(fix): Remove sudo privilege from helm-charts

- Change security context to anyuid - Changed from deployment to job, now the pods will be in completed

(fix): Remove sudo privilege from helm-charts
ff738b7b · Sagar Arora · 1336a410 · ff738b7b · ff738b7b · ff738b7b
Commit ff738b7b authored 2 years ago by Sagar Arora
--- a/charts/physims/Chart.yaml
+++ b/charts/physims/Chart.yaml
@@ -16,7 +16,7 @@ icon: http://www.openairinterface.org/wp-content/uploads/2015/06/cropped-oai_fin

 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 0.1.1
+version: 1.0.0

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.

--- a/charts/physims/charts/dlsim.100rb+tm2/templates/deployment.yaml
+++ b/charts/physims/charts/dlsim.100rb+tm2/templates/deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
+apiVersion: batch/v1
+kind: Job
 metadata:
  name: {{ .Chart.Name }}
-  labels:
-    {{- include "oai-dlsim-100rb-tm2.labels" . | nindent 4 }}
 spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      {{- include "oai-dlsim-100rb-tm2.selectorLabels" . | nindent 6 }}
-  strategy:
-    type: Recreate
  template:
-    metadata:
-      labels:
-        {{- include "oai-dlsim-100rb-tm2.selectorLabels" . | nindent 8 }}
    spec:
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
@@ -28,8 +17,6 @@ spec:
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        securityContext:
          {{- toYaml .Values.securityContext | nindent 12 }}
-        ports:
-        - containerPort: 80
        env:
        - name: OPENAIR_DIR
          value: /opt/oai-physim
@@ -37,9 +24,9 @@ spec:
        args:
        - >
          cmake_targets/autotests/run_exec_autotests.bash -g "dlsim.100rb+tm2" -d bin/ &&
-          echo "FINISHED" && sleep infinity
+          echo "FINISHED"
      dnsPolicy: ClusterFirst
-      restartPolicy: Always
+      restartPolicy: Never
      schedulerName: default-scheduler
      serviceAccountName: {{ .Values.global.serviceAccountName }}
      terminationGracePeriodSeconds: 30
--- a/charts/physims/charts/dlsim.100rb+tm2/values.yaml
+++ b/charts/physims/charts/dlsim.100rb+tm2/values.yaml
@@ -27,10 +27,10 @@ podSecurityContext:
  runAsGroup: 0

 securityContext:
-  privileged: true
-  capabilities:
-    add:
-      - SYS_CAP_PTRACE
+  privileged: false
+#  capabilities:
+#    add:
+#      - SYS_CAP_PTRACE
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true

--- a/charts/physims/charts/dlsim.basic/templates/deployment.yaml
+++ b/charts/physims/charts/dlsim.basic/templates/deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
+apiVersion: batch/v1
+kind: Job
 metadata:
  name: {{ .Chart.Name }}
-  labels:
-    {{- include "oai-dlsim-basic.labels" . | nindent 4 }}
 spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      {{- include "oai-dlsim-basic.selectorLabels" . | nindent 6 }}
-  strategy:
-    type: Recreate
  template:
-    metadata:
-      labels:
-        {{- include "oai-dlsim-basic.selectorLabels" . | nindent 8 }}
    spec:
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
@@ -26,10 +15,15 @@ spec:
      - name: physim
        image: "{{ .Values.global.image.repository }}:{{ .Values.global.image.version }}"
        imagePullPolicy: {{ .Values.image.pullPolicy }}
+#        resources:
+#          requests:
+#            memory: "4096Mi"
+#            cpu: "4000m"
+#          limits:
+#            memory: "4096Mi"
+#            cpu: "4000m"
        securityContext:
          {{- toYaml .Values.securityContext | nindent 12 }}
-        ports:
-        - containerPort: 80
        env:
        - name: OPENAIR_DIR
          value: /opt/oai-physim
@@ -37,9 +31,9 @@ spec:
        args:
        - >
          cmake_targets/autotests/run_exec_autotests.bash -g "dlsim.basic" -d bin/ &&
-          echo "FINISHED" && sleep infinity
+          echo "FINISHED"
      dnsPolicy: ClusterFirst
-      restartPolicy: Always
+      restartPolicy: Never
      schedulerName: default-scheduler
-      serviceAccountName: {{ .Values.global.serviceAccountName }}
+      serviceAccountName: oai-physim-sa 
      terminationGracePeriodSeconds: 30
--- a/charts/physims/charts/dlsim.basic/values.yaml
+++ b/charts/physims/charts/dlsim.basic/values.yaml
@@ -20,17 +20,17 @@ serviceAccount:
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
-  name: "oai-dlsim-basic"
+  name: "oai-physim-sa" #"oai-dlsim-basic"

 podSecurityContext:
  runAsUser: 0
  runAsGroup: 0

 securityContext:
-  privileged: true
-  capabilities:
-    add:
-      - SYS_CAP_PTRACE
+  privileged: false
+  #capabilities:
+  #  add:
+  #    - SYS_CAP_PTRACE
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true
@@ -41,17 +41,13 @@ service:
  type: ClusterIP
  port: 80

-resources: {}
-  # We usually recommend not to specify default resources and to leave this as a conscious
-  # choice for the user. This also increases chances charts run on environments with little
-  # resources, such as Minikube. If you do want to specify resources, uncomment the following
-  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-  # limits:
-  #   cpu: 100m
-  #   memory: 128Mi
-  # requests:
-  #   cpu: 100m
-  #   memory: 128Mi
+resources:
+   limits:
+     cpu: 100m
+     memory: 128Mi
+   requests:
+     cpu: 100m
+     memory: 128Mi

 nodeSelector: {}


--- a/charts/physims/charts/ldpctest/templates/deployment.yaml
+++ b/charts/physims/charts/ldpctest/templates/deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
+apiVersion: batch/v1
+kind: Job
 metadata:
  name: {{ .Chart.Name }}
-  labels:
-    {{- include "oai-ldpctest.labels" . | nindent 4 }}
 spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      {{- include "oai-ldpctest.selectorLabels" . | nindent 6 }}
-  strategy:
-    type: Recreate
  template:
-    metadata:
-      labels:
-        {{- include "oai-ldpctest.selectorLabels" . | nindent 8 }}
    spec:
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
@@ -28,8 +17,6 @@ spec:
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        securityContext:
          {{- toYaml .Values.securityContext | nindent 12 }}
-        ports:
-        - containerPort: 80
        env:
        - name: OPENAIR_DIR
          value: /opt/oai-physim
@@ -37,9 +24,9 @@ spec:
        args:
        - >  
          cmake_targets/autotests/run_exec_autotests.bash -g "ldpctest" -d bin/ &&
-          echo "FINISHED" && sleep infinity
+          echo "FINISHED"
      dnsPolicy: ClusterFirst
-      restartPolicy: Always
+      restartPolicy: Never
      schedulerName: default-scheduler
      serviceAccountName: {{ .Values.global.serviceAccountName }}
      terminationGracePeriodSeconds: 30
--- a/charts/physims/charts/ldpctest/values.yaml
+++ b/charts/physims/charts/ldpctest/values.yaml
@@ -27,10 +27,10 @@ podSecurityContext:
  runAsGroup: 0

 securityContext:
-  privileged: true
-  capabilities:
-    add:
-      - SYS_CAP_PTRACE
+  privileged: false
+#  capabilities:
+#    add:
+#      - SYS_CAP_PTRACE
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true

--- a/charts/physims/charts/nr-dlschsim/templates/deployment.yaml
+++ b/charts/physims/charts/nr-dlschsim/templates/deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
+apiVersion: batch/v1
+kind: Job
 metadata:
  name: {{ .Chart.Name }}
-  labels:
-    {{- include "oai-nr-dlschsim.labels" . | nindent 4 }}
 spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      {{- include "oai-nr-dlschsim.selectorLabels" . | nindent 6 }}
-  strategy:
-    type: Recreate
  template:
-    metadata:
-      labels:
-        {{- include "oai-nr-dlschsim.selectorLabels" . | nindent 8 }}
    spec:
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
@@ -28,8 +17,6 @@ spec:
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        securityContext:
          {{- toYaml .Values.securityContext | nindent 12 }}
-        ports:
-        - containerPort: 80
        env:
        - name: OPENAIR_DIR
          value: /opt/oai-physim
@@ -37,9 +24,9 @@ spec:
        args:
        - >  
          cmake_targets/autotests/run_exec_autotests.bash -g "nr_dlschsim" -d bin/ &&
-          echo "FINISHED" && sleep infinity
+          echo "FINISHED"
      dnsPolicy: ClusterFirst
-      restartPolicy: Always
+      restartPolicy: Never
      schedulerName: default-scheduler
      serviceAccountName: {{ .Values.global.serviceAccountName }}
      terminationGracePeriodSeconds: 30
--- a/charts/physims/charts/nr-dlschsim/values.yaml
+++ b/charts/physims/charts/nr-dlschsim/values.yaml
@@ -27,10 +27,10 @@ podSecurityContext:
  runAsGroup: 0

 securityContext:
-  privileged: true
-  capabilities:
-    add:
-      - SYS_CAP_PTRACE
+  privileged: false
+#  capabilities:
+#    add:
+#      - SYS_CAP_PTRACE
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true

--- a/charts/physims/charts/nr-dlsim.basic/templates/deployment.yaml
+++ b/charts/physims/charts/nr-dlsim.basic/templates/deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
+apiVersion: batch/v1
+kind: Job
 metadata:
  name: {{ .Chart.Name }}
-  labels:
-    {{- include "oai-nr-dlsim-basic.labels" . | nindent 4 }}
 spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      {{- include "oai-nr-dlsim-basic.selectorLabels" . | nindent 6 }}
-  strategy:
-    type: Recreate
  template:
-    metadata:
-      labels:
-        {{- include "oai-nr-dlsim-basic.selectorLabels" . | nindent 8 }}
    spec:
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
@@ -28,8 +17,6 @@ spec:
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        securityContext:
          {{- toYaml .Values.securityContext | nindent 12 }}
-        ports:
-        - containerPort: 80
        env:
        - name: OPENAIR_DIR
          value: /opt/oai-physim
@@ -37,9 +24,9 @@ spec:
        args:
        - >
          cmake_targets/autotests/run_exec_autotests.bash -g "nr_dlsim.basic" -d bin/ &&
-          echo "FINISHED" && sleep infinity
+          echo "FINISHED"
      dnsPolicy: ClusterFirst
-      restartPolicy: Always
+      restartPolicy: Never
      schedulerName: default-scheduler
      serviceAccountName: {{ .Values.global.serviceAccountName }}
      terminationGracePeriodSeconds: 30
--- a/charts/physims/charts/nr-dlsim.basic/values.yaml
+++ b/charts/physims/charts/nr-dlsim.basic/values.yaml
@@ -27,10 +27,10 @@ podSecurityContext:
  runAsGroup: 0

 securityContext:
-  privileged: true
-  capabilities:
-    add:
-      - SYS_CAP_PTRACE
+  privileged: false
+#  capabilities:
+#    add:
+#      - SYS_CAP_PTRACE
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true

--- a/charts/physims/charts/nr-dlsim.dmrs+ptrs/templates/deployment.yaml
+++ b/charts/physims/charts/nr-dlsim.dmrs+ptrs/templates/deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
+apiVersion: batch/v1
+kind: Job
 metadata:
  name: {{ .Chart.Name }}
-  labels:
-    {{- include "oai-nr-dlsim-dmrs-ptrs.labels" . | nindent 4 }}
 spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      {{- include "oai-nr-dlsim-dmrs-ptrs.selectorLabels" . | nindent 6 }}
-  strategy:
-    type: Recreate
  template:
-    metadata:
-      labels:
-        {{- include "oai-nr-dlsim-dmrs-ptrs.selectorLabels" . | nindent 8 }}
    spec:
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
@@ -28,8 +17,6 @@ spec:
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        securityContext:
          {{- toYaml .Values.securityContext | nindent 12 }}
-        ports:
-        - containerPort: 80
        env:
        - name: OPENAIR_DIR
          value: /opt/oai-physim
@@ -37,9 +24,9 @@ spec:
        args:
        - >
          cmake_targets/autotests/run_exec_autotests.bash -g "nr_dlsim.dmrs+ptrs" -d bin/ &&
-          echo "FINISHED" && sleep infinity
+          echo "FINISHED"
      dnsPolicy: ClusterFirst
-      restartPolicy: Always
+      restartPolicy: Never
      schedulerName: default-scheduler
      serviceAccountName: {{ .Values.global.serviceAccountName }}
      terminationGracePeriodSeconds: 30
--- a/charts/physims/charts/nr-dlsim.dmrs+ptrs/values.yaml
+++ b/charts/physims/charts/nr-dlsim.dmrs+ptrs/values.yaml
@@ -27,10 +27,10 @@ podSecurityContext:
  runAsGroup: 0

 securityContext:
-  privileged: true
-  capabilities:
-    add:
-      - SYS_CAP_PTRACE
+  privileged: false
+#  capabilities:
+#    add:
+#      - SYS_CAP_PTRACE
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true

--- a/charts/physims/charts/nr-dlsim.mcs+mimo/templates/deployment.yaml
+++ b/charts/physims/charts/nr-dlsim.mcs+mimo/templates/deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
+apiVersion: batch/v1
+kind: Job
 metadata:
  name: {{ .Chart.Name }}
-  labels:
-    {{- include "oai-nr-dlsim-mcs-mimo.labels" . | nindent 4 }}
 spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      {{- include "oai-nr-dlsim-mcs-mimo.selectorLabels" . | nindent 6 }}
-  strategy:
-    type: Recreate
  template:
-    metadata:
-      labels:
-        {{- include "oai-nr-dlsim-mcs-mimo.selectorLabels" . | nindent 8 }}
    spec:
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
@@ -28,8 +17,6 @@ spec:
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        securityContext:
          {{- toYaml .Values.securityContext | nindent 12 }}
-        ports:
-        - containerPort: 80
        env:
        - name: OPENAIR_DIR
          value: /opt/oai-physim
@@ -37,9 +24,9 @@ spec:
        args:
        - >
          cmake_targets/autotests/run_exec_autotests.bash -g "nr_dlsim.mcs+mimo" -d bin/ &&
-          echo "FINISHED" && sleep infinity
+          echo "FINISHED"
      dnsPolicy: ClusterFirst
-      restartPolicy: Always
+      restartPolicy: Never
      schedulerName: default-scheduler
      serviceAccountName: {{ .Values.global.serviceAccountName }}
      terminationGracePeriodSeconds: 30
--- a/charts/physims/charts/nr-dlsim.mcs+mimo/values.yaml
+++ b/charts/physims/charts/nr-dlsim.mcs+mimo/values.yaml
@@ -27,10 +27,10 @@ podSecurityContext:
  runAsGroup: 0

 securityContext:
-  privileged: true
-  capabilities:
-    add:
-      - SYS_CAP_PTRACE
+  privileged: false
+#  capabilities:
+#    add:
+#      - SYS_CAP_PTRACE
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true

--- a/charts/physims/charts/nr-dlsim.offset/templates/deployment.yaml
+++ b/charts/physims/charts/nr-dlsim.offset/templates/deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
+apiVersion: batch/v1
+kind: Job
 metadata:
  name: {{ .Chart.Name }}
-  labels:
-    {{- include "oai-nr-dlsim-offset.labels" . | nindent 4 }}
 spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      {{- include "oai-nr-dlsim-offset.selectorLabels" . | nindent 6 }}
-  strategy:
-    type: Recreate
  template:
-    metadata:
-      labels:
-        {{- include "oai-nr-dlsim-offset.selectorLabels" . | nindent 8 }}
    spec:
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
@@ -28,8 +17,6 @@ spec:
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        securityContext:
          {{- toYaml .Values.securityContext | nindent 12 }}
-        ports:
-        - containerPort: 80
        env:
        - name: OPENAIR_DIR
          value: /opt/oai-physim
@@ -37,9 +24,9 @@ spec:
        args:
        - >
          cmake_targets/autotests/run_exec_autotests.bash -g "nr_dlsim.offset" -d bin/ &&
-          echo "FINISHED" && sleep infinity
+          echo "FINISHED"
      dnsPolicy: ClusterFirst
-      restartPolicy: Always
+      restartPolicy: Never
      schedulerName: default-scheduler
      serviceAccountName: {{ .Values.global.serviceAccountName }}
      terminationGracePeriodSeconds: 30
--- a/charts/physims/charts/nr-dlsim.offset/values.yaml
+++ b/charts/physims/charts/nr-dlsim.offset/values.yaml
@@ -27,10 +27,10 @@ podSecurityContext:
  runAsGroup: 0

