mountPath: /opt/app/otherconfig
optional: false
*/}}
@@ -121,14 +121,18 @@
{{- $global := . -}}
{{- if .Values.externalVolumes }}
{{- range $vol := .Values.externalVolumes }}
+ {{- $vname := (tpl $vol.name $global) -}}
{{- if eq (lower $vol.type) "configmap" }}
- {{- $vname := (tpl $vol.name $global) -}}
{{- $opt := hasKey $vol "optional" | ternary $vol.optional true }}
- configMap:
defaultMode: 420
name: {{ $vname }}
optional: {{ $opt }}
name: {{ $vname }}
+ {{- else if eq (lower $vol.type) "emptydir" }}
+- name: {{ $vname }}
+ emptyDir:
+ sizeLimit: {{ $vol.sizeLimit }}
{{- end }}
{{- end }}
{{- end }}
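Review bot: `sizeLimit: {{ $vol.sizeLimit }}` in the new emptyDir branch renders an empty (null) value when a volume entry omits `sizeLimit`, so that emptyDir is created unbounded; since the rest of this commit adds a size limit to every emptyDir, presumably to satisfy the Kyverno policy, a missing value would silently reintroduce the violation for whichever chart forgets it. Either make it mandatory, `sizeLimit: {{ required (printf "externalVolumes entry %s needs sizeLimit" $vname) $vol.sizeLimit }}`, or give it the same default as the built-in volumes, `sizeLimit: {{ $vol.sizeLimit | default "128Mi" }}`. A `type` that is neither configmap nor emptydir still renders nothing, as before; an `{{- else }}{{ fail (printf "unsupported externalVolumes type %q" $vol.type) }}` branch would surface typos in the type string at template time instead of as a pod stuck on a missing volume.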
@@ -141,7 +145,7 @@
based on information provided in .Values.externalVolumes. This
template works in conjunction with dcaegen2-services-common._externalVolumes
to give the microservice access to data in volumes created else.
-This initial implementation supports ConfigMaps only, as this is the only
+This initial implementation supports ConfigMaps & EmptyDirs, as this is the only
external volume mounting required by current microservices.
See the documentation for dcaegen2-services-common._externalVolumes for
@@ -152,16 +156,20 @@
{{- $global := . -}}
{{- if .Values.externalVolumes }}
{{- range $vol := .Values.externalVolumes }}
+ {{- $vname := (tpl $vol.name $global) -}}
{{- if eq (lower $vol.type) "configmap" }}
- {{- $vname := (tpl $vol.name $global) -}}
{{- $readOnly := $vol.readOnly | default false }}
- mountPath: {{ $vol.mountPath }}
name: {{ $vname }}
readOnly: {{ $readOnly }}
+ {{- else if eq (lower $vol.type) "emptydir" }}
+- mountPath: {{ $vol.mountPath }}
+ name: {{ $vname }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
+
{{/*
dcaegen2-services-common.microserviceDeployment:
This template produces a Kubernetes Deployment for a DCAE microservice.
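Review bot: The emptyDir mount branch drops `readOnly`, so an `externalVolumes` entry of type emptyDir that sets `readOnly: true` is silently mounted read-write, although the doc comment above describes `readOnly` as an optional field of every entry. Either reuse the same two lines here, `{{- $readOnly := $vol.readOnly | default false }}` and `readOnly: {{ $readOnly }}`, or state in the doc comment that `readOnly` is ignored for emptyDir volumes. The define for _externalVolumeMounts closes inside this hunk, so the change is self-contained.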
@@ -236,6 +244,7 @@
{{- define "dcaegen2-services-common.microserviceDeployment" -}}
{{- $log := default dict .Values.log -}}
{{- $logDir := default "" $log.path -}}
+{{- $ves := default false .Values.ves -}}
{{- $certDir := (eq "true" (include "common.needTLS" .)) | ternary (default "" .Values.certDirectory . ) "" -}}
{{- $commonRelease := print (include "common.release" .) -}}
{{- $policy := default dict .Values.policies -}}
@@ -253,9 +262,15 @@
template:
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
initContainers:
+
+ {{- if $ves }}
+ {{- include "dcaegen2-ves-collector.vesCollectorCopyEtc" . | nindent 6 }}
+ {{- end }}
{{- if .Values.readinessCheck }}
- {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }}
+ {{ include "common.readinessCheck.waitFor" . | nindent 6 }}
{{- end }}
{{- include "common.dmaap.provisioning.initContainer" . | nindent 6 }}
{{ include "dcaegen2-services-common._certPostProcessor" . | nindent 4 }}
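Review bot: `securityContext:` followed by `{{- toYaml .Values.podSecurityContext | nindent 8 }}` is emitted unconditionally, but this common template is consumed by every dcaegen2 microservice chart and only dcae-prh and dcae-ves-collector define `podSecurityContext` in this commit; for a chart that does not set it, `toYaml` of the missing value renders `securityContext: null`, which the API server tolerates but which leaves that pod with no security context at all and reads as if one were configured. Guard it with `{{- with .Values.podSecurityContext }}` / `securityContext: {{- toYaml . | nindent 8 }}` / `{{- end }}`, or, better, put a secure default into the common chart's values so the policy is satisfied for every consumer rather than for two. The `containerSecurityContext` block in the next hunk has the same gap and should get the same treatment.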
@@ -263,6 +278,8 @@
- image: {{ default ( include "repositoryGenerator.repository" . ) .Values.imageRepositoryOverride }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
name: {{ include "common.name" . }}
+ securityContext:
+ {{- toYaml .Values.containerSecurityContext | nindent 10 }}
env:
{{- range $cred := .Values.credentials }}
- name: {{ $cred.name }}
@@ -307,6 +324,26 @@
{{- end }}
{{- end }}
{{- end }}
+ {{- if .Values.liveness }}
+ livenessProbe:
+ initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds | default 5 }}
+ periodSeconds: {{ .Values.liveness.periodSeconds | default 15 }}
+ timeoutSeconds: {{ .Values.liveness.timeoutSeconds | default 1 }}
+ {{- $probeType := .Values.liveness.type | default "httpGet" -}}
+ {{- if eq $probeType "httpGet" }}
+ httpGet:
+ scheme: {{ .Values.liveness.scheme }}
+ path: {{ .Values.liveness.path }}
+ port: {{ .Values.liveness.port }}
+ {{- end }}
+ {{- if eq $probeType "exec" }}
+ exec:
+ command:
+ {{- range $cmd := .Values.liveness.command }}
+ - {{ $cmd }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
resources: {{ include "common.resources" . | nindent 10 }}
volumeMounts:
- mountPath: /app-config
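Review bot: An unrecognised `liveness.type` falls through both `if` blocks and renders a `livenessProbe` with timing fields but no handler, which is rejected only by API-server validation at install time with a generic message; turn the second test into `{{- else if eq $probeType "exec" }}` (dropping the `{{- end }}` before it) and add `{{- else }}{{ fail (printf "unsupported liveness.type %q" $probeType) }}` so the mistake surfaces during templating. The readiness probe's handling lives outside this hunk, so I cannot tell whether it has the same gap. The probe also exposes no `failureThreshold` and defaults `timeoutSeconds` to 1, which is aggressive for a check that restarts the container: the dcae-prh values in this commit set the readiness timeout to 30 s against the same `/heartbeat` endpoint while leaving liveness at this 1 s default, so a heartbeat that is slow under load will restart PRH rather than only mark it unready. Consider `failureThreshold: {{ .Values.liveness.failureThreshold | default 3 }}` here and aligning the PRH liveness timeout with its readiness one in the values file.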
@@ -314,7 +351,7 @@
- mountPath: /app-config-input
name: app-config-input
- mountPath: /tmp
- name: tmp-volume
+ name: tmp
{{- if $logDir }}
- mountPath: {{ $logDir}}
name: logs
@@ -387,12 +424,13 @@
- emptyDir:
medium: Memory
name: app-config
- - name: tmp-volume
+ - name: tmp
emptyDir:
sizeLimit: 128Mi
{{- if $logDir }}
- - emptyDir: {}
- name: logs
+ - name: logs
+ emptyDir:
+ sizeLimit: 128Mi
{{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 6 }}
{{- end }}
{{- if $certDir }}
diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/ves-collector/_copyEtc.tpl b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/ves-collector/_copyEtc.tpl
new file mode 100644
index 0000000..a3a7247
--- /dev/null
+++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/ves-collector/_copyEtc.tpl
@@ -0,0 +1,26 @@
+{{- define "dcaegen2-ves-collector.vesCollectorCopyEtc" -}}
+- name: dcae-ves-collector-copy-etc
+ command: ["cp", "-R", "/opt/app/VESCollector/etc/.", "/opt/app/VESCollector/etc_rw/"]
+ image: {{ default ( include "repositoryGenerator.repository" . ) .Values.imageRepositoryOverride }}/{{ .Values.image }}
+ imagePullPolicy: Always
+ resources:
+ limits:
+ cpu: {{ .Values.copyEtc.resources.limits.cpu }}
+ memory: {{ .Values.copyEtc.resources.limits.memory }}
+ requests:
+ cpu: {{ .Values.copyEtc.resources.requests.cpu }}
+ memory: {{ .Values.copyEtc.resources.requests.memory }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /opt/app/VESCollector/etc_rw
+ name: ves-collector-etc
+{{- end }}
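Review bot: `imagePullPolicy: Always` is hard-coded in the new init container, whereas the main container in _deployment.tpl derives it from `.Values.global.pullPolicy | default .Values.pullPolicy`; use the same expression here, `imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}`, otherwise this container pulls on every pod start even where the deployment is configured for IfNotPresent and may fail to start where images are preloaded and no registry is reachable. The capability list `ALL` plus `CAP_NET_RAW` is redundant, since `ALL` already covers NET_RAW; if the second entry exists to satisfy a policy that matches on the literal name, a one-line comment saying so will stop the next reader from removing it. The define name prefix `dcaegen2-ves-collector.` also differs from the `dcaegen2-services-common.` prefix used by the other templates in this chart; `dcaegen2-services-common.vesCollectorCopyEtc` would keep the naming consistent (the include in _deployment.tpl would change accordingly).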
diff --git a/kubernetes/dcaegen2-services/components/dcae-prh/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-prh/Chart.yaml
index fefc06e..408c0a9 100644
--- a/kubernetes/dcaegen2-services/components/dcae-prh/Chart.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-prh/Chart.yaml
@@ -19,10 +19,10 @@
# ============LICENSE_END=========================================================
apiVersion: v2
-appVersion: "NewDelhi"
+appVersion: "Oslo"
description: DCAE PRH
name: dcae-prh
-version: 13.1.0
+version: 13.1.1
dependencies:
- name: common
diff --git a/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml b/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml
index 11cb726..2c9612f 100644
--- a/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml
@@ -55,7 +55,14 @@
# probe configuration
readiness:
- initialDelaySeconds: 5
+ initialDelaySeconds: 25
+ periodSeconds: 15
+ path: /heartbeat
+ scheme: HTTP
+ port: 8100
+ timeoutSeconds: 30
+liveness:
+ initialDelaySeconds: 25
periodSeconds: 15
path: /heartbeat
scheme: HTTP
@@ -197,3 +204,32 @@
nameOverride: dcae-prh
roles:
- read
+
+# Pod Security context
+podSecurityContext:
+ runAsGroup: 1414
+ runAsUser: 1414
+ fsGroup: 1414
+ seccompProfile:
+ type: RuntimeDefault
+
+# Container Security context
+containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+
+# PRH volumes
+externalVolumes:
+ - name: prh-logs
+ mountPath: /var/log/ONAP/prh/prh-app-server/
+ type: emptyDir
+ sizeLimit: 64Mi
+
+# PRH pod annotations
+podAnnotations:
+ sidecar.istio.io/rewriteAppHTTPProbers: "false"
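Review bot: The new `podAnnotations` entry disables Istio's HTTP probe rewriting without any comment on why; if this chart is deployed with sidecar injection and STRICT mTLS, kubelet's plaintext probes to port 8100 would then be rejected by the sidecar and the liveness probe added in this commit would restart the pod, though I cannot see from the diff whether that configuration applies. A comment above the key, such as `# Istio probe rewriting disabled because <reason — TODO confirm>`, would record the intent. The same annotation is added for dcae-ves-collector in a later hunk and would benefit from the same note.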
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/Chart.yaml
index 61a5f03..6c03c1a 100644
--- a/kubernetes/dcaegen2-services/components/dcae-ves-collector/Chart.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/Chart.yaml
@@ -19,10 +19,10 @@
# ============LICENSE_END=========================================================
apiVersion: v2
-appVersion: "NewDelhi"
+appVersion: "Oslo"
description: DCAE VES Collector
name: dcae-ves-collector
-version: 13.1.0
+version: 13.1.1
dependencies:
- name: common
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml
index ae75bac..0007b9c 100644
--- a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml
@@ -85,6 +85,12 @@
path: /healthcheck
scheme: HTTP
port: 8080
+liveness:
+ initialDelaySeconds: 5
+ periodSeconds: 15
+ path: /healthcheck
+ scheme: HTTP
+ port: 8080
# service configuration
service:
@@ -288,3 +294,45 @@
nameOverride: dcae-ves-collector
roles:
- read
+
+# Pod Security context
+podSecurityContext:
+ runAsGroup: 1000
+ runAsUser: 100
+ fsGroup: 1000
+ seccompProfile:
+ type: RuntimeDefault
+
+# Container Security context
+containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+
+# Flag which can be used to put VES-COLLECTOR specific properties in template
+ves: true
+
+# VES-COLLECTOR volumes
+externalVolumes:
+ - name: ves-collector-etc
+ type: emptyDir
+ sizeLimit: 50Mi
+ mountPath: /opt/app/VESCollector/etc
+
+# VES-COLLECTOR pod annotations
+podAnnotations:
+ sidecar.istio.io/rewriteAppHTTPProbers: "false"
+
+# Resources for init container copy-etc
+copyEtc:
+ resources:
+ limits:
+ cpu: 100m
+ memory: 128Mi
+ requests:
+ cpu: 30m
+ memory: 32Mi
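Review bot: `ves: true` is a chart-specific boolean that the shared _deployment.tpl now inspects to pull in a VES-only init container, which couples the common template to one consumer and is easy to set by accident elsewhere because the key name gives no hint of what it enables. A more descriptive key such as `vesCollectorCopyEtc: true` (with the template's `$ves := default false .Values.ves` line renamed to match), or a generic hook such as an `extraInitContainers` list that this chart fills, would keep the common template microservice-agnostic; the comment `# Flag which can be used to put VES-COLLECTOR specific properties in template` should then say precisely which template block it enables. Separately, `runAsUser: 100` with `runAsGroup: 1000` / `fsGroup: 1000` differs from the uniform 1414 used for PRH; if UID 100 is the user the VESCollector image runs as, a comment naming that source would help the next maintainer.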
diff --git a/kubernetes/dcaegen2-services/resources/config/log/filebeat/filebeat.yml b/kubernetes/dcaegen2-services/resources/config/log/filebeat/filebeat.yml
index af62dc3..cae85bf 100644
--- a/kubernetes/dcaegen2-services/resources/config/log/filebeat/filebeat.yml
+++ b/kubernetes/dcaegen2-services/resources/config/log/filebeat/filebeat.yml
@@ -70,7 +70,7 @@
#ssl.key_passphrase: $ssl.key_passphrase
logging:
- level: debug
+ level: info
# enable file rotation with default configuration
to_files: true