This change adds security context template at pod level to
set run as user value
This also adds security context template at container level to
set readOnly-fs flag
Change-Id: Iba720e687218987cfefe7a9f08630fb11e8eac12
- Some reported cases that the haproxy config was corrupted during
node reboots. Attempt to add additional safeguards of coordination
between the anchor and the service pod.
- Support nulling out a default entry in the service list
- Add additional log statements in the anchor
Change-Id: Ie673c50e1037d5dff2b9f67b14032e188183a5d9
To be able to run with the nobody user, an init container
is used in the haproxy-anchor pod to change the ownership and
permissions of '/host/etc/promenade/haproxy'. Security context
was included in 'etc/kubernetes/manifests/haproxy.yaml' and
'promenade/schemas/Genesis.yaml' schema was updated to include
run_as_user property for haproxy pod.
Change-Id: Id248face0be43c417284ceb781997634a9c4dd5e
- When the anchor provides a new haproxy config file
to the running haproxy, add a reasonable check that
the new config is valid:
  - Is it a valid config file per haproxy
  - Does it contain the expected number of frontends
- Update helm version for linting to 2.14.1
Change-Id: I7a49deb372831c44f05c7baa870735c515519cb2
This version fixes manifest validation [0], so a couple invalid
manifests are fixed in this patchset as well.
[0]: 32d7f1a3fc
Change-Id: I0cbdf21cf016271bef2d8a541687ce3ab28081ce
This PS adds the ability to attach a release uuid to pods and rc
objects as desired. This can be used, for example, to force an
artificial manifest change in CICD scenarios, for upgradability
testing purposes.
Change-Id: I8d0ffac306258f940c63799e86e7e26b5c2c5add
- Update Makefile to more closely match UCP standards
- Add resource limits to any Pods missing them
Change-Id: Ia791a6b207c2baca7dd3141be71aef513c916661
This removes the reliance on coredns for APIserver discovery, allowing
a simpler configuration that is compatible with coredns 1.0.x
Change-Id: Ia3b7b5627c16ec47af6b0d6d5e8dee2674e9b1ee