Tiller-deploy: Add pod/container security context

This updates the tiller chart to include the pod
security context on the pod template.

This also adds the container security context, setting the
readOnlyRootFilesystem flag to true.

Change-Id: I08694e58d057c04f7ba30ded5dca1207ceaac5e2
KHIYANI, RAHUL (rk0850) 2020-01-22 16:07:08 -06:00
parent 50384e47c7
commit da0f6e61ba
2 changed files with 10 additions and 0 deletions


@ -75,6 +75,7 @@ spec:
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
spec:
{{ dict "envAll" $envAll "application" "tiller" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }}
nodeSelector:
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
@ -82,6 +83,7 @@ spec:
- name: tiller
{{ tuple $envAll "tiller" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.tiller | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "tiller" "container" "tiller" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env:
- name: TILLER_NAMESPACE
value: {{ .Values.Name }}
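Review bot: The container security context included at the `kubernetes_container_security_context` line turns on readOnlyRootFilesystem (per the values change in this commit), but no writable volume mount is visible in this hunk; the container spec continues outside the hunk, so a mount may already exist. If the tiller process writes anything at runtime (for example temp files), the pod will only fail once scheduled rather than at template time, so this is worth confirming with a test install before merge. If a writable path is needed, an `emptyDir` volume mounted at that path is the usual companion to a read-only root filesystem.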


@ -51,6 +51,14 @@ conf:
prestop_sleep: 30
pod:
security_context:
tiller:
pod:
runAsUser: 65534
container:
tiller:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
probes:
tiller:
tiller:
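Review bot: The new pod security context sets `runAsUser: 65534` but does not set `runAsNonRoot: true`, so the non-root intent is not enforced by the kubelet if the uid is later overridden or removed; adding `runAsNonRoot: true` alongside `runAsUser` in the `pod:` block makes the constraint explicit. The container block already disables privilege escalation and makes the root filesystem read-only, which is consistent with that intent. The hunk header announces 14 new-side lines but 13 are shown here, so one line (likely blank) appears to have been lost in rendering.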