feat(helm): add securityContexts to jobs

Signed-off-by: Zemtsov Vladimir <zemtsov.v@mail366.com>

api/v1beta2/tenant_conversion_hub.go

@@ -154,7 +154,15 @@ func (in *Tenant) ConvertFrom(raw conversion.Hub) error {
 
 	in.Status.Namespaces = src.Status.Namespaces
 	in.Status.Size = src.Status.Size
-	in.Status.State = tenantState(src.Status.State)
+
+	switch src.Status.State {
+	case capsulev1beta1.TenantStateActive:
+		in.Status.State = TenantStateActive
+	case capsulev1beta1.TenantStateCordoned:
+		in.Status.State = TenantStateCordoned
+	default:
+		in.Status.State = TenantStateActive
+	}
 
 	return nil
 }
@@ -265,5 +273,17 @@ func (in *Tenant) ConvertTo(raw conversion.Hub) error {
 
 	dst.SetAnnotations(annotations)
 
+	dst.Status.Size = in.Status.Size
+	dst.Status.Namespaces = in.Status.Namespaces
+
+	switch in.Status.State {
+	case TenantStateActive:
+		dst.Status.State = capsulev1beta1.TenantStateActive
+	case TenantStateCordoned:
+		dst.Status.State = capsulev1beta1.TenantStateCordoned
+	default:
+		dst.Status.State = capsulev1beta1.TenantStateActive
+	}
+
 	return nil
 }

charts/capsule/Chart.yaml

@@ -21,8 +21,8 @@ sources:
 
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 0.3.0
+version: 0.3.4
 
 # This is the version number of the application being deployed.
 # This version number should be incremented each time you make changes to the application.
-appVersion: 0.2.0
+appVersion: 0.2.1

charts/capsule/README.md

@@ -72,9 +72,11 @@ Here the values you can override:
 | mutatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for mutating webhooks |
 | nodeSelector | object | `{}` | Set the node selector for the Capsule pod |
 | podAnnotations | object | `{}` | Annotations to add to the capsule pod. |
+| podSecurityContext | object | `{"runAsGroup":1002,"runAsNonRoot":true,"runAsUser":1002,"seccompProfile":{"type":"RuntimeDefault"}}` | Set the securityContext for the Capsule pod |
 | podSecurityPolicy.enabled | bool | `false` | Specify if a Pod Security Policy must be created |
 | priorityClassName | string | `""` | Set the priority class name of the Capsule pod |
 | replicaCount | int | `1` | Set the replica count for capsule pod |
+| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true}` | Set the securityContext for the Capsule container |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
 | serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
 | serviceAccount.name | string | `"capsule"` | The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template |
@@ -119,8 +121,6 @@ Here the values you can override:
 | serviceMonitor.labels | object | `{}` | Assign additional labels according to Prometheus' serviceMonitorSelector matching labels |
 | serviceMonitor.matchLabels | object | `{}` | Change matching labels |
 | serviceMonitor.namespace | string | `""` | Install the ServiceMonitor into a different Namespace, as the monitoring stack one (default: the release one) |
-| serviceMonitor.serviceAccount.name | string | `"capsule"` | ServiceAccount for Metrics RBAC |
-| serviceMonitor.serviceAccount.namespace | string | `"capsule-system"` | ServiceAccount Namespace for Metrics RBAC |
 | serviceMonitor.targetLabels | list | `[]` | Set targetLabels for the serviceMonitor |
 
 ### Webhook Parameters

charts/capsule/templates/daemonset.yaml

@@ -29,6 +29,10 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ include "capsule.serviceAccountName" . }}
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       {{- if .Values.manager.hostNetwork }}
       hostNetwork: true
       dnsPolicy: ClusterFirstWithHostNet
@@ -84,5 +88,5 @@ spec:
           resources:
             {{- toYaml .Values.manager.resources | nindent 12 }}
           securityContext:
-            allowPrivilegeEscalation: false
+            {{- toYaml .Values.securityContext | nindent 12 }}
 {{- end }}

charts/capsule/templates/deployment.yaml

@@ -28,6 +28,10 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ include "capsule.serviceAccountName" . }}
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       {{- if .Values.manager.hostNetwork }}
       hostNetwork: true
       dnsPolicy: ClusterFirstWithHostNet
@@ -83,5 +87,5 @@ spec:
           resources:
             {{- toYaml .Values.manager.resources | nindent 12 }}
           securityContext:
-            allowPrivilegeEscalation: false
+            {{- toYaml .Values.securityContext | nindent 12 }}
 {{- end }}

