ETCD: Add pod/container security context
This updates the etcd chart to include the pod security context on the pod template. This also adds the container security context to set readOnlyRootFilesystem flag to false Change-Id: I34a8ab3e850779192491b9b127a82b82f05fa00b
This commit is contained in:
parent
fefd664cd8
commit
f50a0c8d78
|
@ -43,6 +43,7 @@ spec:
|
||||||
labels:
|
labels:
|
||||||
{{ $labels | indent 8 }}
|
{{ $labels | indent 8 }}
|
||||||
spec:
|
spec:
|
||||||
|
{{ dict "envAll" $envAll "application" "anchor" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
{{- if .Values.anchor.dns_policy }}
|
{{- if .Values.anchor.dns_policy }}
|
||||||
dnsPolicy: {{ .Values.anchor.dns_policy }}
|
dnsPolicy: {{ .Values.anchor.dns_policy }}
|
||||||
|
@ -63,6 +64,7 @@ spec:
|
||||||
image: {{ .Values.images.tags.etcdctl }}
|
image: {{ .Values.images.tags.etcdctl }}
|
||||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||||
{{ tuple $envAll $envAll.Values.pod.resources.daemonset_anchor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
{{ tuple $envAll $envAll.Values.pod.resources.daemonset_anchor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
|
{{ dict "envAll" $envAll "application" "anchor" "container" "etcdctl" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||||
command:
|
command:
|
||||||
- /tmp/bin/etcdctl_anchor
|
- /tmp/bin/etcdctl_anchor
|
||||||
env:
|
env:
|
||||||
|
|
|
@ -32,12 +32,14 @@ metadata:
|
||||||
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
|
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
|
||||||
{{- dict "envAll" $envAll "podName" .Values.service.name "containerNames" (list "etcd") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
|
{{- dict "envAll" $envAll "podName" .Values.service.name "containerNames" (list "etcd") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
|
||||||
spec:
|
spec:
|
||||||
|
{{ dict "envAll" $envAll "application" "etcd" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
containers:
|
containers:
|
||||||
- name: etcd
|
- name: etcd
|
||||||
image: {{ .Values.images.tags.etcd }}
|
image: {{ .Values.images.tags.etcd }}
|
||||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||||
{{ tuple $envAll $envAll.Values.pod.resources.etcd_pod | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
|
{{ tuple $envAll $envAll.Values.pod.resources.etcd_pod | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
|
||||||
|
{{ dict "envAll" $envAll "application" "etcd" "container" "etcd" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
|
||||||
env:
|
env:
|
||||||
- name: ETCD_NAME
|
- name: ETCD_NAME
|
||||||
valueFrom:
|
valueFrom:
|
||||||
|
|
|
@ -97,6 +97,21 @@ dependencies:
|
||||||
jobs:
|
jobs:
|
||||||
- etcd_backup_job
|
- etcd_backup_job
|
||||||
pod:
|
pod:
|
||||||
|
security_context:
|
||||||
|
anchor:
|
||||||
|
pod:
|
||||||
|
runAsUser: 65534
|
||||||
|
container:
|
||||||
|
etcdctl:
|
||||||
|
runAsUser: 0
|
||||||
|
readOnlyRootFilesystem: false
|
||||||
|
etcd:
|
||||||
|
pod:
|
||||||
|
runAsUser: 65534
|
||||||
|
container:
|
||||||
|
etcd:
|
||||||
|
runAsUser: 0
|
||||||
|
readOnlyRootFilesystem: false
|
||||||
mounts:
|
mounts:
|
||||||
daemonset_anchor:
|
daemonset_anchor:
|
||||||
daemonset_anchor:
|
daemonset_anchor:
|
||||||
|
|
Loading…
Reference in New Issue