From 6079fa7755e0c2a9aad5c9f7fb1d27bd2dec6082 Mon Sep 17 00:00:00 2001
From: "KHIYANI, RAHUL (rk0850)"
Date: Thu, 31 Oct 2019 23:13:07 -0500
Subject: [PATCH] Scheduler: Add pod/container security context

This updates the scheduler chart to include the pod security context on the pod template. This also adds the container security context to set readOnlyRootFilesystem flag to true

Change-Id: I11d8d8188cb94a39ca1891844e9c282dbbda56f9
---
 charts/scheduler/templates/sched-anchor.yaml | 2 ++
 charts/scheduler/values.yaml | 8 ++++++++
 2 files changed, 10 insertions(+)

diff --git a/charts/scheduler/templates/sched-anchor.yaml b/charts/scheduler/templates/sched-anchor.yaml
index 467ba910..71f9b19c 100644
--- a/charts/scheduler/templates/sched-anchor.yaml
+++ b/charts/scheduler/templates/sched-anchor.yaml
@@ -40,6 +40,7 @@ spec:
 labels:
 {{ $labels | indent 8 }}
 spec:
+{{ dict "envAll" $envAll "application" "scheduler" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 hostNetwork: true
 dnsPolicy: {{ .Values.anchor.dns_policy }}
 nodeSelector:
@@ -55,6 +56,7 @@ spec:
 image: {{ .Values.images.tags.anchor }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.anchor_daemonset | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "scheduler" "container" "anchor" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /tmp/bin/anchor
 lifecycle:
diff --git a/charts/scheduler/values.yaml b/charts/scheduler/values.yaml
index 61df491c..a1b0be06 100644
--- a/charts/scheduler/values.yaml
+++ b/charts/scheduler/values.yaml
@@ -25,6 +25,14 @@ labels:
 node_selector_value: enabled

 pod:
+ security_context: scheduler: pod: runAsUser: 65534 container: anchor: runAsUser: 0 readOnlyRootFilesystem: true
 lifecycle:
 upgrades:
 daemonsets:
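Review bot: With `readOnlyRootFilesystem: true` now rendered into this container via the added include, every path that the entrypoint `/tmp/bin/anchor` and the `lifecycle` hooks write to must sit on a mounted volume, and a miss will only show up as a runtime failure of the DaemonSet, not at `helm template` time. The volumeMounts and the hook commands are outside this hunk, so I cannot confirm they cover all writes; please verify (including anything the anchor script writes under `/tmp` or `/etc`) and leave a marker next to the include, `# root fs is read-only (pod.security_context.scheduler.container.anchor); every writable path must be a volumeMount`. The container definition continues outside the hunk.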
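Review bot: `container.anchor.runAsUser: 0` overrides the pod-level `runAsUser: 65534` for the anchor container, so the pod-level value has no effect on the only container this chart shows and the anchor keeps running as root in a pod that sets `hostNetwork: true` in sched-anchor.yaml; if root is genuinely required (presumably for host-path writes, which this diff does not show), record that in values.yaml rather than leaving two contradictory settings unexplained. The container block also sets only `readOnlyRootFilesystem`, which does not prevent privilege escalation, so `allowPrivilegeEscalation: false` is worth adding alongside it unless the anchor depends on setuid binaries. Proposed anchor block: `runAsUser: 0  # overrides pod-level 65534; needed for host-path writes -- confirm` followed by `readOnlyRootFilesystem: true` and `allowPrivilegeEscalation: false`. The `pod:` mapping continues outside the hunk.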