From 17afc3a77f9d71b4c8e36758a3e88073529df8d6 Mon Sep 17 00:00:00 2001 From: nimalank7 Date: Thu, 16 Jan 2025 18:18:57 +0000 Subject: [PATCH] Use NFS PersistentVolume for asset-manager clamav for compliance with PSS restricted Description: - PSS restricted doesn't allow volume types of `nfs` (see [here](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted)) but does allow us to use a `PersistentVolume` of type NFS - As part of https://github.com/alphagov/govuk-helm-charts/issues/1883 --- .../templates/_freshclam_podspec.yaml | 5 ++--- charts/asset-manager/templates/clamav-pv.yaml | 21 +++++++++++++++++++ .../asset-manager/templates/clamav-pvc.yaml | 21 +++++++++++++++++++ .../templates/worker-deployment.yaml | 6 ++---- charts/asset-manager/values.yaml | 2 ++ 5 files changed, 48 insertions(+), 7 deletions(-) create mode 100644 charts/asset-manager/templates/clamav-pv.yaml create mode 100644 charts/asset-manager/templates/clamav-pvc.yaml diff --git a/charts/asset-manager/templates/_freshclam_podspec.yaml b/charts/asset-manager/templates/_freshclam_podspec.yaml index 6c01b038bca..e990a4c5114 100644 --- a/charts/asset-manager/templates/_freshclam_podspec.yaml +++ b/charts/asset-manager/templates/_freshclam_podspec.yaml @@ -37,9 +37,8 @@ spec: readOnlyRootFilesystem: true volumes: - name: clam-virus-db - nfs: - server: "{{ .Values.assetManagerNFS }}" - path: /clamav-db + persistentVolumeClaim: + claimName: {{ include "licensify.name" . }}-{{ .Values.appName }}-db - name: etc-clamav configMap: name: {{ $fullName }}-etc-clamav diff --git a/charts/asset-manager/templates/clamav-pv.yaml b/charts/asset-manager/templates/clamav-pv.yaml new file mode 100644 index 00000000000..1f72637c341 --- /dev/null +++ b/charts/asset-manager/templates/clamav-pv.yaml 
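Review bot: The `claimName` added in `_freshclam_podspec.yaml` does not match the PVC this commit creates: the pod asks for `{{ include "licensify.name" . }}-{{ .Values.appName }}-db`, while `clamav-pvc.yaml` names the object `{{ $fullName }}-freshclam-db`, so the pod would stay in ContainerCreating with a "persistentvolumeclaim not found" event. `licensify.name` also looks like a helper from another chart; unless asset-manager defines it, `helm template` fails before that. `$fullName` is already in scope here (the `-etc-clamav` context line uses it), so the line should read `claimName: {{ $fullName }}-freshclam-db`. The same line appears in the `worker-deployment.yaml` hunk and needs the same change.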
@@ -0,0 +1,21 @@ +{{- define "asset-manager.freshclam.podspec" }} +{{- $fullName := include "asset-manager.fullname" . }} +apiVersion: v1 +kind: PersistentVolume +metadata: + name: {{ $fullName }}-freshclam-db + labels: + {{- include "asset-manager.labels" . | nindent 4 }} + app: {{ .Values.fullName }} + app.kubernetes.io/name: {{ .Values.fullName }}-freshclam-db + app.kubernetes.io/component: {{ .Values.fullName }}-freshclam-db #V Verify this +spec: + capacity: + storage: {{ .Values.nfs.storage }} + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Retain + nfs: + server: "{{ .Values.assetManagerNFS }}" + path: /clamav-db + readOnly: true diff --git a/charts/asset-manager/templates/clamav-pvc.yaml b/charts/asset-manager/templates/clamav-pvc.yaml new file mode 100644 index 00000000000..a53bd3f95ae --- /dev/null +++ b/charts/asset-manager/templates/clamav-pvc.yaml @@ -0,0 +1,21 @@ +{{- define "asset-manager.freshclam.podspec" }} +{{- $fullName := include "asset-manager.fullname" . }} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ $fullName }}-freshclam-db + labels: + {{- include "asset-manager.labels" . | nindent 4 }} + app: {{ $fullName }}-freshclam + app.kubernetes.io/name: {{ $fullName }}-freshclam-db # Verify this + app.kubernetes.io/component: {{ $fullName }}-freshclam-db # Verify this +spec: + storageClassName: "" + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.nfs.storage }} + selector: + matchLabels: + {{- include "asset-manager.selectorLabels" . | nindent 6 }} diff --git a/charts/asset-manager/templates/worker-deployment.yaml b/charts/asset-manager/templates/worker-deployment.yaml index 8b051663ca2..b7f9b847d54 100644 --- a/charts/asset-manager/templates/worker-deployment.yaml +++ b/charts/asset-manager/templates/worker-deployment.yaml 
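Review bot: `clamav-pv.yaml` opens with `{{- define "asset-manager.freshclam.podspec" }}` and none of its 21 lines closes it, so the chart will not render; even with an `{{- end }}` the manifest would sit inside a named template instead of being emitted as a resource, and the name presumably collides with the one `_freshclam_podspec.yaml` defines. Drop the `define` line (keeping `{{- $fullName := include "asset-manager.fullname" . }}` at top level is fine); `clamav-pvc.yaml` starts with the same two lines and needs the same fix. Separately, `readOnly: true` under `nfs` applies to every consumer of the PV, yet the freshclam volume this replaces was mounted without `readOnly` while the worker's was read-only — if freshclam writes the database into this export, that write path is gone, so leave the PV writable and put `readOnly: true` on the worker's `persistentVolumeClaim` entry instead. With two workloads sharing one NFS export, `ReadWriteMany` describes the intent better than `ReadWriteOnce`, and the `#V Verify this` trailing comment should not ship in the rendered label.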
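Review bot: Binding of `clamav-pvc.yaml` to the new PV depends on the PV carrying the labels that `asset-manager.selectorLabels` renders, but the PV hunk only labels it through `asset-manager.labels` plus `app`/`app.kubernetes.io/*` keys written with `.Values.fullName`, whereas this file uses `$fullName`; if `asset-manager.labels` does not include the selector labels, the claim stays Pending. The `app` label is also inconsistent between the two objects (`{{ .Values.fullName }}` on the PV, `{{ $fullName }}-freshclam` here), which matters if the selector is meant to key on it. The `accessModes` list here must match the PV's (currently `ReadWriteOnce`), so if the PV moves to `ReadWriteMany` this list must change with it. The two `# Verify this` comments render into the output and should be resolved before merge.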
@@ -45,10 +45,8 @@ spec: server: "{{ .Values.assetManagerNFS }}" path: /asset-manager - name: clam-virus-db - nfs: - server: "{{ .Values.assetManagerNFS }}" - path: /clamav-db - readOnly: true + persistentVolumeClaim: + claimName: {{ include "licensify.name" . }}-{{ .Values.appName }}-db - name: etc-clamav configMap: name: {{ $fullName }}-etc-clamav diff --git a/charts/asset-manager/values.yaml b/charts/asset-manager/values.yaml index c3b9edeeac5..a4077e51a11 100644 --- a/charts/asset-manager/values.yaml +++ b/charts/asset-manager/values.yaml @@ -141,3 +141,5 @@ redis: redisUrlOverride: app: "" workers: "" +nfs: + storage: 15Gi
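Review bot: The worker's `clam-virus-db` volume loses the explicit `readOnly: true` it had on the removed `nfs` block; the new `persistentVolumeClaim` entry relies on the PV's `nfs.readOnly` instead, which ties the workers' read-only mount to a setting that also constrains the freshclam writer. Keep the read-only intent on the consumer: `persistentVolumeClaim:` / `claimName: {{ $fullName }}-freshclam-db` / `readOnly: true`. The `claimName` mismatch with the PVC's actual name is the same defect noted on the `_freshclam_podspec.yaml` hunk. The enclosing pod spec starts before and ends after this hunk.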