(fix): Remove sudo privilege from helm-charts

- Change security context to anyuid
- Changed from deployment to job, now the pods will be in completed

charts/physims/Chart.yaml

@@ -16,7 +16,7 @@ icon: http://www.openairinterface.org/wp-content/uploads/2015/06/cropped-oai_fin
 
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 0.1.1
+version: 1.0.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.

charts/physims/charts/dlsim.100rb+tm2/templates/deployment.yaml → charts/physims/charts/dlsim.100rb+tm2/templates/job.yaml

-apiVersion: apps/v1
-kind: Deployment
+apiVersion: batch/v1
+kind: Job
 metadata:
   name: {{ .Chart.Name }}
-  labels:
-    {{- include "oai-dlsim-100rb-tm2.labels" . | nindent 4 }}
 spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      {{- include "oai-dlsim-100rb-tm2.selectorLabels" . | nindent 6 }}
-  strategy:
-    type: Recreate
   template:
-    metadata:
-      labels:
-        {{- include "oai-dlsim-100rb-tm2.selectorLabels" . | nindent 8 }}
     spec:
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
@@ -28,8 +17,6 @@ spec:
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         securityContext:
           {{- toYaml .Values.securityContext | nindent 12 }}
-        ports:
-        - containerPort: 80
         env:
         - name: OPENAIR_DIR
           value: /opt/oai-physim
@@ -37,9 +24,9 @@ spec:
         args:
         - >
           cmake_targets/autotests/run_exec_autotests.bash -g "dlsim.100rb+tm2" -d bin/ &&
-          echo "FINISHED" && sleep infinity
+          echo "FINISHED"
       dnsPolicy: ClusterFirst
-      restartPolicy: Always
+      restartPolicy: Never
       schedulerName: default-scheduler
       serviceAccountName: {{ .Values.global.serviceAccountName }}
       terminationGracePeriodSeconds: 30

charts/physims/charts/dlsim.100rb+tm2/values.yaml

@@ -27,10 +27,10 @@ podSecurityContext:
   runAsGroup: 0
 
 securityContext:
-  privileged: true
-  capabilities:
-    add:
-      - SYS_CAP_PTRACE
+  privileged: false
+#  capabilities:
+#    add:
+#      - SYS_CAP_PTRACE
   #   drop:
   #   - ALL
   # readOnlyRootFilesystem: true

charts/physims/charts/dlsim.basic/templates/deployment.yaml → charts/physims/charts/dlsim.basic/templates/job.yaml

-apiVersion: apps/v1
-kind: Deployment
+apiVersion: batch/v1
+kind: Job
 metadata:
   name: {{ .Chart.Name }}
-  labels:
-    {{- include "oai-dlsim-basic.labels" . | nindent 4 }}
 spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      {{- include "oai-dlsim-basic.selectorLabels" . | nindent 6 }}
-  strategy:
-    type: Recreate
   template:
-    metadata:
-      labels:
-        {{- include "oai-dlsim-basic.selectorLabels" . | nindent 8 }}
     spec:
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
@@ -26,10 +15,15 @@ spec:
       - name: physim
         image: "{{ .Values.global.image.repository }}:{{ .Values.global.image.version }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
+#        resources:
+#          requests:
+#            memory: "4096Mi"
+#            cpu: "4000m"
+#          limits:
+#            memory: "4096Mi"
+#            cpu: "4000m"
         securityContext:
           {{- toYaml .Values.securityContext | nindent 12 }}
-        ports:
-        - containerPort: 80
         env:
         - name: OPENAIR_DIR
           value: /opt/oai-physim
@@ -37,9 +31,9 @@ spec:
         args:
         - >
           cmake_targets/autotests/run_exec_autotests.bash -g "dlsim.basic" -d bin/ &&
-          echo "FINISHED" && sleep infinity
+          echo "FINISHED"
       dnsPolicy: ClusterFirst
-      restartPolicy: Always
+      restartPolicy: Never
       schedulerName: default-scheduler
-      serviceAccountName: {{ .Values.global.serviceAccountName }}
+      serviceAccountName: oai-physim-sa 
       terminationGracePeriodSeconds: 30

