airship
/
armada
Code Issues Proposed changes

Apply security context to tiller in Armada pod 

Allows container security context to be applied to the tiller container
inside the Armada API pod, and sets the following: run as nobody (uid
65534), read-only root filesystem, deny privilege escalation. Also sets
the rest of the armada pod to run as armada (uid 1000).

Change-Id: I38eb32f54ca4c0a20c1c63fca2f4927ced6e9e81
This commit is contained in:
Phil Sphicas 2020-02-21 16:44:23 -08:00
parent 4e74fa8ff2
commit 1810da025f
2 changed files with 14 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
charts/armada/templates/deployment-api.yaml
View File

@ -160,6 +160,7 @@ spec:
- name: tiller
{{ tuple $envAll "tiller" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.tiller | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "armada" "container" "tiller" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env:
- name: TILLER_NAMESPACE
value: {{ .Values.conf.tiller.namespace | quote }}

16
charts/armada/values.yaml
View File

@ -263,7 +263,7 @@ pod:
security_context:
armada:
pod:
runAsUser: 65534
runAsUser: 1000
container:
armada_api_init:
readOnlyRootFilesystem: true
@ -271,6 +271,10 @@ pod:
armada_api:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
tiller:
runAsUser: 65534
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
env:
# NOTE(@drewwalters96): These configuration values change the Armada API's
# uWSGI configuration.
@ -304,8 +308,14 @@ pod:
volumes: []
volumeMounts: []
tiller:
volumes: []
volumeMounts: []
volumes:
- name: kubernetes-client-cache
emptyDir: {}
volumeMounts:
- name: kubernetes-client-cache
# Should be the `$HOME/.kube` of the `runAsUser` above
# as this is where tiller's kubernetes client roots its cache dir.
mountPath: /tmp/.kube
affinity:
anti:
type: