ETCD: Add pod/container security context

This updates the etcd chart to include the pod
security context on the pod template.

This also adds the container security context, which sets
the readOnlyRootFilesystem flag to false.

Change-Id: I34a8ab3e850779192491b9b127a82b82f05fa00b
RAHUL KHIYANI 2019-05-30 16:19:39 -05:00 committed by Rahul Khiyani
parent fefd664cd8
commit f50a0c8d78
3 changed files with 19 additions and 0 deletions


@ -43,6 +43,7 @@ spec:
labels:
{{ $labels | indent 8 }}
spec:
{{ dict "envAll" $envAll "application" "anchor" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
hostNetwork: true
{{- if .Values.anchor.dns_policy }}
dnsPolicy: {{ .Values.anchor.dns_policy }}
@ -63,6 +64,7 @@ spec:
image: {{ .Values.images.tags.etcdctl }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.daemonset_anchor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "anchor" "container" "etcdctl" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/bin/etcdctl_anchor
env:
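Review bot: The two added includes find their settings through the string keys `"anchor"` and `"etcdctl"`, which have to match `pod.security_context.anchor.container.etcdctl` in the values file, and nothing at the call site says so. A short comment above each include, for example `# securityContext is rendered from .Values.pod.security_context.anchor`, would make that coupling visible; the same applies to the `"etcd"` keys in the etcd pod template. What the helm-toolkit snippets emit when an override file drops one of these keys is not visible on this page. Presumably nothing is rendered, which would leave the container on the runtime defaults, so it is worth confirming with `helm template` against an override that omits the block.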


@ -32,12 +32,14 @@ metadata:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
{{- dict "envAll" $envAll "podName" .Values.service.name "containerNames" (list "etcd") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
spec:
{{ dict "envAll" $envAll "application" "etcd" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
hostNetwork: true
containers:
- name: etcd
image: {{ .Values.images.tags.etcd }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.etcd_pod | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
{{ dict "envAll" $envAll "application" "etcd" "container" "etcd" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
env:
- name: ETCD_NAME
valueFrom:


@ -97,6 +97,21 @@ dependencies:
jobs:
- etcd_backup_job
pod:
security_context:
anchor:
pod:
runAsUser: 65534
container:
etcdctl:
runAsUser: 0
readOnlyRootFilesystem: false
etcd:
pod:
runAsUser: 65534
container:
etcd:
runAsUser: 0
readOnlyRootFilesystem: false
mounts:
daemonset_anchor:
daemonset_anchor:
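Review bot: Both container entries set `runAsUser: 0` together with `readOnlyRootFilesystem: false`, so the pod-level `runAsUser: 65534` does not apply to the etcdctl and etcd containers, because a container-level securityContext takes precedence over the pod-level one. Since both templates also set `hostNetwork: true`, these containers run as root with a writable root filesystem on the host network, while the commit message mentions only the readOnlyRootFilesystem setting. If root is genuinely required (the mounts that would justify it are not shown on this page), a comment next to each `runAsUser: 0` should say why. Adding `allowPrivilegeEscalation: false` under each container entry would narrow what that root process can do, assuming the helm-toolkit snippet passes additional keys through unchanged.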