Startsida Utforska Hjälp
Registrera dig Logga in
lcy
/
truenas
1
0
Fork 0
Filer Ärenden 0 Pull-förfrågningar 0 Wiki
Träd: 929e60d801
Grenar Taggar
truenas
/
library
/
common
/
templates
/
lib
/
pod
/
_podSecurityContext.tpl

_podSecurityContext.tpl 3.3 KB
Historik

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990 
  1. {{/* Returns Pod Security Context */}}
    2. 

  2. {{/* Call this template:
    3. 

  3. {{ include "ix.v1.common.lib.pod.securityContext" (dict "rootCtx" $ "objectData" $objectData) }}
    4. 

  4. rootCtx: The root context of the chart.
    5. 

  5. objectData: The object data to be used to render the Pod.
    6. 

  6. */}}
    7. 

  7. {{- define "ix.v1.common.lib.pod.securityContext" -}}
    8. 

  8.   {{- $rootCtx := .rootCtx -}}
    9. 

  9.   {{- $objectData := .objectData -}}
    10. 

  10. 

  11.   {{- if not $rootCtx.Values.securityContext.pod -}}
    12. 

  12.     {{- fail "Pod - Expected non-empty <.Values.securityContext.pod>" -}}
    13. 

  13.   {{- end -}}
    14. 

  14. 

  15.   {{/* Initialize from the "global" option */}}
    16. 

  16.   {{- $secContext := mustDeepCopy $rootCtx.Values.securityContext.pod -}}
    17. 

  17. 

  18.   {{/* Override with pod's option */}}
    19. 

  19.   {{- with $objectData.podSpec.securityContext -}}
    20. 

  20.     {{- $secContext = mustMergeOverwrite $secContext . -}}
    21. 

  21.   {{- end -}}
    22. 

  22. 

  23.   {{/* TODO: Add supplemental groups
    24. 

  24.     devices (5, 10, 20, 24) (Only when devices is assigned on the pod's containers)
    25. 

  25.     TODO: Unit Test the above cases
    26. 

  26.   */}}
    27. 

  27. 

  28.   {{- $gpuAdded := false -}}
    29. 

  29.   {{- range $GPUValues := $rootCtx.Values.scaleGPU -}}
    30. 

  30.     {{/* If there is a selector and pod is selected */}}
    31. 

  31.     {{- if $GPUValues.targetSelector -}}
    32. 

  32.       {{- if mustHas $objectData.shortName ($GPUValues.targetSelector | keys) -}}
    33. 

  33.         {{- $gpuAdded = true -}}
    34. 

  34.       {{- end -}}
    35. 

  35.     {{/* If there isn't a selector, but pod is primary */}}
    36. 

  36.     {{- else if $objectData.primary -}}
    37. 

  37.       {{- $gpuAdded = true -}}
    38. 

  38.     {{- end -}}
    39. 

  39.   {{- end -}}
    40. 

  40. 

  41.   {{- if $gpuAdded -}}
    42. 

  42.     {{- $_ := set $secContext "supplementalGroups" (concat $secContext.supplementalGroups (list 44)) -}}
    43. 

  43.   {{- end -}}
    44. 

  44. 

  45.   {{- $portRange := fromJson (include "ix.v1.common.lib.helpers.securityContext.getPortRange" (dict "rootCtx" $rootCtx "objectData" $objectData)) -}}
    46. 

  46.   {{- if and $portRange.low (le (int $portRange.low) 1024) -}} {{/* If a container wants to bind a port <= 1024 change the unprivileged_port_start */}}
    47. 

  47.     {{- $_ := set $secContext "sysctls" (mustAppend $secContext.sysctls (dict "name" "net.ipv4.ip_unprivileged_port_start" "value" (printf "%v" $portRange.low))) -}}
    48. 

  48.   {{- end -}}
    49. 

  49. 

  50.   {{- if not $secContext.fsGroup -}}
    51. 

  51.     {{- fail "Pod - Expected non-empty <fsGroup>" -}}
    52. 

  52.   {{- end -}}
    53. 

  53. 

  54.   {{/* Used by the fixedEnv template */}}
    55. 

  55.   {{- $_ := set $objectData.podSpec "calculatedFSGroup" $secContext.fsGroup -}}
    56. 

  56. 

  57.   {{- if not $secContext.fsGroupChangePolicy -}}
    58. 

  58.     {{- fail "Pod - Expected non-empty <fsGroupChangePolicy>" -}}
    59. 

  59.   {{- end -}}
    60. 

  60. 

  61.   {{- $policies := (list "Always" "OnRootMismatch") -}}
    62. 

  62.   {{- if not (mustHas $secContext.fsGroupChangePolicy $policies) -}}
    63. 

  63.     {{- fail (printf "Pod - Expected <fsGroupChangePolicy> to be one of [%s], but got [%s]" (join ", " $policies) $secContext.fsGroupChangePolicy) -}}
    64. 

  64.   {{- end }}
    65. 

  65. fsGroup: {{ $secContext.fsGroup }}
    66. 

  66. fsGroupChangePolicy: {{ $secContext.fsGroupChangePolicy }}
    67. 

  67.   {{- with $secContext.supplementalGroups }}
    68. 

  68. supplementalGroups:
    69. 

  69.     {{- range . }}
    70. 

  70.   - {{ . }}
    71. 

  71.     {{- end -}}
    72. 

  72.   {{- else }}
    73. 

  73. supplementalGroups: []
    74. 

  74.   {{- end -}}
    75. 

  75.   {{- with $secContext.sysctls }}
    76. 

  76. sysctls:
    77. 

  77.     {{- range . }}
    78. 

  78.     {{- if not .name -}}
    79. 

  79.       {{- fail "Pod - Expected non-empty <name> in <sysctls>" -}}
    80. 

  80.     {{- end -}}
    81. 

  81.     {{- if not .value -}}
    82. 

  82.       {{- fail "Pod - Expected non-empty <value> in <sysctls>" -}}
    83. 

  83.     {{- end }}
    84. 

  84.   - name: {{ tpl .name $rootCtx | quote }}
    85. 

  85.     value: {{ tpl .value $rootCtx | quote }}
    86. 

  86.     {{- end -}}
    87. 

  87.   {{- else }}
    88. 

  88. sysctls: []
    89. 

  89.   {{- end -}}
    90. 

  90. {{- end -}}
    91.