From a35b8ddde503986b396fb3c9c4e281dad1fea499 Mon Sep 17 00:00:00 2001 
From: Kjeld Schouten Date: Sat, 18 Nov 2023 21:35:18 +0100 Subject: [PATCH] feat(common): add hostUser support (#612) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit **Description** `hostUsers: false` provides extra security for stateless pods. It has specific requirements before it can be enabled; when those are met it is safe to enable. Just in case, we also allow a manual override. ⚒️ Fixes #607 **⚙️ Type of change** - [x] ⚙️ Feature/App addition - [ ] 🪛 Bugfix - [ ] ⚠️ Breaking change (fix or feature that would cause existing functionality to not work as expected) - [ ] 🔃 Refactor of current code **🧪 How Has This Been Tested?** **📃 Notes:** **✔️ Checklist:** - [ ] ⚖️ My code follows the style guidelines of this project - [ ] 👀 I have performed a self-review of my own code - [ ] #️⃣ I have commented my code, particularly in hard-to-understand areas - [ ] 📄 I have made corresponding changes to the documentation - [ ] ⚠️ My changes generate no new warnings - [ ] 🧪 I have added tests to this description that prove my fix is effective or that my feature works - [ ] ⬆️ I increased versions for any altered app according to semantic versioning **➕ App addition** If this PR is an app addition please make sure you have done the following. - [ ] 🪞 I have opened a PR on [truecharts/containers](https://github.com/truecharts/containers) adding the container to TrueCharts mirror repo. - [ ] 🖼️ I have added an icon in the Chart's root directory called `icon.png` --- _Please don't blindly check all the boxes. Read them and only check those that apply. 
Those checkboxes are there for the reviewer to see what is this all about and the status of this PR with a quick glance._ --------- Co-authored-by: Stavros kois Co-authored-by: Stavros Kois <47820033+stavros-k@users.noreply.github.com> --- library/common-test/Chart.yaml | 2 +- .../common-test/tests/pod/host_ipc_test.yaml | 78 +++++ .../tests/pod/host_users_test.yaml | 316 ++++++++++++++++++ .../tests/pod/securityContext.yaml | 2 +- library/common/Chart.yaml | 2 +- library/common/templates/lib/pod/_hostIPC.tpl | 24 ++ .../common/templates/lib/pod/_hostUsers.tpl | 32 ++ .../templates/lib/pod/_podSecurityContext.tpl | 55 ++- .../common/templates/lib/workload/_pod.tpl | 2 + library/common/values.yaml | 2 + 10 files changed, 502 insertions(+), 13 deletions(-) create mode 100644 library/common-test/tests/pod/host_ipc_test.yaml create mode 100644 library/common-test/tests/pod/host_users_test.yaml create mode 100644 library/common/templates/lib/pod/_hostIPC.tpl create mode 100644 library/common/templates/lib/pod/_hostUsers.tpl diff --git a/library/common-test/Chart.yaml b/library/common-test/Chart.yaml index 8f35abd6..5bafe0a7 100644 --- a/library/common-test/Chart.yaml +++ b/library/common-test/Chart.yaml @@ -3,7 +3,7 @@ appVersion: "" dependencies: - name: common repository: file://../common - version: ~15.1.0 + version: ~15.2.0 deprecated: false description: Helper chart to test different use cases of the common library home: https://github.com/truecharts/apps/tree/master/charts/library/common-test diff --git a/library/common-test/tests/pod/host_ipc_test.yaml b/library/common-test/tests/pod/host_ipc_test.yaml new file mode 100644 index 00000000..06a88b1c --- /dev/null +++ b/library/common-test/tests/pod/host_ipc_test.yaml 
@@ -0,0 +1,78 @@
+suite: pod hostIPC test
+templates:
+ - common.yaml
+release:
+ name: test-release-name
+ namespace: test-release-namespace
+tests:
+ - it: should pass with hostIPC disabled from "global"
+ set:
+ podOptions:
+ hostIPC: false
+ workload:
+ workload-name1:
+ enabled: true
+ primary: true
+ type: Deployment
+ podSpec: {}
+ asserts:
+ - documentIndex: &deploymentDoc 0
+ isKind:
+ of: Deployment
+ - documentIndex: *deploymentDoc
+ equal:
+ path: spec.template.spec.hostIPC
+ value: false
+
+ - it: should pass with hostIPC enabled from "global"
+ set:
+ podOptions:
+ hostIPC: true
+ workload:
+ workload-name1:
+ enabled: true
+ primary: true
+ type: Deployment
+ podSpec: {}
+ asserts:
+ - documentIndex: *deploymentDoc
+ isKind:
+ of: Deployment
+ - documentIndex: *deploymentDoc
+ equal:
+ path: spec.template.spec.hostIPC
+ value: true
+
+ - it: should pass with disabled hostIPC from pod
+ set:
+ podOptions:
+ hostIPC: true
+ workload:
+ workload-name1:
+ enabled: true
+ primary: true
+ type: Deployment
+ podSpec:
+ hostIPC: false
+ asserts:
+ - documentIndex: *deploymentDoc
+ equal:
+ path: spec.template.spec.hostIPC
+ value: false
+
+ - it: should pass with enabled hostIPC from pod
+ set:
+ podOptions:
+ hostIPC: false
+ workload:
+ workload-name1:
+ enabled: true
+ primary: true
+ type: Deployment
+ podSpec:
+ hostIPC: true
+ asserts:
+ - documentIndex: *deploymentDoc
+ equal:
+ path: spec.template.spec.hostIPC
+ value: true
diff --git a/library/common-test/tests/pod/host_users_test.yaml b/library/common-test/tests/pod/host_users_test.yaml
new file mode 100644
index 00000000..6e43c03d
--- /dev/null
+++ b/library/common-test/tests/pod/host_users_test.yaml
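Review bot: None of the four cases in host_ipc_test.yaml exercises the default path where neither `podOptions.hostIPC` nor `podSpec.hostIPC` is set, so a regression that leaves `spec.template.spec.hostIPC` unset or flips it to `true` (sharing the host IPC namespace with every other pod on the node) would still pass this suite. The `_hostIPC.tpl` and values.yaml hunks that decide that default are not in view here, so the expected value below assumes the new `podOptions.hostIPC` default is `false`; adjust if the library chooses to omit the key instead. A fifth case that sets only the workload and asserts the rendered value pins the secure default and documents it for the next reader. The existing four cases are otherwise complete for the global/pod override matrix.
```yaml
  - it: should default to hostIPC disabled when nothing is set
    set:
      workload:
        workload-name1:
          enabled: true
          primary: true
          type: Deployment
          podSpec: {}
    asserts:
      - documentIndex: *deploymentDoc
        equal:
          path: spec.template.spec.hostIPC
          value: false
```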
@@ -0,0 +1,316 @@
+suite: pod hostUsers test
+templates:
+ - common.yaml
+release:
+ name: test-release-name
+ namespace: test-release-namespace
+tests:
+ - it: should pass with hostUsers enabled from "global"
+ set:
+ podOptions:
+ hostUsers: true
+ workload:
+ workload-name1:
+ enabled: true
+ primary: true
+ type: Deployment
+ podSpec: {}
+ asserts:
+ - documentIndex: &deploymentDoc 0
+ isKind:
+ of: Deployment
+ - documentIndex: *deploymentDoc
+ equal:
+ path: spec.template.spec.hostUsers
+ value: true
+
+ - it: should pass with hostUsers enabled from podSpec
+ set:
+ podOptions:
+ hostUsers: false
+ workload:
+ workload-name1:
+ enabled: true
+ primary: true
+ type: Deployment
+ podSpec:
+ hostUsers: true
+ asserts:
+ - documentIndex: *deploymentDoc
+ isKind:
+ of: Deployment
+ - documentIndex: *deploymentDoc
+ equal:
+ path: spec.template.spec.hostUsers
+ value: true
+
+ - it: should pass with enabled hostUsers because of pvc
+ set:
+ workload:
+ workload-name1:
+ enabled: true
+ primary: true
+ type: Deployment
+ podSpec: {}
+ persistence:
+ vol1:
+ enabled: true
+ type: pvc
+ asserts:
+ - documentIndex: *deploymentDoc
+ equal:
+ path: spec.template.spec.hostUsers
+ value: true
+
+ - it: should pass with enabled hostUsers because of hostNet
+ set:
+ workload:
+ workload-name1:
+ enabled: true
+ primary: true
+ type: Deployment
+ podSpec:
+ hostNetwork: true
+ asserts:
+ - documentIndex: *deploymentDoc
+ equal:
+ path: spec.template.spec.hostUsers
+ value: true
+
+ - it: should pass with enabled hostUsers because of hostPID
+ set:
+ workload:
+ workload-name1:
+ enabled: true
+ primary: true
+ type: Deployment
+ podSpec:
+ hostPID: true
+ asserts:
+ - documentIndex: *deploymentDoc
+ equal:
+ path: spec.template.spec.hostUsers
+ value: true
+
+ - it: should pass with enabled hostUsers because of hostIPC
+ set:
+ workload:
+ workload-name1:
+ enabled: true
+ primary: true
+ type: Deployment
+ podSpec:
+ hostIPC: true
+ asserts:
+ - documentIndex: *deploymentDoc
+ equal:
+ path: spec.template.spec.hostUsers
+ value: true
+
+ # Tests that eq