Proxy: Add pod/container security context

This updates the proxy chart to include the pod security context on the pod template. This also adds the container security context to set readOnlyRootFilesystem flag to false Change-Id: I4e6d2836aa9d548118937b6b176e06fbc4a8c7ee
2019-10-31 23:05:19 -05:00 · 2019-10-31 23:05:19 -05:00 · d850c36afa
parent fd1ff8444d
commit d850c36afa
2 changed files with 11 additions and 2 deletions
--- a/charts/proxy/templates/daemonset.yaml
+++ b/charts/proxy/templates/daemonset.yaml
@ -39,6 +39,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
+{{ dict "envAll" $envAll "application" "proxy" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      hostNetwork: true
      shareProcessNamespace: true
      dnsPolicy: Default
@ -63,8 +64,7 @@ spec:
          - --v={{ .Values.proxy.logging.log_level }}
          {{- end }}
 {{ tuple $envAll $envAll.Values.pod.resources.proxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
-        securityContext:
-          privileged: true
+{{ dict "envAll" $envAll "application" "proxy" "container" "proxy" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
        env:
          - name: KUBERNETES_SERVICE_HOST
            value: {{ .Values.kube_service.host }}
--- a/charts/proxy/values.yaml
+++ b/charts/proxy/values.yaml
@ -18,6 +18,15 @@ manifests:
  rbac: true

 pod:
+  security_context:
+    proxy:
+      pod:
+        runAsUser: 65534
+      container:
+        proxy:
+          runAsUser: 0
+          privileged: true
+          readOnlyRootFilesystem: false
  lifecycle:
    upgrades:
      daemonsets: