support limited capabilities for controller, invoker, and apigw pods

Author: Mike Ludwig

helm/openwhisk/templates/apigateway-pod.yaml

@@ -75,3 +75,9 @@ spec:
               configMapKeyRef:
                 name: {{ .Release.Name }}-whisk.config
                 key: whisk_api_host_url
+{{- if .Values.apigw.secure }}
+          securityContext:
+            capabilities:
+              drop:
+                - all
+{{- end }}

helm/openwhisk/templates/controller-pod.yaml

@@ -79,6 +79,11 @@ spec:
 {{- if .Values.controller.lean }}
         securityContext:
           privileged: true
+{{- else if .Values.controller.secure }}
+        securityContext:
+          capabilities:
+            drop:
+              - all
 {{- end }}
         command: ["/bin/bash", "-c", "/init.sh `hostname | awk -F '-' '{print $NF}'`"]
         ports:

helm/openwhisk/templates/invoker-pod.yaml

@@ -238,5 +238,13 @@ spec:
         ports:
         - name: invoker
           containerPort: {{ .Values.invoker.port }}
+{{- if .Values.invoker.secure }}
+        securityContext:
+          capabilities:
+            drop:
+              - all
+            add:
+              - SYS_ADMIN
+{{- end }}
 {{ include "openwhisk.invoker.volume_mounts" . }}
 {{- end }}

helm/openwhisk/values.yaml

@@ -263,6 +263,7 @@ controller:
   jvmOptions: ""
   loglevel: "INFO"
   resources: ~
+  secure: false
 
 # Invoker configurations
 invoker:
@@ -294,6 +295,7 @@ invoker:
       isolateUserActions: true
       replicaCount: 1
   resources: ~
+  secure: false
 
 # API Gateway configurations
 apigw:
@@ -306,6 +308,7 @@ apigw:
   apiPort: 9000
   mgmtPort: 8080
   resources: ~
+  secure: false
 
 # Redis (used by apigateway)
 redis: