From da0f6e61ba9e8d40e96db616c0fafb0fdbcb9417 Mon Sep 17 00:00:00 2001
From: "KHIYANI, RAHUL (rk0850)"
Date: Wed, 22 Jan 2020 16:07:08 -0600
Subject: [PATCH] Tiller-deploy: Add pod/container security context

This updates the tiller chart to include the pod security context on the pod template. This also adds the container security context to set readOnlyRootFilesystem flag to true

Change-Id: I08694e58d057c04f7ba30ded5dca1207ceaac5e2
---
 charts/tiller/templates/deployment-tiller.yaml | 2 ++
 charts/tiller/values.yaml | 8 ++++++++
 2 files changed, 10 insertions(+)

diff --git a/charts/tiller/templates/deployment-tiller.yaml b/charts/tiller/templates/deployment-tiller.yaml
index 68dd5dca..97fccec9 100644
--- a/charts/tiller/templates/deployment-tiller.yaml
+++ b/charts/tiller/templates/deployment-tiller.yaml
@@ -75,6 +75,7 @@ spec:
 annotations:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 spec:
+{{ dict "envAll" $envAll "application" "tiller" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 nodeSelector:
 {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
@@ -82,6 +83,7 @@ spec:
 - name: tiller
 {{ tuple $envAll "tiller" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.tiller | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "tiller" "container" "tiller" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 env:
 - name: TILLER_NAMESPACE
 value: {{ .Values.Name }}
diff --git a/charts/tiller/values.yaml b/charts/tiller/values.yaml
index c29d7f5c..b17fbb02 100644
--- a/charts/tiller/values.yaml
+++ b/charts/tiller/values.yaml
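Review bot: The container security context added in the second hunk turns on `readOnlyRootFilesystem: true` (per the values in this patch) but no writable volume is added alongside it, so if the tiller binary writes anywhere on its root filesystem at runtime — a temp or cache path, for instance — the pod will fail at run time rather than at render time; confirm against the image before merging and mount an `emptyDir` for any such path. The only thing keeping tiller off UID 0 is the pod-level `runAsUser` introduced by the first hunk, and a pod-level setting applies to every container in the pod template, which is worth stating where it is set: `{{/* pod-level security context applies to every container in this pod, including any init containers */}}` above the `kubernetes_pod_security_context` include. The containers list and the rest of the pod spec continue outside both hunks, so whether other containers or volumes exist cannot be seen here.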
@@ -51,6 +51,14 @@ conf:
 prestop_sleep: 30

 pod:
+ security_context:
+ tiller:
+ pod:
+ runAsUser: 65534
+ container:
+ tiller:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 probes:
 tiller:
 tiller:
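Review bot: `runAsUser: 65534` picks a non-root UID but nothing asserts it, so an overriding values file that changes or drops the UID would let tiller start as root without any error; pairing it with `runAsNonRoot: true` makes the kubelet refuse to start the container as UID 0: `pod:` / `runAsUser: 65534` / `runAsNonRoot: true`. On the container side, `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` are the right first two settings; the usual minimal profile also drops all Linux capabilities (`capabilities:` / `drop:` / `- ALL`), which tiller, as a gRPC service talking to the API server, presumably does not need — confirm against the image. The integer and boolean values are correctly left unquoted, since the Kubernetes API expects those types rather than strings.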