diff --git a/helm/openwhisk/configMapFiles/dockerLogin/dockerLogin.sh b/helm/openwhisk/configMapFiles/dockerLogin/dockerLogin.sh
new file mode 100755
index 00000000..42682b65
--- /dev/null
+++ b/helm/openwhisk/configMapFiles/dockerLogin/dockerLogin.sh
@@ -0,0 +1 @@
+docker login $RUNTIMES_REGISTRY -u $RUNTIMES_REGISTRY_USERNAME -p $RUNTIMES_REGISTRY_PASSWORD
diff --git a/helm/openwhisk/configMapFiles/genCerts/gencerts.sh b/helm/openwhisk/configMapFiles/genCerts/gencerts.sh
index b5dbb199..6fa530c9 100755
--- a/helm/openwhisk/configMapFiles/genCerts/gencerts.sh
+++ b/helm/openwhisk/configMapFiles/genCerts/gencerts.sh
@@ -19,7 +19,18 @@ if kubectl get secret $NGINX_CERT_SECRET; then
 echo "using existing $NGINX_CERT_SECRET secret"
 else
 echo "generating new $NGINX_CERT_SECRET secret"
- genssl.sh "*.$WHISK_API_HOST_NAME" server /cert-gen
- kubectl create secret tls $NGINX_CERT_SECRET --cert=/cert-gen/openwhisk-server-cert.pem --key=/cert-gen/openwhisk-server-key.pem
+
+ until genssl.sh "*.$WHISK_API_HOST_NAME" server /cert-gen
+ do
+ echo "Network not ready yet"
+ sleep 1
+ done
+
+ until kubectl create secret tls $NGINX_CERT_SECRET --cert=/cert-gen/openwhisk-server-cert.pem --key=/cert-gen/openwhisk-server-key.pem
+ do
+ echo "Network not ready yet"
+ sleep 1
+ done
 fi
+exit 0
diff --git a/helm/openwhisk/configMapFiles/initCouchDB/initdb.sh b/helm/openwhisk/configMapFiles/initCouchDB/initdb.sh
index 4f462783..99dcae74 100755
--- a/helm/openwhisk/configMapFiles/initCouchDB/initdb.sh
+++ b/helm/openwhisk/configMapFiles/initCouchDB/initdb.sh
@@ -16,7 +16,11 @@ # # Clone OpenWhisk to get the ansible playbooks needed to initialize CouchDB
-git clone https://github.com/apache/openwhisk /openwhisk
+until git clone https://github.com/apache/openwhisk /openwhisk
+do
+ echo "Network not ready yet"
+ sleep 1
+done
 pushd /openwhisk
 git checkout $OW_GIT_TAG_OPENWHISK
 popd
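Review bot: `docker login $RUNTIMES_REGISTRY -u $RUNTIMES_REGISTRY_USERNAME -p $RUNTIMES_REGISTRY_PASSWORD` puts the registry password on the command line, where it is visible in the process list and in any shell trace for the lifetime of the command; `docker login` itself warns that `-p` is insecure. Feed it on stdin and quote the expansions instead: `printf '%s' "$RUNTIMES_REGISTRY_PASSWORD" | docker login "$RUNTIMES_REGISTRY" -u "$RUNTIMES_REGISTRY_USERNAME" --password-stdin`. The one-line file also has no shebang and does not propagate a failed login, so whatever sources or runs it (not shown in this diff) will continue as if authentication succeeded; ending the line with `|| exit 1` makes the failure visible.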
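Review bot: The two `until … do echo "Network not ready yet"; sleep 1; done` loops retry forever and attribute every failure to the network, so a persistent error (a bad `$WHISK_API_HOST_NAME`, `genssl.sh` missing from the image, or RBAC denying `kubectl create secret`) spins the init container indefinitely with a misleading log instead of failing the job. The same unbounded pattern is added around `git clone` in initdb.sh and myTask.sh. Bound the attempts and log the real cause, e.g. `n=0; until genssl.sh "*.$WHISK_API_HOST_NAME" server /cert-gen; do n=$((n+1)); [ "$n" -lt 30 ] || exit 1; echo "genssl.sh failed, retrying ($n/30)" >&2; sleep 1; done`, and likewise for the `kubectl` and `git clone` loops.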
@@ -87,3 +91,4 @@ echo "Creating ow_kube_couchdb_initialized_marker database"
 curl --silent -X PUT -u "$COUCHDB_USER:$COUCHDB_PASSWORD" $DB_PROTOCOL://$DB_HOST:$DB_PORT/ow_kube_couchdb_initialized_marker || exit 1
 echo "successfully initialized CouchDB for OpenWhisk"
+exit 0
diff --git a/helm/openwhisk/configMapFiles/installPackages/myTask.sh b/helm/openwhisk/configMapFiles/installPackages/myTask.sh
index bb390434..b54d591c 100644
--- a/helm/openwhisk/configMapFiles/installPackages/myTask.sh
+++ b/helm/openwhisk/configMapFiles/installPackages/myTask.sh
@@ -24,7 +24,11 @@ export PROVIDER_DB_URL=$PROVIDER_DB_PROTOCOL://$PROVIDER_DB_USERNAME:$PROVIDER_D
 #####
 # Clone openwhisk repo to get installRouteMgmt.sh and core/routemgmt
-git clone https://github.com/apache/openwhisk openwhisk
+until git clone https://github.com/apache/openwhisk openwhisk
+do
+ echo "Network not ready yet"
+ sleep 1
+done
 pushd openwhisk
 git checkout $OW_GIT_TAG_OPENWHISK
 rm -f /openwhisk/ansible/files/auth.guest /openwhisk/ansible/files/auth.whisk.system
diff --git a/helm/openwhisk/templates/apigateway-pod.yaml b/helm/openwhisk/templates/apigateway-pod.yaml
index 8db4b319..aafe4b4a 100644
--- a/helm/openwhisk/templates/apigateway-pod.yaml
+++ b/helm/openwhisk/templates/apigateway-pod.yaml
@@ -56,6 +56,10 @@ spec:
 containerPort: {{ .Values.apigw.mgmtPort }}
 - name: api
 containerPort: {{ .Values.apigw.apiPort }}
+{{- if .Values.apigw.resources }}
+ resources:
+{{ toYaml .Values.apigw.resources | indent 12 }}
+{{- end }}
 env:
 - name: "REDIS_HOST"
 value: "{{ include "openwhisk.redis_host" . }}"
@@ -71,3 +75,9 @@ spec:
 configMapKeyRef:
 name: {{ .Release.Name }}-whisk.config
 key: whisk_internal_api_host_url
+{{- if .Values.apigw.secure }}
+ securityContext:
+ capabilities:
+ drop:
+ - all
+{{- end }}
diff --git a/helm/openwhisk/templates/controller-pod.yaml b/helm/openwhisk/templates/controller-pod.yaml
index 66813700..04e2ca3c 100644
--- a/helm/openwhisk/templates/controller-pod.yaml
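Review bot: The `securityContext` added under `.Values.apigw.secure` drops all capabilities but leaves privilege escalation and the effective user untouched, and with `secure: false` as the default in values.yaml the hardening is both opt-in and partial. Consider `allowPrivilegeEscalation: false` alongside `capabilities:` (and `runAsNonRoot: true` if the apigateway image supports a non-root user — not verifiable from this diff); the same applies to the controller and invoker blocks in this commit. The `resources:` block in the first hunk is rendered with `indent 12` where the other pod templates use `indent 10`; the container nesting in this file may justify it, but since the collapsed whitespace hides the real indentation it is worth a render check, as a mis-indented `resources` produces an invalid container spec.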
+++ b/helm/openwhisk/templates/controller-pod.yaml
@@ -35,11 +35,14 @@ spec:
 name: {{ .Release.Name }}-controller
 {{ include "openwhisk.label_boilerplate" . | indent 8 }}
- {{- if .Values.metrics.prometheusEnabled }}
 annotations:
+ {{- if .Values.metrics.prometheusEnabled }}
 prometheus.io/scrape: 'true'
 prometheus.io/port: '{{ .Values.controller.port }}'
 {{- end }}
+ {{- if .Values.controller.secure }}
+ seccomp.security.alpha.kubernetes.io/pod: localhost/controller.json
+ {{- end }}
 spec:
 serviceAccountName: {{ .Release.Name }}-core
@@ -79,6 +82,11 @@ spec:
 {{- if .Values.controller.lean }}
 securityContext:
 privileged: true
+{{- else if .Values.controller.secure }}
+ securityContext:
+ capabilities:
+ drop:
+ - all
 {{- end }}
 command: ["/bin/bash", "-c", "/init.sh `hostname | awk -F '-' '{print $NF}'`"]
 ports:
@@ -107,6 +115,10 @@ spec:
 initialDelaySeconds: {{ .Values.probes.controller.readinessProbe.initialDelaySeconds }}
 periodSeconds: {{ .Values.probes.controller.readinessProbe.periodSeconds }}
 timeoutSeconds: {{ .Values.probes.controller.readinessProbe.timeoutSeconds }}
+{{- if .Values.controller.resources }}
+ resources:
+{{ toYaml .Values.controller.resources | indent 10 }}
+{{- end }}
 env:
 - name: "PORT"
 value: {{ .Values.controller.port | quote }}
diff --git a/helm/openwhisk/templates/frontdoor-secrets.yaml b/helm/openwhisk/templates/frontdoor-secrets.yaml
index 583ee814..4043a261 100644
--- a/helm/openwhisk/templates/frontdoor-secrets.yaml
+++ b/helm/openwhisk/templates/frontdoor-secrets.yaml
@@ -25,7 +25,7 @@ metadata:
 {{ include "openwhisk.label_boilerplate" . | indent 4 }}
 type: {{ .Values.whisk.ingress.tls.secrettype | quote }}
 data:
- tls.crt: {{ .Values.whisk.ingress.tls.crt }}
- tls.key: {{ .Values.whisk.ingress.tls.key }}
+ tls.crt: {{ .Values.whisk.ingress.tls.crt | b64enc }}
+ tls.key: {{ .Values.whisk.ingress.tls.key | b64enc }}
 {{- end}}
 {{- end }}
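Review bot: The seccomp profile is attached through the `seccomp.security.alpha.kubernetes.io/pod` annotation, which is the deprecated alpha mechanism; current Kubernetes expresses this as `securityContext: {seccompProfile: {type: Localhost, localhostProfile: controller.json}}` on the pod spec, and the annotation has since been removed, so on newer clusters `secure: true` would render a pod with no seccomp profile at all and no error. The same annotation is added for the invoker. In the second hunk, `{{- if .Values.controller.lean }} … {{- else if .Values.controller.secure }}` silently ignores `secure: true` whenever `lean` is set; either `fail` on the combination or state the precedence in a comment next to `controller.secure` in values.yaml.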
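Review bot: Piping `.Values.whisk.ingress.tls.crt` and `.key` through `b64enc` changes the contract of these values from "already base64-encoded" to "raw PEM"; a user who supplied pre-encoded material will now get a double-encoded Secret that the ingress cannot load, with no error at install time. Document the new expectation next to the keys in values.yaml (e.g. `# PEM-encoded certificate and key; the chart base64-encodes them`) and call the change out as breaking in the release notes. Wrapping the values in `required` (`{{ required "whisk.ingress.tls.crt is required" .Values.whisk.ingress.tls.crt | b64enc }}`) would also turn an empty value into a clear install-time failure rather than an empty `tls.crt`.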
diff --git a/helm/openwhisk/templates/invoker-pod.yaml b/helm/openwhisk/templates/invoker-pod.yaml
index dbb80289..42943249 100644
--- a/helm/openwhisk/templates/invoker-pod.yaml
+++ b/helm/openwhisk/templates/invoker-pod.yaml
@@ -43,12 +43,14 @@ spec:
 labels:
 name: {{ .Release.Name }}-invoker
 {{ include "openwhisk.label_boilerplate" . | indent 8 }}
-
- {{- if .Values.metrics.prometheusEnabled }}
 annotations:
+ {{- if .Values.metrics.prometheusEnabled }}
 prometheus.io/scrape: 'true'
 prometheus.io/port: '{{ .Values.invoker.port }}'
 {{- end }}
+ {{- if .Values.invoker.secure }}
+ seccomp.security.alpha.kubernetes.io/pod: localhost/invoker.json
+ {{- end }}
 spec:
 {{- if eq .Values.invoker.containerFactory.impl "kubernetes" }}
@@ -83,10 +85,17 @@ spec:
 - name: invoker
 image: "{{- .Values.docker.registry.name -}}{{- .Values.invoker.imageName -}}:{{- .Values.invoker.imageTag -}}"
 imagePullPolicy: {{ .Values.invoker.imagePullPolicy | quote }}
+ command:
+ - /bin/bash
+ - -c
+ -
 {{- if and (eq .Values.invoker.containerFactory.impl "docker") .Values.invoker.containerFactory.networkConfig.dns.inheritInvokerConfig }}
- command: [ "/bin/bash", "-c", ". /invoker-scripts/configureDNS.sh && /init.sh --uniqueName $INVOKER_NAME" ]
-{{- else }}
- command: [ "/bin/bash", "-c", "/init.sh --uniqueName $INVOKER_NAME" ]
+ . /invoker-scripts/configureDNS.sh &&
+{{- end }}
+ /init.sh --uniqueName $INVOKER_NAME
+{{- if .Values.invoker.resources }}
+ resources:
+{{ toYaml .Values.invoker.resources | indent 10 }}
 {{- end }}
 env:
 - name: "PORT"
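Review bot: The `command` list now ends in a bare `-` whose value is assembled from the optional `. /invoker-scripts/configureDNS.sh &&` line and `/init.sh --uniqueName $INVOKER_NAME`, relying on YAML plain-scalar folding to join them into one shell string. That works for the two current fragments but is fragile — a future fragment containing `: ` or ` #` changes the parse — and the intent is harder to read than the two explicit strings it replaces. A block scalar makes the join explicit (`- >-` followed by the indented fragments), or build the string in a template variable and emit it with `| quote`. Either way a short comment above `command:` explaining why `configureDNS.sh` is conditional would help the next reader.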
@@ -211,8 +220,33 @@ spec:
 value: "{{ .Values.akka.actorSystemTerminateTimeout }}"
 - name: "CONFIG_whisk_runtime_delete_timeout"
 value: "{{ .Values.invoker.runtimeDeleteTimeout }}"
+{{- if ne .Values.docker.registry.name "" }}
+ - name: "RUNTIMES_REGISTRY"
+ value: "{{- .Values.docker.registry.name -}}"
+ - name: "RUNTIMES_REGISTRY_USERNAME"
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Release.Name }}-docker.registry.auth
+ key: docker_registry_username
+ - name: "RUNTIMES_REGISTRY_PASSWORD"
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Release.Name }}-docker.registry.auth
+ key: docker_registry_password
+{{- end }}
 ports:
 - name: invoker
 containerPort: {{ .Values.invoker.port }}
+{{- if .Values.invoker.secure }}
+ securityContext:
+ capabilities:
+ drop:
+ - all
+ add:
+ - SYS_ADMIN
+{{- range .Values.invoker.extraCaps }}
+ - {{ . }}
+{{- end }}
+{{- end }}
 {{ include "openwhisk.invoker.volume_mounts" . }}
 {{- end }}
diff --git a/helm/openwhisk/templates/kafka-pod.yaml b/helm/openwhisk/templates/kafka-pod.yaml
index 82265e7c..283e53e1 100644
--- a/helm/openwhisk/templates/kafka-pod.yaml
+++ b/helm/openwhisk/templates/kafka-pod.yaml
@@ -73,7 +73,10 @@ spec:
 ports:
 - containerPort: {{ .Values.kafka.port }}
 name: kafka
-
+{{- if .Values.kafka.resources }}
+ resources:
+{{ toYaml .Values.kafka.resources | indent 10 }}
+{{- end }}
 livenessProbe:
 tcpSocket:
 port: {{ .Values.kafka.port }}
diff --git a/helm/openwhisk/templates/nginx-pod.yaml b/helm/openwhisk/templates/nginx-pod.yaml
index 5b040d66..a6ad9538 100644
--- a/helm/openwhisk/templates/nginx-pod.yaml
+++ b/helm/openwhisk/templates/nginx-pod.yaml
@@ -76,6 +76,10 @@ spec:
 containerPort: {{ .Values.nginx.httpPort }}
 - name: https
 containerPort: {{ .Values.nginx.httpsPort }}
+{{- if .Values.nginx.resources }}
+ resources:
+{{ toYaml .Values.nginx.resources | indent 10 }}
+{{- end }}
 volumeMounts:
 - name: nginx-conf
 mountPath: "/etc/nginx/nginx.conf"
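Review bot: Under `invoker.secure`, `drop: all` is immediately followed by `add: SYS_ADMIN`, and the shipped invoker.json allows `mount`, `setns`, `unshare`, `bpf` and `perf_event_open` whenever CAP_SYS_ADMIN is held, so the "secure" invoker stays close to root-equivalent on its node; that limitation should be stated next to `invoker.secure` in values.yaml (`# NOTE: the invoker still receives CAP_SYS_ADMIN; secure only removes the remaining capabilities`). `extraCaps` is rendered unquoted via `- {{ . }}`; `- {{ . | quote }}` keeps odd values from being reinterpreted by YAML. The `RUNTIMES_REGISTRY_*` block is gated on `docker.registry.name` being non-empty rather than on credentials being configured, and it references a `{{ .Release.Name }}-docker.registry.auth` Secret that does not appear in this diff — if the chart does not create it elsewhere, any user who sets a registry name without auth gets a pod stuck in CreateContainerConfigError.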
diff --git a/helm/openwhisk/templates/redis-pod.yaml b/helm/openwhisk/templates/redis-pod.yaml
index 30c74b1e..781ef5c1 100644
--- a/helm/openwhisk/templates/redis-pod.yaml
+++ b/helm/openwhisk/templates/redis-pod.yaml
@@ -87,4 +87,8 @@ spec:
 ports:
 - name: redis
 containerPort: {{ .Values.redis.port }}
+{{- if .Values.redis.resources }}
+ resources:
+{{ toYaml .Values.redis.resources | indent 12 }}
+{{- end }}
 {{ end }}
diff --git a/helm/openwhisk/templates/seccomp-cm.yaml b/helm/openwhisk/templates/seccomp-cm.yaml
new file mode 100644
index 00000000..69368e22
--- /dev/null
+++ b/helm/openwhisk/templates/seccomp-cm.yaml
@@ -0,0 +1,923 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-seccomp-profile + labels: + name: {{ .Release.Name }}-seccomp-profile +data: + invoker.json: | + { + "defaultAction": "SCMP_ACT_ERRNO", + "archMap": [ + { + "architecture": "SCMP_ARCH_X86_64", + "subArchitectures": [ + "SCMP_ARCH_X86", + "SCMP_ARCH_X32" + ] + }, + { + "architecture": "SCMP_ARCH_AARCH64", + "subArchitectures": [ + "SCMP_ARCH_ARM" + ] + }, + { + "architecture": "SCMP_ARCH_MIPS64", + "subArchitectures": [ + "SCMP_ARCH_MIPS", + "SCMP_ARCH_MIPS64N32" + ] + }, + { + "architecture": "SCMP_ARCH_MIPS64N32", + "subArchitectures": [ + "SCMP_ARCH_MIPS", + "SCMP_ARCH_MIPS64" + ] + }, + { + "architecture": "SCMP_ARCH_MIPSEL64", + "subArchitectures": [ + "SCMP_ARCH_MIPSEL", + "SCMP_ARCH_MIPSEL64N32" + ] + }, + { + "architecture": "SCMP_ARCH_MIPSEL64N32", + "subArchitectures": [ + "SCMP_ARCH_MIPSEL", + "SCMP_ARCH_MIPSEL64" + ] + }, + { + "architecture": "SCMP_ARCH_S390X", + "subArchitectures": [ + "SCMP_ARCH_S390" + ] + } + ], + "syscalls": [ + { + "names": [ + "setgid", + "setuid", + "access", + "bind", + "brk", + "capget", + "capset", + "chdir", + "chmod", + "chown", + "chown32", + "clock_getres", + "clock_getres_time64", + "clock_gettime", + "clock_gettime64", + "close", + "connect", + "copy_file_range", + "creat", + "dup", + "dup2", + "dup3", + "epoll_create", + "epoll_create1", + "epoll_ctl", + "epoll_ctl_old", + "epoll_pwait", + "epoll_pwait2", + "epoll_wait", + "epoll_wait_old", + "eventfd", + "eventfd2", + "execve", + "execveat", + "exit", + "exit_group", + "faccessat", + "faccessat2", + "fadvise64", + "fadvise64_64", + "fallocate", + "fanotify_mark", + "fchdir", + "fchmod", + "fchmodat", + "fchown", + "fchown32", + "fchownat", + "fcntl", + "fcntl64", + "fdatasync", + "fgetxattr", + "flistxattr", + "flock", + "fork", + "fremovexattr", + "fsetxattr", + "fstat", + "fstat64", + "fstatat64", + "fstatfs", + "fstatfs64", + "fsync", + "ftruncate", + "ftruncate64", + "futex", 
+ "futex_time64", + "futimesat", + "getcpu", + "getcwd", + "getdents", + "getdents64", + "getegid", + "getegid32", + "geteuid", + "geteuid32", + "getgid", + "getgid32", + "getgroups", + "getgroups32", + "getitimer", + "getpeername", + "getpgid", + "getpgrp", + "getpid", + "getppid", + "getpriority", + "getrandom", + "getresgid", + "getresgid32", + "getresuid", + "getresuid32", + "getrlimit", + "get_robust_list", + "getrusage", + "getsid", + "getsockname", + "getsockopt", + "get_thread_area", + "gettid", + "gettimeofday", + "getuid", + "getuid32", + "getxattr", + "inotify_add_watch", + "inotify_init", + "inotify_init1", + "inotify_rm_watch", + "ioctl", + "ioprio_get", + "ioprio_set", + "ipc", + "kill", + "lgetxattr", + "link", + "linkat", + "listen", + "listxattr", + "llistxattr", + "_llseek", + "lremovexattr", + "lseek", + "lsetxattr", + "lstat", + "lstat64", + "madvise", + "membarrier", + "memfd_create", + "mincore", + "mkdir", + "mkdirat", + "mknod", + "mknodat", + "mlock", + "mlock2", + "mlockall", + "mmap", + "mmap2", + "mprotect", + "mremap", + "msgctl", + "msgget", + "msgrcv", + "msgsnd", + "msync", + "munmap", + "nanosleep", + "newfstatat", + "_newselect", + "open", + "openat", + "openat2", + "pause", + "pidfd_open", + "pidfd_send_signal", + "pipe", + "pipe2", + "poll", + "ppoll", + "ppoll_time64", + "prctl", + "pread64", + "preadv", + "preadv2", + "prlimit64", + "read", + "readahead", + "readlink", + "readlinkat", + "readv", + "recv", + "recvfrom", + "recvmmsg", + "recvmmsg_time64", + "recvmsg", + "remap_file_pages", + "removexattr", + "rename", + "renameat", + "renameat2", + "restart_syscall", + "rmdir", + "rseq", + "rt_sigaction", + "rt_sigpending", + "rt_sigprocmask", + "rt_sigqueueinfo", + "rt_sigreturn", + "rt_sigsuspend", + "rt_sigtimedwait", + "rt_sigtimedwait_time64", + "rt_tgsigqueueinfo", + "sched_getaffinity", + "sched_getattr", + "sched_getparam", + "sched_get_priority_max", + "sched_get_priority_min", + "sched_getscheduler", + 
"sched_rr_get_interval", + "sched_rr_get_interval_time64", + "sched_setaffinity", + "sched_setattr", + "sched_setparam", + "sched_setscheduler", + "sched_yield", + "seccomp", + "select", + "semctl", + "semget", + "semop", + "semtimedop", + "semtimedop_time64", + "send", + "sendfile", + "sendfile64", + "sendmmsg", + "sendmsg", + "sendto", + "setgroups", + "setgroups32", + "setitimer", + "setpgid", + "setpriority", + "setregid", + "setregid32", + "setresgid", + "setresgid32", + "setrlimit", + "set_robust_list", + "setsid", + "setsockopt", + "set_thread_area", + "set_tid_address", + "setxattr", + "shmat", + "shmctl", + "shmdt", + "shmget", + "sigaltstack", + "signalfd", + "signalfd4", + "sigprocmask", + "sigreturn", + "socket", + "socketcall", + "socketpair", + "splice", + "stat", + "stat64", + "statfs", + "statfs64", + "statx", + "symlink", + "symlinkat", + "sync", + "sync_file_range", + "syncfs", + "sysinfo", + "tee", + "tgkill", + "time", + "times", + "tkill", + "truncate", + "truncate64", + "ugetrlimit", + "umask", + "uname", + "unlink", + "unlinkat", + "utime", + "utimensat", + "utimensat_time64", + "utimes", + "vfork", + "vmsplice", + "wait4", + "waitid", + "waitpid", + "write", + "writev" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": {}, + "excludes": {} + }, + { + "names": [ + "arch_prctl" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "arches": [ + "amd64", + "x32" + ] + }, + "excludes": {} + }, + { + "names": [ + "bpf", + "clone", + "fanotify_init", + "fsconfig", + "fsmount", + "fsopen", + "fspick", + "lookup_dcookie", + "mount", + "move_mount", + "name_to_handle_at", + "open_tree", + "perf_event_open", + "quotactl", + "setdomainname", + "sethostname", + "setns", + "syslog", + "umount", + "umount2", + "unshare" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_ADMIN" + ] + }, + "excludes": {} + }, + { + "names": [ + "clone" + ], + 
"action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 2114060288, + "op": "SCMP_CMP_MASKED_EQ" + } + ], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_ADMIN" + ], + "arches": [ + "s390", + "s390x" + ] + } + } + ] + } + controller.json: | + { + "defaultAction": "SCMP_ACT_ERRNO", + "archMap": [ + { + "architecture": "SCMP_ARCH_X86_64", + "subArchitectures": [ + "SCMP_ARCH_X86", + "SCMP_ARCH_X32" + ] + }, + { + "architecture": "SCMP_ARCH_AARCH64", + "subArchitectures": [ + "SCMP_ARCH_ARM" + ] + }, + { + "architecture": "SCMP_ARCH_MIPS64", + "subArchitectures": [ + "SCMP_ARCH_MIPS", + "SCMP_ARCH_MIPS64N32" + ] + }, + { + "architecture": "SCMP_ARCH_MIPS64N32", + "subArchitectures": [ + "SCMP_ARCH_MIPS", + "SCMP_ARCH_MIPS64" + ] + }, + { + "architecture": "SCMP_ARCH_MIPSEL64", + "subArchitectures": [ + "SCMP_ARCH_MIPSEL", + "SCMP_ARCH_MIPSEL64N32" + ] + }, + { + "architecture": "SCMP_ARCH_MIPSEL64N32", + "subArchitectures": [ + "SCMP_ARCH_MIPSEL", + "SCMP_ARCH_MIPSEL64" + ] + }, + { + "architecture": "SCMP_ARCH_S390X", + "subArchitectures": [ + "SCMP_ARCH_S390" + ] + } + ], + "syscalls": [ + { + "names": [ + "accept", + "accept4", + "access", + "adjtimex", + "alarm", + "bind", + "brk", + "capget", + "capset", + "chdir", + "chmod", + "chown", + "chown32", + "clock_adjtime", + "clock_adjtime64", + "clock_getres", + "clock_getres_time64", + "clock_gettime", + "clock_gettime64", + "clock_nanosleep", + "clock_nanosleep_time64", + "close", + "close_range", + "connect", + "copy_file_range", + "creat", + "dup", + "dup2", + "dup3", + "epoll_create", + "epoll_create1", + "epoll_ctl", + "epoll_ctl_old", + "epoll_pwait", + "epoll_pwait2", + "epoll_wait", + "epoll_wait_old", + "eventfd", + "eventfd2", + "execve", + "execveat", + "exit", + "exit_group", + "faccessat", + "faccessat2", + "fadvise64", + "fadvise64_64", + "fallocate", + "fanotify_mark", + "fchdir", + "fchmod", + "fchmodat", + "fchown", + "fchown32", + "fchownat", + "fcntl", + 
"fcntl64", + "fdatasync", + "fgetxattr", + "flistxattr", + "flock", + "fork", + "fremovexattr", + "fsetxattr", + "fstat", + "fstat64", + "fstatat64", + "fstatfs", + "fstatfs64", + "fsync", + "ftruncate", + "ftruncate64", + "futex", + "futex_time64", + "futimesat", + "getcpu", + "getcwd", + "getdents", + "getdents64", + "getegid", + "getegid32", + "geteuid", + "geteuid32", + "getgid", + "getgid32", + "getgroups", + "getgroups32", + "getitimer", + "getpeername", + "getpgid", + "getpgrp", + "getpid", + "getppid", + "getpriority", + "getrandom", + "getresgid", + "getresgid32", + "getresuid", + "getresuid32", + "getrlimit", + "get_robust_list", + "getrusage", + "getsid", + "getsockname", + "getsockopt", + "get_thread_area", + "gettid", + "gettimeofday", + "getuid", + "getuid32", + "getxattr", + "inotify_add_watch", + "inotify_init", + "inotify_init1", + "inotify_rm_watch", + "ioctl", + "ioprio_get", + "ioprio_set", + "ipc", + "kill", + "lchown", + "lchown32", + "lgetxattr", + "link", + "linkat", + "listen", + "listxattr", + "llistxattr", + "_llseek", + "lremovexattr", + "lseek", + "lsetxattr", + "lstat", + "lstat64", + "madvise", + "membarrier", + "memfd_create", + "mincore", + "mkdir", + "mkdirat", + "mknod", + "mknodat", + "mlock", + "mlock2", + "mlockall", + "mmap", + "mmap2", + "mprotect", + "mremap", + "msgctl", + "msgget", + "msgrcv", + "msgsnd", + "msync", + "munlock", + "munlockall", + "munmap", + "nanosleep", + "newfstatat", + "_newselect", + "open", + "openat", + "openat2", + "pause", + "pidfd_open", + "pidfd_send_signal", + "pipe", + "pipe2", + "poll", + "ppoll", + "ppoll_time64", + "prctl", + "pread64", + "preadv", + "preadv2", + "prlimit64", + "pselect6", + "pselect6_time64", + "pwrite64", + "pwritev", + "pwritev2", + "read", + "readahead", + "readlink", + "readlinkat", + "readv", + "recv", + "recvfrom", + "recvmmsg", + "recvmmsg_time64", + "recvmsg", + "remap_file_pages", + "removexattr", + "rename", + "renameat", + "renameat2", + "restart_syscall", + 
"rmdir", + "rseq", + "rt_sigaction", + "rt_sigpending", + "rt_sigprocmask", + "rt_sigqueueinfo", + "rt_sigreturn", + "rt_sigsuspend", + "rt_sigtimedwait", + "rt_sigtimedwait_time64", + "rt_tgsigqueueinfo", + "sched_getaffinity", + "sched_getattr", + "sched_getparam", + "sched_get_priority_max", + "sched_get_priority_min", + "sched_getscheduler", + "sched_rr_get_interval", + "sched_rr_get_interval_time64", + "sched_setaffinity", + "sched_setattr", + "sched_setparam", + "sched_setscheduler", + "sched_yield", + "seccomp", + "select", + "semctl", + "semget", + "semop", + "semtimedop", + "semtimedop_time64", + "send", + "sendfile", + "sendfile64", + "sendmmsg", + "sendmsg", + "sendto", + "setfsgid", + "setfsgid32", + "setfsuid", + "setfsuid32", + "setgid", + "setgid32", + "setgroups", + "setgroups32", + "setitimer", + "setpgid", + "setpriority", + "setregid", + "setregid32", + "setresgid", + "setresgid32", + "setresuid", + "setresuid32", + "setreuid", + "setreuid32", + "setrlimit", + "set_robust_list", + "setsid", + "setsockopt", + "set_thread_area", + "set_tid_address", + "setuid", + "setuid32", + "setxattr", + "shmat", + "shmctl", + "shmdt", + "shmget", + "shutdown", + "sigaltstack", + "signalfd", + "signalfd4", + "sigprocmask", + "sigreturn", + "socket", + "socketcall", + "socketpair", + "splice", + "stat", + "stat64", + "statfs", + "statfs64", + "statx", + "symlink", + "symlinkat", + "sync", + "sync_file_range", + "syncfs", + "sysinfo", + "tee", + "tgkill", + "time", + "timer_create", + "timer_delete", + "timer_getoverrun", + "timer_gettime", + "timer_gettime64", + "timer_settime", + "timer_settime64", + "timerfd_create", + "timerfd_gettime", + "timerfd_gettime64", + "timerfd_settime", + "timerfd_settime64", + "times", + "tkill", + "truncate", + "truncate64", + "ugetrlimit", + "umask", + "uname", + "unlink", + "unlinkat", + "utime", + "utimensat", + "utimensat_time64", + "utimes", + "vfork", + "vmsplice", + "wait4", + "waitid", + "waitpid", + "write", + "writev" + 
], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": {}, + "excludes": {} + }, + { + "names": [ + "arch_prctl" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "arches": [ + "amd64", + "x32" + ] + }, + "excludes": {} + }, + { + "names": [ + "bpf", + "clone", + "fanotify_init", + "fsconfig", + "fsmount", + "fsopen", + "fspick", + "lookup_dcookie", + "mount", + "move_mount", + "name_to_handle_at", + "open_tree", + "perf_event_open", + "quotactl", + "setdomainname", + "sethostname", + "setns", + "syslog", + "umount", + "umount2", + "unshare" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYS_ADMIN" + ] + }, + "excludes": {} + }, + { + "names": [ + "clone" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 2114060288, + "op": "SCMP_CMP_MASKED_EQ" + } + ], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_ADMIN" + ], + "arches": [ + "s390", + "s390x" + ] + } + }, + { + "names": [ + "clone" + ], + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 1, + "value": 2114060288, + "op": "SCMP_CMP_MASKED_EQ" + } + ], + "comment": "s390 parameter ordering for clone is different", + "includes": { + "arches": [ + "s390", + "s390x" + ] + }, + "excludes": { + "caps": [ + "CAP_SYS_ADMIN" + ] + } + }, + { + "names": [ + "syslog" + ], + "action": "SCMP_ACT_ALLOW", + "args": [], + "comment": "", + "includes": { + "caps": [ + "CAP_SYSLOG" + ] + }, + "excludes": {} + } + ] + } diff --git a/helm/openwhisk/templates/seccomp-pod.yaml b/helm/openwhisk/templates/seccomp-pod.yaml new file mode 100644 index 00000000..8a4b6626 --- /dev/null +++ b/helm/openwhisk/templates/seccomp-pod.yaml 
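Review bot: Both profiles are written in Docker's extended seccomp JSON (`archMap`, `includes`/`excludes` keyed on `caps` and `arches`, `comment`), but kubelet hands a localhost profile to the container runtime, and the OCI runtime-spec format that CRI runtimes (containerd, CRI-O) parse has no such keys — if they are silently dropped on load, every rule gated on `CAP_SYS_ADMIN` (`mount`, `setns`, `unshare`, `bpf`, `perf_event_open`, …) becomes an unconditional allow and the `clone` flag filter applies to every architecture; please verify against the target runtime and, if needed, ship the runtime-spec form. The invoker profile additionally allows `setuid`/`setgid` unconditionally at the head of its list and lacks the s390 `clone` variant that the controller profile carries, so the two have already diverged from whichever upstream they were copied from. A header comment in the template naming the source profile and its version (placeholder: `# derived from <source>/<version>; local changes: …`) would make future diffs against upstream reviewable.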
@@ -0,0 +1,37 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: {{ .Release.Name }}-seccomp
+ labels:
+ name: {{ .Release.Name }}-seccomp
+{{ include "openwhisk.label_boilerplate" . | indent 4 }}
+spec:
+ selector:
+ matchLabels:
+ name: {{ .Release.Name }}-seccomp
+ template:
+ metadata:
+ labels:
+ name: {{ .Release.Name }}-seccomp
+ spec:
+ initContainers:
+ - name: installer
+ image: alpine:3.10.0
+ command: ["/bin/sh", "-c", "cp -r -L /seccomp/*.json /host/seccomp/"]
+ volumeMounts:
+ - name: profiles
+ mountPath: /seccomp
+ - name: hostseccomp
+ mountPath: /host/seccomp
+ readOnly: false
+ containers:
+ - name: pause
+ image: k8s.gcr.io/pause:3.1
+ terminationGracePeriodSeconds: 5
+ volumes:
+ - name: hostseccomp
+ hostPath:
+ path: /var/lib/kubelet/seccomp
+ - name: profiles
+ configMap:
+ name: {{ .Release.Name }}-seccomp-profile
diff --git a/helm/openwhisk/templates/zookeeper-pod.yaml b/helm/openwhisk/templates/zookeeper-pod.yaml
index 1f01d73a..277162ff 100644
--- a/helm/openwhisk/templates/zookeeper-pod.yaml
+++ b/helm/openwhisk/templates/zookeeper-pod.yaml
@@ -75,7 +75,10 @@ spec:
 containerPort: {{ .Values.zookeeper.serverPort }}
 - name: leader-election
 containerPort: {{ .Values.zookeeper.leaderElectionPort }}
-
+{{- if .Values.zookeeper.resources }}
+ resources:
+{{ toYaml .Values.zookeeper.resources | indent 10 }}
+{{- end }}
 livenessProbe:
 tcpSocket:
 port: {{ .Values.zookeeper.port }}
diff --git a/helm/openwhisk/values.yaml b/helm/openwhisk/values.yaml
index bc748ff2..f893f933 100644
--- a/helm/openwhisk/values.yaml
+++ b/helm/openwhisk/values.yaml
@@ -185,6 +185,7 @@ zookeeper:
 syncLimit: 2
 dataDir: "/data"
 dataLogDir: "/datalog"
+ resources: ~
 # kafka configurations
 kafka:
@@ -198,6 +199,7 @@ kafka:
 port: 9092
 persistence:
 size: 512Mi
+ resources: ~
 # Database configuration
 db:
@@ -245,6 +247,7 @@ nginx:
 cert_file: ""
 key_file: ""
 sslPassword: ""
+ resources: ~
 # Controller configurations
 controller:
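Review bot: The DaemonSet copies the profiles into the kubelet's `/var/lib/kubelet/seccomp` hostPath once, from the `installer` init container, then idles in a pause container; a later change to the ConfigMap is not written to the node until the DaemonSet pods are recreated, so the controller and invoker can keep running under a stale profile with nothing indicating it. Add a checksum annotation to the pod template, e.g. `checksum/profiles: {{ include (print $.Template.BasePath "/seccomp-cm.yaml") . | sha256sum }}`, so a profile edit rolls the DaemonSet. The resource is also rendered unconditionally, giving every install a hostPath-writing DaemonSet even when no component sets `secure`; wrapping the file in `{{- if or .Values.controller.secure .Values.invoker.secure }}` limits that to users who opted in. `alpine:3.10.0` is an end-of-life release pinned only for a `cp`; a maintained tag (or a minimal busybox image) keeps the one container that writes to the host current.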
@@ -258,6 +261,8 @@ controller:
 jvmHeapMB: "1024"
 jvmOptions: ""
 loglevel: "INFO"
+ resources: ~
+ secure: false
 # Invoker configurations
 invoker:
@@ -288,6 +293,9 @@ invoker:
 kubernetes:
 isolateUserActions: true
 replicaCount: 1
+ resources: ~
+ secure: false
+ extraCaps: []
 # API Gateway configurations
 apigw:
@@ -299,6 +307,8 @@ apigw:
 restartPolicy: "Always"
 apiPort: 9000
 mgmtPort: 8080
+ resources: ~
+ secure: false
 # Redis (used by apigateway)
 redis:
@@ -313,6 +323,7 @@ redis:
 port: 6379
 persistence:
 size: 256Mi
+ resources: ~
 # User-events configuration
 user_events:
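Review bot: The new `secure`, `extraCaps` and `resources` keys are added without a comment, so a reader of values.yaml cannot tell that `secure: true` drops all capabilities and applies the chart's seccomp profile through the DaemonSet, that it is ignored for the controller when `lean` is set, or that the invoker still gets `SYS_ADMIN` back. Add a short comment above each, e.g. `# secure: drop all Linux capabilities and apply the chart-provided seccomp profile (see templates/seccomp-*.yaml)` and `# extraCaps: capabilities to add back when secure is true`. The `resources: ~` entries would benefit from a pointer to the expected shape (`# resources: container resources block, e.g. {requests: {cpu: ..., memory: ...}, limits: {...}}`), since `~` gives no hint that a mapping is expected.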