Home Explore Help
Register Sign In
lcy
/
truenas
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 452b3fd151
Branches Tags
truenas
/
library
/
common
/
templates
/
lib
/
pod
/
_podSecurityContext.tpl

_podSecurityContext.tpl 3.6 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192 
  1. {{/* Returns Pod Security Context */}}
    2. 

  2. {{/* Call this template:
    3. 

  3. {{ include "ix.v1.common.lib.pod.securityContext" (dict "rootCtx" $ "objectData" $objectData) }}
    4. 

  4. rootCtx: The root context of the chart.
    5. 

  5. objectData: The object data to be used to render the Pod.
    6. 

  6. */}}
    7. 

  7. {{- define "ix.v1.common.lib.pod.securityContext" -}}
    8. 

  8.   {{- $rootCtx := .rootCtx -}}
    9. 

  9.   {{- $objectData := .objectData -}}
    10. 

  10. 

  11.   {{- if not $rootCtx.Values.securityContext.pod -}}
    12. 

  12.     {{- fail "Pod - Expected non-empty <.Values.securityContext.pod>" -}}
    13. 

  13.   {{- end -}}
    14. 

  14. 

  15.   {{/* Initialize from the "global" option */}}
    16. 

  16.   {{- $secContext := mustDeepCopy $rootCtx.Values.securityContext.pod -}}
    17. 

  17. 

  18.   {{/* Override with pods option */}}
    19. 

  19.   {{- with $objectData.podSpec.securityContext -}}
    20. 

  20.     {{- $secContext = mustMergeOverwrite $secContext . -}}
    21. 

  21.   {{- end -}}
    22. 

  22. 

  23.   {{/* TODO: Add supplemental groups
    24. 

  24.     devices (5, 10, 20, 24) (Only when devices is assigned on the pods containers)
    25. 

  25.     TODO: Unit Test the above cases
    26. 

  26.   */}}
    27. 

  27. 

  28.   {{- $gpuAdded := false -}}
    29. 

  29.   {{- range $GPUValues := $rootCtx.Values.scaleGPU -}}
    30. 

  30.     {{/* If there is a selector and pod is selected */}}
    31. 

  31.     {{- if $GPUValues.targetSelector -}}
    32. 

  32.       {{- if mustHas $objectData.shortName ($GPUValues.targetSelector | keys) -}}
    33. 

  33.         {{- $gpuAdded = true -}}
    34. 

  34.       {{- end -}}
    35. 

  35.     {{/* If there isnt a selector, but pod is primary */}}
    36. 

  36.     {{- else if $objectData.primary -}}
    37. 

  37.       {{- $gpuAdded = true -}}
    38. 

  38.     {{- end -}}
    39. 

  39.   {{- end -}}
    40. 

  40. 

  41.   {{- if $gpuAdded -}}
    42. 

  42.     {{- $_ := set $secContext "supplementalGroups" (concat $secContext.supplementalGroups (list 44 107)) -}}
    43. 

  43.   {{- end -}}
    44. 

  44. 

  45.   {{- $portRange := fromJson (include "ix.v1.common.lib.helpers.securityContext.getPortRange" (dict "rootCtx" $rootCtx "objectData" $objectData)) -}}
    46. 

  46.   {{- if and $portRange.low (le (int $portRange.low) 1024) -}} {{/* If a container wants to bind a port <= 1024 change the unprivileged_port_start */}}
    47. 

  47.     {{- if ne (include "ix.v1.common.lib.pod.hostNetwork" (dict "rootCtx" $rootCtx "objectData" $objectData)) "true" -}}
    48. 

  48.       {{- $_ := set $secContext "sysctls" (mustAppend $secContext.sysctls (dict "name" "net.ipv4.ip_unprivileged_port_start" "value" (printf "%v" $portRange.low))) -}}
    49. 

  49.     {{- end -}}
    50. 

  50.   {{- end -}}
    51. 

  51. 

  52.   {{- if or (kindIs "invalid" $secContext.fsGroup) (eq (toString $secContext.fsGroup) "") -}}
    53. 

  53.     {{- fail "Pod - Expected non-empty <fsGroup>" -}}
    54. 

  54.   {{- end -}}
    55. 

  55. 

  56.   {{/* Used by the fixedEnv template */}}
    57. 

  57.   {{- $_ := set $objectData.podSpec "calculatedFSGroup" $secContext.fsGroup -}}
    58. 

  58. 

  59.   {{- if not $secContext.fsGroupChangePolicy -}}
    60. 

  60.     {{- fail "Pod - Expected non-empty <fsGroupChangePolicy>" -}}
    61. 

  61.   {{- end -}}
    62. 

  62. 

  63.   {{- $policies := (list "Always" "OnRootMismatch") -}}
    64. 

  64.   {{- if not (mustHas $secContext.fsGroupChangePolicy $policies) -}}
    65. 

  65.     {{- fail (printf "Pod - Expected <fsGroupChangePolicy> to be one of [%s], but got [%s]" (join ", " $policies) $secContext.fsGroupChangePolicy) -}}
    66. 

  66.   {{- end }}
    67. 

  67. fsGroup: {{ include "ix.v1.common.helper.makeIntOrNoop" $secContext.fsGroup }}
    68. 

  68. fsGroupChangePolicy: {{ $secContext.fsGroupChangePolicy }}
    69. 

  69.   {{- with $secContext.supplementalGroups }}
    70. 

  70. supplementalGroups:
    71. 

  71.     {{- range . }}
    72. 

  72.   - {{ include "ix.v1.common.helper.makeIntOrNoop" . }}
    73. 

  73.     {{- end -}}
    74. 

  74.   {{- else }}
    75. 

  75. supplementalGroups: []
    76. 

  76.   {{- end -}}
    77. 

  77.   {{- with $secContext.sysctls }}
    78. 

  78. sysctls:
    79. 

  79.     {{- range . }}
    80. 

  80.     {{- if not .name -}}
    81. 

  81.       {{- fail "Pod - Expected non-empty <name> in <sysctls>" -}}
    82. 

  82.     {{- end -}}
    83. 

  83.     {{- if not .value -}}
    84. 

  84.       {{- fail "Pod - Expected non-empty <value> in <sysctls>" -}}
    85. 

  85.     {{- end }}
    86. 

  86.   - name: {{ tpl .name $rootCtx | quote }}
    87. 

  87.     value: {{ tpl .value $rootCtx | quote }}
    88. 

  88.     {{- end -}}
    89. 

  89.   {{- else }}
    90. 

  90. sysctls: []
    91. 

  91.   {{- end -}}
    92. 

  92. {{- end -}}
    93.