Add SecurityContext for cronJob and remove kolla

We do not need kolla and the whole keystone config to run trust_flush.
This patch adds two key items:
1. getCronJobVolumeMounts function to get volumes mounted to the
   destination path directly
2. BaseSecurityContext to run the resulting Pod as an unprivileged one

Signed-off-by: Francesco Pantano <[email protected]>

Author: fmount

pkg/keystone/const.go

@@ -28,9 +28,9 @@ const (
 	KeystonePublicPort int32 = 5000
 	// KeystoneInternalPort -
 	KeystoneInternalPort int32 = 5000
-	// Keystone UID based on kolla
+	// KeystoneUID is based on kolla
 	// https://github.com/openstack/kolla/blob/master/kolla/common/users.py
-	KeystoneUID = 42425
+	KeystoneUID int64 = 42425
 	// DefaultFernetMaxActiveKeys -
 	DefaultFernetMaxActiveKeys = 5
 	// DefaultFernetRotationDays -

pkg/keystone/cronjob.go

@@ -26,7 +26,7 @@ import (
 
 const (
 	// TrustFlushCommand -
-	TrustFlushCommand = "/usr/local/bin/kolla_set_configs && keystone-manage trust_flush"
+	TrustFlushCommand = "keystone-manage trust_flush"
 )
 
 // CronJob func
@@ -35,7 +35,6 @@ func CronJob(
 	labels map[string]string,
 	annotations map[string]string,
 ) *batchv1.CronJob {
-	runAsUser := int64(0)
 
 	args := []string{"-c", TrustFlushCommand + instance.Spec.TrustFlushArgs}
 
@@ -47,12 +46,12 @@ func CronJob(
 
 	// create Volume and VolumeMounts
 	volumes := getVolumes(instance)
-	volumeMounts := getVolumeMounts()
+	volumeMounts := getCronJobVolumeMounts()
 
 	// add CA cert if defined
 	if instance.Spec.TLS.CaBundleSecretName != "" {
 		volumes = append(getVolumes(instance), instance.Spec.TLS.CreateVolume())
-		volumeMounts = append(getVolumeMounts(), instance.Spec.TLS.CreateVolumeMounts(nil)...)
+		volumeMounts = append(getCronJobVolumeMounts(), instance.Spec.TLS.CreateVolumeMounts(nil)...)
 	}
 
 	cronjob := &batchv1.CronJob{
@@ -81,12 +80,10 @@ func CronJob(
 									Command: []string{
 										"/bin/bash",
 									},
-									Args:         args,
-									Env:          env.MergeEnvs([]corev1.EnvVar{}, envVars),
-									VolumeMounts: volumeMounts,
-									SecurityContext: &corev1.SecurityContext{
-										RunAsUser: &runAsUser,
-									},
+									Args:            args,
+									Env:             env.MergeEnvs([]corev1.EnvVar{}, envVars),
+									VolumeMounts:    volumeMounts,
+									SecurityContext: BaseSecurityContext(),
 								},
 							},
 							Volumes:            volumes,

pkg/keystone/funcs.go

@@ -0,0 +1,22 @@
+package keystone
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/utils/ptr"
+)
+
+// BaseSecurityContext - currently used to make sure we don't run cronJob and Log
+// Pods as root user, and we drop privileges and Capabilities we don't need
+func BaseSecurityContext() *corev1.SecurityContext {
+	return &corev1.SecurityContext{
+		RunAsUser:                ptr.To(KeystoneUID),
+		RunAsGroup:               ptr.To(KeystoneUID),
+		RunAsNonRoot:             ptr.To(true),
+		AllowPrivilegeEscalation: ptr.To(false),
+		Capabilities: &corev1.Capabilities{
+			Drop: []corev1.Capability{
+				"ALL",
+			},
+		},
+	}
+}

pkg/keystone/volumes.go

@@ -121,3 +121,26 @@ func getVolumeMounts() []corev1.VolumeMount {
 		},
 	}
 }
+
+// getCronJobVolumeMounts - cronjob volumeMounts
+func getCronJobVolumeMounts() []corev1.VolumeMount {
+	return []corev1.VolumeMount{
+		{
+			Name:      "config-data",
+			MountPath: "/etc/keystone/keystone.conf",
+			SubPath:   "keystone.conf",
+			ReadOnly:  true,
+		},
+		{
+			Name:      "config-data",
+			MountPath: "/etc/my.cnf",
+			SubPath:   "my.cnf",
+			ReadOnly:  true,
+		},
+		{
+			Name:      "fernet-keys",
+			MountPath: "/etc/keystone/fernet-keys",
+			ReadOnly:  true,
+		},
+	}
+}