Merge "Run apiserver-webhook containers with the 'nobody' user"

2019-07-16 21:58:45 +00:00 · 2019-07-16 21:58:45 +00:00 · b417f422e9
parent da4bdf535a 6fcdde451b
commit b417f422e9
2 changed files with 5 additions and 0 deletions
--- a/charts/apiserver-webhook/templates/deployment.yaml
+++ b/charts/apiserver-webhook/templates/deployment.yaml
@ -120,6 +120,7 @@ spec:
      affinity:
 {{ tuple $envAll "kubernetes-keystone-webhook" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
      dnsPolicy: ClusterFirst
+{{ dict "envAll" $envAll "application" "apiserver_webhook" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      containers:
        - name: apiserver
          image: {{ .Values.images.tags.apiserver }}
--- a/charts/apiserver-webhook/values.yaml
+++ b/charts/apiserver-webhook/values.yaml
@ -253,6 +253,10 @@ pod:
    kubernetes_keystone_webhook_tests:
      init_container: null
      kubernetes_keystone_webhook_tests: null
+  security_context:
+    apiserver_webhook:
+      pod:
+        runAsUser: 65534
 conf:
  paths:
    base: '/etc/webhook_apiserver/'