Scheduler: Add pod/container security context

This updates the scheduler chart to include the pod security context on the pod template. This also adds the container security context to set readOnlyRootFilesystem flag to true Change-Id: I11d8d8188cb94a39ca1891844e9c282dbbda56f9
2019-10-31 23:13:07 -05:00 · 2019-10-31 23:13:07 -05:00 · 6079fa7755
parent fd1ff8444d
commit 6079fa7755
2 changed files with 10 additions and 0 deletions
--- a/charts/scheduler/templates/sched-anchor.yaml
+++ b/charts/scheduler/templates/sched-anchor.yaml
@ -40,6 +40,7 @@ spec:
      labels:
 {{ $labels | indent 8 }}
    spec:
+{{ dict "envAll" $envAll "application" "scheduler" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      hostNetwork: true
      dnsPolicy: {{ .Values.anchor.dns_policy }}
      nodeSelector:
@ -55,6 +56,7 @@ spec:
          image: {{ .Values.images.tags.anchor }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.anchor_daemonset | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "scheduler" "container" "anchor" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          command:
            - /tmp/bin/anchor
          lifecycle:
--- a/charts/scheduler/values.yaml
+++ b/charts/scheduler/values.yaml
@ -25,6 +25,14 @@ labels:
    node_selector_value: enabled

 pod:
+  security_context:
+    scheduler:
+      pod:
+        runAsUser: 65534
+      container:
+        anchor:
+          runAsUser: 0
+          readOnlyRootFilesystem: true
  lifecycle:
    upgrades:
      daemonsets: