Merge "apiserver-webhook: Add container security context"

2020-02-19 19:35:04 +00:00 · 2020-02-19 19:35:04 +00:00 · 08039c2eda
parent c83f7b8a3e 1deee87b93
commit 08039c2eda
2 changed files with 9 additions and 4 deletions
--- a/charts/apiserver-webhook/templates/deployment.yaml
+++ b/charts/apiserver-webhook/templates/deployment.yaml
@ -130,6 +130,7 @@ spec:
        - name: apiserver
          image: {{ .Values.images.tags.apiserver }}
 {{ tuple $envAll $envAll.Values.pod.resources.kubernetes_apiserver | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+{{ dict "envAll" $envAll "application" "apiserver_webhook" "container" "apiserver" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          env:
            - name: POD_IP
              valueFrom:
--- a/charts/apiserver-webhook/values.yaml
+++ b/charts/apiserver-webhook/values.yaml
@ -202,6 +202,14 @@ network_policy:
      - {}

 pod:
+  security_context:
+    apiserver_webhook:
+      pod:
+        runAsUser: 65534
+      container:
+        apiserver:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
  mounts:
    kubernetes_apiserver:
      init_container: null
@ -272,10 +280,6 @@ pod:
    kubernetes_keystone_webhook_tests:
      init_container: null
      kubernetes_keystone_webhook_tests: null
-  security_context:
-    apiserver_webhook:
-      pod:
-        runAsUser: 65534
 conf:
  paths:
    base: '/etc/webhook_apiserver/'