
Commit 96308f8

committed
add securityContext for more containers using st2actionrunner as fallback for some
Some of the jobs and other utility containers need more permissions to modify files. The st2actionrunner pods are most likely to have the most permissive permissions, so default to that if the deployment/job-specific securityContext values are not defined.
1 parent 14d4559 commit 96308f8


4 files changed

+23
-14
lines changed


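--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -344,7 +344,8 @@ Merge packs and virtualenvs from st2 with those from st2packs images
 - |
 /bin/cp -aR /opt/stackstorm/packs/. /opt/stackstorm/packs-shared &&
 /bin/cp -aR /opt/stackstorm/virtualenvs/. /opt/stackstorm/virtualenvs-shared
-{{- with $.Values.securityContext }}
+{{- with .securityContext | default $.Values.st2actionrunner.securityContext | default $.Values.securityContext }}
+{{/* st2actionrunner is likely the most permissive so use that if defined. */}}
 securityContext: {{- toYaml . | nindent 8 }}
 {{- end }}
 {{- end }}
@@ -365,7 +366,8 @@ Merge packs and virtualenvs from st2 with those from st2packs images
 - |
 /bin/cp -aR /opt/stackstorm/packs/. /opt/stackstorm/packs-shared &&
 /bin/cp -aR /opt/stackstorm/virtualenvs/. /opt/stackstorm/virtualenvs-shared
-{{- with .Values.securityContext }}
+{{- with .Values.st2actionrunner.securityContext | default .Values.securityContext }}
+{{/* st2actionrunner is likely the most permissive so use that if defined. */}}
 securityContext: {{- toYaml . | nindent 8 }}
 {{- end }}
 {{- end }}
@@ -384,7 +386,8 @@ Merge packs and virtualenvs from st2 with those from st2packs images
 - '-ec'
 - |
 /bin/cp -aR /opt/stackstorm/configs/. /opt/stackstorm/configs-shared
-{{- with .Values.securityContext }}
+{{- with .Values.st2actionrunner.securityContext | default .Values.securityContext }}
+{{/* st2actionrunner is likely the most permissive so use that if defined. */}}
 securityContext: {{- toYaml . | nindent 8 }}
 {{- end }}
 {{- end }}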
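Review bot: The new `{{/* st2actionrunner is likely the most permissive ... */}}` comment lines in all three hunks (and the three in templates/jobs.yaml at new lines 415, 430 and 476) carry no trim marker, so whenever a securityContext is set the rendered manifest gets a whitespace-only line between the container spec and `securityContext:`. That is still valid YAML, so the effect is cosmetic, but it differs from every other template action in these hunks, which all use `{{-`. Writing the line as `{{- /* st2actionrunner is likely the most permissive so use that if defined. */}}` (or moving the comment above the `with` line) keeps the output identical to what the chart rendered before this change. The enclosing named templates start and end outside these hunks.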

templates/deployments.yaml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1600,7 +1600,7 @@ spec:
16001600
- name: generate-st2client-config
16011601
image: '{{ template "stackstorm-ha.imageRepository" . }}/st2actionrunner:{{ tpl (.Values.st2client.image.tag | default (.Values.st2actionrunner.image.tag | default .Values.image.tag)) . }}'
16021602
imagePullPolicy: {{ .Values.image.pullPolicy }}
1603-
{{- with .Values.securityContext }}
1603+
{{- with .Values.st2client.securityContext | default .Values.st2actionrunner.securityContext | default .Values.securityContext }}
16041604
securityContext: {{- toYaml . | nindent 10 }}
16051605
{{- end }}
16061606
envFrom:
@@ -1627,7 +1627,7 @@ spec:
16271627
- name: st2client
16281628
image: '{{ template "stackstorm-ha.imageRepository" . }}/st2actionrunner:{{ tpl (.Values.st2client.image.tag | default .Values.image.tag) . }}'
16291629
imagePullPolicy: {{ .Values.image.pullPolicy }}
1630-
{{- with default .Values.securityContext .Values.st2actionrunner.securityContext }}
1630+
{{- with .Values.st2client.securityContext | default .Values.st2actionrunner.securityContext | default .Values.securityContext }}
16311631
securityContext: {{- toYaml . | nindent 10 }}
16321632
{{- end }}
16331633
env:
@@ -1728,7 +1728,7 @@ spec:
17281728
{{- with .Values.dnsConfig }}
17291729
dnsConfig: {{- toYaml . | nindent 8 }}
17301730
{{- end }}
1731-
{{- with default .Values.podSecurityContext .Values.st2client.podSecurityContext }}
1731+
{{- with .Values.st2client.podSecurityContext | default .Values.st2actionrunner.podSecurityContext | default .Values.podSecurityContext }}
17321732
securityContext: {{- toYaml . | nindent 8 }}
17331733
{{- end }}
17341734
{{- with .Values.st2client.nodeSelector }}
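Review bot: The third hunk (new line 1731) changes the effective pod-level securityContext of the existing st2client Deployment, not just of jobs: a release that sets `st2actionrunner.podSecurityContext` but leaves `st2client.podSecurityContext` empty now renders the st2actionrunner value where it previously rendered the chart-wide `podSecurityContext`. The same applies to the two container-level hunks at 1603 and 1630. Nothing in this commit documents that fallback for st2client, so I would add a comment next to the st2client `podSecurityContext`/`securityContext` keys in values.yaml (outside this diff) along the lines of `# if unset, falls back to the st2actionrunner values, then to the chart-wide podSecurityContext/securityContext`, and mention the behaviour change in the chart changelog. The st2client pod template begins before the first hunk and continues after the last.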

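--- a/templates/jobs.yaml
+++ b/templates/jobs.yaml
@@ -411,7 +411,8 @@ spec:
 - name: st2-register-content-custom-init
 image: '{{ template "stackstorm-ha.imageRepository" . }}/st2actionrunner:{{ tpl (.Values.jobs.image.tag | default (.Values.st2actionrunner.image.tag | default .Values.image.tag)) . }}'
 imagePullPolicy: {{ .Values.image.pullPolicy }}
-{{- with .Values.securityContext }}
+{{- with .Values.st2actionrunner.securityContext | default .Values.securityContext }}
+{{/* st2actionrunner is likely the most permissive so use that if defined. */}}
 securityContext: {{- toYaml . | nindent 10 }}
 {{- end }}
 command: {{- toYaml $.Values.jobs.preRegisterContentCommand | nindent 8 }}
@@ -425,7 +426,8 @@ spec:
 - name: st2-register-content
 image: '{{ template "stackstorm-ha.imageRepository" . }}/st2actionrunner:{{ tpl (.Values.jobs.image.tag | default (.Values.st2actionrunner.image.tag | default .Values.image.tag)) . }}'
 imagePullPolicy: {{ .Values.image.pullPolicy }}
-{{- with .Values.securityContext }}
+{{- with .Values.st2actionrunner.securityContext | default .Values.securityContext }}
+{{/* st2actionrunner is likely the most permissive so use that if defined. */}}
 securityContext: {{- toYaml . | nindent 10 }}
 {{- end }}
 command:
@@ -470,7 +472,8 @@ spec:
 {{- with .Values.dnsConfig }}
 dnsConfig: {{- toYaml . | nindent 8 }}
 {{- end }}
-{{- with .Values.podSecurityContext }}
+{{- with .Values.st2actionrunner.podSecurityContext | default .Values.podSecurityContext }}
+{{/* st2actionrunner is likely the most permissive so use that if defined. */}}
 securityContext: {{- toYaml . | nindent 8 }}
 {{- end }}
 {{- with .Values.jobs.nodeSelector }}
@@ -641,7 +644,7 @@ spec:
 - name: generate-st2client-config
 image: '{{ template "stackstorm-ha.imageRepository" $ }}/st2actionrunner:{{ tpl ($.Values.jobs.image.tag | default ($.Values.st2actionrunner.image.tag | default $.Values.image.tag)) $ }}'
 imagePullPolicy: {{ $.Values.image.pullPolicy }}
-{{- with $.Values.securityContext }}
+{{- with default $.Values.st2actionrunner.securityContext | default $.Values.securityContext }}
 securityContext: {{- toYaml . | nindent 10 }}
 {{- end }}
 envFrom:
@@ -668,7 +671,7 @@ spec:
 - name: {{ $name }}
 image: '{{ template "stackstorm-ha.imageRepository" $ }}/st2actionrunner:{{ tpl ($.Values.jobs.image.tag | default ($.Values.st2actionrunner.image.tag | default $.Values.image.tag)) $ }}'
 imagePullPolicy: {{ $.Values.image.pullPolicy }}
-{{- with $.Values.securityContext }}
+{{- with .securityContext | default $.Values.st2actionrunner.securityContext | default $.Values.securityContext }}
 securityContext: {{- toYaml . | nindent 10 }}
 {{- end }}
 {{- if $.Values.jobs.env }}
@@ -718,7 +721,7 @@ spec:
 {{- with $.Values.dnsConfig }}
 dnsConfig: {{- toYaml . | nindent 8 }}
 {{- end }}
-{{- with $.Values.podSecurityContext }}
+{{- with $.Values.jobs.podSecurityContext | default $.Values.st2actionrunner.podSecurityContext | default $.Values.podSecurityContext }}
 securityContext: {{- toYaml . | nindent 8 }}
 {{- end }}
 {{- with $.Values.jobs.nodeSelector }}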
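Review bot: The hunk at new line 647 reads `{{- with default $.Values.st2actionrunner.securityContext | default $.Values.securityContext }}`, with a stray leading `default` that none of the other hunks have. Because Sprig's `default` is variadic, a single-argument `default X` just yields X, so the expression still evaluates to the st2actionrunner value with the chart-wide value as fallback, but it reads as a typo and differs from the same init container in templates/deployments.yaml (new line 1603) and from the sibling container at new line 674 here. I would write it as `{{- with $.Values.st2actionrunner.securityContext | default $.Values.securityContext }}`, or, if this init container is meant to honour the per-job override that line 674 applies to the main container, as `{{- with .securityContext | default $.Values.st2actionrunner.securityContext | default $.Values.securityContext }}`. The extra-hooks `range` that sets `$name` and `.securityContext` begins before this hunk.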

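--- a/values.yaml
+++ b/values.yaml
@@ -150,6 +150,8 @@ st2:
 # pullPolicy: IfNotPresent
 # Optional name of the imagePullSecret if your custom packs image is hosted by a private Docker registry
 # pullSecret: st2packs-auth
+# Optional .securityContext override for container
+# securityContext:
 
 # Custom packs volumes definitions.
 #
@@ -288,7 +290,7 @@ st2:
 
 ##
 ## Default SecurityContext for pods and containers.
-## Overrides available for st2web, st2actionrunner, st2sensorcontainer, and st2client pods.
+## Overrides available for st2web, st2actionrunner, st2sensorcontainer, st2client pods, and custom packs images.
 ##
 podSecurityContext: {}
 securityContext: {}
@@ -703,7 +705,7 @@ st2actionrunner:
 attach: false
 # override the default .podSecurityContext or .securityContext here
 podSecurityContext: {}
-securityContext: {}
+securityContext: {} # also applies to init or jobs containers that copy/modify files
 # postStartScript is optional. It has the contents of a bash script.
 # k8s will run the script in the st2 container in parallel with the ENTRYPOINT.
 # The pod will not be marked as "running" until this script completes successfully.
@@ -984,6 +986,7 @@ jobs:
 # hook: post-install # required "helm.sh/hook"
 # hook_weight: 10 # optional hook_weight (defaults to 10)
 # resources: {} # optional definition of resources to request
+# securityContext: {} # optional definition of container securityContext override
 # command: # required command to run
 # - st2
 # - run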
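Review bot: In the third hunk only `securityContext` under `st2actionrunner` gets the new "also applies to" comment, but the templates in this commit also use `st2actionrunner.podSecurityContext` as the fallback for the jobs pods (templates/jobs.yaml new lines 475 and 724) and the st2client pod (templates/deployments.yaml new line 1731), so the unchanged `podSecurityContext: {}` line should say so too, e.g. `podSecurityContext: {}  # also used as the fallback podSecurityContext for the jobs and st2client pods`. The new `# Optional .securityContext override for container` comment in the first hunk does not say which container it applies to; from the _helpers.tpl hunk it appears to be the init container that copies that image's packs and virtualenvs, so `# Optional securityContext override for the init container that copies this image's packs/virtualenvs (falls back to st2actionrunner.securityContext, then the chart-wide securityContext)` would be clearer. Since this fallback chain is how a job or init container ends up with the "most permissive" context, stating it explicitly in values.yaml is what lets an operator see which containers a change to `st2actionrunner.securityContext` reaches.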
