Add pod/container security context to promenade charts

This updates the coredns, haproxy and etcd charts to include the pod
security context on the pod template.

This also adds the container security context to set the
readOnlyRootFilesystem flag.

Change-Id: I9b5b0ea83acd4c5656577d8cbc684a5031ca0111
This commit is contained in:
KHIYANI, RAHUL (rk0850) 2020-06-29 11:59:56 -05:00
parent 14febda1e3
commit 1e4b5e0d45
6 changed files with 27 additions and 2 deletions


@ -28,6 +28,7 @@ metadata:
labels:
{{ tuple $envAll "coredns" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
spec:
{{ dict "envAll" $envAll "application" "test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
restartPolicy: Never
nodeSelector:
{{ .Values.labels.coredns.node_selector_key }}: {{ .Values.labels.coredns.node_selector_value }}
@ -36,6 +37,7 @@ spec:
image: {{ .Values.images.tags.test }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple . .Values.pod.resources.pod_test | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
{{ dict "envAll" $envAll "application" "test" "container" "coredns_test" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
command:
- /bin/sh
- -c


@ -52,6 +52,13 @@ pod:
coredns:
runAsUser: 0
readOnlyRootFilesystem: true
test:
pod:
runAsUser: 65534
container:
coredns_test:
runAsUser: 0
readOnlyRootFilesystem: true
lifecycle:
upgrades:
# This is only meaningful when deploying as a DaemonSet


@ -31,6 +31,7 @@ metadata:
labels:
{{ tuple $envAll $applicationName "etcd-test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
spec:
{{ dict "envAll" $envAll "application" "etcd_test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
nodeSelector:
{{ .Values.labels.anchor.node_selector_key }}: {{ .Values.labels.anchor.node_selector_value }}
restartPolicy: Never
@ -74,6 +75,7 @@ spec:
image: {{ .Values.images.tags.etcdctl }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple . .Values.pod.resources.test | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
{{ dict "envAll" $envAll "application" "etcd_test" "container" "etcd_test" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
command:
- etcdctl
- endpoint


@ -120,6 +120,13 @@ pod:
etcd:
runAsUser: 0
readOnlyRootFilesystem: false
etcd_test:
pod:
runAsUser: 65534
container:
etcd_test:
runAsUser: 0
readOnlyRootFilesystem: false
probes:
etcd:
etcd:


@ -29,6 +29,7 @@ metadata:
labels:
{{ tuple $envAll "kubernetes" "haproxy-test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
spec:
{{ dict "envAll" $envAll "application" "haproxy_test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
restartPolicy: Never
nodeSelector:
{{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
@ -44,6 +45,7 @@ spec:
image: {{ .Values.images.tags.test }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple . .Values.pod.resources.test | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
{{ dict "envAll" $envAll "application" "haproxy_test" "container" "haproxy_haproxy_test" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
command:
- /bin/bash
- -c
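Review bot: The container key `haproxy_haproxy_test` on the new container security context line doubles the chart prefix while the application key is `haproxy_test`; it matches the values stanza added in this commit, so it renders, but it reads like a typo next to `coredns_test` and `etcd_test` in the sibling charts. Naming it `haproxy_test` in both places, i.e. `"container" "haproxy_test"` here and `haproxy_test:` under `container:` in the values file, keeps the three charts parallel. The container definition continues past the end of the hunk.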


@ -91,7 +91,6 @@ pod:
container:
anchor:
runAsUser: 0
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
haproxy:
pod:
@ -99,7 +98,13 @@ pod:
container:
haproxy_perms:
runAsUser: 0
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
haproxy_test:
pod:
runAsUser: 65534
container:
haproxy_haproxy_test:
runAsUser: 0
readOnlyRootFilesystem: true
lifecycle:
upgrades:
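Review bot: The only two deletions in this commit fall in this file, and from the hunk headers (`-91,7 +91,6` and `-99,7 +98,13`) the removed lines appear to be `allowPrivilegeEscalation: false` under `anchor` and `haproxy_perms`, which the commit message does not mention. Unless the helm-toolkit container snippet sets that field by default, dropping it re-enables privilege escalation for those two containers, a regression unrelated to the stated purpose of the change. Keep both lines, and add `allowPrivilegeEscalation: false` to the new `haproxy_haproxy_test` container as well so the test container is not looser than the containers it sits beside. The enclosing `pod:` mapping starts before the first hunk and the `lifecycle:` stanza continues past the second.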