Scheduler: Add pod/container security context
This updates the scheduler chart to include the pod security context on the pod template. It also adds the container security context, which sets the readOnlyRootFilesystem flag to true.
Change-Id: I11d8d8188cb94a39ca1891844e9c282dbbda56f9
parent
fd1ff8444d
commit
6079fa7755
|
@ -40,6 +40,7 @@ spec:
|
|||
labels:
|
||||
{{ $labels | indent 8 }}
|
||||
spec:
|
||||
{{ dict "envAll" $envAll "application" "scheduler" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
|
||||
hostNetwork: true
|
||||
dnsPolicy: {{ .Values.anchor.dns_policy }}
|
||||
nodeSelector:
|
||||
|
@ -55,6 +56,7 @@ spec:
|
|||
image: {{ .Values.images.tags.anchor }}
|
||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.anchor_daemonset | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
{{ dict "envAll" $envAll "application" "scheduler" "container" "anchor" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||
command:
|
||||
- /tmp/bin/anchor
|
||||
lifecycle:
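Review bot: The container security context included just above `command:` in the second hunk makes the `anchor` container run `/tmp/bin/anchor` and its `lifecycle` hook on a read-only root filesystem (per the values this commit sets), and no writable volume is visible in these lines. If either script writes outside a mounted volume, for example scratch files under `/tmp`, it will fail at runtime. The volume mounts are outside the hunk, so confirm them there and add an `emptyDir` for any path that needs writing. A comment above the include such as `# root filesystem is read-only; writable paths must be volume mounts` would keep later edits from tripping over this. The include covers only the container named `anchor`, so any init or sidecar containers declared outside the hunk would get only the pod-level context.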
|
||||
|
|
|
@ -25,6 +25,14 @@ labels:
|
|||
node_selector_value: enabled
|
||||
|
||||
pod:
|
||||
security_context:
|
||||
scheduler:
|
||||
pod:
|
||||
runAsUser: 65534
|
||||
container:
|
||||
anchor:
|
||||
runAsUser: 0
|
||||
readOnlyRootFilesystem: true
|
||||
lifecycle:
|
||||
upgrades:
|
||||
daemonsets:
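Review bot: The container-level `runAsUser: 0` under `anchor:` overrides the pod-level `runAsUser: 65534`, so the one container configured here still runs as root, in a pod the daemonset template places on the host network (`hostNetwork: true`). If root is required, record why next to the value, e.g. `# anchor runs as root because <reason>`, so the override is not read as an oversight and the effective hardening (`readOnlyRootFilesystem` only) is clear. Consider also adding `allowPrivilegeEscalation: false` beside `readOnlyRootFilesystem: true`, assuming the helm-toolkit snippet passes extra keys through and the anchor script works with it set.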
|
||||
|
|