From e4751f88e52aa8e89e4c94bc6fe4c3346eccf6fe Mon Sep 17 00:00:00 2001
From: "Suren A. Chilingaryan"
Date: Tue, 20 Feb 2018 15:10:45 +0100
Subject: Handling GlusterFS storage security in OpenShift containers
---
 roles/ands_kaas/tasks/file.yml | 18 +++++++++++--
 roles/ands_kaas/templates/0-gfs-volumes.yml.j2 | 9 ++++---
 roles/ands_kaas/templates/6-kaas-pods.yml.j2 | 35 +++++++++++++++++++++-----
 3 files changed, 50 insertions(+), 12 deletions(-)
(limited to 'roles/ands_kaas')
diff --git a/roles/ands_kaas/tasks/file.yml b/roles/ands_kaas/tasks/file.yml
index 9a36e74..479ec68 100644
--- a/roles/ands_kaas/tasks/file.yml
+++ b/roles/ands_kaas/tasks/file.yml
@@ -1,9 +1,23 @@
 ---
+- name: Set group
+  set_fact: group="{{ file.group | default(kaas_project_config.file_group | default(ands_default_file_group)) }}"
+
+- name : Resolve project groups
+  set_fact: group="{{ (kaas_project_config.gids | default(ands_openshift_gids))[group].id }}"
+  when: group in ( kaas_project_config.gids | default(ands_openshift_gids) )
+
+- name: Set owner
+  set_fact: owner="{{ file.owner | default(kaas_project_config.file_owner | default(ands_default_file_owner)) }}"
+
+- name : Resolve project uids
+  set_fact: owner="{{ (kaas_project_config.uids | default(ands_openshift_uids) )[owner].id }}"
+  when: owner in ( kaas_project_config.uids | default(ands_openshift_uids) )
+
 - name: "Setting up files in {{ path }}"
 file:
 path: "{{ path }}"
 recurse: "{{ file.recurse | default(true) }}"
 mode: "{{ file.mode | default( ((file.state | default('directory')) == 'directory') | ternary('0755', '0644') ) }}"
- owner: "{{ file.owner | default(kaas_project_config.file_owner) | default(kaas_default_file_owner) }}"
- group: "{{ file.group | default(kaas_project_config.file_group) | default(kaas_default_file_group) }}"
+ owner: "{{ owner }}"
+ group: "{{ group }}"
 state: "{{ file.state | default('directory') }}"
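Review bot: The new owner/group resolution silently passes a name that is not in the project uid/gid map straight through to `file:`, so a typo in `file.owner` is looked up in the local passwd/group database of the host running the task and, if such an account exists there, the GlusterFS path ends up owned by an unrelated user. Add a guard between the resolve tasks and the `file:` task, e.g. `- assert: { that: [ "owner | string is match('^[0-9]+$')", "group | string is match('^[0-9]+$')" ] }`, or at least fail when the name is absent from the map. The facts are also named bare `owner` and `group`; `set_fact` values are host-scoped and outlive this included file, so prefixing them (`kaas_file_owner`, `kaas_file_group`) avoids clobbering anything else in the play that uses those names. Note the default maps here are `ands_openshift_uids`/`ands_openshift_gids` while the template hunks in this commit default to `kaas_openshift_uids`/`kaas_openshift_gids`; unless both sets of variables are defined, one side raises an undefined-variable error at render time.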
diff --git a/roles/ands_kaas/templates/0-gfs-volumes.yml.j2 b/roles/ands_kaas/templates/0-gfs-volumes.yml.j2
index a162c8b..8e5842a 100644
--- a/roles/ands_kaas/templates/0-gfs-volumes.yml.j2
+++ b/roles/ands_kaas/templates/0-gfs-volumes.yml.j2
@@ -7,10 +7,11 @@ metadata:
 descriptions: "KATRIN Volumes"
 objects:
 {% for name, vol in (kaas_project_config.volumes | default(kaas_openshift_volumes)).iteritems() %}
+{% set oc_name = vol.name | default(name) | regex_replace('_','-') %}
 - apiVersion: v1
 kind: PersistentVolume
 metadata:
- name: {{ vol.name | default(name) }}
+ name: {{ oc_name }}
 spec:
 persistentVolumeReclaimPolicy: Retain
 glusterfs:
@@ -22,14 +23,14 @@ objects:
 capacity:
 storage: {{ vol.capacity | default(kaas_default_volume_capacity) }}
 claimRef:
- name: {{ vol.name | default(name) }}
+ name: {{ oc_name }}
 namespace: {{ kaas_project }}
 - apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
- name: {{ vol.name | default(name) }}
+ name: {{ oc_name }}
 spec:
- volumeName: {{ vol.name | default(name) }}
+ volumeName: {{ oc_name }}
 accessModes:
 - {{ vol.access | default('ReadWriteMany') }}
 resources:
diff --git a/roles/ands_kaas/templates/6-kaas-pods.yml.j2 b/roles/ands_kaas/templates/6-kaas-pods.yml.j2
index 479b343..d5418d3 100644
--- a/roles/ands_kaas/templates/6-kaas-pods.yml.j2
+++ b/roles/ands_kaas/templates/6-kaas-pods.yml.j2
@@ -36,7 +36,7 @@ objects:
 - apiVersion: v1
 kind: Route
 metadata:
- name: kaas
+ name: {{ pod.name | default(name) }}
 spec:
 host: {{ pod.service.host }}
 to:
@@ -66,7 +66,7 @@ objects:
 - apiVersion: v1
 kind: DeploymentConfig
 metadata:
- name: kaas
+ name: {{ pod.name | default(name) }}
 spec:
 replicas: {{ pod.sched.replicas | default(1) }}
 selector:
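Review bot: `regex_replace('_','-')` on the new `oc_name` line only rewrites underscores, but PersistentVolume and PersistentVolumeClaim names must be DNS-1123 subdomains (lowercase alphanumerics, `-` and `.`), so a volume key with uppercase letters or other punctuation still fails validation when the template is applied. A fuller normalisation is `vol.name | default(name) | lower | regex_replace('[^a-z0-9.-]', '-')`. Since a PersistentVolume is cluster-scoped and `oc_name` carries no project prefix, two projects defining the same volume key would presumably collide on the PV name while `claimRef` pins it to a single namespace — worth confirming that the keys of `kaas_openshift_volumes` are unique across projects. The `.iteritems()` call on the loop line is Python 2-only and will break under a Python 3 controller, though that predates this commit; the loop body continues past the hunk.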
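Review bot: The Route is now named `{{ pod.name | default(name) }}` without the `regex_replace('_','-')` normalisation this commit applies to volume names, so a pod key containing an underscore yields an invalid object name here while its volumes render fine; the DeploymentConfig in the following hunk uses the same expression. Apply the same treatment, e.g. `name: {{ pod.name | default(name) | regex_replace('_','-') }}`, or set an `oc_name` once at the top of the pod loop and reuse it for the Route, the DeploymentConfig and the `to:` target below. The pod loop that defines `name` starts outside the hunk.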
@@ -93,11 +93,32 @@ objects:
 {% for img in pod.images %}
 {% set imgidx = loop.index %}
 {% for vol in img.mappings %}
+ {% set oc_name = vol.name | default(name) | regex_replace('_','-') %}
 - name: vol-{{imgidx}}-{{loop.index}}
 persistentVolumeClaim:
- claimName: {{ vol.name }}
+ claimName: {{ oc_name }}
 {% endfor %}
 {% endfor %}
+ {% endif %}
+ {% if (pod.groups is defined) or (pod.run_as is defined) %}
+ securityContext:
+ {% if (pod.run_as is defined) %}
+ {% if (kaas_project_config.uids | default(kaas_openshift_uids))[pod.run_as] is defined %}
+ - {{ (kaas_project_config.uids | default(kaas_openshift_uids))[pod.run_as].id }}
+ {% else %}
+ - pod.run_as
+ {% endif %}
+ {% endif %}
+ {% if (pod.groups is defined) %}
+ supplementalGroups:
+ {% for group in pod.groups %}
+ {% if (kaas_project_config.gids | default(kaas_openshift_gids))[group] is defined %}
+ - {{ (kaas_project_config.gids | default(kaas_openshift_gids))[group].id }}
+ {% else %}
+ - group
+ {% endif %}
+ {% endfor %}
+ {% endif %}
 {% endif %}
 containers:
 {% for img in pod.images %}
@@ -118,10 +139,12 @@ objects:
 {% endif %}
 {% if img.env is defined %}
 env:
- {% for env_name, env_val in img.env.iteritems() %}
+ {% for env_item in img.env %}
+ {% set env_name = env_item.name %}
+ {% set env_val = env_item.value %}
 {% set env_parts = (env_val | string).split('@') %}
+ - name: "{{ env_name }}"
 {% if env_parts[0] == "secret" %}
- - name: {{ env_name }}
 {% set env_sec = (env_parts[1] | string).split('/') %}
 valueFrom:
 secretKeyRef:
@@ -134,7 +157,7 @@ objects:
 name: {{ env_cm[0] }}
 key: {{ env_cm[1] }}
 {% else %}
- value: {{ env_val }}
+ value: "{{ env_val }}"
 {% endif %}
 {% endfor %}
 {% endif %}
--
cgit v1.2.3
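Review bot: The added `securityContext:` block emits the resolved uid as a bare list item (`- {{ ... }}`) instead of under a `runAsUser:` key, so the rendered `securityContext` becomes a YAML sequence and the `supplementalGroups:` mapping key that follows it cannot parse; the line should read `runAsUser: {{ (kaas_project_config.uids | default(kaas_openshift_uids))[pod.run_as].id }}`. Both `{% else %}` branches also write the literal text `- pod.run_as` and `- group` rather than `runAsUser: {{ pod.run_as }}` and `- {{ group }}`, so an id that is not in the project map is never actually rendered. The new `vol.name | default(name)` for `claimName` falls back to what appears to be the pod loop variable (`img.mappings` is a list, unlike the keyed dict in the volumes template), which would bind a mapping without a `name` to a PVC named after the pod — probably unintended, please confirm. Note that `runAsUser`/`supplementalGroups` requested here are only honoured if the project's SCC permits them; under the default restricted SCC, values outside the namespace's annotated uid/gid ranges are typically rejected at admission. The template `{% if %}` that the added `{% endif %}` closes, and the pod loop, start outside the hunk.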
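Review bot: `value: "{{ env_val }}"` fixes the bare-scalar typing problem but breaks on any value that contains a double quote or a backslash, since the interpolated text lands inside a YAML double-quoted scalar unescaped. Rendering it as `value: {{ env_val | string | to_json }}` produces a correctly escaped quoted scalar for every value, including empty, numeric and boolean-looking ones. The `{% for env_item in img.env %}` loop and the `{% if img.env is defined %}` guard that this hunk closes start outside it.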