Apply security context to tiller in Armada pod
Allows a container security context to be applied to the tiller container inside the Armada API pod, and sets the following for it: run as nobody (uid 65534), read-only root filesystem, and allowPrivilegeEscalation: false. Also sets the rest of the Armada pod to run as the armada user (uid 1000). Change-Id: I38eb32f54ca4c0a20c1c63fca2f4927ced6e9e81
This commit is contained in:
parent
4e74fa8ff2
commit
1810da025f
@ -160,6 +160,7 @@ spec:
- name: tiller
|
- name: tiller
|
||||||
{{ tuple $envAll "tiller" | include "helm-toolkit.snippets.image" | indent 10 }}
|
{{ tuple $envAll "tiller" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||||
{{ tuple $envAll $envAll.Values.pod.resources.tiller | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
{{ tuple $envAll $envAll.Values.pod.resources.tiller | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
|
{{ dict "envAll" $envAll "application" "armada" "container" "tiller" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||||
env:
|
env:
|
||||||
- name: TILLER_NAMESPACE
|
- name: TILLER_NAMESPACE
|
||||||
value: {{ .Values.conf.tiller.namespace | quote }}
|
value: {{ .Values.conf.tiller.namespace | quote }}
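Review bot: The added include renders whatever sits under `pod.security_context.armada.container.tiller`, but nothing in the template records that the `readOnlyRootFilesystem: true` it applies only works because tiller's kube client cache is redirected to a writable volume elsewhere in the chart; a comment above the include would save the next reader from a puzzling write failure. Something like `# Container security context for tiller (values: pod.security_context.armada.container.tiller); with readOnlyRootFilesystem the kube client cache must be mounted writable.` would do. The enclosing container spec starts and ends outside this hunk, so whether the pod-level security context snippet is also included for the new pod-level `runAsUser` cannot be confirmed from here and is worth checking.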
|
||||||
@ -263,7 +263,7 @@ pod:
security_context:
|
security_context:
|
||||||
armada:
|
armada:
|
||||||
pod:
|
pod:
|
||||||
runAsUser: 65534
|
runAsUser: 1000
|
||||||
container:
|
container:
|
||||||
armada_api_init:
|
armada_api_init:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
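Review bot: `armada_api_init` still carries only `readOnlyRootFilesystem: true`, while `armada_api` and the new tiller context also set `allowPrivilegeEscalation: false`; unless the init container genuinely needs escalation, bringing it in line is a one-line addition under `armada_api_init`, `allowPrivilegeEscalation: false`. The pod-level `runAsUser: 1000` is a bare number with no explanation of the change from 65534; a comment such as `# uid of the armada user in the Armada image` would record the intent. Pairing it with `runAsNonRoot: true` at the pod level would also make the kubelet refuse any container whose resolved uid is 0, guarding against a later container-level override to root that `runAsUser` alone does not prevent.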
|
||||||
@ -271,6 +271,10 @@ pod:
armada_api:
|
armada_api:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
allowPrivilegeEscalation: false
|
allowPrivilegeEscalation: false
|
||||||
|
tiller:
|
||||||
|
runAsUser: 65534
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
env:
|
env:
|
||||||
# NOTE(@drewwalters96): These configuration values change the Armada API's
|
# NOTE(@drewwalters96): These configuration values change the Armada API's
|
||||||
# uWSGI configuration.
|
# uWSGI configuration.
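Review bot: The new tiller container context sets uid, read-only root and no privilege escalation but does not drop Linux capabilities, so the container keeps the runtime's default capability set even though tiller, as far as this chart shows, only needs to reach the API server over the network. Assuming the helm-toolkit snippet passes the mapping through as-is, adding `capabilities:` / `  drop:` / `    - ALL` under `tiller` closes that gap and matches the rest of the hardening. A comment on `runAsUser: 65534` such as `# nobody; must match the owner of the writable kube cache volume` would also tie the uid to the volume it depends on.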
|
||||||
@ -304,8 +308,14 @@ pod:
volumes: []
|
volumes: []
|
||||||
volumeMounts: []
|
volumeMounts: []
|
||||||
tiller:
|
tiller:
|
||||||
volumes: []
|
volumes:
|
||||||
volumeMounts: []
|
- name: kubernetes-client-cache
|
||||||
|
emptyDir: {}
|
||||||
|
volumeMounts:
|
||||||
|
- name: kubernetes-client-cache
|
||||||
|
# Should be the `$HOME/.kube` of the `runAsUser` above
|
||||||
|
# as this is where tiller's kubernetes client roots its cache dir.
|
||||||
|
mountPath: /tmp/.kube
|
||||||
affinity:
|
affinity:
|
||||||
anti:
|
anti:
|
||||||
type:
|
type:
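Review bot: The mount path `/tmp/.kube` assumes the tiller image resolves `$HOME` to `/tmp` for uid 65534; the comment says it "should be" that, but nothing in the chart enforces it, and if HOME resolves elsewhere tiller's client will try to write its cache onto the now read-only root filesystem and fail. Making that dependency explicit in the comment, e.g. `# Assumes the tiller image sets HOME=/tmp for uid 65534; keep in sync with the image.`, and/or setting `HOME` in the tiller container env, would make the coupling visible. The `emptyDir: {}` also has no `sizeLimit`, so a growing discovery cache can consume node ephemeral storage; `emptyDir: { sizeLimit: <value sized for the deployment> }` bounds it.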
|
||||||