From da343eb2122cd511ffa8b21061e9aefc17ca91f3 Mon Sep 17 00:00:00 2001
From: pd2839
Date: Wed, 10 Apr 2019 10:06:37 -0500
Subject: [PATCH] Haproxy: Add pod/container security context
This updates k8s chart to include the podsecurity context on the pod template This also adds the container security context to set readOnlyRootFilesystem to true
Change-Id: Ic823232fbbb3b0967047d88de81f6a2ee83dcd3e
---
charts/haproxy/templates/daemonset.yaml | 2 ++
charts/haproxy/values.yaml | 8 ++++++++
2 files changed, 10 insertions(+)
diff --git a/charts/haproxy/templates/daemonset.yaml b/charts/haproxy/templates/daemonset.yaml
index 5118cbe4..aaa2a28f 100644
--- a/charts/haproxy/templates/daemonset.yaml
+++ b/charts/haproxy/templates/daemonset.yaml
@@ -37,6 +37,7 @@ spec:
 annotations: scheduler.alpha.kubernetes.io/critical-pod: '' spec:
+{{ dict "envAll" $envAll "application" "haproxy_anchor" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule
@@ -48,6 +49,7 @@ spec:
 - name: anchor image: {{ .Values.images.tags.anchor }} imagePullPolicy: {{ .Values.images.pull_policy }}
+{{ dict "envAll" $envAll "application" "haproxy_anchor" "container" "anchor" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 env: - name: HAPROXY_HEADER value: /tmp/etc/haproxy.cfg.header
diff --git a/charts/haproxy/values.yaml b/charts/haproxy/values.yaml
index 373bf6af..de9d60ae 100644
--- a/charts/haproxy/values.yaml
+++ b/charts/haproxy/values.yaml
@@ -72,6 +72,14 @@ endpoints:
 port: 6553 pod:
+ security_context:
+ haproxy_anchor:
+ pod:
+ runAsUser: 65534
+ container:
+ anchor:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 lifecycle: upgrades: daemonsets:
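Review bot: The container security context added to the `anchor` container turns on readOnlyRootFilesystem (via the new values), yet the same hunk's HAPROXY_HEADER env points at /tmp/etc/haproxy.cfg.header, so the anchor process evidently writes under /tmp/etc, and nothing in this commit shows that path (or any other path it writes) being backed by a volume; with a read-only root filesystem those writes fail at runtime. Worth confirming in the daemonset's volumeMounts, which are outside this hunk, that /tmp/etc is an emptyDir or similar mount, and recording the dependency next to the flag in values.yaml, e.g. `# readOnlyRootFilesystem: every path the anchor writes (e.g. /tmp/etc) must be a mounted volume`. The anchor container spec continues past the end of the hunk.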
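Review bot: The pod-level block at `haproxy_anchor.pod` sets only `runAsUser: 65534`; adding `runAsNonRoot: true` beneath it makes the kubelet reject the pod outright if the UID is later changed back to 0, instead of silently running as root. The `container` map carries an entry only for `anchor`, so any other container in this daemonset (none is visible in the hunk) would receive no container-level context and would stay outside the readOnlyRootFilesystem/allowPrivilegeEscalation hardening; if one exists it needs its own entry. The `pod:` mapping continues below the hunk.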