charts/physims/charts/dlsim.basic/values.yaml

@@ -20,17 +20,17 @@ serviceAccount:
   annotations: {}
   # The name of the service account to use.
   # If not set and create is true, a name is generated using the fullname template
-  name: "oai-dlsim-basic"
+  name: "oai-physim-sa" #"oai-dlsim-basic"
 
 podSecurityContext:
   runAsUser: 0
   runAsGroup: 0
 
 securityContext:
-  privileged: true
-  capabilities:
-    add:
-      - SYS_CAP_PTRACE
+  privileged: false
+  #capabilities:
+  #  add:
+  #    - SYS_CAP_PTRACE
   #   drop:
   #   - ALL
   # readOnlyRootFilesystem: true
@@ -41,17 +41,13 @@ service:
   type: ClusterIP
   port: 80
 
-resources: {}
-  # We usually recommend not to specify default resources and to leave this as a conscious
-  # choice for the user. This also increases chances charts run on environments with little
-  # resources, such as Minikube. If you do want to specify resources, uncomment the following
-  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-  # limits:
-  #   cpu: 100m
-  #   memory: 128Mi
-  # requests:
-  #   cpu: 100m
-  #   memory: 128Mi
+resources:
+   limits:
+     cpu: 100m
+     memory: 128Mi
+   requests:
+     cpu: 100m
+     memory: 128Mi
 
 nodeSelector: {}
 

charts/physims/charts/ldpctest/templates/deployment.yaml → charts/physims/charts/ldpctest/templates/job.yaml

-apiVersion: apps/v1
-kind: Deployment
+apiVersion: batch/v1
+kind: Job
 metadata:
   name: {{ .Chart.Name }}
-  labels:
-    {{- include "oai-ldpctest.labels" . | nindent 4 }}
 spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      {{- include "oai-ldpctest.selectorLabels" . | nindent 6 }}
-  strategy:
-    type: Recreate
   template:
-    metadata:
-      labels:
-        {{- include "oai-ldpctest.selectorLabels" . | nindent 8 }}
     spec:
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
@@ -28,8 +17,6 @@ spec:
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         securityContext:
           {{- toYaml .Values.securityContext | nindent 12 }}
-        ports:
-        - containerPort: 80
         env:
         - name: OPENAIR_DIR
           value: /opt/oai-physim
@@ -37,9 +24,9 @@ spec:
         args:
         - >  
           cmake_targets/autotests/run_exec_autotests.bash -g "ldpctest" -d bin/ &&
-          echo "FINISHED" && sleep infinity
+          echo "FINISHED"
       dnsPolicy: ClusterFirst
-      restartPolicy: Always
+      restartPolicy: Never
       schedulerName: default-scheduler
       serviceAccountName: {{ .Values.global.serviceAccountName }}
       terminationGracePeriodSeconds: 30

charts/physims/charts/ldpctest/values.yaml

@@ -27,10 +27,10 @@ podSecurityContext:
   runAsGroup: 0
 
 securityContext:
-  privileged: true
-  capabilities:
-    add:
-      - SYS_CAP_PTRACE
+  privileged: false
+#  capabilities:
+#    add:
+#      - SYS_CAP_PTRACE
   #   drop:
   #   - ALL
   # readOnlyRootFilesystem: true

charts/physims/charts/nr-dlschsim/templates/deployment.yaml → charts/physims/charts/nr-dlschsim/templates/job.yaml

-apiVersion: apps/v1
-kind: Deployment
+apiVersion: batch/v1
+kind: Job
 metadata:
   name: {{ .Chart.Name }}
-  labels:
-    {{- include "oai-nr-dlschsim.labels" . | nindent 4 }}
 spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      {{- include "oai-nr-dlschsim.selectorLabels" . | nindent 6 }}
-  strategy:
-    type: Recreate
   template:
-    metadata:
-      labels:
-        {{- include "oai-nr-dlschsim.selectorLabels" . | nindent 8 }}
     spec:
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
@@ -28,8 +17,6 @@ spec:
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         securityContext:
           {{- toYaml .Values.securityContext | nindent 12 }}
-        ports:
-        - containerPort: 80
         env:
         - name: OPENAIR_DIR
           value: /opt/oai-physim
@@ -37,9 +24,9 @@ spec:
         args:
         - >  
           cmake_targets/autotests/run_exec_autotests.bash -g "nr_dlschsim" -d bin/ &&
-          echo "FINISHED" && sleep infinity
+          echo "FINISHED"
       dnsPolicy: ClusterFirst
-      restartPolicy: Always
+      restartPolicy: Never
       schedulerName: default-scheduler
       serviceAccountName: {{ .Values.global.serviceAccountName }}
       terminationGracePeriodSeconds: 30