 securityContext:
-  privileged: true
-  capabilities:
-    add:
-      - SYS_CAP_PTRACE
+  privileged: false
+#  capabilities:
+#    add:
+#      - SYS_CAP_PTRACE
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true

--- a/charts/physims/charts/nr-pbchsim.106rb/templates/deployment.yaml
+++ b/charts/physims/charts/nr-pbchsim.106rb/templates/deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
+apiVersion: batch/v1
+kind: Job
 metadata:
  name: {{ .Chart.Name }}
-  labels:
-    {{- include "oai-nr-pbchsim-106rb.labels" . | nindent 4 }}
 spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      {{- include "oai-nr-pbchsim-106rb.selectorLabels" . | nindent 6 }}
-  strategy:
-    type: Recreate
  template:
    metadata:
      labels:
@@ -28,8 +20,6 @@ spec:
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        securityContext:
          {{- toYaml .Values.securityContext | nindent 12 }}
-        ports:
-        - containerPort: 80
        env:
        - name: OPENAIR_DIR
          value: /opt/oai-physim
@@ -37,9 +27,9 @@ spec:
        args:
        - >
          cmake_targets/autotests/run_exec_autotests.bash -g "nr_pbchsim.106rb" -d bin/ &&
-          echo "FINISHED" && sleep infinity
+          echo "FINISHED"
      dnsPolicy: ClusterFirst
-      restartPolicy: Always
+      restartPolicy: Never
      schedulerName: default-scheduler
      serviceAccountName: {{ .Values.global.serviceAccountName }}
      terminationGracePeriodSeconds: 30
--- a/charts/physims/charts/nr-pbchsim.106rb/values.yaml
+++ b/charts/physims/charts/nr-pbchsim.106rb/values.yaml
@@ -27,10 +27,10 @@ podSecurityContext:
  runAsGroup: 0

 securityContext:
-  privileged: true
-  capabilities:
-    add:
-      - SYS_CAP_PTRACE
+  privileged: false
+#  capabilities:
+#    add:
+#      - SYS_CAP_PTRACE
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true

--- a/charts/physims/charts/nr-pbchsim.217rb/templates/deployment.yaml
+++ b/charts/physims/charts/nr-pbchsim.217rb/templates/deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
+apiVersion: batch/v1
+kind: Job
 metadata:
  name: {{ .Chart.Name }}
-  labels:
-    {{- include "oai-nr-pbchsim-217rb.labels" . | nindent 4 }}
 spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      {{- include "oai-nr-pbchsim-217rb.selectorLabels" . | nindent 6 }}
-  strategy:
-    type: Recreate
  template:
-    metadata:
-      labels:
-        {{- include "oai-nr-pbchsim-217rb.selectorLabels" . | nindent 8 }}
    spec:
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
@@ -28,8 +17,6 @@ spec:
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        securityContext:
          {{- toYaml .Values.securityContext | nindent 12 }}
-        ports:
-        - containerPort: 80
        env:
        - name: OPENAIR_DIR
          value: /opt/oai-physim
@@ -37,9 +24,9 @@ spec:
        args:
        - >
          cmake_targets/autotests/run_exec_autotests.bash -g "nr_pbchsim.217rb" -d bin/ &&
-          echo "FINISHED" && sleep infinity
+          echo "FINISHED"
      dnsPolicy: ClusterFirst
-      restartPolicy: Always
+      restartPolicy: Never
      schedulerName: default-scheduler
      serviceAccountName: {{ .Values.global.serviceAccountName }}
      terminationGracePeriodSeconds: 30