VOL-3145 - remove etcd operator usage
- removed dependencies as they are not part of VOLTHA
- removed RBAC config (no longer used)
- put each resource in a separate file (best practice)
- added security context for containers (best practice)
Change-Id: If9e250ebe998369cb973561d1406517ea622e670
diff --git a/voltha/templates/10-rbac.yaml b/voltha/templates/10-rbac.yaml
deleted file mode 100644
index 430f842..0000000
--- a/voltha/templates/10-rbac.yaml
+++ /dev/null
@@ -1,72 +0,0 @@
-# Copyright 2019-present Open Networking Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: voltha-serviceaccount
-
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRole
-metadata:
- name: pod-reader
-rules:
- - apiGroups: [""]
- resources: ["pods", "nodes"]
- verbs: ["get", "watch", "list"]
-
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: Role
-metadata:
- name: voltha-role
- namespace: {{ .Release.Namespace }}
-rules:
- - apiGroups: [""]
- resources: ["pods", "secrets", "namespaces", "endpoints"]
- verbs: ["get"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "update", "create"]
-
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: RoleBinding
-metadata:
- name: voltha-role-nisa-binding
- namespace: {{ .Release.Namespace }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: voltha-role
-subjects:
- - kind: ServiceAccount
- name: voltha-serviceaccount
- namespace: {{ .Release.Namespace }}
-
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
- name: voltha-clusterrole-nisa-binding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: pod-reader
-subjects:
- - kind: ServiceAccount
- name: voltha-serviceaccount
- namespace: {{ .Release.Namespace }}
diff --git a/voltha/templates/api-svc.yaml b/voltha/templates/api-svc.yaml
new file mode 100644
index 0000000..04f8dea
--- /dev/null
+++ b/voltha/templates/api-svc.yaml
@@ -0,0 +1,25 @@
+# Copyright 2019-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: voltha-api
+spec:
+ ports:
+ - name: grpc
+ port: 55555
+ targetPort: 50057
+ selector:
+ app: rw-core
diff --git a/voltha/templates/rw-core.yaml b/voltha/templates/core-deploy.yaml
similarity index 79%
rename from voltha/templates/rw-core.yaml
rename to voltha/templates/core-deploy.yaml
index 3e71aa7..1a805ec 100644
--- a/voltha/templates/rw-core.yaml
+++ b/voltha/templates/core-deploy.yaml
@@ -13,57 +13,10 @@
# limitations under the License.
{{- $log_level := tpl .Values.rw_core.log_level . | upper }}
---
-apiVersion: v1
-kind: Service
-metadata:
- name: voltha-api
- serviceAccountName: {{ .Values.serviceaccount }}
-spec:
- serviceAccountName: {{ .Values.serviceaccount }}
- ports:
- - name: grpc
- port: 55555
- targetPort: 50057
- selector:
- app: rw-core
----
-apiVersion: v1
-kind: Service
-metadata:
- name: voltha-rw-core
- serviceAccountName: {{ .Values.serviceaccount }}
-spec:
- serviceAccountName: {{ .Values.serviceaccount }}
- clusterIP: None
- ports:
- - name: grpc
- port: 50057
- targetPort: 50057
- selector:
- app: rw-core
----
-{{- if .Values.profiler.enabled }}
-apiVersion: v1
-kind: Service
-metadata:
- name: voltha-rw-core-profiler
- serviceAccountName: {{ .Values.serviceaccount }}
-spec:
- serviceAccountName: {{ .Values.serviceaccount }}
- clusterIP: None
- ports:
- - name: rw-core-profiler
- port: 6060
- targetPort: 6060
- selector:
- app: rw-core
----
-{{- end }}
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: voltha-rw-core
- serviceAccountName: {{ .Values.serviceaccount }}
{{- if or (hasKey .Values "extra_deployment_labels") (hasKey .Values "rw_core_deployment_labels") }}
labels:
{{- if hasKey .Values "extra_deployment_labels" }}
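Review bot: The headless `voltha-rw-core` Service (`clusterIP: None`, port 50057) removed at the top of this hunk has no replacement file anywhere in this diff, while the other two removed Services reappear as api-svc.yaml and core-profile-svc.yaml; unless a later part of the change recreates it, any client resolving `voltha-rw-core` by DNS will stop working. If dropping it is intentional, the commit message should say so, since it lists the removed etcd and RBAC pieces but not this Service. Removing `serviceAccountName` from the Service objects is correct (it is not a Service field) and is not what this note is about.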
@@ -99,10 +52,13 @@
{{ $key }}: {{ $val | quote }}
{{- end }}
{{- end }}
- annotations:
- cni: "calico"
spec:
- serviceAccountName: {{ .Values.serviceaccount }}
+ {{- if .Values.securityContext.enabled }}
+ securityContext:
+ runAsUser: {{ .Values.securityContext.runAsUser }}
+ runAsGroup: {{ .Values.securityContext.runAsGroup }}
+ fsGroup: {{ .Values.securityContext.fsGroup }}
+ {{- end }}
containers:
- name: voltha
image: '{{ tpl .Values.images.rw_core.registry . }}{{ tpl .Values.images.rw_core.repository . }}:{{ tpl .Values.images.rw_core.tag . }}'
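Review bot: With `serviceAccountName` removed from the pod spec and the RBAC objects deleted in 10-rbac.yaml, these pods now run under the namespace's default ServiceAccount, whose token is still mounted into every container unless the pod opts out; since the commit states the RBAC is no longer used, add `automountServiceAccountToken: false` beside the new `securityContext` block so an unneeded API credential is not present in the containers. The matching hunks in ofagent-go-deploy.yaml and ofagent-py-deploy.yaml drop `serviceAccountName` the same way and need the same line. Separately, `.Values.securityContext.enabled` fails at render time with a nil-pointer error if the `securityContext` map is absent from values; the `hasKey` guard the old ofagent templates used for `use_ofagent_go` would avoid that, unless values.yaml (not in this diff) always defines the block.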
@@ -142,6 +98,10 @@
ports:
- containerPort: 50057
name: grpc
+ {{- if .Values.securityContext.enabled }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ {{- end }}
livenessProbe:
httpGet:
path: /healthz
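Review bot: The container-level `securityContext` added here only sets `allowPrivilegeEscalation: false`; the pod-level block takes `runAsUser` from values but nothing asserts the resulting UID is non-root, so a values override of `runAsUser: 0` passes silently. Add `runAsNonRoot: true` next to `allowPrivilegeEscalation: false`, and consider `capabilities:` with `drop: ["ALL"]` unless the rw-core binary needs a specific capability (nothing in this hunk shows that it does). The same container block is added in the ofagent-go-deploy.yaml and ofagent-py-deploy.yaml hunks and should be changed in step.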
diff --git a/voltha/templates/core-profile-svc.yaml b/voltha/templates/core-profile-svc.yaml
new file mode 100644
index 0000000..967d4ab
--- /dev/null
+++ b/voltha/templates/core-profile-svc.yaml
@@ -0,0 +1,28 @@
+# Copyright 2019-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.profiler.enabled }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: voltha-rw-core-profiler
+spec:
+ clusterIP: None
+ ports:
+ - name: rw-core-profiler
+ port: 6060
+ targetPort: 6060
+ selector:
+ app: rw-core
+{{- end }}
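Review bot: This Service makes the rw-core profiler port 6060 reachable from inside the cluster whenever `profiler.enabled` is true, and nothing in the new file records that this is a debugging-only endpoint; add a comment above the `{{- if }}` such as `# Debug only: exposes the rw-core profiler (port 6060) inside the cluster; keep profiler.enabled false outside development.` The identical pattern in ofagent-go-profile-svc.yaml would take the same comment.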
diff --git a/voltha/templates/ofagent-go.yaml b/voltha/templates/ofagent-go-deploy.yaml
similarity index 85%
rename from voltha/templates/ofagent-go.yaml
rename to voltha/templates/ofagent-go-deploy.yaml
index 324850d..a32e19a 100644
--- a/voltha/templates/ofagent-go.yaml
+++ b/voltha/templates/ofagent-go-deploy.yaml
@@ -1,4 +1,3 @@
-{{- if and (hasKey .Values "use_ofagent_go") .Values.use_ofagent_go }}
# Copyright 2020-present Open Networking Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -12,30 +11,13 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
+{{- if .Values.use_ofagent_go }}
{{- $log_level := tpl .Values.ofagent.log_level . | upper }}
-{{- if .Values.profiler.enabled }}
----
-apiVersion: v1
-kind: Service
-metadata:
- name: voltha-of-agent-profiler
- serviceAccountName: {{ .Values.serviceaccount }}
-spec:
- serviceAccountName: {{ .Values.serviceaccount }}
- clusterIP: None
- ports:
- - name: ofagent-profiler
- port: 6060
- targetPort: 6060
- selector:
- app: ofagent
-{{- end }}
---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: voltha-ofagent
- serviceAccountName: {{ .Values.serviceaccount }}
{{- if or (hasKey .Values "extra_deployment_labels") (hasKey .Values "ofagent_deployment_labels") }}
labels:
{{- if hasKey .Values "extra_deployment_labels" }}
@@ -71,11 +53,14 @@
{{ $key }}: {{ $val | quote }}
{{- end }}
{{- end }}
- annotations:
- cni: "calico"
spec:
terminationGracePeriodSeconds: 10
- serviceAccountName: {{ .Values.serviceaccount }}
+ {{- if .Values.securityContext.enabled }}
+ securityContext:
+ runAsUser: {{ .Values.securityContext.runAsUser }}
+ runAsGroup: {{ .Values.securityContext.runAsGroup }}
+ fsGroup: {{ .Values.securityContext.fsGroup }}
+ {{- end }}
containers:
- name: ofagent
image: '{{ tpl .Values.images.ofagent_go.registry . }}{{ tpl .Values.images.ofagent_go.repository . }}:{{ tpl .Values.images.ofagent_go.tag . }}'
@@ -97,6 +82,10 @@
- "--kv_store_request_timeout=60s"
- "--log_level={{ $log_level }}"
- "--probe=:8080"
+ {{- if .Values.securityContext.enabled }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ {{- end }}
livenessProbe:
httpGet:
path: /healthz
diff --git a/voltha/templates/ofagent-go-profile-svc.yaml b/voltha/templates/ofagent-go-profile-svc.yaml
new file mode 100644
index 0000000..0bcbb93
--- /dev/null
+++ b/voltha/templates/ofagent-go-profile-svc.yaml
@@ -0,0 +1,28 @@
+# Copyright 2020-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if and .Values.use_ofagent_go .Values.profiler.enabled }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: voltha-of-agent-profiler
+spec:
+ clusterIP: None
+ ports:
+ - name: ofagent-profiler
+ port: 6060
+ targetPort: 6060
+ selector:
+ app: ofagent
+{{- end }}
diff --git a/voltha/templates/ofagent-py.yaml b/voltha/templates/ofagent-py-deploy.yaml
similarity index 86%
rename from voltha/templates/ofagent-py.yaml
rename to voltha/templates/ofagent-py-deploy.yaml
index 711c4d6..1372c18 100644
--- a/voltha/templates/ofagent-py.yaml
+++ b/voltha/templates/ofagent-py-deploy.yaml
@@ -1,4 +1,3 @@
-{{- if not (and (hasKey .Values "use_ofagent_go") .Values.use_ofagent_go) }}
# Copyright 2019-present Open Networking Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -12,13 +11,12 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
-
+{{- if not .Values.use_ofagent_go }}
---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: voltha-ofagent
- serviceAccountName: {{ .Values.serviceaccount }}
{{- if or (hasKey .Values "extra_deployment_labels") (hasKey .Values "ofagent_deployment_labels") }}
labels:
{{- if hasKey .Values "extra_deployment_labels" }}
@@ -54,11 +52,14 @@
{{ $key }}: {{ $val | quote }}
{{- end }}
{{- end }}
- annotations:
- cni: "calico"
spec:
+ {{- if .Values.securityContext.enabled }}
+ securityContext:
+ runAsUser: {{ .Values.securityContext.runAsUser }}
+ runAsGroup: {{ .Values.securityContext.runAsGroup }}
+ fsGroup: {{ .Values.securityContext.fsGroup }}
+ {{- end }}
terminationGracePeriodSeconds: 10
- serviceAccountName: {{ .Values.serviceaccount }}
containers:
- name: ofagent
image: '{{ tpl .Values.images.ofagent_py.registry . }}{{ tpl .Values.images.ofagent_py.repository . }}:{{ tpl .Values.images.ofagent_py.tag . }}'
@@ -72,6 +73,10 @@
{{- end }}
- "--grpc-endpoint=voltha-api.{{ .Release.Namespace }}.svc.cluster.local:55555"
- "--probe=:8080"
+ {{- if .Values.securityContext.enabled }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ {{- end }}
livenessProbe:
httpGet:
path: /healthz