charts/capsule/templates/metrics-rbac.yaml

@@ -1,46 +0,0 @@
-{{- if .Values.serviceMonitor.enabled }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  labels:
-    {{- include "capsule.labels" . | nindent 4 }}
-  {{- if .Values.serviceMonitor.labels }}
-    {{- toYaml .Values.serviceMonitor.labels | nindent 4 }}
-  {{- end }}
-  {{- with .Values.customAnnotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-  name: {{ include "capsule.fullname" . }}-metrics-role
-  namespace: {{ .Values.serviceMonitor.namespace | default .Release.Namespace }}
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - services
-  - endpoints
-  - pods
-  verbs:
-  - get
-  - list
-  - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  labels:
-    {{- include "capsule.labels" . | nindent 4 }}
-    {{- if .Values.serviceMonitor.labels }}
-    {{- toYaml .Values.serviceMonitor.labels | nindent 4 }}
-    {{- end }}
-  name: {{ include "capsule.fullname" . }}-metrics-rolebinding
-  namespace: {{ .Values.serviceMonitor.namespace | default .Release.Namespace }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ include "capsule.fullname" . }}-metrics-role
-subjects:
-- kind: ServiceAccount
-  name: {{ .Values.serviceMonitor.serviceAccount.name }}
-  namespace: {{ .Values.serviceMonitor.serviceAccount.namespace | default .Release.Namespace }}
-{{- end }}

charts/capsule/templates/post-install-job.yaml

@@ -45,5 +45,11 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
+        securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
       serviceAccountName: {{ include "capsule.serviceAccountName" . }}
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
 {{- end }}

charts/capsule/templates/pre-delete-job.yaml

@@ -47,4 +47,10 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
       serviceAccountName: {{ include "capsule.serviceAccountName" . }}
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

charts/capsule/values.yaml

@@ -77,6 +77,23 @@ podAnnotations: {}
 # -- Set the priority class name of the Capsule pod
 priorityClassName: '' # system-cluster-critical
 
+# -- Set the securityContext for the Capsule pod
+podSecurityContext:
+  seccompProfile:
+    type: "RuntimeDefault"
+  runAsGroup: 1002
+  runAsNonRoot: true
+  runAsUser: 1002
+
+
+# -- Set the securityContext for the Capsule container
+securityContext:
+  capabilities:
+    drop:
+    - ALL
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: true
+
 # -- Set the node selector for the Capsule pod
 nodeSelector: {}
 #  node-role.kubernetes.io/master: ""
@@ -212,11 +229,6 @@ serviceMonitor:
   matchLabels: {}
   # -- Set targetLabels for the serviceMonitor
   targetLabels: []
-  serviceAccount:
-    # -- ServiceAccount for Metrics RBAC
-    name: capsule
-    # -- ServiceAccount Namespace for Metrics RBAC
-    namespace: capsule-system
   endpoint:
     # -- Set the scrape interval for the endpoint of the serviceMonitor
     interval: "15s"

config/install.yaml

@@ -2767,7 +2767,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: clastix/capsule:v0.2.0
+        image: clastix/capsule:v0.2.1
         imagePullPolicy: IfNotPresent
         name: manager
         ports:

config/manager/kustomization.yaml

@@ -7,4 +7,4 @@ kind: Kustomization
 images:
 - name: controller
   newName: clastix/capsule
-  newTag: v0.2.0
+  newTag: v0.2.1

config/prometheus/kustomization.yaml

@@ -1,4 +1,2 @@
 resources:
 - monitor.yaml
-- role.yaml
-- rolebinding.yaml

config/prometheus/role.yaml

@@ -1,18 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  labels:
-    control-plane: controller-manager
-  name: capsule-metrics-role
-  namespace: capsule-system
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - services
-  - endpoints
-  - pods
-  verbs:
-  - get
-  - list
-  - watch

config/prometheus/rolebinding.yaml

@@ -1,15 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  labels:
-    control-plane: controller-manager
-  name: capsule-metrics-rolebinding
-  namespace: system
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: capsule-metrics-role
-subjects:
-- kind: ServiceAccount
-  name: capsule
-  namespace: capsule-system

controllers/resources/processor.go

@@ -252,12 +252,13 @@ func (r *Processor) createOrUpdate(ctx context.Context, obj *unstructured.Unstru
 
 			_, err = controllerutil.CreateOrUpdate(ctx, r.client, actual, func() error {
 				UID := actual.GetUID()
+				rv := actual.GetResourceVersion()
 
 				actual.SetUnstructuredContent(desired.Object)
 				actual.SetNamespace(ns)
 				actual.SetLabels(labels)
 				actual.SetAnnotations(annotations)
-				actual.SetResourceVersion("")
+				actual.SetResourceVersion(rv)
 				actual.SetUID(UID)
 
 				return nil

docs/content/guides/upgrading.md

@@ -14,7 +14,7 @@ As an installation method, Helm is given for granted, YMMV using the `kustomize`
 We strongly suggest performing a full backup of your Kubernetes cluster, such as storage and etcd.
 Use your favourite tool according to your needs.
 
