[keycloak] Fix iptables permission denied error on Istio 1.1.2 and below (#25)

denniseffing · unguiculus · commit 9e530e438e42 · 2019-05-15T15:28:51.000+02:00
Istio 1.1.2 and below does not include an explicit security context configuration for its init containers. They instead inherit the security context configuration defined on the PodSpecification level. This change splits security context config into separate pod and container security contexts. This allows for a more fine grained security context configuration and is less obtrusive regarding additionally injected containers. Fixes: #24 Signed-off-by: Dennis Effing <dennis.effing@codecentric.de>
diff --git a/charts/keycloak/Chart.yaml b/charts/keycloak/Chart.yaml
@@ -1,5 +1,5 @@
 name: keycloak
-version: 4.13.1
+version: 4.13.2
 appVersion: 5.0.0
 description: Open Source Identity and Access Management For Modern Applications and Services
 keywords:
diff --git a/charts/keycloak/README.md b/charts/keycloak/README.md
@@ -70,7 +70,8 @@ Parameter | Description | Default
 `keycloak.podAnnotations` | Extra annotations to add to pod | `{}`
 `keycloak.hostAliases` | Mapping between IP and hostnames that will be injected as entries in the pod's hosts files | `[]`
 `keycloak.enableServiceLinks` | Indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links | `false`
-`keycloak.securityContext` | Security context for the pod | `{runAsUser: 1000, fsGroup: 1000, runAsNonRoot: true}`
+`keycloak.securityContext` | Security context for the entire pod. Every container running in the pod will inherit this security context. This might be relevant when other components of the environment inject additional containers into running pods (service meshs are the most prominent example for this) | `{fsGroup: 1000}`
+`keycloak.containerSecurityContext` | Security context for containers running in the pod. Will not be inherited by additionally injected containers | `{runAsUser: 1000, runAsNonRoot: true}`
 `keycloak.preStartScript` | Custom script to run before Keycloak starts up | ``
 `keycloak.lifecycleHooks` | Container lifecycle hooks. Passed through the `tpl` function and thus to be configured a string | ``
 `keycloak.extraArgs` | Additional arguments to the start command | ``
@@ -117,7 +118,8 @@ Parameter | Description | Default
 `test.image.repository` | Test image repository | `unguiculus/docker-python3-phantomjs-selenium`
 `test.image.tag` | Test image tag | `v1`
 `test.image.pullPolicy` | Test image pull policy | `IfNotPresent`
-`test.securityContext` | Security context for the test pod | `{runAsUser: 1000, fsGroup: 1000, runAsNonRoot: true}`
+`test.securityContext` | Security context for the test pod. Every container running in the pod will inherit this security context. This might be relevant when other components of the environment inject additional containers into the running pod (service meshs are the most prominent example for this) | `{fsGroup: 1000}`
+`test.containerSecurityContext` | Security context for containers running in the test pod. Will not be inherited by additionally injected containers | `{runAsUser: 1000, runAsNonRoot: true}`
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
 
diff --git a/charts/keycloak/templates/statefulset.yaml b/charts/keycloak/templates/statefulset.yaml
@@ -51,6 +51,8 @@ spec:
         - name: wait-for-postgresql
           image: "{{ .Values.init.image.repository }}:{{ .Values.init.image.tag }}"
           imagePullPolicy: {{ .Values.init.image.pullPolicy }}
+          securityContext:
+{{ toYaml .Values.keycloak.containerSecurityContext | indent 12 }}
           command:
             - sh
             - -c
@@ -69,6 +71,8 @@ spec:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.keycloak.image.repository }}:{{ .Values.keycloak.image.tag }}"
           imagePullPolicy: {{ .Values.keycloak.image.pullPolicy }}
+          securityContext:
+{{ toYaml .Values.keycloak.containerSecurityContext | indent 12 }}
           command:
             - /scripts/keycloak.sh
         {{- if .Values.keycloak.lifecycleHooks }}
diff --git a/charts/keycloak/templates/test/test-pod.yaml b/charts/keycloak/templates/test/test-pod.yaml
@@ -13,11 +13,13 @@ metadata:
     "helm.sh/hook": test-success
 spec:
   securityContext:
-{{ toYaml .Values.test.securityContext | indent 8 }}
+{{ toYaml .Values.test.securityContext | indent 4 }}
   containers:
     - name: {{ .Chart.Name }}-test
       image: "{{ .Values.test.image.repository }}:{{ .Values.test.image.tag }}"
       imagePullPolicy: {{ .Values.test.image.pullPolicy }}
+      securityContext:  
+{{ toYaml .Values.test.containerSecurityContext | indent 8 }}
       command:
         - python3
         - /tests/test.py
diff --git a/charts/keycloak/values.yaml b/charts/keycloak/values.yaml
@@ -29,8 +29,10 @@ keycloak:
   enableServiceLinks: false
 
   securityContext:
-    runAsUser: 1000
     fsGroup: 1000
+
+  containerSecurityContext:
+    runAsUser: 1000
     runAsNonRoot: true
 
   ## The path keycloak will be served from. To serve keycloak from the root path, use two quotes (e.g. "").
@@ -288,6 +290,7 @@ test:
     tag: v1
     pullPolicy: IfNotPresent
   securityContext:
-    runAsUser: 1000
     fsGroup: 1000
+  containerSecurityContext:
+    runAsUser: 1000
     runAsNonRoot: true
