From a5fcfa6e17b11262c2503349cf653cb4e23147ff Mon Sep 17 00:00:00 2001 From: eli Date: Mon, 27 Nov 2023 11:54:03 -0800 Subject: [PATCH 1/8] Change /tmp/ansible-operator/runner volume mount path to just /tmp so other services may write to ephemeral volume --- kiali-operator/templates/deployment.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/kiali-operator/templates/deployment.yaml b/kiali-operator/templates/deployment.yaml index c21c918..b7a8a17 100644 --- a/kiali-operator/templates/deployment.yaml +++ b/kiali-operator/templates/deployment.yaml @@ -66,8 +66,8 @@ spec: - ALL {{- end }} volumeMounts: - - mountPath: /tmp/ansible-operator/runner - name: runner + - mountPath: /tmp + name: tmp env: - name: WATCH_NAMESPACE value: {{ .Values.watchNamespace | default "\"\"" }} @@ -120,7 +120,7 @@ spec: {{- toYaml .Values.resources | nindent 10 }} {{- end }} volumes: - - name: runner + - name: tmp emptyDir: {} affinity: {{- toYaml .Values.affinity | nindent 8 }} From 755bc0557256687966820ad37e9a0858a9a93ae5 Mon Sep 17 00:00:00 2001 From: eli Date: Tue, 28 Nov 2023 16:26:29 -0800 Subject: [PATCH 2/8] mount emptyDir to ansible tmp directory --- kiali-operator/templates/deployment.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/kiali-operator/templates/deployment.yaml b/kiali-operator/templates/deployment.yaml index b7a8a17..1525838 100644 --- a/kiali-operator/templates/deployment.yaml +++ b/kiali-operator/templates/deployment.yaml @@ -68,6 +68,8 @@ spec: volumeMounts: - mountPath: /tmp name: tmp + - mountPath: /opt/ansible/.ansible/tmp + name: ansible-tmp env: - name: WATCH_NAMESPACE value: {{ .Values.watchNamespace | default "\"\"" }} @@ -122,6 +124,8 @@ spec: volumes: - name: tmp emptyDir: {} + - name: ansible-tmp + emptyDir: {} affinity: {{- toYaml .Values.affinity | nindent 8 }} ... From abc433e60b794ca81d13bc7b7775b9de0cb33f6e Mon Sep 17 00:00:00 2001 
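Review bot: The `tmp` emptyDir in the volumes hunk has no `sizeLimit`, and after this patch it backs all of `/tmp` and is explicitly meant to be shared with other writers, so a runaway writer into the container's only scratch space can consume node ephemeral storage until the kubelet evicts the pod. Bound it, e.g. `emptyDir:` / `  sizeLimit: 1Gi` (sized for the runner artifacts that previously lived under `/tmp/ansible-operator/runner`), or at least confirm that `.Values.resources`, which is not visible here, carries an `ephemeral-storage` limit. Mounting the volume over the whole `/tmp` also shadows anything the image ships in that directory; if that is intended, a short comment on the mount saying so would save the next reader the question.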
From: eli Date: Wed, 29 Nov 2023 11:05:21 -0800 Subject: [PATCH 3/8] remove opt mount and create env variable for ANSIBlE_LOCAL_TEMP --- kiali-operator/templates/deployment.yaml | 6 ++---- kiali-operator/values.yaml | 5 +++++ 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/kiali-operator/templates/deployment.yaml b/kiali-operator/templates/deployment.yaml index 1525838..39abea8 100644 --- a/kiali-operator/templates/deployment.yaml +++ b/kiali-operator/templates/deployment.yaml @@ -68,8 +68,6 @@ spec: volumeMounts: - mountPath: /tmp name: tmp - - mountPath: /opt/ansible/.ansible/tmp - name: ansible-tmp env: - name: WATCH_NAMESPACE value: {{ .Values.watchNamespace | default "\"\"" }} @@ -85,6 +83,8 @@ spec: value: {{ .Values.allowAdHocKialiNamespace | quote }} - name: ALLOW_AD_HOC_KIALI_IMAGE value: {{ .Values.allowAdHocKialiImage | quote }} + - name: ANSIBLE_LOCAL_TEMP + value: {{ .Values.localAnsibleTmpPath | quote }} {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} - name: ALLOW_AD_HOC_OSSMCONSOLE_IMAGE value: {{ .Values.allowAdHocOSSMConsoleImage | quote }} @@ -124,8 +124,6 @@ spec: volumes: - name: tmp emptyDir: {} - - name: ansible-tmp - emptyDir: {} affinity: {{- toYaml .Values.affinity | nindent 8 }} ... diff --git a/kiali-operator/values.yaml b/kiali-operator/values.yaml index 0827938..9dd372e 100644 --- a/kiali-operator/values.yaml +++ b/kiali-operator/values.yaml 
@@ -89,6 +89,11 @@ allowSecurityContextOverride: false # Note that this will be overriden to "true" if cr.create is true and cr.spec.deployment.accessible_namespaces is ['**']. allowAllAccessibleNamespaces: true +# localAnsibleTmpPath is the path of the local Ansible temp directory. This sets the ANSIBLE_LOCAL_TEMP variable which +# in turn sets the DEFAULT_LOCAL_TMP configuration. An emptyDir is mounted to /tmp for the kiali-operator container. +# Ansible needs write access on this directory so modifying it might have implications if read-only root filesystem is enabled. +localAnsibleTmpPath: /tmp + # accessibleNamespacesLabel restricts the namespaces that a user can add to the Kiali CR spec.deployment.accessible_namespaces. # This value is either an empty string (which disables this feature) or a label name with an optional label value # (e.g. "mylabel" or "mylabel=myvalue"). Only namespaces that have that label will be permitted in From f65930bccbe2291d1f2d133fd6fe8c7d2c7e990c Mon Sep 17 00:00:00 2001 From: eli Date: Wed, 29 Nov 2023 11:14:59 -0800 Subject: [PATCH 4/8] Update localAnsibleTmpPath default value to /tmp/ansible/tmp for better organization --- kiali-operator/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kiali-operator/values.yaml b/kiali-operator/values.yaml index 9dd372e..9539757 100644 --- a/kiali-operator/values.yaml +++ b/kiali-operator/values.yaml 
@@ -92,7 +92,7 @@ allowAllAccessibleNamespaces: true # localAnsibleTmpPath is the path of the local Ansible temp directory. This sets the ANSIBLE_LOCAL_TEMP variable which # in turn sets the DEFAULT_LOCAL_TMP configuration. An emptyDir is mounted to /tmp for the kiali-operator container. # Ansible needs write access on this directory so modifying it might have implications if read-only root filesystem is enabled. -localAnsibleTmpPath: /tmp +localAnsibleTmpPath: /tmp/ansible/tmp # accessibleNamespacesLabel restricts the namespaces that a user can add to the Kiali CR spec.deployment.accessible_namespaces. # This value is either an empty string (which disables this feature) or a label name with an optional label value From f6084c3107c28158952b62dff6efe805f9cba856 Mon Sep 17 00:00:00 2001 From: eli Date: Wed, 29 Nov 2023 11:48:26 -0800 Subject: [PATCH 5/8] read-only filesystem enabled by default --- kiali-operator/templates/deployment.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/kiali-operator/templates/deployment.yaml b/kiali-operator/templates/deployment.yaml index 39abea8..09ad53a 100644 --- a/kiali-operator/templates/deployment.yaml +++ b/kiali-operator/templates/deployment.yaml @@ -61,6 +61,7 @@ spec: allowPrivilegeEscalation: false privileged: false runAsNonRoot: true + readOnlyRootFilesystem: true capabilities: drop: - ALL From ad9b4d5d47023a7f818c8f6a6b6c983ec1c35d1b Mon Sep 17 00:00:00 2001 From: eli Date: Wed, 29 Nov 2023 14:20:16 -0800 Subject: [PATCH 6/8] hardcode ANSIBLE_LOCAL_TEMP to prevent changes --- kiali-operator/templates/deployment.yaml | 2 +- kiali-operator/values.yaml | 5 ----- 2 files changed, 1 insertion(+), 6 deletions(-) diff --git a/kiali-operator/templates/deployment.yaml b/kiali-operator/templates/deployment.yaml index 09ad53a..fc2aaf5 100644 --- a/kiali-operator/templates/deployment.yaml +++ b/kiali-operator/templates/deployment.yaml 
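Review bot: `readOnlyRootFilesystem: true` is added inside a securityContext that appears to be one branch of a conditional (the earlier hunks show a `{{- end }}` closing it right before `volumeMounts`), so the hardening is silently absent whenever the other branch renders; either emit it unconditionally or document the knob that can drop it. The visible block drops all capabilities and sets `runAsNonRoot`/`allowPrivilegeEscalation` but shows no `seccompProfile`; if it is not set above line 61, adding `seccompProfile:` / `  type: RuntimeDefault` would bring the container in line with the restricted Pod Security Standard. With the root filesystem read-only, every path Ansible writes must land on the `tmp` emptyDir, so a comment here naming that dependency, e.g. `# requires ANSIBLE_LOCAL_TEMP to stay under the /tmp emptyDir`, would keep the two settings from drifting apart.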
@@ -85,7 +85,7 @@ spec: - name: ALLOW_AD_HOC_KIALI_IMAGE value: {{ .Values.allowAdHocKialiImage | quote }} - name: ANSIBLE_LOCAL_TEMP - value: {{ .Values.localAnsibleTmpPath | quote }} + value: "/tmp/ansible/tmp" {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} - name: ALLOW_AD_HOC_OSSMCONSOLE_IMAGE value: {{ .Values.allowAdHocOSSMConsoleImage | quote }} diff --git a/kiali-operator/values.yaml b/kiali-operator/values.yaml index 9539757..0827938 100644 --- a/kiali-operator/values.yaml +++ b/kiali-operator/values.yaml @@ -89,11 +89,6 @@ allowSecurityContextOverride: false # Note that this will be overriden to "true" if cr.create is true and cr.spec.deployment.accessible_namespaces is ['**']. allowAllAccessibleNamespaces: true -# localAnsibleTmpPath is the path of the local Ansible temp directory. This sets the ANSIBLE_LOCAL_TEMP variable which -# in turn sets the DEFAULT_LOCAL_TMP configuration. An emptyDir is mounted to /tmp for the kiali-operator container. -# Ansible needs write access on this directory so modifying it might have implications if read-only root filesystem is enabled. -localAnsibleTmpPath: /tmp/ansible/tmp - # accessibleNamespacesLabel restricts the namespaces that a user can add to the Kiali CR spec.deployment.accessible_namespaces. # This value is either an empty string (which disables this feature) or a label name with an optional label value # (e.g. "mylabel" or "mylabel=myvalue"). Only namespaces that have that label will be permitted in From 1834c368015de05c8f35d2559ea2581603fed1ea Mon Sep 17 00:00:00 2001 From: eli Date: Wed, 29 Nov 2023 14:38:20 -0800 Subject: [PATCH 7/8] move ANSIBLE_LOCAL_TEMP down with other ansible env vars --- kiali-operator/templates/deployment.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kiali-operator/templates/deployment.yaml b/kiali-operator/templates/deployment.yaml index fc2aaf5..c75ddee 100644 --- a/kiali-operator/templates/deployment.yaml 
+++ b/kiali-operator/templates/deployment.yaml @@ -84,8 +84,6 @@ spec: value: {{ .Values.allowAdHocKialiNamespace | quote }} - name: ALLOW_AD_HOC_KIALI_IMAGE value: {{ .Values.allowAdHocKialiImage | quote }} - - name: ANSIBLE_LOCAL_TEMP - value: "/tmp/ansible/tmp" {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} - name: ALLOW_AD_HOC_OSSMCONSOLE_IMAGE value: {{ .Values.allowAdHocOSSMConsoleImage | quote }} @@ -112,6 +110,8 @@ spec: {{- else }} value: "/etc/ansible/ansible.cfg" {{- end }} + - name: ANSIBLE_LOCAL_TEMP + value: "/tmp/ansible/tmp" {{- if .Values.env }} {{- toYaml .Values.env | nindent 8 }} {{- end }} From 439fec594032369e99aa89126b29e7b243c376d3 Mon Sep 17 00:00:00 2001 From: eli Date: Thu, 30 Nov 2023 09:05:55 -0800 Subject: [PATCH 8/8] add ANSIBLE_REMOTE_TEMP env var --- kiali-operator/templates/deployment.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kiali-operator/templates/deployment.yaml b/kiali-operator/templates/deployment.yaml index c75ddee..5f70bb4 100644 --- a/kiali-operator/templates/deployment.yaml +++ b/kiali-operator/templates/deployment.yaml @@ -112,6 +112,8 @@ spec: {{- end }} - name: ANSIBLE_LOCAL_TEMP value: "/tmp/ansible/tmp" + - name: ANSIBLE_REMOTE_TEMP + value: "/tmp/ansible/tmp" {{- if .Values.env }} {{- toYaml .Values.env | nindent 8 }} {{- end }}
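Review bot: Placing `ANSIBLE_LOCAL_TEMP` directly ahead of the `{{- toYaml .Values.env }}` block means a chart user can still redefine it: Kubernetes does not reject duplicate `env` names and in practice the later entry in the list takes effect, so the "hardcode to prevent changes" intent of the previous patch is only cosmetic. If the value must really be fixed, render the hardcoded Ansible entries after the user-supplied ones, or check `.Values.env` for the reserved names and `fail` on a collision. Otherwise document that `.Values.env` can override it and that doing so breaks the read-only root filesystem unless the path stays on the `tmp` emptyDir.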
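Review bot: Nothing in the hunk records why `ANSIBLE_REMOTE_TEMP` has to mirror `ANSIBLE_LOCAL_TEMP`, and a maintainer who sees two variables carrying the same literal is likely to drop one; add a comment above the pair such as `# Ansible's default temp dirs live under $HOME/.ansible, which is read-only once readOnlyRootFilesystem is set; keep both local and remote temp on the /tmp emptyDir`. Pulling the repeated `"/tmp/ansible/tmp"` into a single template variable would also stop the two from diverging. Presumably the operator's playbooks run with a local connection, which is why the remote temp resolves inside this container; that assumption is worth stating, since for any non-local target the remote temp would be created on that host instead.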