charts/physims/charts/nr-dlschsim/values.yaml

@@ -27,10 +27,10 @@ podSecurityContext:
   runAsGroup: 0
 
 securityContext:
-  privileged: true
-  capabilities:
-    add:
-      - SYS_CAP_PTRACE
+  privileged: false
+#  capabilities:
+#    add:
+#      - SYS_CAP_PTRACE
   #   drop:
   #   - ALL
   # readOnlyRootFilesystem: true

charts/physims/charts/nr-dlsim.basic/templates/deployment.yaml → charts/physims/charts/nr-dlsim.basic/templates/job.yaml

-apiVersion: apps/v1
-kind: Deployment
+apiVersion: batch/v1
+kind: Job
 metadata:
   name: {{ .Chart.Name }}
-  labels:
-    {{- include "oai-nr-dlsim-basic.labels" . | nindent 4 }}
 spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      {{- include "oai-nr-dlsim-basic.selectorLabels" . | nindent 6 }}
-  strategy:
-    type: Recreate
   template:
-    metadata:
-      labels:
-        {{- include "oai-nr-dlsim-basic.selectorLabels" . | nindent 8 }}
     spec:
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
@@ -28,8 +17,6 @@ spec:
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         securityContext:
           {{- toYaml .Values.securityContext | nindent 12 }}
-        ports:
-        - containerPort: 80
         env:
         - name: OPENAIR_DIR
           value: /opt/oai-physim
@@ -37,9 +24,9 @@ spec:
         args:
         - >
           cmake_targets/autotests/run_exec_autotests.bash -g "nr_dlsim.basic" -d bin/ &&
-          echo "FINISHED" && sleep infinity
+          echo "FINISHED"
       dnsPolicy: ClusterFirst
-      restartPolicy: Always
+      restartPolicy: Never
       schedulerName: default-scheduler
       serviceAccountName: {{ .Values.global.serviceAccountName }}
       terminationGracePeriodSeconds: 30

charts/physims/charts/nr-dlsim.basic/values.yaml

@@ -27,10 +27,10 @@ podSecurityContext:
   runAsGroup: 0
 
 securityContext:
-  privileged: true
-  capabilities:
-    add:
-      - SYS_CAP_PTRACE
+  privileged: false
+#  capabilities:
+#    add:
+#      - SYS_CAP_PTRACE
   #   drop:
   #   - ALL
   # readOnlyRootFilesystem: true

charts/physims/charts/nr-dlsim.dmrs+ptrs/templates/deployment.yaml → charts/physims/charts/nr-dlsim.dmrs+ptrs/templates/job.yaml

-apiVersion: apps/v1
-kind: Deployment
+apiVersion: batch/v1
+kind: Job
 metadata:
   name: {{ .Chart.Name }}
-  labels:
-    {{- include "oai-nr-dlsim-dmrs-ptrs.labels" . | nindent 4 }}
 spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      {{- include "oai-nr-dlsim-dmrs-ptrs.selectorLabels" . | nindent 6 }}
-  strategy:
-    type: Recreate
   template:
-    metadata:
-      labels:
-        {{- include "oai-nr-dlsim-dmrs-ptrs.selectorLabels" . | nindent 8 }}
     spec:
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
@@ -28,8 +17,6 @@ spec:
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         securityContext:
           {{- toYaml .Values.securityContext | nindent 12 }}
-        ports:
-        - containerPort: 80
         env:
         - name: OPENAIR_DIR
           value: /opt/oai-physim
@@ -37,9 +24,9 @@ spec:
         args:
         - >
           cmake_targets/autotests/run_exec_autotests.bash -g "nr_dlsim.dmrs+ptrs" -d bin/ &&
-          echo "FINISHED" && sleep infinity
+          echo "FINISHED"
       dnsPolicy: ClusterFirst
-      restartPolicy: Always
+      restartPolicy: Never
       schedulerName: default-scheduler
       serviceAccountName: {{ .Values.global.serviceAccountName }}
       terminationGracePeriodSeconds: 30

