Add pod/container security context to promenade charts
This updates the coredns, haproxy and etcd chart to include the pod security context on the pod template. This also adds the container security context to set readOnlyRootFilesystem flag Change-Id: I9b5b0ea83acd4c5656577d8cbc684a5031ca0111
This commit is contained in:
parent
14febda1e3
commit
1e4b5e0d45
|
@ -28,6 +28,7 @@ metadata:
|
|||
labels:
|
||||
{{ tuple $envAll "coredns" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||
spec:
|
||||
{{ dict "envAll" $envAll "application" "test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
|
||||
restartPolicy: Never
|
||||
nodeSelector:
|
||||
{{ .Values.labels.coredns.node_selector_key }}: {{ .Values.labels.coredns.node_selector_value }}
|
||||
|
@ -36,6 +37,7 @@ spec:
|
|||
image: {{ .Values.images.tags.test }}
|
||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||
{{ tuple . .Values.pod.resources.pod_test | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
|
||||
{{ dict "envAll" $envAll "application" "test" "container" "coredns_test" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
|
|
|
@ -52,6 +52,13 @@ pod:
|
|||
coredns:
|
||||
runAsUser: 0
|
||||
readOnlyRootFilesystem: true
|
||||
test:
|
||||
pod:
|
||||
runAsUser: 65534
|
||||
container:
|
||||
coredns_test:
|
||||
runAsUser: 0
|
||||
readOnlyRootFilesystem: true
|
||||
lifecycle:
|
||||
upgrades:
|
||||
# This is only meaningful when deploying as a DaemonSet
|
||||
|
|
|
@ -31,6 +31,7 @@ metadata:
|
|||
labels:
|
||||
{{ tuple $envAll $applicationName "etcd-test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||
spec:
|
||||
{{ dict "envAll" $envAll "application" "etcd_test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
|
||||
nodeSelector:
|
||||
{{ .Values.labels.anchor.node_selector_key }}: {{ .Values.labels.anchor.node_selector_value }}
|
||||
restartPolicy: Never
|
||||
|
@ -74,6 +75,7 @@ spec:
|
|||
image: {{ .Values.images.tags.etcdctl }}
|
||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||
{{ tuple . .Values.pod.resources.test | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
|
||||
{{ dict "envAll" $envAll "application" "etcd_test" "container" "etcd_test" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
|
||||
command:
|
||||
- etcdctl
|
||||
- endpoint
|
||||
|
|
|
@ -120,6 +120,13 @@ pod:
|
|||
etcd:
|
||||
runAsUser: 0
|
||||
readOnlyRootFilesystem: false
|
||||
etcd_test:
|
||||
pod:
|
||||
runAsUser: 65534
|
||||
container:
|
||||
etcd_test:
|
||||
runAsUser: 0
|
||||
readOnlyRootFilesystem: false
|
||||
probes:
|
||||
etcd:
|
||||
etcd:
|
||||
|
|
|
@ -29,6 +29,7 @@ metadata:
|
|||
labels:
|
||||
{{ tuple $envAll "kubernetes" "haproxy-test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||
spec:
|
||||
{{ dict "envAll" $envAll "application" "haproxy_test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
|
||||
restartPolicy: Never
|
||||
nodeSelector:
|
||||
{{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
|
||||
|
@ -44,6 +45,7 @@ spec:
|
|||
image: {{ .Values.images.tags.test }}
|
||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||
{{ tuple . .Values.pod.resources.test | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
|
||||
{{ dict "envAll" $envAll "application" "haproxy_test" "container" "haproxy_haproxy_test" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
|
||||
command:
|
||||
- /bin/bash
|
||||
- -c
|
||||
|
|
|
@ -91,7 +91,6 @@ pod:
|
|||
container:
|
||||
anchor:
|
||||
runAsUser: 0
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
haproxy:
|
||||
pod:
|
||||
|
@ -99,7 +98,13 @@ pod:
|
|||
container:
|
||||
haproxy_perms:
|
||||
runAsUser: 0
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
haproxy_test:
|
||||
pod:
|
||||
runAsUser: 65534
|
||||
container:
|
||||
haproxy_haproxy_test:
|
||||
runAsUser: 0
|
||||
readOnlyRootFilesystem: true
|
||||
lifecycle:
|
||||
upgrades:
|
||||
|
|
Loading…
Reference in New Issue