-# Upgrading from v0.1.3 to v0.2.0
+# Upgrading from v0.1.3 to v0.2.x
 
 ## Scale down the Capsule controller
 
@@ -28,19 +28,19 @@ helm upgrade -n capsule-system capsule --set "replicaCount=0"
 
 ## Migrate manually the `CapsuleConfiguration` to the latest API version
 
-With the v0.2.0 release of Capsule and the new features introduced, the resource `CapsuleConfiguration` is offering a new API version, bumped to `v1beta1` from `v1alpha1`.
+With the v0.2.x release of Capsule and the new features introduced, the resource `CapsuleConfiguration` is offering a new API version, bumped to `v1beta1` from `v1alpha1`.
 
 Essentially, the `CapsuleConfiguration` is storing configuration flags that allow Capsule to be configured on the fly without requiring the operator to reload.
 This resource is read at the operator init-time when the conversion webhook offered by Capsule is not yet ready to serve any request.
 
-Migrating from v0.1.3 to v0.2.0 requires a manual conversion of your `CapsuleConfiguration` according to the latest version (currently, `v1beta2`).
+Migrating from v0.1.3 to v0.2.x requires a manual conversion of your `CapsuleConfiguration` according to the latest version (currently, `v1beta2`).
 You can find further information about it at the section `CRDs APIs`.
 
 The deletion of the `CapsuleConfiguration` resource is required, along with the update of the related CRD.
 
 ```
 kubectl delete capsuleconfiguration default
-kubectl apply -f https://raw.githubusercontent.com/clastix/capsule/v0.2.0/config/crd/bases/capsuleconfiguration-crd.yaml
+kubectl apply -f https://raw.githubusercontent.com/clastix/capsule/v0.2.1/config/crd/bases/capsuleconfiguration-crd.yaml
 ```
 
 During the Helm upgrade, a new `CapsuleConfiguration` will be created: please, refer to the Helm Chart values to pick up your desired settings.
@@ -52,9 +52,9 @@ Unfortunately, Helm doesn't manage the lifecycle of Custom Resource Definitions,
 This process must be executed manually as follows:
 
 ```
-kubectl apply -f https://raw.githubusercontent.com/clastix/capsule/v0.2.0/config/crd/bases/globaltenantresources-crd.yaml
-kubectl apply -f https://raw.githubusercontent.com/clastix/capsule/v0.2.0/config/crd/bases/tenant-crd.yaml
-kubectl apply -f https://raw.githubusercontent.com/clastix/capsule/v0.2.0/config/crd/bases/tenantresources-crd.yaml
+kubectl apply -f https://raw.githubusercontent.com/clastix/capsule/v0.2.1/config/crd/bases/globaltenantresources-crd.yaml
+kubectl apply -f https://raw.githubusercontent.com/clastix/capsule/v0.2.1/config/crd/bases/tenant-crd.yaml
+kubectl apply -f https://raw.githubusercontent.com/clastix/capsule/v0.2.1/config/crd/bases/tenantresources-crd.yaml
 ```
 
 > We're giving for granted that Capsule is installed in the `capsule-system` Namespace.
@@ -76,7 +76,7 @@ Ensure to update the Capsule repository to fetch the latest changes.
 helm repo update
 ```
 
-The latest Chart must be used, at the current time, 0.3.0 is expected for Capsule v0.2.0, you can fetch the full list of available charts with the following command.
+The latest Chart must be used, at the current time, >0.3.0 is expected for Capsule >v0.2.0, you can fetch the full list of available charts with the following command.
 
 ```
 helm search repo -l clastix/capsule

go.mod

@@ -29,7 +29,7 @@ require (
 	github.com/blang/semver v3.5.1+incompatible // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/emicklei/go-restful v2.15.0+incompatible // indirect
+	github.com/emicklei/go-restful v2.16.0+incompatible // indirect
 	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
 	github.com/fsnotify/fsnotify v1.5.4 // indirect
 	github.com/go-logr/zapr v1.2.0 // indirect

go.sum

@@ -127,8 +127,8 @@ github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25Kn
 github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
 github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
 github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
-github.com/emicklei/go-restful v2.15.0+incompatible h1:8KpYO/Xl/ZudZs5RNOEhWMBY4hmzlZhhRd9cu+jrZP4=
-github.com/emicklei/go-restful v2.15.0+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
+github.com/emicklei/go-restful v2.16.0+incompatible h1:rgqiKNjTnFQA6kkhFe16D8epTksy9HQ1MyrbDXSdYhM=
+github.com/emicklei/go-restful v2.16.0+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=