charts/physims/charts/nr-dlsim.dmrs+ptrs/values.yaml

@@ -27,10 +27,10 @@ podSecurityContext:
   runAsGroup: 0
 
 securityContext:
-  privileged: true
-  capabilities:
-    add:
-      - SYS_CAP_PTRACE
+  privileged: false
+#  capabilities:
+#    add:
+#      - SYS_CAP_PTRACE
   #   drop:
   #   - ALL
   # readOnlyRootFilesystem: true

charts/physims/charts/nr-dlsim.mcs+mimo/templates/deployment.yaml → charts/physims/charts/nr-dlsim.mcs+mimo/templates/job.yaml

-apiVersion: apps/v1
-kind: Deployment
+apiVersion: batch/v1
+kind: Job
 metadata:
   name: {{ .Chart.Name }}
-  labels:
-    {{- include "oai-nr-dlsim-mcs-mimo.labels" . | nindent 4 }}
 spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      {{- include "oai-nr-dlsim-mcs-mimo.selectorLabels" . | nindent 6 }}
-  strategy:
-    type: Recreate
   template:
-    metadata:
-      labels:
-        {{- include "oai-nr-dlsim-mcs-mimo.selectorLabels" . | nindent 8 }}
     spec:
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
@@ -28,8 +17,6 @@ spec:
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         securityContext:
           {{- toYaml .Values.securityContext | nindent 12 }}
-        ports:
-        - containerPort: 80
         env:
         - name: OPENAIR_DIR
           value: /opt/oai-physim
@@ -37,9 +24,9 @@ spec:
         args:
         - >
           cmake_targets/autotests/run_exec_autotests.bash -g "nr_dlsim.mcs+mimo" -d bin/ &&
-          echo "FINISHED" && sleep infinity
+          echo "FINISHED"
       dnsPolicy: ClusterFirst
-      restartPolicy: Always
+      restartPolicy: Never
       schedulerName: default-scheduler
       serviceAccountName: {{ .Values.global.serviceAccountName }}
       terminationGracePeriodSeconds: 30

charts/physims/charts/nr-dlsim.mcs+mimo/values.yaml

@@ -27,10 +27,10 @@ podSecurityContext:
   runAsGroup: 0
 
 securityContext:
-  privileged: true
-  capabilities:
-    add:
-      - SYS_CAP_PTRACE
+  privileged: false
+#  capabilities:
+#    add:
+#      - SYS_CAP_PTRACE
   #   drop:
   #   - ALL
   # readOnlyRootFilesystem: true

charts/physims/charts/nr-dlsim.offset/templates/deployment.yaml → charts/physims/charts/nr-dlsim.offset/templates/job.yaml

-apiVersion: apps/v1
-kind: Deployment
+apiVersion: batch/v1
+kind: Job
 metadata:
   name: {{ .Chart.Name }}
-  labels:
-    {{- include "oai-nr-dlsim-offset.labels" . | nindent 4 }}
 spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      {{- include "oai-nr-dlsim-offset.selectorLabels" . | nindent 6 }}
-  strategy:
-    type: Recreate
   template:
-    metadata:
-      labels:
-        {{- include "oai-nr-dlsim-offset.selectorLabels" . | nindent 8 }}
     spec:
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
@@ -28,8 +17,6 @@ spec:
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         securityContext:
           {{- toYaml .Values.securityContext | nindent 12 }}
-        ports:
-        - containerPort: 80
         env:
         - name: OPENAIR_DIR
           value: /opt/oai-physim
@@ -37,9 +24,9 @@ spec:
         args:
         - >
           cmake_targets/autotests/run_exec_autotests.bash -g "nr_dlsim.offset" -d bin/ &&
-          echo "FINISHED" && sleep infinity
+          echo "FINISHED"
       dnsPolicy: ClusterFirst
-      restartPolicy: Always
+      restartPolicy: Never
       schedulerName: default-scheduler
       serviceAccountName: {{ .Values.global.serviceAccountName }}
       terminationGracePeriodSeconds: 30

