Adding security_context flag to charms
security_context defaults to false until new container images are
available.
Change-Id: I99cf8c1ab7446811887445d596f416f7e79574e7
Signed-off-by: sousaedu <eduardo.sousa@canonical.com>
diff --git a/installers/charm/grafana/config.yaml b/installers/charm/grafana/config.yaml
index d265786..7f97f58 100644
--- a/installers/charm/grafana/config.yaml
+++ b/installers/charm/grafana/config.yaml
@@ -82,3 +82,7 @@
description: The port grafana-k8s will be listening on
type: int
default: 3000
+ security_context:
+ description: Enables the security context of the pods
+ type: boolean
+ default: false
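Review bot: The description `Enables the security context of the pods` does not tell an operator what turning it on actually changes, even though the charm wires the same flag into the container's `run_as_non_root` setting and the commit message says the default stays false until compatible images exist. A description along the lines of `description: Enables the pod security context and runs the container as a non-root user; requires a container image that can run as non-root.` would let operators judge when it is safe to enable. The same wording is added in the kafka-exporter, kafka, keystone, lcm, mon, mongodb-exporter, mysqld-exporter, nbi, ng-ui, pla, pol, prometheus, ro and zookeeper config.yaml files.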
diff --git a/installers/charm/grafana/src/charm.py b/installers/charm/grafana/src/charm.py
index 78ec0e3..36bf696 100755
--- a/installers/charm/grafana/src/charm.py
+++ b/installers/charm/grafana/src/charm.py
@@ -60,6 +60,7 @@
ingress_whitelist_source_range: Optional[str]
tls_secret_name: Optional[str]
image_pull_policy: str
+ security_context: bool
@validator("log_level")
def validate_log_level(cls, v):
@@ -183,7 +184,9 @@
self.grafana_cluster.set_initial_password(admin_initial_password)
# Create Builder for the PodSpec
- pod_spec_builder = PodSpecV3Builder()
+ pod_spec_builder = PodSpecV3Builder(
+ enable_security_context=config.security_context
+ )
# Add secrets to the pod
grafana_secret_name = f"{self.app.name}-admin-secret"
@@ -197,7 +200,10 @@
# Build Container
container_builder = ContainerV3Builder(
- self.app.name, image_info, config.image_pull_policy
+ self.app.name,
+ image_info,
+ config.image_pull_policy,
+ run_as_non_root=config.security_context,
)
container_builder.add_port(name=self.app.name, port=config.port)
container_builder.add_http_readiness_probe(
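Review bot: `run_as_non_root=config.security_context` ties the container's runAsNonRoot check to the same flag as the pod-level security context, and nothing in this method records which mode the pod was built with, so an operator auditing a deployment has to read the rendered pod spec to know whether the hardening is in effect. One line before the builder is created, e.g. `logger.info("Building pod spec with security_context=%s", config.security_context)` (using whatever logger this module already has), would make that visible in the unit log. No test in this change turns the flag on and asserts the resulting pod spec; the only test file touched, kafka/tests/test_charm.py, is just reformatted. The enclosing method starts and ends outside the hunk. The same hunk appears in the kafka-exporter, kafka, keystone, mongodb-exporter, mysqld-exporter, ng-ui, pla, prometheus and zookeeper charm.py files.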
diff --git a/installers/charm/kafka-exporter/config.yaml b/installers/charm/kafka-exporter/config.yaml
index 456c9c4..22e9387 100644
--- a/installers/charm/kafka-exporter/config.yaml
+++ b/installers/charm/kafka-exporter/config.yaml
@@ -52,3 +52,7 @@
ImagePullPolicy configuration for the pod.
Possible values: always, ifnotpresent, never
default: always
+ security_context:
+ description: Enables the security context of the pods
+ type: boolean
+ default: false
diff --git a/installers/charm/kafka-exporter/src/charm.py b/installers/charm/kafka-exporter/src/charm.py
index a8ffab1..97ab3d0 100755
--- a/installers/charm/kafka-exporter/src/charm.py
+++ b/installers/charm/kafka-exporter/src/charm.py
@@ -53,6 +53,7 @@
ingress_whitelist_source_range: Optional[str]
tls_secret_name: Optional[str]
image_pull_policy: str
+ security_context: bool
@validator("site_url")
def validate_site_url(cls, v):
@@ -173,11 +174,16 @@
self._check_missing_dependencies(config)
# Create Builder for the PodSpec
- pod_spec_builder = PodSpecV3Builder()
+ pod_spec_builder = PodSpecV3Builder(
+ enable_security_context=config.security_context
+ )
# Build container
container_builder = ContainerV3Builder(
- self.app.name, image_info, config.image_pull_policy
+ self.app.name,
+ image_info,
+ config.image_pull_policy,
+ run_as_non_root=config.security_context,
)
container_builder.add_port(name=self.app.name, port=PORT)
container_builder.add_http_readiness_probe(
diff --git a/installers/charm/kafka/config.yaml b/installers/charm/kafka/config.yaml
index 4319a57..4049d93 100644
--- a/installers/charm/kafka/config.yaml
+++ b/installers/charm/kafka/config.yaml
@@ -30,3 +30,7 @@
description: Kafka number of partitions per topic
type: int
default: 1
+ security_context:
+ description: Enables the security context of the pods
+ type: boolean
+ default: false
diff --git a/installers/charm/kafka/src/charm.py b/installers/charm/kafka/src/charm.py
index 763d416..5be3404 100755
--- a/installers/charm/kafka/src/charm.py
+++ b/installers/charm/kafka/src/charm.py
@@ -43,6 +43,7 @@
class ConfigModel(ModelValidator):
num_partitions: int
image_pull_policy: str
+ security_context: bool
@validator("image_pull_policy")
def validate_image_pull_policy(cls, v):
@@ -100,11 +101,16 @@
self._check_missing_dependencies()
# Create Builder for the PodSpec
- pod_spec_builder = PodSpecV3Builder()
+ pod_spec_builder = PodSpecV3Builder(
+ enable_security_context=config.security_context
+ )
# Build Container
container_builder = ContainerV3Builder(
- self.app.name, image_info, config.image_pull_policy
+ self.app.name,
+ image_info,
+ config.image_pull_policy,
+ run_as_non_root=config.security_context,
)
container_builder.add_port(name="kafka", port=KAFKA_PORT)
diff --git a/installers/charm/kafka/tests/test_charm.py b/installers/charm/kafka/tests/test_charm.py
index ec0efbd..409dc0b 100644
--- a/installers/charm/kafka/tests/test_charm.py
+++ b/installers/charm/kafka/tests/test_charm.py
@@ -56,9 +56,7 @@
self.assertIsInstance(self.harness.charm.unit.status, ActiveStatus)
@patch("charm.KafkaCharm.num_units", new_callable=PropertyMock)
- def test_with_relations_kafka(
- self, mock_num_units
- ) -> NoReturn:
+ def test_with_relations_kafka(self, mock_num_units) -> NoReturn:
"Test with relations (kafka)"
mock_num_units.return_value = 1
diff --git a/installers/charm/keystone/config.yaml b/installers/charm/keystone/config.yaml
index e15d035..dc0953a 100644
--- a/installers/charm/keystone/config.yaml
+++ b/installers/charm/keystone/config.yaml
@@ -48,6 +48,10 @@
ImagePullPolicy configuration for the pod.
Possible values: always, ifnotpresent, never
default: always
+ security_context:
+ description: Enables the security context of the pods
+ type: boolean
+ default: false
region_id:
type: string
description: Region ID to be created when starting the service
diff --git a/installers/charm/keystone/src/charm.py b/installers/charm/keystone/src/charm.py
index 808af3b..4560ff5 100755
--- a/installers/charm/keystone/src/charm.py
+++ b/installers/charm/keystone/src/charm.py
@@ -86,6 +86,7 @@
mysql_port: Optional[int]
mysql_root_password: Optional[str]
image_pull_policy: str
+ security_context: bool
@validator("max_file_size")
def validate_max_file_size(cls, v):
@@ -266,9 +267,14 @@
self._check_missing_dependencies(config, external_db)
# Create Builder for the PodSpec
- pod_spec_builder = PodSpecV3Builder()
+ pod_spec_builder = PodSpecV3Builder(
+ enable_security_context=config.security_context
+ )
container_builder = ContainerV3Builder(
- self.app.name, image_info, config.image_pull_policy
+ self.app.name,
+ image_info,
+ config.image_pull_policy,
+ run_as_non_root=config.security_context,
)
# Build files
diff --git a/installers/charm/lcm/config.yaml b/installers/charm/lcm/config.yaml
index becbc4a..0f218ea 100644
--- a/installers/charm/lcm/config.yaml
+++ b/installers/charm/lcm/config.yaml
@@ -284,9 +284,14 @@
description: |
If true, debug mode is activated. It means that the service will not run,
and instead, the command for the container will be a `sleep infinity`.
+ Note: If enabled, security_context will be disabled.
type: boolean
default: false
debug_pubkey:
description: |
Public SSH key that will be injected to the application pod.
type: string
+ security_context:
+ description: Enables the security context of the pods
+ type: boolean
+ default: false
diff --git a/installers/charm/lcm/src/charm.py b/installers/charm/lcm/src/charm.py
index b034624..2fb90e8 100755
--- a/installers/charm/lcm/src/charm.py
+++ b/installers/charm/lcm/src/charm.py
@@ -111,6 +111,8 @@
vca_stablerepourl: Optional[str]
vca_helm_ca_certs: Optional[str]
image_pull_policy: str
+ debug_mode: bool
+ security_context: bool
@validator("log_level")
def validate_log_level(cls, v):
@@ -181,8 +183,14 @@
# Check relations
self._check_missing_dependencies(config)
+ security_context_enabled = (
+ config.security_context if not config.debug_mode else False
+ )
+
# Create Builder for the PodSpec
- pod_spec_builder = PodSpecV3Builder()
+ pod_spec_builder = PodSpecV3Builder(
+ enable_security_context=security_context_enabled
+ )
# Add secrets to the pod
lcm_secret_name = f"{self.app.name}-lcm-secret"
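Review bot: `security_context_enabled = (config.security_context if not config.debug_mode else False)` silently drops the security context whenever debug mode is on, so an operator who set `security_context=true` gets a pod without `run_as_non_root` and no indication of it in the charm log. Guard the downgrade with a warning, e.g. `if config.debug_mode and config.security_context: logger.warning("debug_mode is enabled; ignoring security_context")`, assuming this module already has a logger. The conditional expression also reads more plainly as `security_context_enabled = config.security_context and not config.debug_mode`. The same construct is added in the mon, nbi, pol and ro charm.py files; the enclosing method starts and ends outside the hunk.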
@@ -197,7 +205,10 @@
# Build Container
container_builder = ContainerV3Builder(
- self.app.name, image_info, config.image_pull_policy
+ self.app.name,
+ image_info,
+ config.image_pull_policy,
+ run_as_non_root=security_context_enabled,
)
container_builder.add_port(name=self.app.name, port=PORT)
container_builder.add_envs(
diff --git a/installers/charm/mon/config.yaml b/installers/charm/mon/config.yaml
index b8477b1..a3394ff 100644
--- a/installers/charm/mon/config.yaml
+++ b/installers/charm/mon/config.yaml
@@ -97,9 +97,14 @@
description: |
If true, debug mode is activated. It means that the service will not run,
and instead, the command for the container will be a `sleep infinity`.
+ Note: If enabled, security_context will be disabled.
type: boolean
default: false
debug_pubkey:
description: |
Public SSH key that will be injected to the application pod.
type: string
+ security_context:
+ description: Enables the security context of the pods
+ type: boolean
+ default: false
diff --git a/installers/charm/mon/src/charm.py b/installers/charm/mon/src/charm.py
index 2721939..917b54a 100755
--- a/installers/charm/mon/src/charm.py
+++ b/installers/charm/mon/src/charm.py
@@ -86,6 +86,8 @@
grafana_password: str
certificates: Optional[str]
image_pull_policy: str
+ debug_mode: bool
+ security_context: bool
@validator("log_level")
def validate_log_level(cls, v):
@@ -187,8 +189,14 @@
# Check relations
self._check_missing_dependencies(config)
+ security_context_enabled = (
+ config.security_context if not config.debug_mode else False
+ )
+
# Create Builder for the PodSpec
- pod_spec_builder = PodSpecV3Builder()
+ pod_spec_builder = PodSpecV3Builder(
+ enable_security_context=security_context_enabled
+ )
# Add secrets to the pod
mongodb_secret_name = f"{self.app.name}-mongodb-secret"
@@ -222,7 +230,10 @@
# Build Container
container_builder = ContainerV3Builder(
- self.app.name, image_info, config.image_pull_policy
+ self.app.name,
+ image_info,
+ config.image_pull_policy,
+ run_as_non_root=security_context_enabled,
)
certs_files = self._build_cert_files(config)
diff --git a/installers/charm/mongodb-exporter/config.yaml b/installers/charm/mongodb-exporter/config.yaml
index eb19d5b..fe5cd63 100644
--- a/installers/charm/mongodb-exporter/config.yaml
+++ b/installers/charm/mongodb-exporter/config.yaml
@@ -55,3 +55,7 @@
ImagePullPolicy configuration for the pod.
Possible values: always, ifnotpresent, never
default: always
+ security_context:
+ description: Enables the security context of the pods
+ type: boolean
+ default: false
diff --git a/installers/charm/mongodb-exporter/src/charm.py b/installers/charm/mongodb-exporter/src/charm.py
index 0b89931..500a1e3 100755
--- a/installers/charm/mongodb-exporter/src/charm.py
+++ b/installers/charm/mongodb-exporter/src/charm.py
@@ -55,6 +55,7 @@
tls_secret_name: Optional[str]
mongodb_uri: Optional[str]
image_pull_policy: str
+ security_context: bool
@validator("site_url")
def validate_site_url(cls, v):
@@ -194,7 +195,9 @@
mongodb_uri += f"?{parsed.query}"
# Create Builder for the PodSpec
- pod_spec_builder = PodSpecV3Builder()
+ pod_spec_builder = PodSpecV3Builder(
+ enable_security_context=config.security_context
+ )
# Add secrets to the pod
mongodb_secret_name = f"{self.app.name}-mongodb-secret"
@@ -202,7 +205,10 @@
# Build container
container_builder = ContainerV3Builder(
- self.app.name, image_info, config.image_pull_policy
+ self.app.name,
+ image_info,
+ config.image_pull_policy,
+ run_as_non_root=config.security_context,
)
container_builder.add_port(name=self.app.name, port=PORT)
container_builder.add_http_readiness_probe(
diff --git a/installers/charm/mysqld-exporter/config.yaml b/installers/charm/mysqld-exporter/config.yaml
index c25886f..5c0a24b 100644
--- a/installers/charm/mysqld-exporter/config.yaml
+++ b/installers/charm/mysqld-exporter/config.yaml
@@ -55,3 +55,7 @@
ImagePullPolicy configuration for the pod.
Possible values: always, ifnotpresent, never
default: always
+ security_context:
+ description: Enables the security context of the pods
+ type: boolean
+ default: false
diff --git a/installers/charm/mysqld-exporter/src/charm.py b/installers/charm/mysqld-exporter/src/charm.py
index 6aeea5d..91be02a 100755
--- a/installers/charm/mysqld-exporter/src/charm.py
+++ b/installers/charm/mysqld-exporter/src/charm.py
@@ -55,6 +55,7 @@
tls_secret_name: Optional[str]
mysql_uri: Optional[str]
image_pull_policy: str
+ security_context: bool
@validator("site_url")
def validate_site_url(cls, v):
@@ -190,7 +191,9 @@
)
# Create Builder for the PodSpec
- pod_spec_builder = PodSpecV3Builder()
+ pod_spec_builder = PodSpecV3Builder(
+ enable_security_context=config.security_context
+ )
# Add secrets to the pod
mysql_secret_name = f"{self.app.name}-mysql-secret"
@@ -201,7 +204,10 @@
# Build container
container_builder = ContainerV3Builder(
- self.app.name, image_info, config.image_pull_policy
+ self.app.name,
+ image_info,
+ config.image_pull_policy,
+ run_as_non_root=config.security_context,
)
container_builder.add_port(name=self.app.name, port=PORT)
container_builder.add_http_readiness_probe(
diff --git a/installers/charm/nbi/config.yaml b/installers/charm/nbi/config.yaml
index 89e248d..a85aa70 100644
--- a/installers/charm/nbi/config.yaml
+++ b/installers/charm/nbi/config.yaml
@@ -82,9 +82,14 @@
description: |
If true, debug mode is activated. It means that the service will not run,
and instead, the command for the container will be a `sleep infinity`.
+ Note: If enabled, security_context will be disabled.
type: boolean
default: false
debug_pubkey:
description: |
Public SSH key that will be injected to the application pod.
type: string
+ security_context:
+ description: Enables the security context of the pods
+ type: boolean
+ default: false
diff --git a/installers/charm/nbi/src/charm.py b/installers/charm/nbi/src/charm.py
index a47f618..f9088ab 100755
--- a/installers/charm/nbi/src/charm.py
+++ b/installers/charm/nbi/src/charm.py
@@ -63,6 +63,8 @@
tls_secret_name: Optional[str]
mongodb_uri: Optional[str]
image_pull_policy: str
+ debug_mode: bool
+ security_context: bool
@validator("auth_backend")
def validate_auth_backend(cls, v):
@@ -183,8 +185,14 @@
# Check relations
self._check_missing_dependencies(config)
+ security_context_enabled = (
+ config.security_context if not config.debug_mode else False
+ )
+
# Create Builder for the PodSpec
- pod_spec_builder = PodSpecV3Builder()
+ pod_spec_builder = PodSpecV3Builder(
+ enable_security_context=security_context_enabled
+ )
# Add secrets to the pod
mongodb_secret_name = f"{self.app.name}-mongodb-secret"
@@ -211,7 +219,10 @@
# Build Container
container_builder = ContainerV3Builder(
- self.app.name, image_info, config.image_pull_policy
+ self.app.name,
+ image_info,
+ config.image_pull_policy,
+ run_as_non_root=security_context_enabled,
)
container_builder.add_port(name=self.app.name, port=PORT)
container_builder.add_tcpsocket_readiness_probe(
diff --git a/installers/charm/ng-ui/config.yaml b/installers/charm/ng-ui/config.yaml
index 49226b7..c5f447b 100644
--- a/installers/charm/ng-ui/config.yaml
+++ b/installers/charm/ng-ui/config.yaml
@@ -60,3 +60,7 @@
ImagePullPolicy configuration for the pod.
Possible values: always, ifnotpresent, never
default: always
+ security_context:
+ description: Enables the security context of the pods
+ type: boolean
+ default: false
diff --git a/installers/charm/ng-ui/src/charm.py b/installers/charm/ng-ui/src/charm.py
index 7d8c59c..39675d0 100755
--- a/installers/charm/ng-ui/src/charm.py
+++ b/installers/charm/ng-ui/src/charm.py
@@ -55,6 +55,7 @@
ingress_whitelist_source_range: Optional[str]
tls_secret_name: Optional[str]
image_pull_policy: str
+ security_context: bool
@validator("port")
def validate_port(cls, v):
@@ -132,10 +133,15 @@
# Check relations
self._check_missing_dependencies(config)
# Create Builder for the PodSpec
- pod_spec_builder = PodSpecV3Builder()
+ pod_spec_builder = PodSpecV3Builder(
+ enable_security_context=config.security_context
+ )
# Build Container
container_builder = ContainerV3Builder(
- self.app.name, image_info, config.image_pull_policy
+ self.app.name,
+ image_info,
+ config.image_pull_policy,
+ run_as_non_root=config.security_context,
)
container_builder.add_port(name=self.app.name, port=config.port)
container = container_builder.build()
diff --git a/installers/charm/pla/config.yaml b/installers/charm/pla/config.yaml
index 75b19d8..642c165 100644
--- a/installers/charm/pla/config.yaml
+++ b/installers/charm/pla/config.yaml
@@ -33,3 +33,7 @@
ImagePullPolicy configuration for the pod.
Possible values: always, ifnotpresent, never
default: always
+ security_context:
+ description: Enables the security context of the pods
+ type: boolean
+ default: false
diff --git a/installers/charm/pla/src/charm.py b/installers/charm/pla/src/charm.py
index d0df179..7867991 100755
--- a/installers/charm/pla/src/charm.py
+++ b/installers/charm/pla/src/charm.py
@@ -48,6 +48,7 @@
mongodb_uri: Optional[str]
log_level: str
image_pull_policy: str
+ security_context: bool
@validator("log_level")
def validate_log_level(cls, v):
@@ -108,7 +109,9 @@
self._check_missing_dependencies(config)
# Create Builder for the PodSpec
- pod_spec_builder = PodSpecV3Builder()
+ pod_spec_builder = PodSpecV3Builder(
+ enable_security_context=config.security_context
+ )
# Add secrets to the pod
mongodb_secret_name = f"{self.app.name}-mongodb-secret"
@@ -122,7 +125,10 @@
# Build Container
container_builder = ContainerV3Builder(
- self.app.name, image_info, config.image_pull_policy
+ self.app.name,
+ image_info,
+ config.image_pull_policy,
+ run_as_non_root=config.security_context,
)
container_builder.add_port(name=self.app.name, port=PORT)
container_builder.add_envs(
diff --git a/installers/charm/pol/config.yaml b/installers/charm/pol/config.yaml
index 3264ca3..0279bd5 100644
--- a/installers/charm/pol/config.yaml
+++ b/installers/charm/pol/config.yaml
@@ -42,9 +42,14 @@
description: |
If true, debug mode is activated. It means that the service will not run,
and instead, the command for the container will be a `sleep infinity`.
+ Note: If enabled, security_context will be disabled.
type: boolean
default: false
debug_pubkey:
description: |
Public SSH key that will be injected to the application pod.
type: string
+ security_context:
+ description: Enables the security context of the pods
+ type: boolean
+ default: false
diff --git a/installers/charm/pol/src/charm.py b/installers/charm/pol/src/charm.py
index 02c8186..345a87f 100755
--- a/installers/charm/pol/src/charm.py
+++ b/installers/charm/pol/src/charm.py
@@ -51,6 +51,8 @@
mongodb_uri: Optional[str]
mysql_uri: Optional[str]
image_pull_policy: str
+ debug_mode: bool
+ security_context: bool
@validator("log_level")
def validate_log_level(cls, v):
@@ -130,8 +132,14 @@
# Check relations
self._check_missing_dependencies(config)
+ security_context_enabled = (
+ config.security_context if not config.debug_mode else False
+ )
+
# Create Builder for the PodSpec
- pod_spec_builder = PodSpecV3Builder()
+ pod_spec_builder = PodSpecV3Builder(
+ enable_security_context=security_context_enabled
+ )
# Add secrets to the pod
mongodb_secret_name = f"{self.app.name}-mongodb-secret"
@@ -150,7 +158,10 @@
# Build Container
container_builder = ContainerV3Builder(
- self.app.name, image_info, config.image_pull_policy
+ self.app.name,
+ image_info,
+ config.image_pull_policy,
+ run_as_non_root=security_context_enabled,
)
container_builder.add_port(name=self.app.name, port=PORT)
container_builder.add_envs(
diff --git a/installers/charm/prometheus/config.yaml b/installers/charm/prometheus/config.yaml
index 6ce1613..6db6a60 100644
--- a/installers/charm/prometheus/config.yaml
+++ b/installers/charm/prometheus/config.yaml
@@ -71,3 +71,7 @@
ImagePullPolicy configuration for the pod.
Possible values: always, ifnotpresent, never
default: always
+ security_context:
+ description: Enables the security context of the pods
+ type: boolean
+ default: false
diff --git a/installers/charm/prometheus/src/charm.py b/installers/charm/prometheus/src/charm.py
index e79de69..61589e2 100755
--- a/installers/charm/prometheus/src/charm.py
+++ b/installers/charm/prometheus/src/charm.py
@@ -61,6 +61,7 @@
tls_secret_name: Optional[str]
enable_web_admin_api: bool
image_pull_policy: str
+ security_context: bool
@validator("web_subpath")
def validate_web_subpath(cls, v):
@@ -159,7 +160,9 @@
# Validate config
config = ConfigModel(**dict(self.config))
# Create Builder for the PodSpec
- pod_spec_builder = PodSpecV3Builder()
+ pod_spec_builder = PodSpecV3Builder(
+ enable_security_context=config.security_context
+ )
# Build Backup Container
backup_image = OCIImageResource(self, "backup-image")
@@ -171,7 +174,10 @@
# Build Container
container_builder = ContainerV3Builder(
- self.app.name, image_info, config.image_pull_policy
+ self.app.name,
+ image_info,
+ config.image_pull_policy,
+ run_as_non_root=config.security_context,
)
container_builder.add_port(name=self.app.name, port=PORT)
container_builder.add_http_readiness_probe(
diff --git a/installers/charm/ro/config.yaml b/installers/charm/ro/config.yaml
index 9828438..ab4cd5d 100644
--- a/installers/charm/ro/config.yaml
+++ b/installers/charm/ro/config.yaml
@@ -80,9 +80,14 @@
description: |
If true, debug mode is activated. It means that the service will not run,
and instead, the command for the container will be a `sleep infinity`.
+ Note: If enabled, security_context will be disabled.
type: boolean
default: false
debug_pubkey:
description: |
Public SSH key that will be injected to the application pod.
type: string
+ security_context:
+ description: Enables the security context of the pods
+ type: boolean
+ default: false
diff --git a/installers/charm/ro/src/charm.py b/installers/charm/ro/src/charm.py
index 3b6b7e2..2a8c110 100755
--- a/installers/charm/ro/src/charm.py
+++ b/installers/charm/ro/src/charm.py
@@ -79,6 +79,8 @@
openmano_tenant: str
certificates: Optional[str]
image_pull_policy: str
+ debug_mode: bool
+ security_context: bool
@validator("log_level")
def validate_log_level(cls, v):
@@ -216,12 +218,21 @@
# Check relations
self._check_missing_dependencies(config)
+ security_context_enabled = (
+ config.security_context if not config.debug_mode else False
+ )
+
# Create Builder for the PodSpec
- pod_spec_builder = PodSpecV3Builder()
+ pod_spec_builder = PodSpecV3Builder(
+ enable_security_context=security_context_enabled
+ )
# Build Container
container_builder = ContainerV3Builder(
- self.app.name, image_info, config.image_pull_policy
+ self.app.name,
+ image_info,
+ config.image_pull_policy,
+ run_as_non_root=security_context_enabled,
)
certs_files = self._build_cert_files(config)
diff --git a/installers/charm/zookeeper/config.yaml b/installers/charm/zookeeper/config.yaml
index d9b89a4..149d388 100644
--- a/installers/charm/zookeeper/config.yaml
+++ b/installers/charm/zookeeper/config.yaml
@@ -87,3 +87,7 @@
For example, the minimum session timeout will be two ticks.
type: int
default: 2000
+ security_context:
+ description: Enables the security context of the pods
+ type: boolean
+ default: false
diff --git a/installers/charm/zookeeper/src/charm.py b/installers/charm/zookeeper/src/charm.py
index 6e4588c..c2acf0b 100755
--- a/installers/charm/zookeeper/src/charm.py
+++ b/installers/charm/zookeeper/src/charm.py
@@ -52,6 +52,7 @@
sync_limit: int
init_limit: int
tick_time: int
+ security_context: bool
@validator("log_level")
def validate_log_level(cls, v):
@@ -99,7 +100,7 @@
Args:
event (EventBase): Zookeeper Cluster relation event.
"""
- self._publish_zookeeper_info(event)
+ self._publish_info(event)
self.configure_pod()
def _publish_info(self, event: EventBase):
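Review bot: The call change from `self._publish_zookeeper_info(event)` to `self._publish_info(event)` is unrelated to the security_context flag and is not mentioned in the commit message; since `_publish_info` is the method defined immediately below and `_publish_zookeeper_info` is not visible anywhere here, this looks like a fix for a call to a method that does not exist, which would have raised on the cluster relation event. Either state it in the commit message or split it into its own change so the fix is not hidden behind the feature title. The enclosing method starts outside the hunk.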
@@ -120,11 +121,16 @@
config = ConfigModel(**dict(self.config))
# Create Builder for the PodSpec
- pod_spec_builder = PodSpecV3Builder()
+ pod_spec_builder = PodSpecV3Builder(
+ enable_security_context=config.security_context
+ )
# Build Container
container_builder = ContainerV3Builder(
- self.app.name, image_info, config.image_pull_policy
+ self.app.name,
+ image_info,
+ config.image_pull_policy,
+ run_as_non_root=config.security_context,
)
container_builder.add_port(name="client", port=CLIENT_PORT)