From 540d93716ee0a4c4ffd070120779c1c40f6f353c Mon Sep 17 00:00:00 2001 From: sousaedu Date: Wed, 29 Sep 2021 01:53:30 +0100 Subject: [PATCH] Adding security_context flag to charms security_context defaults to false until container images that can run as non-root are available. Change-Id: I99cf8c1ab7446811887445d596f416f7e79574e7 Signed-off-by: sousaedu --- installers/charm/grafana/config.yaml | 4 ++++ installers/charm/grafana/src/charm.py | 10 ++++++++-- installers/charm/kafka-exporter/config.yaml | 4 ++++ installers/charm/kafka-exporter/src/charm.py | 10 ++++++++-- installers/charm/kafka/config.yaml | 4 ++++ installers/charm/kafka/src/charm.py | 10 ++++++++-- installers/charm/kafka/tests/test_charm.py | 4 +--- installers/charm/keystone/config.yaml | 4 ++++ installers/charm/keystone/src/charm.py | 10 ++++++++-- installers/charm/lcm/config.yaml | 5 +++++ installers/charm/lcm/src/charm.py | 15 +++++++++++++-- installers/charm/mon/config.yaml | 5 +++++ installers/charm/mon/src/charm.py | 15 +++++++++++++-- installers/charm/mongodb-exporter/config.yaml | 4 ++++ installers/charm/mongodb-exporter/src/charm.py | 10 ++++++++-- installers/charm/mysqld-exporter/config.yaml | 4 ++++ installers/charm/mysqld-exporter/src/charm.py | 10 ++++++++-- installers/charm/nbi/config.yaml | 5 +++++ installers/charm/nbi/src/charm.py | 15 +++++++++++++-- installers/charm/ng-ui/config.yaml | 4 ++++ installers/charm/ng-ui/src/charm.py | 10 ++++++++-- installers/charm/pla/config.yaml | 4 ++++ installers/charm/pla/src/charm.py | 10 ++++++++-- installers/charm/pol/config.yaml | 5 +++++ installers/charm/pol/src/charm.py | 15 +++++++++++++-- installers/charm/prometheus/config.yaml | 4 ++++ installers/charm/prometheus/src/charm.py | 10 ++++++++-- installers/charm/ro/config.yaml | 5 +++++ installers/charm/ro/src/charm.py | 15 +++++++++++++-- installers/charm/zookeeper/config.yaml | 4 ++++ installers/charm/zookeeper/src/charm.py | 12 +++++++++--- 31 files changed, 212 insertions(+), 34 deletions(-)
diff --git a/installers/charm/grafana/config.yaml b/installers/charm/grafana/config.yaml index d2657867..7f97f589 100644 --- a/installers/charm/grafana/config.yaml +++ b/installers/charm/grafana/config.yaml @@ -82,3 +82,7 @@ options: description: The port grafana-k8s will be listening on type: int default: 3000 + security_context: + description: Enables the security context of the pods + type: boolean + default: false diff --git a/installers/charm/grafana/src/charm.py b/installers/charm/grafana/src/charm.py index 78ec0e34..36bf6961 100755 --- a/installers/charm/grafana/src/charm.py +++ b/installers/charm/grafana/src/charm.py @@ -60,6 +60,7 @@ class ConfigModel(ModelValidator): ingress_whitelist_source_range: Optional[str] tls_secret_name: Optional[str] image_pull_policy: str + security_context: bool @validator("log_level") def validate_log_level(cls, v): @@ -183,7 +184,9 @@ class GrafanaCharm(CharmedOsmBase): self.grafana_cluster.set_initial_password(admin_initial_password) # Create Builder for the PodSpec - pod_spec_builder = PodSpecV3Builder() + pod_spec_builder = PodSpecV3Builder( + enable_security_context=config.security_context + ) # Add secrets to the pod grafana_secret_name = f"{self.app.name}-admin-secret" @@ -197,7 +200,10 @@ class GrafanaCharm(CharmedOsmBase): # Build Container container_builder = ContainerV3Builder( - self.app.name, image_info, config.image_pull_policy + self.app.name, + image_info, + config.image_pull_policy, + run_as_non_root=config.security_context, ) container_builder.add_port(name=self.app.name, port=config.port) container_builder.add_http_readiness_probe( diff --git a/installers/charm/kafka-exporter/config.yaml b/installers/charm/kafka-exporter/config.yaml index 456c9c49..22e93871 100644 --- a/installers/charm/kafka-exporter/config.yaml +++ b/installers/charm/kafka-exporter/config.yaml 
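Review bot: The option text `description: Enables the security context of the pods` in the grafana config.yaml hunk does not tell an operator what changes when it is flipped, and with `default: false` every pod keeps running as root until someone does. The grafana charm.py hunks on this same line show what the flag actually drives — `enable_security_context` on PodSpecV3Builder and `run_as_non_root` on ContainerV3Builder — so the description should say that and why it is off, e.g. `description: | If true, the pod spec carries a security context and the container must run as a non-root user (runAsNonRoot). Off by default until the container image supports running as non-root.` A tracking comment next to the default would keep the temporary false from quietly becoming permanent; the identical one-line description is repeated in every other config.yaml in this patch and should change with it.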
@@ -52,3 +52,7 @@ options: ImagePullPolicy configuration for the pod. Possible values: always, ifnotpresent, never default: always + security_context: + description: Enables the security context of the pods + type: boolean + default: false diff --git a/installers/charm/kafka-exporter/src/charm.py b/installers/charm/kafka-exporter/src/charm.py index a8ffab16..97ab3d01 100755 --- a/installers/charm/kafka-exporter/src/charm.py +++ b/installers/charm/kafka-exporter/src/charm.py @@ -53,6 +53,7 @@ class ConfigModel(ModelValidator): ingress_whitelist_source_range: Optional[str] tls_secret_name: Optional[str] image_pull_policy: str + security_context: bool @validator("site_url") def validate_site_url(cls, v): @@ -173,11 +174,16 @@ class KafkaExporterCharm(CharmedOsmBase): self._check_missing_dependencies(config) # Create Builder for the PodSpec - pod_spec_builder = PodSpecV3Builder() + pod_spec_builder = PodSpecV3Builder( + enable_security_context=config.security_context + ) # Build container container_builder = ContainerV3Builder( - self.app.name, image_info, config.image_pull_policy + self.app.name, + image_info, + config.image_pull_policy, + run_as_non_root=config.security_context, ) container_builder.add_port(name=self.app.name, port=PORT) container_builder.add_http_readiness_probe( diff --git a/installers/charm/kafka/config.yaml b/installers/charm/kafka/config.yaml index 4319a570..4049d93f 100644 --- a/installers/charm/kafka/config.yaml +++ b/installers/charm/kafka/config.yaml @@ -30,3 +30,7 @@ options: description: Kafka number of partitions per topic type: int default: 1 + security_context: + description: Enables the security context of the pods + type: boolean + default: false diff --git a/installers/charm/kafka/src/charm.py b/installers/charm/kafka/src/charm.py index 763d4160..5be34047 100755 --- a/installers/charm/kafka/src/charm.py +++ b/installers/charm/kafka/src/charm.py 
@@ -43,6 +43,7 @@ KAFKA_RESERVED_BROKER_MAX_ID = "999999999" class ConfigModel(ModelValidator): num_partitions: int image_pull_policy: str + security_context: bool @validator("image_pull_policy") def validate_image_pull_policy(cls, v): @@ -100,11 +101,16 @@ class KafkaCharm(CharmedOsmBase): self._check_missing_dependencies() # Create Builder for the PodSpec - pod_spec_builder = PodSpecV3Builder() + pod_spec_builder = PodSpecV3Builder( + enable_security_context=config.security_context + ) # Build Container container_builder = ContainerV3Builder( - self.app.name, image_info, config.image_pull_policy + self.app.name, + image_info, + config.image_pull_policy, + run_as_non_root=config.security_context, ) container_builder.add_port(name="kafka", port=KAFKA_PORT) diff --git a/installers/charm/kafka/tests/test_charm.py b/installers/charm/kafka/tests/test_charm.py index ec0efbd2..409dc0b8 100644 --- a/installers/charm/kafka/tests/test_charm.py +++ b/installers/charm/kafka/tests/test_charm.py @@ -56,9 +56,7 @@ class TestCharm(unittest.TestCase): self.assertIsInstance(self.harness.charm.unit.status, ActiveStatus) @patch("charm.KafkaCharm.num_units", new_callable=PropertyMock) - def test_with_relations_kafka( - self, mock_num_units - ) -> NoReturn: + def test_with_relations_kafka(self, mock_num_units) -> NoReturn: "Test with relations (kafka)" mock_num_units.return_value = 1 diff --git a/installers/charm/keystone/config.yaml b/installers/charm/keystone/config.yaml index e15d0356..dc0953a9 100644 --- a/installers/charm/keystone/config.yaml +++ b/installers/charm/keystone/config.yaml @@ -48,6 +48,10 @@ options: ImagePullPolicy configuration for the pod. Possible values: always, ifnotpresent, never default: always + security_context: + description: Enables the security context of the pods + type: boolean + default: false region_id: type: string description: Region ID to be created when starting the service 
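Review bot: In the kafka charm.py hunk at `@@ -100,11 +101,16 @@`, turning `security_context` on for an already-deployed broker only works if the pod security context emitted by `PodSpecV3Builder(enable_security_context=True)` also sets an fsGroup (or the image UID already owns the existing data volume); the builder is not in this patch, so I cannot confirm it does. If it does not, Kafka starts as non-root, fails on its data directory, and the failure will be blamed on the security flag rather than on volume ownership. A comment above the builder call such as `# runAsNonRoot assumes the pod security context also sets fsGroup for the data volume` would record the assumption, and the kafka test hunk on this line is a pure reformat — a test asserting the rendered pod spec does and does not contain the security context for the two values of the option is what the new flag needs.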
diff --git a/installers/charm/keystone/src/charm.py b/installers/charm/keystone/src/charm.py index 808af3be..4560ff52 100755 --- a/installers/charm/keystone/src/charm.py +++ b/installers/charm/keystone/src/charm.py @@ -86,6 +86,7 @@ class ConfigModel(ModelValidator): mysql_port: Optional[int] mysql_root_password: Optional[str] image_pull_policy: str + security_context: bool @validator("max_file_size") def validate_max_file_size(cls, v): @@ -266,9 +267,14 @@ class KeystoneCharm(CharmedOsmBase): self._check_missing_dependencies(config, external_db) # Create Builder for the PodSpec - pod_spec_builder = PodSpecV3Builder() + pod_spec_builder = PodSpecV3Builder( + enable_security_context=config.security_context + ) container_builder = ContainerV3Builder( - self.app.name, image_info, config.image_pull_policy + self.app.name, + image_info, + config.image_pull_policy, + run_as_non_root=config.security_context, ) # Build files diff --git a/installers/charm/lcm/config.yaml b/installers/charm/lcm/config.yaml index becbc4a0..0f218ea9 100644 --- a/installers/charm/lcm/config.yaml +++ b/installers/charm/lcm/config.yaml @@ -284,9 +284,14 @@ options: description: | If true, debug mode is activated. It means that the service will not run, and instead, the command for the container will be a `sleep infinity`. + Note: If enabled, security_context will be disabled. type: boolean default: false debug_pubkey: description: | Public SSH key that will be injected to the application pod. type: string + security_context: + description: Enables the security context of the pods + type: boolean + default: false diff --git a/installers/charm/lcm/src/charm.py b/installers/charm/lcm/src/charm.py index b034624e..2fb90e85 100755 --- a/installers/charm/lcm/src/charm.py +++ b/installers/charm/lcm/src/charm.py 
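Review bot: The added `Note: If enabled, security_context will be disabled.` under debug_mode in the lcm config.yaml hunk states the precedence but not its consequence: with debug_mode on, the container runs `sleep infinity` as root with the operator's SSH key injected via debug_pubkey, which is a privileged debugging pod rather than a merely idle service. Spell that out so the option is not left on in a production model, e.g. `Note: If enabled, security_context is ignored and the pod runs as root; do not use in production.` The mon, nbi, pol and ro config.yaml hunks in this patch carry the same note and should use the same wording.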
@@ -111,6 +111,8 @@ class ConfigModel(ModelValidator): vca_stablerepourl: Optional[str] vca_helm_ca_certs: Optional[str] image_pull_policy: str + debug_mode: bool + security_context: bool @validator("log_level") def validate_log_level(cls, v): @@ -181,8 +183,14 @@ class LcmCharm(CharmedOsmBase): # Check relations self._check_missing_dependencies(config) + security_context_enabled = ( + config.security_context if not config.debug_mode else False + ) + # Create Builder for the PodSpec - pod_spec_builder = PodSpecV3Builder() + pod_spec_builder = PodSpecV3Builder( + enable_security_context=security_context_enabled + ) # Add secrets to the pod lcm_secret_name = f"{self.app.name}-lcm-secret" @@ -197,7 +205,10 @@ class LcmCharm(CharmedOsmBase): # Build Container container_builder = ContainerV3Builder( - self.app.name, image_info, config.image_pull_policy + self.app.name, + image_info, + config.image_pull_policy, + run_as_non_root=security_context_enabled, ) container_builder.add_port(name=self.app.name, port=PORT) container_builder.add_envs( diff --git a/installers/charm/mon/config.yaml b/installers/charm/mon/config.yaml index b8477b17..a3394ffa 100644 --- a/installers/charm/mon/config.yaml +++ b/installers/charm/mon/config.yaml @@ -97,9 +97,14 @@ options: description: | If true, debug mode is activated. It means that the service will not run, and instead, the command for the container will be a `sleep infinity`. + Note: If enabled, security_context will be disabled. type: boolean default: false debug_pubkey: description: | Public SSH key that will be injected to the application pod. type: string + security_context: + description: Enables the security context of the pods + type: boolean + default: false diff --git a/installers/charm/mon/src/charm.py b/installers/charm/mon/src/charm.py index 27219396..917b54a9 100755 --- a/installers/charm/mon/src/charm.py +++ b/installers/charm/mon/src/charm.py 
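Review bot: `security_context_enabled = (config.security_context if not config.debug_mode else False)` in the lcm charm.py hunk at `@@ -181,8 +183,14 @@` silently overrides an operator's explicit request to run non-root whenever debug_mode is set, and nothing in the hunk records that downgrade at runtime. The expression reads more directly as `security_context_enabled = config.security_context and not config.debug_mode`, and when both options are true the charm should say so, e.g. `if config.security_context and config.debug_mode: logger.warning("debug_mode is set: security_context is ignored and the pod will run as root")` — assuming the module has a logger, which this hunk does not show. The enclosing method continues outside the hunk; the mon, nbi, pol and ro charms duplicate the same expression and want the same change.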
@@ -86,6 +86,8 @@ class ConfigModel(ModelValidator): grafana_password: str certificates: Optional[str] image_pull_policy: str + debug_mode: bool + security_context: bool @validator("log_level") def validate_log_level(cls, v): @@ -187,8 +189,14 @@ class MonCharm(CharmedOsmBase): # Check relations self._check_missing_dependencies(config) + security_context_enabled = ( + config.security_context if not config.debug_mode else False + ) + # Create Builder for the PodSpec - pod_spec_builder = PodSpecV3Builder() + pod_spec_builder = PodSpecV3Builder( + enable_security_context=security_context_enabled + ) # Add secrets to the pod mongodb_secret_name = f"{self.app.name}-mongodb-secret" @@ -222,7 +230,10 @@ class MonCharm(CharmedOsmBase): # Build Container container_builder = ContainerV3Builder( - self.app.name, image_info, config.image_pull_policy + self.app.name, + image_info, + config.image_pull_policy, + run_as_non_root=security_context_enabled, ) certs_files = self._build_cert_files(config) diff --git a/installers/charm/mongodb-exporter/config.yaml b/installers/charm/mongodb-exporter/config.yaml index eb19d5bc..fe5cd630 100644 --- a/installers/charm/mongodb-exporter/config.yaml +++ b/installers/charm/mongodb-exporter/config.yaml @@ -55,3 +55,7 @@ options: ImagePullPolicy configuration for the pod. Possible values: always, ifnotpresent, never default: always + security_context: + description: Enables the security context of the pods + type: boolean + default: false diff --git a/installers/charm/mongodb-exporter/src/charm.py b/installers/charm/mongodb-exporter/src/charm.py index 0b899317..500a1e3d 100755 --- a/installers/charm/mongodb-exporter/src/charm.py +++ b/installers/charm/mongodb-exporter/src/charm.py @@ -55,6 +55,7 @@ class ConfigModel(ModelValidator): tls_secret_name: Optional[str] mongodb_uri: Optional[str] image_pull_policy: str + security_context: bool @validator("site_url") def validate_site_url(cls, v): 
@@ -194,7 +195,9 @@ class MongodbExporterCharm(CharmedOsmBase): mongodb_uri += f"?{parsed.query}" # Create Builder for the PodSpec - pod_spec_builder = PodSpecV3Builder() + pod_spec_builder = PodSpecV3Builder( + enable_security_context=config.security_context + ) # Add secrets to the pod mongodb_secret_name = f"{self.app.name}-mongodb-secret" @@ -202,7 +205,10 @@ class MongodbExporterCharm(CharmedOsmBase): # Build container container_builder = ContainerV3Builder( - self.app.name, image_info, config.image_pull_policy + self.app.name, + image_info, + config.image_pull_policy, + run_as_non_root=config.security_context, ) container_builder.add_port(name=self.app.name, port=PORT) container_builder.add_http_readiness_probe( diff --git a/installers/charm/mysqld-exporter/config.yaml b/installers/charm/mysqld-exporter/config.yaml index c25886f0..5c0a24ba 100644 --- a/installers/charm/mysqld-exporter/config.yaml +++ b/installers/charm/mysqld-exporter/config.yaml @@ -55,3 +55,7 @@ options: ImagePullPolicy configuration for the pod. Possible values: always, ifnotpresent, never default: always + security_context: + description: Enables the security context of the pods + type: boolean + default: false diff --git a/installers/charm/mysqld-exporter/src/charm.py b/installers/charm/mysqld-exporter/src/charm.py index 6aeea5df..91be02a6 100755 --- a/installers/charm/mysqld-exporter/src/charm.py +++ b/installers/charm/mysqld-exporter/src/charm.py @@ -55,6 +55,7 @@ class ConfigModel(ModelValidator): tls_secret_name: Optional[str] mysql_uri: Optional[str] image_pull_policy: str + security_context: bool @validator("site_url") def validate_site_url(cls, v): @@ -190,7 +191,9 @@ class MysqlExporterCharm(CharmedOsmBase): ) # Create Builder for the PodSpec - pod_spec_builder = PodSpecV3Builder() + pod_spec_builder = PodSpecV3Builder( + enable_security_context=config.security_context + ) # Add secrets to the pod mysql_secret_name = f"{self.app.name}-mysql-secret" 
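Review bot: For the mysqld-exporter hunk at `@@ -190,7 +191,9 @@` and the mongodb-exporter hunks on this line, `security_context` is wired exactly as for the OSM-built services, but these charms deploy upstream exporter images, so the commit message's reason for defaulting to false ("we don't have new container images") may not apply to them. If those images already run as an unprivileged user, a default of true for the exporter charms costs nothing and removes several root containers from the default deployment; if they do not, a comment next to the default saying so would make the exception deliberate. The patch does not show which image each charm pulls (presumably declared in each charm's metadata.yaml), so this needs checking rather than assuming.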
@@ -201,7 +204,10 @@ class MysqlExporterCharm(CharmedOsmBase): # Build container container_builder = ContainerV3Builder( - self.app.name, image_info, config.image_pull_policy + self.app.name, + image_info, + config.image_pull_policy, + run_as_non_root=config.security_context, ) container_builder.add_port(name=self.app.name, port=PORT) container_builder.add_http_readiness_probe( diff --git a/installers/charm/nbi/config.yaml b/installers/charm/nbi/config.yaml index 89e248dc..a85aa70d 100644 --- a/installers/charm/nbi/config.yaml +++ b/installers/charm/nbi/config.yaml @@ -82,9 +82,14 @@ options: description: | If true, debug mode is activated. It means that the service will not run, and instead, the command for the container will be a `sleep infinity`. + Note: If enabled, security_context will be disabled. type: boolean default: false debug_pubkey: description: | Public SSH key that will be injected to the application pod. type: string + security_context: + description: Enables the security context of the pods + type: boolean + default: false diff --git a/installers/charm/nbi/src/charm.py b/installers/charm/nbi/src/charm.py index a47f618b..f9088ab7 100755 --- a/installers/charm/nbi/src/charm.py +++ b/installers/charm/nbi/src/charm.py @@ -63,6 +63,8 @@ class ConfigModel(ModelValidator): tls_secret_name: Optional[str] mongodb_uri: Optional[str] image_pull_policy: str + debug_mode: bool + security_context: bool @validator("auth_backend") def validate_auth_backend(cls, v): @@ -183,8 +185,14 @@ class NbiCharm(CharmedOsmBase): # Check relations self._check_missing_dependencies(config) + security_context_enabled = ( + config.security_context if not config.debug_mode else False + ) + # Create Builder for the PodSpec - pod_spec_builder = PodSpecV3Builder() + pod_spec_builder = PodSpecV3Builder( + enable_security_context=security_context_enabled + ) # Add secrets to the pod mongodb_secret_name = f"{self.app.name}-mongodb-secret" 
@@ -211,7 +219,10 @@ class NbiCharm(CharmedOsmBase): # Build Container container_builder = ContainerV3Builder( - self.app.name, image_info, config.image_pull_policy + self.app.name, + image_info, + config.image_pull_policy, + run_as_non_root=security_context_enabled, ) container_builder.add_port(name=self.app.name, port=PORT) container_builder.add_tcpsocket_readiness_probe( diff --git a/installers/charm/ng-ui/config.yaml b/installers/charm/ng-ui/config.yaml index 49226b77..c5f447bf 100644 --- a/installers/charm/ng-ui/config.yaml +++ b/installers/charm/ng-ui/config.yaml @@ -60,3 +60,7 @@ options: ImagePullPolicy configuration for the pod. Possible values: always, ifnotpresent, never default: always + security_context: + description: Enables the security context of the pods + type: boolean + default: false diff --git a/installers/charm/ng-ui/src/charm.py b/installers/charm/ng-ui/src/charm.py index 7d8c59cb..39675d05 100755 --- a/installers/charm/ng-ui/src/charm.py +++ b/installers/charm/ng-ui/src/charm.py @@ -55,6 +55,7 @@ class ConfigModel(ModelValidator): ingress_whitelist_source_range: Optional[str] tls_secret_name: Optional[str] image_pull_policy: str + security_context: bool @validator("port") def validate_port(cls, v): @@ -132,10 +133,15 @@ class NgUiCharm(CharmedOsmBase): # Check relations self._check_missing_dependencies(config) # Create Builder for the PodSpec - pod_spec_builder = PodSpecV3Builder() + pod_spec_builder = PodSpecV3Builder( + enable_security_context=config.security_context + ) # Build Container container_builder = ContainerV3Builder( - self.app.name, image_info, config.image_pull_policy + self.app.name, + image_info, + config.image_pull_policy, + run_as_non_root=config.security_context, ) container_builder.add_port(name=self.app.name, port=config.port) container = container_builder.build() diff --git a/installers/charm/pla/config.yaml b/installers/charm/pla/config.yaml index 75b19d82..642c165e 100644 --- a/installers/charm/pla/config.yaml 
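Review bot: In the ng-ui charm.py hunk at `@@ -132,10 +133,15 @@`, `run_as_non_root=config.security_context` interacts with the operator-chosen `config.port` passed to `add_port`: if the port is below 1024 and the image does not hold CAP_NET_BIND_SERVICE, the container starts as non-root and then fails to bind, and that shows up as a crash loop instead of a configuration error. The ConfigModel on this line already has a `validate_port` validator, so either a cross-field check or a sentence in the config.yaml `port` description stating that privileged ports need `security_context: false` or an image built to bind them would make the constraint explicit. I cannot see the default port or the image here, so treat this as a question rather than a confirmed defect.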
+++ b/installers/charm/pla/config.yaml @@ -33,3 +33,7 @@ options: ImagePullPolicy configuration for the pod. Possible values: always, ifnotpresent, never default: always + security_context: + description: Enables the security context of the pods + type: boolean + default: false diff --git a/installers/charm/pla/src/charm.py b/installers/charm/pla/src/charm.py index d0df1797..7867991b 100755 --- a/installers/charm/pla/src/charm.py +++ b/installers/charm/pla/src/charm.py @@ -48,6 +48,7 @@ class ConfigModel(ModelValidator): mongodb_uri: Optional[str] log_level: str image_pull_policy: str + security_context: bool @validator("log_level") def validate_log_level(cls, v): @@ -108,7 +109,9 @@ class PlaCharm(CharmedOsmBase): self._check_missing_dependencies(config) # Create Builder for the PodSpec - pod_spec_builder = PodSpecV3Builder() + pod_spec_builder = PodSpecV3Builder( + enable_security_context=config.security_context + ) # Add secrets to the pod mongodb_secret_name = f"{self.app.name}-mongodb-secret" @@ -122,7 +125,10 @@ class PlaCharm(CharmedOsmBase): # Build Container container_builder = ContainerV3Builder( - self.app.name, image_info, config.image_pull_policy + self.app.name, + image_info, + config.image_pull_policy, + run_as_non_root=config.security_context, ) container_builder.add_port(name=self.app.name, port=PORT) container_builder.add_envs( diff --git a/installers/charm/pol/config.yaml b/installers/charm/pol/config.yaml index 3264ca30..0279bd5e 100644 --- a/installers/charm/pol/config.yaml +++ b/installers/charm/pol/config.yaml 
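Review bot: The pla charm.py hunks at `@@ -108,7 +109,9 @@` and `@@ -122,7 +125,10 @@` are yet another copy of the same two edits — the flag handed to `PodSpecV3Builder(enable_security_context=...)` and to `ContainerV3Builder(..., run_as_non_root=...)` — and every charm in this patch derives from `CharmedOsmBase`, so this is policy that belongs in one place. A helper on the base class (for instance `self._security_context_enabled(config)`, applying the debug_mode override where that option exists) would stop the fifteen charms from drifting when the next knob (fsGroup, dropped capabilities, read-only root filesystem) is added. CharmedOsmBase is not part of this patch, so I cannot say whether it already offers a hook for this.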
@@ -42,9 +42,14 @@ options: description: | If true, debug mode is activated. It means that the service will not run, and instead, the command for the container will be a `sleep infinity`. + Note: If enabled, security_context will be disabled. type: boolean default: false debug_pubkey: description: | Public SSH key that will be injected to the application pod. type: string + security_context: + description: Enables the security context of the pods + type: boolean + default: false diff --git a/installers/charm/pol/src/charm.py b/installers/charm/pol/src/charm.py index 02c8186c..345a87f4 100755 --- a/installers/charm/pol/src/charm.py +++ b/installers/charm/pol/src/charm.py @@ -51,6 +51,8 @@ class ConfigModel(ModelValidator): mongodb_uri: Optional[str] mysql_uri: Optional[str] image_pull_policy: str + debug_mode: bool + security_context: bool @validator("log_level") def validate_log_level(cls, v): @@ -130,8 +132,14 @@ class PolCharm(CharmedOsmBase): # Check relations self._check_missing_dependencies(config) + security_context_enabled = ( + config.security_context if not config.debug_mode else False + ) + # Create Builder for the PodSpec - pod_spec_builder = PodSpecV3Builder() + pod_spec_builder = PodSpecV3Builder( + enable_security_context=security_context_enabled + ) # Add secrets to the pod mongodb_secret_name = f"{self.app.name}-mongodb-secret" @@ -150,7 +158,10 @@ class PolCharm(CharmedOsmBase): # Build Container container_builder = ContainerV3Builder( - self.app.name, image_info, config.image_pull_policy + self.app.name, + image_info, + config.image_pull_policy, + run_as_non_root=security_context_enabled, ) container_builder.add_port(name=self.app.name, port=PORT) container_builder.add_envs( diff --git a/installers/charm/prometheus/config.yaml b/installers/charm/prometheus/config.yaml index 6ce1613b..6db6a60b 100644 --- a/installers/charm/prometheus/config.yaml +++ b/installers/charm/prometheus/config.yaml 
@@ -71,3 +71,7 @@ options: ImagePullPolicy configuration for the pod. Possible values: always, ifnotpresent, never default: always + security_context: + description: Enables the security context of the pods + type: boolean + default: false diff --git a/installers/charm/prometheus/src/charm.py b/installers/charm/prometheus/src/charm.py index e79de698..61589e20 100755 --- a/installers/charm/prometheus/src/charm.py +++ b/installers/charm/prometheus/src/charm.py @@ -61,6 +61,7 @@ class ConfigModel(ModelValidator): tls_secret_name: Optional[str] enable_web_admin_api: bool image_pull_policy: str + security_context: bool @validator("web_subpath") def validate_web_subpath(cls, v): @@ -159,7 +160,9 @@ class PrometheusCharm(CharmedOsmBase): # Validate config config = ConfigModel(**dict(self.config)) # Create Builder for the PodSpec - pod_spec_builder = PodSpecV3Builder() + pod_spec_builder = PodSpecV3Builder( + enable_security_context=config.security_context + ) # Build Backup Container backup_image = OCIImageResource(self, "backup-image") @@ -171,7 +174,10 @@ class PrometheusCharm(CharmedOsmBase): # Build Container container_builder = ContainerV3Builder( - self.app.name, image_info, config.image_pull_policy + self.app.name, + image_info, + config.image_pull_policy, + run_as_non_root=config.security_context, ) container_builder.add_port(name=self.app.name, port=PORT) container_builder.add_http_readiness_probe( diff --git a/installers/charm/ro/config.yaml b/installers/charm/ro/config.yaml index 98284382..ab4cd5d8 100644 --- a/installers/charm/ro/config.yaml +++ b/installers/charm/ro/config.yaml 
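Review bot: In the prometheus charm.py hunk at `@@ -171,7 +174,10 @@` only the main container gets `run_as_non_root=config.security_context`; the backup container built from `backup_image = OCIImageResource(self, "backup-image")` (trailing context of the `@@ -159,7 +160,9 @@` hunk) is constructed between the two hunks and, as far as this patch shows, never receives the flag. Unless `PodSpecV3Builder(enable_security_context=True)` sets runAsNonRoot at pod level for all containers, the backup sidecar keeps running as root while the option claims the pod is hardened. Pass `run_as_non_root=config.security_context` to the backup container's builder as well, or leave a comment explaining why it is excluded.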
@@ -80,9 +80,14 @@ options: description: | If true, debug mode is activated. It means that the service will not run, and instead, the command for the container will be a `sleep infinity`. + Note: If enabled, security_context will be disabled. type: boolean default: false debug_pubkey: description: | Public SSH key that will be injected to the application pod. type: string + security_context: + description: Enables the security context of the pods + type: boolean + default: false diff --git a/installers/charm/ro/src/charm.py b/installers/charm/ro/src/charm.py index 3b6b7e28..2a8c110d 100755 --- a/installers/charm/ro/src/charm.py +++ b/installers/charm/ro/src/charm.py @@ -79,6 +79,8 @@ class ConfigModel(ModelValidator): openmano_tenant: str certificates: Optional[str] image_pull_policy: str + debug_mode: bool + security_context: bool @validator("log_level") def validate_log_level(cls, v): @@ -216,12 +218,21 @@ class RoCharm(CharmedOsmBase): # Check relations self._check_missing_dependencies(config) + security_context_enabled = ( + config.security_context if not config.debug_mode else False + ) + # Create Builder for the PodSpec - pod_spec_builder = PodSpecV3Builder() + pod_spec_builder = PodSpecV3Builder( + enable_security_context=security_context_enabled + ) # Build Container container_builder = ContainerV3Builder( - self.app.name, image_info, config.image_pull_policy + self.app.name, + image_info, + config.image_pull_policy, + run_as_non_root=security_context_enabled, ) certs_files = self._build_cert_files(config) diff --git a/installers/charm/zookeeper/config.yaml b/installers/charm/zookeeper/config.yaml index d9b89a41..149d3881 100644 --- a/installers/charm/zookeeper/config.yaml +++ b/installers/charm/zookeeper/config.yaml @@ -87,3 +87,7 @@ options: For example, the minimum session timeout will be two ticks. type: int default: 2000 + security_context: + description: Enables the security context of the pods + type: boolean + default: false 
diff --git a/installers/charm/zookeeper/src/charm.py b/installers/charm/zookeeper/src/charm.py index 6e4588c4..c2acf0be 100755 --- a/installers/charm/zookeeper/src/charm.py +++ b/installers/charm/zookeeper/src/charm.py @@ -52,6 +52,7 @@ class ConfigModel(ModelValidator): sync_limit: int init_limit: int tick_time: int + security_context: bool @validator("log_level") def validate_log_level(cls, v): @@ -99,7 +100,7 @@ class ZookeeperCharm(CharmedOsmBase): Args: event (EventBase): Zookeeper Cluster relation event. """ - self._publish_zookeeper_info(event) + self._publish_info(event) self.configure_pod() def _publish_info(self, event: EventBase): @@ -120,11 +121,16 @@ class ZookeeperCharm(CharmedOsmBase): config = ConfigModel(**dict(self.config)) # Create Builder for the PodSpec - pod_spec_builder = PodSpecV3Builder() + pod_spec_builder = PodSpecV3Builder( + enable_security_context=config.security_context + ) # Build Container container_builder = ContainerV3Builder( - self.app.name, image_info, config.image_pull_policy + self.app.name, + image_info, + config.image_pull_policy, + run_as_non_root=config.security_context, ) container_builder.add_port(name="client", port=CLIENT_PORT) -- 2.17.1
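Review bot: The `self._publish_zookeeper_info(event)` → `self._publish_info(event)` change in the zookeeper charm.py hunk at `@@ -99,7 +100,7 @@` fixes a call to a method that does not appear to exist (the hunk's own context defines `_publish_info`), a real bug in the cluster-relation handler, yet it has nothing to do with the security_context flag and is not mentioned in the commit message. It deserves its own commit or at least a sentence in this one, plus a unit test that fires the relation event so the AttributeError cannot return unnoticed. Separately, the `@@ -120,11 +121,16 @@` hunk hands `run_as_non_root` to a ZooKeeper container that owns a persistent data directory; as with kafka, whether the pod security context also sets fsGroup determines whether enabling the flag on an existing deployment keeps working, and that is not visible here.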