charts/physims/charts/nr-dlsim.offset/values.yaml

@@ -27,10 +27,10 @@ podSecurityContext:
   runAsGroup: 0
 
 securityContext:
-  privileged: true
-  capabilities:
-    add:
-      - SYS_CAP_PTRACE
+  privileged: false
+#  capabilities:
+#    add:
+#      - SYS_CAP_PTRACE
   #   drop:
   #   - ALL
   # readOnlyRootFilesystem: true

charts/physims/charts/nr-pbchsim.106rb/templates/deployment.yaml → charts/physims/charts/nr-pbchsim.106rb/templates/job.yaml

-apiVersion: apps/v1
-kind: Deployment
+apiVersion: batch/v1
+kind: Job
 metadata:
   name: {{ .Chart.Name }}
-  labels:
-    {{- include "oai-nr-pbchsim-106rb.labels" . | nindent 4 }}
 spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      {{- include "oai-nr-pbchsim-106rb.selectorLabels" . | nindent 6 }}
-  strategy:
-    type: Recreate
   template:
     metadata:
       labels:
@@ -28,8 +20,6 @@ spec:
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         securityContext:
           {{- toYaml .Values.securityContext | nindent 12 }}
-        ports:
-        - containerPort: 80
         env:
         - name: OPENAIR_DIR
           value: /opt/oai-physim
@@ -37,9 +27,9 @@ spec:
         args:
         - >
           cmake_targets/autotests/run_exec_autotests.bash -g "nr_pbchsim.106rb" -d bin/ &&
-          echo "FINISHED" && sleep infinity
+          echo "FINISHED"
       dnsPolicy: ClusterFirst
-      restartPolicy: Always
+      restartPolicy: Never
       schedulerName: default-scheduler
       serviceAccountName: {{ .Values.global.serviceAccountName }}
       terminationGracePeriodSeconds: 30

charts/physims/charts/nr-pbchsim.106rb/values.yaml

@@ -27,10 +27,10 @@ podSecurityContext:
   runAsGroup: 0
 
 securityContext:
-  privileged: true
-  capabilities:
-    add:
-      - SYS_CAP_PTRACE
+  privileged: false
+#  capabilities:
+#    add:
+#      - SYS_CAP_PTRACE
   #   drop:
   #   - ALL
   # readOnlyRootFilesystem: true

charts/physims/charts/nr-pbchsim.217rb/templates/deployment.yaml → charts/physims/charts/nr-pbchsim.217rb/templates/job.yaml

-apiVersion: apps/v1
-kind: Deployment
+apiVersion: batch/v1
+kind: Job
 metadata:
   name: {{ .Chart.Name }}
-  labels:
-    {{- include "oai-nr-pbchsim-217rb.labels" . | nindent 4 }}
 spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      {{- include "oai-nr-pbchsim-217rb.selectorLabels" . | nindent 6 }}
-  strategy:
-    type: Recreate
   template:
-    metadata:
-      labels:
-        {{- include "oai-nr-pbchsim-217rb.selectorLabels" . | nindent 8 }}
     spec:
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
@@ -28,8 +17,6 @@ spec:
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         securityContext:
           {{- toYaml .Values.securityContext | nindent 12 }}
-        ports:
-        - containerPort: 80
         env:
         - name: OPENAIR_DIR
           value: /opt/oai-physim
@@ -37,9 +24,9 @@ spec:
         args:
         - >
           cmake_targets/autotests/run_exec_autotests.bash -g "nr_pbchsim.217rb" -d bin/ &&
-          echo "FINISHED" && sleep infinity
+          echo "FINISHED"
       dnsPolicy: ClusterFirst
-      restartPolicy: Always
+      restartPolicy: Never
       schedulerName: default-scheduler
       serviceAccountName: {{ .Values.global.serviceAccountName }}
       terminationGracePeriodSeconds: 30