Skip to content

Commit 1dd9746

Browse files
jshum2479rjeberhard
jshum2479
authored and
rjeberhard
committed
Add readonly root file system support for operator and webhook pods.
1 parent 9fcb076 commit 1dd9746

File tree

3 files changed

+91
-2
lines changed

3 files changed

+91
-2
lines changed

kubernetes/charts/weblogic-operator/templates/_operator-dep.tpl

Lines changed: 47 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -52,6 +52,16 @@ spec:
5252
tolerations:
5353
{{- toYaml . | nindent 8 }}
5454
{{- end }}
55+
initContainers:
56+
- name: "copy-container"
57+
image: {{ .image | quote }}
58+
imagePullPolicy: "IfNotPresent"
59+
command: ["/bin/sh", "-c", "cp /deployment/* /deployment_copy && cp /probes/* /probes_copy"]
60+
volumeMounts:
61+
- name: "deployment-volume"
62+
mountPath: "/deployment_copy"
63+
- name: "probes-volume"
64+
mountPath: "/probes_copy"
5565
containers:
5666
- name: "weblogic-operator"
5767
image: {{ .image | quote }}
@@ -129,6 +139,7 @@ spec:
129139
runAsUser: {{ .runAsUser | default 1000 }}
130140
{{- end }}
131141
runAsNonRoot: true
142+
readOnlyRootFilesystem: true
132143
privileged: false
133144
allowPrivilegeEscalation: false
134145
capabilities:
@@ -141,6 +152,12 @@ spec:
141152
- name: "weblogic-operator-secrets-volume"
142153
mountPath: "/deployment/secrets"
143154
readOnly: true
155+
- name: "deployment-volume"
156+
mountPath: "/deployment"
157+
- name: "log-volume"
158+
mountPath: "/logs"
159+
- name: "probes-volume"
160+
mountPath: "/probes"
144161
{{- if and .elkIntegrationEnabled .operatorLogPVC }}
145162
{{- fail "Error: elkIntegrationEnabled and opeatorLogPVC cannot be set at the same time."}}
146163
{{- else if .elkIntegrationEnabled }}
@@ -201,6 +218,12 @@ spec:
201218
- name: "weblogic-operator-secrets-volume"
202219
secret:
203220
secretName: "weblogic-operator-secrets"
221+
- name: "deployment-volume"
222+
emptyDir: {}
223+
- name: "log-volume"
224+
emptyDir: {}
225+
- name: "probes-volume"
226+
emptyDir: {}
204227
{{- if .elkIntegrationEnabled }}
205228
- name: "log-dir"
206229
emptyDir:
@@ -229,6 +252,7 @@ spec:
229252
persistentVolumeClaim:
230253
claimName: {{ .operatorLogPVC }}
231254
{{- end }}
255+
232256
{{- end }}
233257
---
234258
{{ $chartVersion := .Chart.Version }}
@@ -311,6 +335,16 @@ spec:
311335
tolerations:
312336
{{- toYaml . | nindent 12 }}
313337
{{- end }}
338+
initContainers:
339+
- name: "copy-container"
340+
image: {{ .image | quote }}
341+
imagePullPolicy: "IfNotPresent"
342+
command: ["/bin/sh", "-c", "cp /deployment/* /deployment_copy && cp /probes/* /probes_copy"]
343+
volumeMounts:
344+
- name: "deployment-volume"
345+
mountPath: "/deployment_copy"
346+
- name: "probes-volume"
347+
mountPath: "/probes_copy"
314348
containers:
315349
- name: "weblogic-operator-webhook"
316350
image: {{ .image | quote }}
@@ -374,6 +408,7 @@ spec:
374408
runAsNonRoot: true
375409
privileged: false
376410
allowPrivilegeEscalation: false
411+
readOnlyRootFilesystem: true
377412
capabilities:
378413
drop: ["ALL"]
379414
volumeMounts:
@@ -382,6 +417,12 @@ spec:
382417
- name: "weblogic-webhook-secrets-volume"
383418
mountPath: "/deployment/secrets"
384419
readOnly: true
420+
- name: "deployment-volume"
421+
mountPath: "/deployment"
422+
- name: "log-volume"
423+
mountPath: "/logs"
424+
- name: "probes-volume"
425+
mountPath: "/probes"
385426
{{- if and .elkIntegrationEnabled .operatorLogPVC }}
386427
{{- fail "Error: elkIntegrationEnabled and opeatorLogPVC cannot be set at the same time."}}
387428
{{- else if .elkIntegrationEnabled }}
@@ -437,6 +478,12 @@ spec:
437478
- name: "weblogic-webhook-secrets-volume"
438479
secret:
439480
secretName: "weblogic-webhook-secrets"
481+
- name: "deployment-volume"
482+
emptyDir: {}
483+
- name: "log-volume"
484+
emptyDir: {}
485+
- name: "probes-volume"
486+
emptyDir: {}
440487
{{- if .elkIntegrationEnabled }}
441488
- name: "log-dir"
442489
emptyDir:

kubernetes/charts/weblogic-operator/values.yaml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -288,3 +288,4 @@ clusterSizePaddingValidationEnabled: true
288288

