Proxy: Add pod/container security context
This updates the proxy chart to include the pod security context on the pod template. It also adds the container security context, which sets the readOnlyRootFilesystem flag to false.

Change-Id: I4e6d2836aa9d548118937b6b176e06fbc4a8c7ee
parent
fd1ff8444d
commit
d850c36afa
|
@ -39,6 +39,7 @@ spec:
|
|||
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
|
||||
scheduler.alpha.kubernetes.io/critical-pod: ''
|
||||
spec:
|
||||
{{ dict "envAll" $envAll "application" "proxy" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
|
||||
hostNetwork: true
|
||||
shareProcessNamespace: true
|
||||
dnsPolicy: Default
|
||||
|
@ -63,8 +64,7 @@ spec:
|
|||
- --v={{ .Values.proxy.logging.log_level }}
|
||||
{{- end }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.proxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
|
||||
securityContext:
|
||||
privileged: true
|
||||
{{ dict "envAll" $envAll "application" "proxy" "container" "proxy" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
|
||||
env:
|
||||
- name: KUBERNETES_SERVICE_HOST
|
||||
value: {{ .Values.kube_service.host }}
|
||||
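Review bot: The pod spec keeps `hostNetwork: true` and `shareProcessNamespace: true` while the container's privilege setting moves from a literal `privileged: true` to whatever `pod.security_context.proxy.container.proxy` holds in values, and the template has no comment tying these together. With host networking, a shared process namespace and a privileged root container, a compromise of this container is effectively a compromise of the node, so the reason for the combination should be recorded where a reviewer of the template sees it. I would add a template comment above the container snippet, for example `{{/* proxy runs privileged on the host network; the effective securityContext is rendered from pod.security_context.proxy in values.yaml */}}`. Which displayed lines are added or removed is inferred from the hunk counts, because the page lost its +/- markers.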
|
|
|
@ -18,6 +18,15 @@ manifests:
|
|||
rbac: true
|
||||
|
||||
pod:
|
||||
security_context:
|
||||
proxy:
|
||||
pod:
|
||||
runAsUser: 65534
|
||||
container:
|
||||
proxy:
|
||||
runAsUser: 0
|
||||
privileged: true
|
||||
readOnlyRootFilesystem: false
|
||||
lifecycle:
|
||||
upgrades:
|
||||
daemonsets:
|
||||
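Review bot: The pod-level `runAsUser: 65534` does not apply to the proxy container, because the container-level `runAsUser: 0` overrides it, so the defaults read as non-root while the workload runs as root, privileged and with a writable root filesystem. If the proxy is the only container in the pod (the rest of the template is not visible here), either drop the pod-level value or say so in a comment such as `# pod-level default for any other container; the proxy container overrides this with root below`. `readOnlyRootFilesystem: false` is set explicitly but not justified. It is worth checking whether the proxy writes only to a few known paths, in which case `readOnlyRootFilesystem: true` with those paths mounted as volumes would be the tighter default.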
|
|