From 080964f141113eb68bcd49f20056641ec1fce637 Mon Sep 17 00:00:00 2001
From: harshit-splunk
Date: Mon, 23 Jan 2023 14:31:38 +0530
Subject: [PATCH] Allow to overwrite default SCC with values.yaml

---
 CHANGELOG.md | 4 +++
 .../templates/securityContextConstraints.yaml | 30 +++++++++++--------
 .../splunk-otel-collector/values.schema.json | 4 +++
 helm-charts/splunk-otel-collector/values.yaml | 4 +++
 4 files changed, 29 insertions(+), 13 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c6db882499..992f62c0a0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
 
+### Added
+
+- Allow to overwrite default SecurityContextConstraints rules with values.yaml file (#643)
+
 ### Fixed
 
 - Default recombine operator for the docker container engine (#627)
diff --git a/helm-charts/splunk-otel-collector/templates/securityContextConstraints.yaml b/helm-charts/splunk-otel-collector/templates/securityContextConstraints.yaml
index 150552f83e..4cde2aee40 100644
--- a/helm-charts/splunk-otel-collector/templates/securityContextConstraints.yaml
+++ b/helm-charts/splunk-otel-collector/templates/securityContextConstraints.yaml
@@ -1,16 +1,4 @@
-{{- if eq (include "splunk-otel-collector.distribution" .) "openshift" }}
-kind: SecurityContextConstraints
-apiVersion: security.openshift.io/v1
-metadata:
-  name: {{ template "splunk-otel-collector.serviceAccountName" . }}
-  labels:
-    {{- include "splunk-otel-collector.commonLabels" . | nindent 4 }}
-    app: {{ template "splunk-otel-collector.name" . }}
-    chart: {{ template "splunk-otel-collector.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
-users:
-- system:serviceaccount:{{ .Release.Namespace }}:{{ template "splunk-otel-collector.serviceAccountName" . }}
+{{- define "splunk-otel-collector.defaultSecurityContextConstraints" -}}
 priority: 10
 allowHostNetwork: true
 allowHostPorts: true
@@ -44,4 +32,20 @@ supplementalGroups:
   type: RunAsAny
 requiredDropCapabilities:
 - ALL
+{{- end -}}
+{{- if eq (include "splunk-otel-collector.distribution" .) "openshift" }}
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+  name: {{ template "splunk-otel-collector.serviceAccountName" . }}
+  labels:
+    {{- include "splunk-otel-collector.commonLabels" . | nindent 4 }}
+    app: {{ template "splunk-otel-collector.name" . }}
+    chart: {{ template "splunk-otel-collector.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+users:
+- system:serviceaccount:{{ .Release.Namespace }}:{{ template "splunk-otel-collector.serviceAccountName" . }}
+{{- $config := include "splunk-otel-collector.defaultSecurityContextConstraints" . | fromYaml }}
+{{- .Values.securityContextConstraintsOverwrite | mustMergeOverwrite $config | toYaml }}
 {{- end }}
diff --git a/helm-charts/splunk-otel-collector/values.schema.json b/helm-charts/splunk-otel-collector/values.schema.json
index ae19d63243..0079789047 100644
--- a/helm-charts/splunk-otel-collector/values.schema.json
+++ b/helm-charts/splunk-otel-collector/values.schema.json
@@ -1133,6 +1133,10 @@
       "description": "Apply for k8s cluster with windows worker node.",
       "type": "boolean"
     },
+    "securityContextConstraintsOverwrite": {
+      "description": "Openshift SecurityContextConstraints can be overriden in this field.",
+      "type": "object"
+    },
     "gateway": {
       "description": "Splunk OpenTelemetry Collector gateway deployment configuration.",
       "type": "object",
diff --git a/helm-charts/splunk-otel-collector/values.yaml b/helm-charts/splunk-otel-collector/values.yaml
index aa4bee3611..7deefea56b 100644
--- a/helm-charts/splunk-otel-collector/values.yaml
+++ b/helm-charts/splunk-otel-collector/values.yaml
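Review bot: The `{{-` on the final `toYaml` line trims the newline that ends the `users` entry, so the first merged SCC key is rendered onto the same line as the service-account name rather than starting a new top-level key; I would check the output with `helm template` and change the line to `{{- .Values.securityContextConstraintsOverwrite | mustMergeOverwrite $config | toYaml | nindent 0 }}` so the merged fields always begin at column 0. Because the overwrite map is merged only over the `define` block and emitted after the hard-coded `kind`/`apiVersion`/`metadata`/`users` lines, an overwrite that contains `metadata` or `users` yields duplicate top-level keys in the rendered manifest, and any other SCC field (including the ones that widen what the collector's service account may run with) can be relaxed from values alone, so a comment above the merge line stating that `metadata` and `users` are not mergeable and that the map can both tighten and loosen the default SCC would help reviewers of a values file. Sprig's merge functions are backed by mergo, whose treatment of zero-valued source values (`false`, `0`, empty) has not been consistent across versions, so a rendered-template test that sets e.g. `allowHostNetwork: false` in the overwrite and asserts the rendered value would confirm that the tightening use case actually works.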
@@ -964,6 +964,10 @@ livenessProbe:
 # Specifies whether to apply for k8s cluster with windows worker node.
 isWindows: false
 
+# Openshift SecurityContextConstraints can be overriden in this field.
+# NOTE: This config will only be used when distribution=openshift
+securityContextConstraintsOverwrite: {}
+
 ################################################################################
 # OpenTelemetry "collector" k8s deployment configuration.
 # This is an additional deployment of Open-telemetry collector that can be used
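Review bot: The comment on the new `securityContextConstraintsOverwrite` key misspells "overridden" (`overriden`, also in the values.schema.json description in this patch) and does not say how the map is applied to the chart's default SCC. I would replace the two comment lines with `# Openshift SecurityContextConstraints fields that are deep-merged over the chart's default SCC; the map can both tighten and loosen the default rules.` and `# NOTE: Only used when distribution=openshift; metadata and users are set by the chart and are not part of the merged defaults.`. That tells an operator what the knob reaches and what it does not before they rely on it to restrict the collector's permissions.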