fix(pvc): Add default fsGroup & remove empty-volume

yyvess · Jan 31, 2024 · e61aa95 · e61aa95
1 parent ddbc1ce
commit e61aa95
Show file tree

Hide file tree

Showing 15 changed files with 57 additions and 108 deletions.
diff --git a/samples/minimum/ingress-pvc-values.cue b/samples/minimum/ingress-pvc-values.cue
@@ -19,27 +19,13 @@ values: {
 		storageClassName: "sc-kube-playground"
 	}
 
-	httpPort: 80
-	service: port: 80
-
 	resources: {
 		limits: {
 			cpu:    "1000m"
 			memory: "768Mi"
 		}
 	}
 
-	securityContext: {
-		runAsUser:    0
-		runAsGroup:   0
-		runAsNonRoot: false
-		capabilities:
-		{
-			add: ["NET_BIND_SERVICE"]
-			drop: ["ALL"]
-		}
-	}
-
 	ingress: {
 		ingressClassName: "ing-kube-playground"
 		tls: [{
@@ -57,7 +43,7 @@ values: {
 						service: {
 							name: "keycloak-web"
 							port: {
-								number: 80
+								number: 8080
 							}
 						}}
 				}]

diff --git a/templates/config.cue b/templates/config.cue
@@ -97,7 +97,10 @@ import (
 
 	// Pod optional settings.
 	podAnnotations?: {[string]: string}
-	podSecurityContext?: corev1.#PodSecurityContext
+	podSecurityContext: corev1.#PodSecurityContext | *{
+		fsGroup:             1000
+		fsGroupChangePolicy: "OnRootMismatch"
+	}
 	imagePullSecrets?: [...timoniv1.ObjectReference]
 	tolerations?: [...corev1.#Toleration]
 	affinity?: corev1.#Affinity

diff --git a/templates/deployment.cue b/templates/deployment.cue
@@ -144,10 +144,6 @@ import (
 							}
 						}
 						volumeMounts: [
-								{
-									name:      "tmp"
-									mountPath: "/tmp"
-								},
 							if #highAvailability {
 								{
 									name:      "cache"
@@ -181,12 +177,6 @@ import (
 					},
 				]
 				volumes: [
-					{
-						name: "tmp"
-						emptyDir: {
-							sizeLimit: "128Mi"
-						}
-					},
 					if #certSecretName != _|_ {
 						{
 							name: "certs"

diff --git a/test/certificate.yaml b/test/certificate.yaml
@@ -387,8 +387,6 @@ spec:
           initialDelaySeconds: 30
           periodSeconds: 15
         volumeMounts:
-        - mountPath: /tmp
-          name: tmp
         - mountPath: /opt/keycloak/conf
           name: cache
           readOnly: true
@@ -398,11 +396,11 @@ spec:
         - mountPath: /jks
           name: jks
           readOnly: true
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
       serviceAccountName: default
       volumes:
-      - emptyDir:
-          sizeLimit: 128Mi
-        name: tmp
       - name: certs
         secret:
           secretName: keycloak-cert

diff --git a/test/external-secrets.yaml b/test/external-secrets.yaml
@@ -169,19 +169,17 @@ spec:
           initialDelaySeconds: 30
           periodSeconds: 15
         volumeMounts:
-        - mountPath: /tmp
-          name: tmp
         - mountPath: /certs
           name: certs
           readOnly: true
         - mountPath: /jks
           name: jks
           readOnly: true
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
       serviceAccountName: existing-sa
       volumes:
-      - emptyDir:
-          sizeLimit: 128Mi
-        name: tmp
       - name: certs
         secret:
           secretName: keycloak-cert

diff --git a/test/http.yaml b/test/http.yaml
@@ -122,12 +122,10 @@ spec:
             scheme: HTTP
           initialDelaySeconds: 30
           periodSeconds: 15
-        volumeMounts:
-        - mountPath: /tmp
-          name: tmp
+        volumeMounts: []
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
       serviceAccountName: default
-      volumes:
-      - emptyDir:
-          sizeLimit: 128Mi
-        name: tmp
+      volumes: []
 ---
diff --git a/test/ingress-pvc.yaml b/test/ingress-pvc.yaml
@@ -17,7 +17,7 @@ spec:
   ports:
   - appProtocol: http
     name: http
-    port: 80
+    port: 8080
     protocol: TCP
     targetPort: http
   selector:
@@ -61,7 +61,7 @@ spec:
           service:
             name: keycloak-web
             port:
-              number: 80
+              number: 8080
         path: /
         pathType: Prefix
   tls:
@@ -103,8 +103,6 @@ spec:
           value: local
         - name: KC_DB
           value: dev-file
-        - name: KC_HTTP_PORT
-          value: "80"
         - name: KEYCLOAK_ADMIN
           value: admin
         - name: KEYCLOAK_ADMIN_PASSWORD
@@ -126,7 +124,7 @@ spec:
           timeoutSeconds: 10
         name: keycloak
         ports:
-        - containerPort: 80
+        - containerPort: 8080
           name: http
           protocol: TCP
         readinessProbe:
@@ -148,15 +146,11 @@ spec:
         securityContext:
           allowPrivilegeEscalation: false
           capabilities:
-            add:
-            - NET_BIND_SERVICE
             drop:
             - ALL
           privileged: false
           readOnlyRootFilesystem: false
-          runAsGroup: 0
-          runAsNonRoot: false
-          runAsUser: 0
+          runAsNonRoot: true
           seccompProfile:
             type: RuntimeDefault
         startupProbe:
@@ -168,15 +162,13 @@ spec:
           initialDelaySeconds: 30
           periodSeconds: 15
         volumeMounts:
-        - mountPath: /tmp
-          name: tmp
         - mountPath: /opt/keycloak/data/h2
           name: data
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
       serviceAccountName: default
       volumes:
-      - emptyDir:
-          sizeLimit: 128Mi
-        name: tmp
       - name: data
         persistentVolumeClaim:
           claimName: keycloak

diff --git a/test/ingress.yaml b/test/ingress.yaml
@@ -136,12 +136,10 @@ spec:
             scheme: HTTP
           initialDelaySeconds: 30
           periodSeconds: 15
-        volumeMounts:
-        - mountPath: /tmp
-          name: tmp
+        volumeMounts: []
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
       serviceAccountName: default
-      volumes:
-      - emptyDir:
-          sizeLimit: 128Mi
-        name: tmp
+      volumes: []
 ---
diff --git a/test/minimum.yaml b/test/minimum.yaml
@@ -109,12 +109,10 @@ spec:
             scheme: HTTP
           initialDelaySeconds: 30
           periodSeconds: 15
-        volumeMounts:
-        - mountPath: /tmp
-          name: tmp
+        volumeMounts: []
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
       serviceAccountName: default
-      volumes:
-      - emptyDir:
-          sizeLimit: 128Mi
-        name: tmp
+      volumes: []
 ---
diff --git a/test/networkpolicy.yaml b/test/networkpolicy.yaml
@@ -138,12 +138,10 @@ spec:
             scheme: HTTP
           initialDelaySeconds: 30
           periodSeconds: 15
-        volumeMounts:
-        - mountPath: /tmp
-          name: tmp
+        volumeMounts: []
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
       serviceAccountName: default
-      volumes:
-      - emptyDir:
-          sizeLimit: 128Mi
-        name: tmp
+      volumes: []
 ---
diff --git a/test/pdb.yaml b/test/pdb.yaml
@@ -262,16 +262,14 @@ spec:
           initialDelaySeconds: 30
           periodSeconds: 15
         volumeMounts:
-        - mountPath: /tmp
-          name: tmp
         - mountPath: /opt/keycloak/conf
           name: cache
           readOnly: true
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
       serviceAccountName: default
       volumes:
-      - emptyDir:
-          sizeLimit: 128Mi
-        name: tmp
       - configMap:
           items:
           - key: cache-ispn.xml

diff --git a/test/postgres-istio.yaml b/test/postgres-istio.yaml
@@ -405,19 +405,17 @@ spec:
           initialDelaySeconds: 30
           periodSeconds: 15
         volumeMounts:
-        - mountPath: /tmp
-          name: tmp
         - mountPath: /opt/keycloak/conf
           name: cache
           readOnly: true
         - mountPath: /jks
           name: jks
           readOnly: true
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
       serviceAccountName: default
       volumes:
-      - emptyDir:
-          sizeLimit: 128Mi
-        name: tmp
       - name: jks
         secret:
           secretName: keycloak-jks

diff --git a/test/pvc.yaml b/test/pvc.yaml
@@ -128,15 +128,13 @@ spec:
           initialDelaySeconds: 30
           periodSeconds: 15
         volumeMounts:
-        - mountPath: /tmp
-          name: tmp
         - mountPath: /opt/keycloak/data/h2
           name: data
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
       serviceAccountName: default
       volumes:
-      - emptyDir:
-          sizeLimit: 128Mi
-        name: tmp
       - name: data
         persistentVolumeClaim:
           claimName: keycloak

diff --git a/test/sa.yaml b/test/sa.yaml
@@ -121,12 +121,10 @@ spec:
             scheme: HTTP
           initialDelaySeconds: 30
           periodSeconds: 15
-        volumeMounts:
-        - mountPath: /tmp
-          name: tmp
+        volumeMounts: []
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
       serviceAccountName: custom-sa
-      volumes:
-      - emptyDir:
-          sizeLimit: 128Mi
-        name: tmp
+      volumes: []
 ---
diff --git a/test/virtualservice.yaml b/test/virtualservice.yaml
@@ -180,12 +180,10 @@ spec:
             scheme: HTTP
           initialDelaySeconds: 30
           periodSeconds: 15
-        volumeMounts:
-        - mountPath: /tmp
-          name: tmp
+        volumeMounts: []
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
       serviceAccountName: default
-      volumes:
-      - emptyDir:
-          sizeLimit: 128Mi
-        name: tmp
+      volumes: []
 ---