289289
# operatorLogMount specifies the operator logging volumeMount. The operator will mount this path with the operatorLogPVC
290290
#operatorLogMount:
291+

kubernetes/src/test/java/oracle/kubernetes/operator/create/CreateOperatorGeneratedFilesTestBase.java

Lines changed: 43 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,7 @@
1313
import io.kubernetes.client.openapi.models.V1Container;
1414
import io.kubernetes.client.openapi.models.V1Deployment;
1515
import io.kubernetes.client.openapi.models.V1DeploymentStrategy;
16+
import io.kubernetes.client.openapi.models.V1EmptyDirVolumeSource;
1617
import io.kubernetes.client.openapi.models.V1EnvVarSource;
1718
import io.kubernetes.client.openapi.models.V1ExecAction;
1819
import io.kubernetes.client.openapi.models.V1LabelSelector;
@@ -222,6 +223,20 @@ protected V1Deployment getExpectedWeblogicOperatorDeployment() {
222223
.serviceAccountName(getInputs().getServiceAccount())
223224
.securityContext(new V1PodSecurityContext().seccompProfile(
224225
new V1SeccompProfile().type("RuntimeDefault")))
226+
.addInitContainersItem(
227+
newContainer()
228+
.name("copy-container")
229+
.image(getInputs().getWeblogicOperatorImage())
230+
.imagePullPolicy("IfNotPresent")
231+
.addCommandItem("/bin/sh")
232+
.addCommandItem("-c")
233+
.addCommandItem(
234+
"cp /deployment/* /deployment_copy && cp /probes/* /probes_copy")
235+
.addVolumeMountsItem(
236+
newVolumeMount().name("deployment-volume").mountPath("/deployment_copy"))
237+
.addVolumeMountsItem(
238+
newVolumeMount().name("probes-volume").mountPath("/probes_copy"))
239+
)
225240
.addContainersItem(
226241
newContainer()
227242
.name("weblogic-operator")
@@ -280,6 +295,7 @@ protected V1Deployment getExpectedWeblogicOperatorDeployment() {
280295
.securityContext(
281296
new V1SecurityContext().runAsUser(1000L)
282297
.runAsNonRoot(true)
298+
.readOnlyRootFilesystem(true)
283299
.privileged(false).allowPrivilegeEscalation(false)
284300
.capabilities(new V1Capabilities().addDropItem("ALL")))
285301
.addVolumeMountsItem(
@@ -294,7 +310,19 @@ protected V1Deployment getExpectedWeblogicOperatorDeployment() {
294310
newVolumeMount()
295311
.name("weblogic-operator-secrets-volume")
296312
.mountPath("/deployment/secrets")
297-
.readOnly(true)))
313+
.readOnly(true))
314+
.addVolumeMountsItem(
315+
newVolumeMount()
316+
.name("deployment-volume")
317+
.mountPath("/deployment"))
318+
.addVolumeMountsItem(
319+
newVolumeMount()
320+
.name("log-volume")
321+
.mountPath("/logs"))
322+
.addVolumeMountsItem(
323+
newVolumeMount()
324+
.name("probes-volume")
325+
.mountPath("/probes")))
298326
.addVolumesItem(
299327
newVolume()
300328
.name("weblogic-operator-cm-volume")
@@ -313,7 +341,20 @@ protected V1Deployment getExpectedWeblogicOperatorDeployment() {
313341
.name("weblogic-operator-secrets-volume")
314342
.secret(
315343
newSecretVolumeSource()
316-
.secretName("weblogic-operator-secrets"))))));
344+
.secretName("weblogic-operator-secrets")))
345+
.addVolumesItem(
346+
newVolume()
347+
.name("deployment-volume")
348+
.emptyDir(new V1EmptyDirVolumeSource()))
349+
.addVolumesItem(
350+
newVolume()
351+
.name("log-volume")
352+
.emptyDir(new V1EmptyDirVolumeSource()))
353+
.addVolumesItem(
354+
newVolume()
355+
.name("probes-volume")
356+
.emptyDir(new V1EmptyDirVolumeSource()))
357+
)));
317358
}
318359

319360
void expectProbes(V1Container container) {

0 commit comments

Comments
 (0)