From d850c36afa1aa28a75b7f3899d64a6917e5087b8 Mon Sep 17 00:00:00 2001
From: "KHIYANI, RAHUL (rk0850)"
Date: Thu, 31 Oct 2019 23:05:19 -0500
Subject: [PATCH] Proxy: Add pod/container security context

This updates the proxy chart to include the pod security context on the pod template. This also adds the container security context to set readOnlyRootFilesystem flag to false

Change-Id: I4e6d2836aa9d548118937b6b176e06fbc4a8c7ee
---
 charts/proxy/templates/daemonset.yaml | 4 ++--
 charts/proxy/values.yaml | 9 +++++++++
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/charts/proxy/templates/daemonset.yaml b/charts/proxy/templates/daemonset.yaml
index 8105768b..1807f2a2 100644
--- a/charts/proxy/templates/daemonset.yaml
+++ b/charts/proxy/templates/daemonset.yaml
@@ -39,6 +39,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 scheduler.alpha.kubernetes.io/critical-pod: ''
 spec:
+{{ dict "envAll" $envAll "application" "proxy" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 hostNetwork: true
 shareProcessNamespace: true
 dnsPolicy: Default
@@ -63,8 +64,7 @@ spec:
 - --v={{ .Values.proxy.logging.log_level }}
 {{- end }}
 {{ tuple $envAll $envAll.Values.pod.resources.proxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
- securityContext:
- privileged: true
+{{ dict "envAll" $envAll "application" "proxy" "container" "proxy" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
 env:
 - name: KUBERNETES_SERVICE_HOST
 value: {{ .Values.kube_service.host }}
diff --git a/charts/proxy/values.yaml b/charts/proxy/values.yaml
index 3ab9347e..80c071b1 100644
--- a/charts/proxy/values.yaml
+++ b/charts/proxy/values.yaml
@@ -18,6 +18,15 @@ manifests:
 rbac: true

 pod:
+ security_context:
+ proxy:
+ pod:
+ runAsUser: 65534
+ container:
+ proxy:
+ runAsUser: 0
+ privileged: true
+ readOnlyRootFilesystem: false
 lifecycle:
 upgrades:
 daemonsets:
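Review bot: In the second daemonset.yaml hunk the container's `privileged: true` is no longer fixed in the template; it now exists only because `values.yaml` sets it under `pod.security_context.proxy.container.proxy`, so a values override that replaces that mapping without repeating the key silently drops the privilege the proxy presumably relies on for its `hostNetwork: true` role. A template comment next to the included line would make the dependency visible to operators, e.g. `{{/* container securityContext (privileged, runAsUser) is taken from .Values.pod.security_context.proxy.container.proxy; keep privileged when overriding */}}`. The container definition this securityContext belongs to begins outside the hunk.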
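Review bot: In the values.yaml hunk the pod-level `runAsUser: 65534` has no effect on the proxy container, because the container-level `runAsUser: 0` added in the same hunk takes precedence (container securityContext fields override the pod securityContext in Kubernetes), so the effective result is a root, privileged container with a writable root filesystem in a pod that also has `hostNetwork: true` and `shareProcessNamespace: true` per the daemonset hunk. Either drop the pod-level value or keep it with a comment such as `# applies only to containers that do not set their own runAsUser` so nobody reads 65534 as the proxy's effective uid. Each of the three container settings should carry a one-line reason, e.g. `# privileged root is required because: <reason>` and `# readOnlyRootFilesystem cannot be true because: <path the proxy writes>`, since the commit message records the choice of `readOnlyRootFilesystem: false` but not why it is needed.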