Apply security context to tiller in Armada pod
Allows container security context to be applied to the tiller container inside the Armada API pod, and sets the following: run as nobody (uid 65534), read-only root filesystem, deny privilege escalation. Also sets the rest of the armada pod to run as armada (uid 1000). Change-Id: I38eb32f54ca4c0a20c1c63fca2f4927ced6e9e81
This commit is contained in:
parent
4e74fa8ff2
commit
1810da025f
@ -160,6 +160,7 @@ spec:
- name: tiller
{{ tuple $envAll "tiller" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.tiller | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "armada" "container" "tiller" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env:
- name: TILLER_NAMESPACE
value: {{ .Values.conf.tiller.namespace | quote }}
@ -263,7 +263,7 @@ pod:
security_context:
armada:
pod:
runAsUser: 65534
runAsUser: 1000
container:
armada_api_init:
readOnlyRootFilesystem: true
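Review bot: The pod-level `runAsUser: 1000` that replaces 65534 is not paired with `runAsNonRoot: true`, so the non-root intent stated in the commit message is only an unchecked uid value and nothing rejects the pod at admission if this is later overridden to 0. If the helm-toolkit pod security context snippet passes this mapping through unchanged (not visible here), adding `runAsNonRoot: true` next to it would enforce the assumption. The magic number also deserves a comment tying it to the image, e.g. `runAsUser: 1000  # armada user created in the Armada image; keep in sync with the Dockerfile`.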
@ -271,6 +271,10 @@ pod:
armada_api:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
tiller:
runAsUser: 65534
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
env:
# NOTE(@drewwalters96): These configuration values change the Armada API's
# uWSGI configuration.
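Review bot: The new `tiller:` container entry sets `runAsUser`, `readOnlyRootFilesystem` and `allowPrivilegeEscalation` but does not drop Linux capabilities, so the container keeps the runtime's default capability set even though it runs as uid 65534. Adding `capabilities:` / `  drop:` / `    - ALL` under the same entry (and, for consistency, under `armada_api:` above it) closes that gap at no cost if tiller needs no capabilities, which is the usual case; confirm against the tiller image before merging. A short comment such as `# overrides the pod-level runAsUser (1000); tiller runs as nobody` would also make the uid split between pod and container explicit in the values file rather than only in the commit message.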
@ -304,8 +308,14 @@ pod:
volumes: []
volumeMounts: []
tiller:
volumes: []
volumeMounts: []
volumes:
- name: kubernetes-client-cache
emptyDir: {}
volumeMounts:
- name: kubernetes-client-cache
# Should be the `$HOME/.kube` of the `runAsUser` above
# as this is where tiller's kubernetes client roots its cache dir.
mountPath: /tmp/.kube
affinity:
anti:
type:
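Review bot: The comment on the `kubernetes-client-cache` mount says the path "should be the `$HOME/.kube` of the `runAsUser` above", yet `mountPath: /tmp/.kube` is hard-coded and nothing in this change sets `HOME` for uid 65534; the home directory recorded for that uid in the image is commonly not `/tmp`, so with `readOnlyRootFilesystem: true` tiller may still try to create its cache under an unwritable path. Either pin the assumption by adding `- name: HOME` / `value: /tmp` to the tiller `env:` list in the template hunk, or reword the comment to state that the image's `HOME` must resolve to `/tmp` for this mount to be used. Separately, `emptyDir: {}` has no `sizeLimit`, so the cache can grow until node disk pressure evicts the pod; a bound such as `emptyDir: {sizeLimit: 100Mi}` is worth considering if the cache size is known.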