Merge "Apiserver: Add pod/container security context"

2019-11-07 20:15:22 +00:00 · 2019-11-07 20:15:22 +00:00 · 18e80654ff
parent 546929476a 154e0b5464
commit 18e80654ff
2 changed files with 10 additions and 0 deletions
--- a/charts/apiserver/templates/daemonset.yaml
+++ b/charts/apiserver/templates/daemonset.yaml
@ -45,6 +45,7 @@ spec:
        scheduler.alpha.kubernetes.io/critical-pod: ''
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
    spec:
+{{ dict "envAll" $envAll "application" "kubernetes_apiserver_anchor" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      nodeSelector:
        {{ .Values.labels.kubernetes_apiserver.node_selector_key }}: {{ .Values.labels.kubernetes_apiserver.node_selector_value }}
      dnsPolicy: {{ .Values.anchor.dns_policy }}
@ -60,6 +61,7 @@ spec:
          image: {{ .Values.images.tags.anchor }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.anchor_pod | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "kubernetes_apiserver_anchor" "container" "anchor" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          env:
          - name: MANIFEST_PATH
            value: /host{{ .Values.anchor.kubelet.manifest_path }}/{{ .Values.service.name }}.yaml
--- a/charts/apiserver/values.yaml
+++ b/charts/apiserver/values.yaml
@ -265,6 +265,14 @@ endpoints:
      #     key: null

 pod:
+  security_context:
+    kubernetes_apiserver_anchor:
+      pod:
+        runAsUser: 65534
+      container:
+        anchor:
+          runAsUser: 0
+          readOnlyRootFilesystem: false
  mounts:
    kubernetes_apiserver:
      init_container: null