Operator-UI security context configuration (#1089)

- fix: check all pages are valid in the Add Tenant wizard before enabling the
  Create button
- Added: security context menu configuration for MinIO, logsearch api,
  postgres, prometheus and KES

Signed-off-by: Lenin Alevski <alevsk.8772@gmail.com>
This commit is contained in:
Lenin Alevski
2021-10-19 09:42:36 -07:00
committed by GitHub
parent ccebc17f3f
commit ff433549b6
16 changed files with 1162 additions and 43 deletions


@@ -1732,6 +1732,10 @@ func init() {
"replicas": {
"type": "string"
},
"securityContext": {
"type": "object",
"$ref": "#/definitions/securityContext"
},
"server": {
"type": "object",
"$ref": "#/definitions/keyPairConfiguration"
@@ -2136,6 +2140,14 @@ func init() {
"postgres_init_image": {
"type": "string"
},
"postgres_securityContext": {
"type": "object",
"$ref": "#/definitions/securityContext"
},
"securityContext": {
"type": "object",
"$ref": "#/definitions/securityContext"
},
"storageClass": {
"type": "string",
"default": ""
@@ -2445,6 +2457,10 @@ func init() {
"resources": {
"$ref": "#/definitions/poolResources"
},
"securityContext": {
"type": "object",
"$ref": "#/definitions/securityContext"
},
"servers": {
"type": "integer"
},
@@ -2778,19 +2794,16 @@ func init() {
],
"properties": {
"fsGroup": {
"type": "integer",
"format": "int64"
"type": "string"
},
"runAsGroup": {
"type": "integer",
"format": "int64"
"type": "string"
},
"runAsNonRoot": {
"type": "boolean"
},
"runAsUser": {
"type": "integer",
"format": "int64"
"type": "string"
}
}
},
@@ -5570,6 +5583,10 @@ func init() {
"replicas": {
"type": "string"
},
"securityContext": {
"type": "object",
"$ref": "#/definitions/securityContext"
},
"server": {
"type": "object",
"$ref": "#/definitions/keyPairConfiguration"
@@ -5962,6 +5979,14 @@ func init() {
"postgres_init_image": {
"type": "string"
},
"postgres_securityContext": {
"type": "object",
"$ref": "#/definitions/securityContext"
},
"securityContext": {
"type": "object",
"$ref": "#/definitions/securityContext"
},
"storageClass": {
"type": "string",
"default": ""
@@ -6205,6 +6230,10 @@ func init() {
"resources": {
"$ref": "#/definitions/poolResources"
},
"securityContext": {
"type": "object",
"$ref": "#/definitions/securityContext"
},
"servers": {
"type": "integer"
},
@@ -6469,19 +6498,16 @@ func init() {
],
"properties": {
"fsGroup": {
"type": "integer",
"format": "int64"
"type": "string"
},
"runAsGroup": {
"type": "integer",
"format": "int64"
"type": "string"
},
"runAsNonRoot": {
"type": "boolean"
},
"runAsUser": {
"type": "integer",
"format": "int64"
"type": "string"
}
}
},


@@ -1147,6 +1147,14 @@ func getTenantCreatedResponse(session *models.Principal, params operator_api.Cre
minInst.Spec.KES.Labels = tenantReq.Encryption.Labels
minInst.Spec.KES.Annotations = tenantReq.Encryption.Annotations
minInst.Spec.KES.NodeSelector = tenantReq.Encryption.NodeSelector
if tenantReq.Encryption.SecurityContext != nil {
sc, err := parseSecurityContext(tenantReq.Encryption.SecurityContext)
if err != nil {
return nil, prepareError(err)
}
minInst.Spec.KES.SecurityContext = sc
}
}
// External TLS CA certificates for MinIO
if tenantReq.TLS != nil && len(tenantReq.TLS.CaCertificates) > 0 {
@@ -1229,6 +1237,8 @@ func getTenantCreatedResponse(session *models.Principal, params operator_api.Cre
logSearchImage := ""
logSearchPgImage := ""
logSearchPgInitImage := ""
var logSearchSecurityContext *corev1.PodSecurityContext
var logSearchPgSecurityContext *corev1.PodSecurityContext
if tenantReq.LogSearchConfiguration != nil {
if tenantReq.LogSearchConfiguration.StorageSize != nil {
@@ -1249,6 +1259,22 @@ func getTenantCreatedResponse(session *models.Principal, params operator_api.Cre
if tenantReq.LogSearchConfiguration.PostgresInitImage != "" {
logSearchPgInitImage = tenantReq.LogSearchConfiguration.PostgresInitImage
}
// if security context for logSearch is present, configure it.
if tenantReq.LogSearchConfiguration.SecurityContext != nil {
sc, err := parseSecurityContext(tenantReq.LogSearchConfiguration.SecurityContext)
if err != nil {
return nil, prepareError(err)
}
logSearchSecurityContext = sc
}
// if security context for logSearch is present, configure it.
if tenantReq.LogSearchConfiguration.PostgresSecurityContext != nil {
sc, err := parseSecurityContext(tenantReq.LogSearchConfiguration.PostgresSecurityContext)
if err != nil {
return nil, prepareError(err)
}
logSearchPgSecurityContext = sc
}
}
logSearchDiskSpace := resource.NewQuantity(diskSpaceFromAPI, resource.DecimalExponent)
@@ -1290,6 +1316,12 @@ func getTenantCreatedResponse(session *models.Principal, params operator_api.Cre
if logSearchPgInitImage != "" {
minInst.Spec.Log.Db.InitImage = logSearchPgInitImage
}
if logSearchSecurityContext != nil {
minInst.Spec.Log.SecurityContext = logSearchSecurityContext
}
if logSearchPgSecurityContext != nil {
minInst.Spec.Log.Db.SecurityContext = logSearchPgSecurityContext
}
prometheusDiskSpace := 5 // Default is 5 by API
prometheusStorageClass := "" // Default is ""
@@ -1336,13 +1368,11 @@ func getTenantCreatedResponse(session *models.Principal, params operator_api.Cre
}
// if security context for prometheus is present, configure it.
if tenantReq.PrometheusConfiguration != nil && tenantReq.PrometheusConfiguration.SecurityContext != nil {
sc := tenantReq.PrometheusConfiguration.SecurityContext
minInst.Spec.Prometheus.SecurityContext = &corev1.PodSecurityContext{
RunAsUser: sc.RunAsUser,
RunAsGroup: sc.RunAsGroup,
RunAsNonRoot: sc.RunAsNonRoot,
FSGroup: sc.FsGroup,
sc, err := parseSecurityContext(tenantReq.PrometheusConfiguration.SecurityContext)
if err != nil {
return nil, prepareError(err)
}
minInst.Spec.Prometheus.SecurityContext = sc
}
// expose services
@@ -1912,6 +1942,14 @@ func parseTenantPoolRequest(poolParams *models.Pool) (*miniov2.Pool, error) {
Affinity: affinity,
Tolerations: tolerations,
}
// if security context for Tenant is present, configure it.
if poolParams.SecurityContext != nil {
sc, err := parseSecurityContext(poolParams.SecurityContext)
if err != nil {
return nil, err
}
pool.SecurityContext = sc
}
return pool, nil
}
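Review bot: The comment introducing the `PostgresSecurityContext` branch in the logSearch hunk, `// if security context for logSearch is present, configure it.`, is a verbatim copy of the comment on the `SecurityContext` branch just above it and now mislabels the postgres block; it should read `// if security context for the logSearch postgres database is present, configure it.` so the two branches are distinguishable at a glance. In the same hunk both branches hand the bare strconv error from parseSecurityContext to `prepareError(err)`; if prepareError maps unrecognised errors to a 500 (its behaviour is not visible here), a malformed `runAsUser` in the request body is reported as a server fault instead of a client error, and the message does not say which field failed — worth checking how prepareError classifies this before merging. getTenantCreatedResponse starts and ends outside these hunks.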


@@ -38,6 +38,31 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// parseSecurityContext validate and return securityContext for pods
func parseSecurityContext(sc *models.SecurityContext) (*corev1.PodSecurityContext, error) {
if sc == nil {
return nil, errors.New("invalid security context")
}
runAsUser, err := strconv.ParseInt(*sc.RunAsUser, 10, 64)
if err != nil {
return nil, err
}
RunAsGroup, err := strconv.ParseInt(*sc.RunAsGroup, 10, 64)
if err != nil {
return nil, err
}
FsGroup, err := strconv.ParseInt(*sc.FsGroup, 10, 64)
if err != nil {
return nil, err
}
return &corev1.PodSecurityContext{
RunAsUser: &runAsUser,
RunAsGroup: &RunAsGroup,
RunAsNonRoot: sc.RunAsNonRoot,
FSGroup: &FsGroup,
}, nil
}
// tenantUpdateCertificates receives the keyPair certificates (public and private keys) for Minio and Console and will try
// to replace the existing kubernetes secrets with the new values, then will restart the affected pods so the new volumes can be mounted
func tenantUpdateCertificates(ctx context.Context, operatorClient OperatorClientI, clientSet K8sClientI, namespace string, params operator_api.TenantUpdateCertificateParams) error {
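Review bot: parseSecurityContext dereferences `*sc.RunAsUser`, `*sc.RunAsGroup` and `*sc.FsGroup` with only a `sc == nil` guard, so a request that omits any one of them will nil-panic inside the handler unless the swagger `required` list for securityContext (cut off just above `"properties"` in the embedded spec hunks) names all three and go-swagger validation runs before this call; the guard should cover the three pointers explicitly rather than rely on that. The parse also accepts any int64, including negative IDs, and does not reject `runAsNonRoot: true` combined with `runAsUser: 0`, a combination the kubelet refuses at container start — both are only caught after the Tenant is created, by the operator or kubelet, far from the API call that caused them, whereas a non-negative check and the root/non-root consistency check here give the caller an immediate, actionable 4xx. Returning the raw strconv error also drops which field was malformed; wrapping it with the field name (this needs `fmt`, which may already be imported above the hunk) fixes that, and the locals `RunAsGroup` and `FsGroup` should be lower-case per Go convention. The comment calls the function "validate and return" but the only validation today is that the strings parse; the rewrite below makes the comment true.

```go
// parseSecurityContext validates the securityContext from the API request and
// converts it to a corev1.PodSecurityContext. All three IDs must be present and
// non-negative, and runAsNonRoot=true is rejected together with runAsUser=0
// (the kubelet would refuse to start such a container anyway).
func parseSecurityContext(sc *models.SecurityContext) (*corev1.PodSecurityContext, error) {
	if sc == nil || sc.RunAsUser == nil || sc.RunAsGroup == nil || sc.FsGroup == nil {
		return nil, errors.New("invalid security context")
	}
	parseID := func(field, value string) (int64, error) {
		id, err := strconv.ParseInt(value, 10, 64)
		if err != nil || id < 0 {
			return 0, fmt.Errorf("securityContext.%s must be a non-negative integer, got %q", field, value)
		}
		return id, nil
	}
	runAsUser, err := parseID("runAsUser", *sc.RunAsUser)
	if err != nil {
		return nil, err
	}
	runAsGroup, err := parseID("runAsGroup", *sc.RunAsGroup)
	if err != nil {
		return nil, err
	}
	fsGroup, err := parseID("fsGroup", *sc.FsGroup)
	if err != nil {
		return nil, err
	}
	if sc.RunAsNonRoot != nil && *sc.RunAsNonRoot && runAsUser == 0 {
		return nil, errors.New("securityContext.runAsNonRoot is true but runAsUser is 0 (root)")
	}
	return &corev1.PodSecurityContext{
		RunAsUser:    &runAsUser,
		RunAsGroup:   &runAsGroup,
		RunAsNonRoot: sc.RunAsNonRoot,
		FSGroup:      &fsGroup,
	}, nil
}
```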