
Merge pull request #14094 from richardkchapman/securitypolicies

HPCC-24636 Fix issues with missing service accounts

Reviewed-by: Jake Smith
Reviewed-by: Gavin Halliday <ghalliday@hpccsystems.com>
Merged-by: Gavin Halliday <ghalliday@hpccsystems.com>
Gavin Halliday 4 年之前
69dc4de9ba

+ 12 - 4
helm/hpcc/templates/_helpers.tpl

@@ -463,16 +463,24 @@ Add any bundles
 Add security context
 Pass in a dictionary with root and me defined
 */}}
-{{- define "hpcc.addSecurityContext" -}}
-{{- if .root.Values.global.privileged }}
+{{- define "hpcc.addSecurityContext" }}
 securityContext:
+{{- if .root.Values.global.privileged }}
   privileged: true
   capabilities:
     add:
     - SYS_PTRACE
+{{- else }}
+  capabilities:
+    drop:
+    - ALL
+  allowPrivilegeEscalation: false
 {{- end }}
-{{- end -}}
-
+  runAsNonRoot: true
+  runAsUser: 999
+  runAsGroup: 1000
+  readOnlyRootFilesystem: false
+{{ end -}}
 
 {{/*
 Generate instance queue names
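Review bot: In the `privileged` branch, `capabilities.add: [SYS_PTRACE]` is redundant: `privileged: true` already grants the container every capability, so the `add` block documents intent but changes nothing, and a comment above `privileged: true` saying what privileged mode is actually needed for would help the next reader decide whether the non-privileged path (drop ALL, `allowPrivilegeEscalation: false`, which is the right default) plus a single added capability would do. The UID/GID are hard-coded (`runAsUser: 999`, `runAsGroup: 1000`) while the privileged switch comes from `.root.Values.global`; consider reading them from a values entry with these numbers as defaults so images built with a different user can still satisfy `runAsNonRoot: true`. `readOnlyRootFilesystem: false` is the one hardening setting the template explicitly turns off, so a one-line comment stating why a writable root filesystem is required belongs above it. The `define` no longer trims its leading newline and the closing tag changed to `{{ end -}}`; the callers all pipe through `indent`, which appears to tolerate this, but it is worth confirming on rendered output.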

+ 1 - 0
helm/hpcc/templates/dali.yaml

@@ -14,6 +14,7 @@ spec:
       labels:
         run: {{ .name | quote }}
     spec:
+      serviceAccountName: "hpcc-default"
       initContainers: 
         {{- include "hpcc.checkDaliMount" (dict "root" $) | indent 6 }}
       containers:

+ 4 - 2
helm/hpcc/templates/eclagent.yaml

@@ -16,7 +16,7 @@ spec:
       labels:
         run: {{ .name | quote }}
     spec:
-      serviceAccountName: hpcc
+      serviceAccountName: {{ .useChildProcesses | default false | ternary "hpcc-default" "hpcc-agent" }}
       initContainers:
         {{- include "hpcc.checkDataMount" (dict "root" $) | indent 6 }}
       containers:
@@ -55,6 +55,7 @@ data:
 {{- include "hpcc.generateLoggingConfig" (dict "root" $ "me" .) | indent 6 }}
     global:
 {{ include "hpcc.generateGlobalConfigMap" $ | indent 6 }}
+{{- if not .useChildProcesses }} 
   {{ $apptype }}-jobspec.yaml: |
     apiVersion: batch/v1
     kind: Job
@@ -64,6 +65,7 @@ data:
       ttlSecondsAfterFinished: 100
       template:
         spec:
+          serviceAccountName: "hpcc-default"
           containers:
           - name: %jobname
 {{- include "hpcc.addSecurityContext" (dict "root" $ "me" .) | indent 12 }}
@@ -94,7 +96,7 @@ data:
 {{ include "hpcc.addSecretVolumes" (dict "root" $ "categories" (list "all" "ecl" "storage" ) ) | indent 10 }}
           restartPolicy: Never
       backoffLimit: 0
-      
+{{- end }}      
 ---
 {{- end }}
 {{- end }}
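Review bot: The conditional guards added around the jobspec carry trailing whitespace — `{{- if not .useChildProcesses }} ` ends in a space and `{{- end }}      ` in six spaces — and because `{{-` trims the newline before each tag, those spaces appear to be emitted into the rendered ConfigMap (after the last line of the global config block, or onto the `backoffLimit: 0` line inside the `jobspec.yaml` block scalar); strip them to `{{- if not .useChildProcesses }}` and `{{- end }}`. The same two lines appear in eclccserver.yaml. The ternary on the pod's `serviceAccountName` is right (Sprig `ternary` takes the true-value first, so `useChildProcesses` → `hpcc-default`), but its result is unquoted while the job template in the same file writes `"hpcc-default"`; pick one form.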

+ 5 - 2
helm/hpcc/templates/eclccserver.yaml

@@ -14,7 +14,7 @@ spec:
       labels:
         run: {{ .name | quote }}
     spec:
-      serviceAccountName: hpcc
+      serviceAccountName: {{ .useChildProcesses | default false | ternary "hpcc-default" "hpcc-agent" }}
       terminationGracePeriodSeconds: {{ .terminationGracePeriodSeconds | default 600 }}
       initContainers:
         {{- include "hpcc.checkDllMount" (dict "root" $) | indent 6 }}
@@ -58,6 +58,7 @@ data:
 {{ include "hpcc.generateConfigMapQueues" $ | indent 6 }}
     global:
 {{ include "hpcc.generateGlobalConfigMap" $ | indent 6 }}
+{{- if not .useChildProcesses }} 
   compile-jobspec.yaml: |
     apiVersion: batch/v1
     kind: Job
@@ -67,6 +68,7 @@ data:
       ttlSecondsAfterFinished: 100
       template:
         spec:
+          serviceAccountName: "hpcc-default"
           containers:
           - name: %jobname
 {{- include "hpcc.addSecurityContext" (dict "root" $ "me" .) | indent 12 }}
@@ -97,7 +99,8 @@ data:
 {{ include "hpcc.addSecretVolumes" (dict "root" $ "categories" (list "all" ) ) | indent 10 }}
           restartPolicy: Never
       backoffLimit: 0
-      
+{{- end }}      
+
 ---
 {{- end }}
 {{- end }}

+ 1 - 0
helm/hpcc/templates/esp.yaml

@@ -15,6 +15,7 @@ spec:
       labels:
         run: {{ .name | quote }}
     spec:
+      serviceAccountName: "hpcc-default"
       containers:
       - name: {{ .name | quote }}
         workingDir: /var/lib/HPCCSystems

+ 1 - 0
helm/hpcc/templates/localroxie.yaml

@@ -20,6 +20,7 @@ spec:
         run: {{ $roxie.name | quote }}
         roxie-server: {{ $servername | quote }}
     spec:
+      serviceAccountName: "hpcc-default"
       initContainers:
         {{- include "hpcc.checkDataMount" (dict "root" $) | indent 6 }}
       containers:

+ 3 - 0
helm/hpcc/templates/roxie.yaml

@@ -21,6 +21,7 @@ spec:
       labels:
         run: {{ $toponame | quote }}
     spec:
+      serviceAccountName: "hpcc-default"
       containers:
       - name: {{ $toponame | quote }}
 {{- include "hpcc.addSecurityContext" (dict "root" $ "me" .) | indent 8 }}
@@ -103,6 +104,7 @@ spec:
         run: {{ $servername | quote }}
         roxie-server: {{ $servername | quote }}
     spec:
+      serviceAccountName: "hpcc-default"
       initContainers:
         {{- include "hpcc.checkDataMount" (dict "root" $) | indent 6 }}
       containers:
@@ -161,6 +163,7 @@ spec:
         roxie-server: {{ $servername | quote }}
 {{- end }}
     spec:
+      serviceAccountName: "hpcc-default"
       initContainers:
         {{- include "hpcc.checkDataMount" (dict "root" $) | indent 6 }}
       containers:

+ 13 - 8
helm/hpcc/templates/service-account.yaml

@@ -1,13 +1,19 @@
-# { {- if .Values.rbac.create -}}
+# The hpcc-default service account is used by ay component that doesn't need API access to launch child jobs
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: hpcc
+  name: hpcc-default
+---
+# The hpcc-agent service account is used by any component that DOES need API access to launch child jobs
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: hpcc-agent
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: hpcc
+  name: hpcc-agent
 rules:
   - apiGroups: [ "" ] # core API group
     resources: [ "pods" ]
@@ -19,13 +25,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: hpcc
+  name: hpcc-agent
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: hpcc
+  name: hpcc-agent
 subjects:
   - kind: ServiceAccount
-    name: hpcc
-    #namespace: hpcc
-#{ {- end -}}
+    name: hpcc-agent
+    namespace: {{ .Release.Namespace }}
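Review bot: The `hpcc-default` ServiceAccount is described as being for components that do not need API access, yet every pod bound to it (dali, esp, localroxie, roxie and the job templates) still gets its token mounted by default; add `automountServiceAccountToken: false` to that ServiceAccount's spec so those pods carry no credential they never use, and keep it unset on `hpcc-agent`, which does call the API. The first comment line reads "used by ay component" — should be "any component". The `rbac.create` guard that was previously commented out is now deleted rather than restored; if the chart's values still expose `rbac.create` (not visible from here) it is silently ignored and the Role/RoleBinding are always created.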

+ 5 - 5
helm/hpcc/templates/thor.yaml

@@ -29,7 +29,7 @@ spec:
       labels:
         run: {{ $eclAgentName | quote }}
     spec:
-      serviceAccountName: hpcc
+      serviceAccountName: {{ $eclAgentScope.useChildProcesses | default false | ternary "hpcc-default" "hpcc-agent" }}
       containers:
       - name: {{ $eclAgentName | quote }}
         workingDir: /var/lib/HPCCSystems
@@ -66,7 +66,7 @@ spec:
       labels:
         run: {{ $thorAgentName | quote }}
     spec:
-      serviceAccountName: hpcc
+      serviceAccountName: {{ $thorAgentScope.useChildProcesses | default false | ternary "hpcc-default" "hpcc-agent" }}
       containers:
       - name: {{ $thorAgentName | quote }}
         workingDir: /var/lib/HPCCSystems
@@ -138,7 +138,7 @@ data:
       ttlSecondsAfterFinished: 100
       template:
         spec:
-          serviceAccountName: hpcc
+          serviceAccountName: {{ $thorAgentScope.useChildProcesses | default false | ternary "hpcc-default" "hpcc-agent" }}
           initContainers: 
             {{- include "hpcc.checkDataMount" (dict "root" $) | indent 10 }}
           containers:
@@ -183,7 +183,7 @@ data:
       ttlSecondsAfterFinished: 100
       template:
         spec:
-          serviceAccountName: hpcc
+          serviceAccountName: hpcc-agent
           initContainers:
             {{- include "hpcc.checkDataMount" (dict "root" $) | indent 10 }}
           containers:
@@ -228,7 +228,7 @@ data:
       ttlSecondsAfterFinished: 100
       template:
         spec:
-          serviceAccountName: hpcc
+          serviceAccountName: hpcc-default
           containers:
           - name: %jobname
 {{- include "hpcc.addSecurityContext" (dict "root" $ "me" .) | indent 12 }}
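Review bot: The two job templates in the last two hunks hard-code `serviceAccountName: hpcc-agent` and `serviceAccountName: hpcc-default` unquoted, while the equivalent lines in eclagent.yaml and eclccserver.yaml quote the literal (`"hpcc-default"`); use one form across the chart, e.g. `serviceAccountName: "hpcc-agent"`. The unconditional `hpcc-agent` in the fourth hunk is the only job pod that keeps API access regardless of `useChildProcesses`; if that job is the one that launches the thor worker jobs (its name is outside the hunk) a one-line comment saying so would explain why it is not gated like the `$thorAgentScope` template above it.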

+ 1 - 1
testing/helm/run.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 scriptdir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
-options="--set global.image.version=latest"
+options="--set global.image.version=someversion --set global.image.pullPolicy=Always"
 hpccchart=$scriptdir/../../helm/hpcc
 failed=0