Implement helm-toolkit snippet to deckhand pods/containers
This updates the deckhand chart to include the pod security context on the pod template. This also adds the container security context to set readOnlyRootFilesystem flag to true Change-Id: I9bfd889b163e280cf17c4e7b49974a077e889f2f
This commit is contained in:
KHIYANI, RAHUL (rk0850)
parent
13fd8bfd1f
commit
2f9e0d7601
|
|
@ -36,6 +36,7 @@ spec:
|
|||
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
|
||||
{{ dict "envAll" $envAll "podName" "deckhand-db-init" "containerNames" (list "init" "deckhand-db-init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
|
||||
spec:
|
||||
{{ dict "envAll" $envAll "application" "db_init" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
restartPolicy: OnFailure
|
||||
nodeSelector:
|
||||
|
|
@ -47,6 +48,7 @@ spec:
|
|||
image: {{ .Values.images.tags.db_init | quote }}
|
||||
imagePullPolicy: {{ .Values.images.pull_policy | quote }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
{{ dict "envAll" $envAll "application" "db_init" "container" "deckhand_db_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||
env:
|
||||
- name: USER_DB_NAME
|
||||
valueFrom:
|
||||
|
|
|
|||
|
|
@ -36,6 +36,7 @@ spec:
|
|||
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
|
||||
{{ dict "envAll" $envAll "podName" "deckhand-db-sync" "containerNames" (list "init" "deckhand-db-sync") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
|
||||
spec:
|
||||
{{ dict "envAll" $envAll "application" "db_sync" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
restartPolicy: OnFailure
|
||||
nodeSelector:
|
||||
|
|
@ -47,6 +48,7 @@ spec:
|
|||
image: {{ .Values.images.tags.db_sync | quote }}
|
||||
imagePullPolicy: {{ .Values.images.pull_policy | quote }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
{{ dict "envAll" $envAll "application" "db_sync" "container" "deckhand_db_sync" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||
env:
|
||||
- name: DECKHAND_DB_URL
|
||||
valueFrom:
|
||||
|
|
|
|||
|
|
@ -30,6 +30,7 @@ metadata:
|
|||
labels:
|
||||
{{ tuple $envAll "deckhand" "api-test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||
spec:
|
||||
{{ dict "envAll" $envAll "application" "api_test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
|
||||
restartPolicy: Never
|
||||
nodeSelector:
|
||||
{{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
|
||||
|
|
@ -41,6 +42,7 @@ spec:
|
|||
image: {{ .Values.images.tags.deckhand }}
|
||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||
{{ tuple . .Values.pod.resources.test.deckhand | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
|
||||
{{ dict "envAll" $envAll "application" "api_test" "container" "deckhand_api_test" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
|
||||
command: ["/bin/bash", "-c", "curl -v -X GET --fail ${DECKHAND_URL}/api/v1.0/health; exit $?"]
|
||||
...
|
||||
{{- end }}
|
||||
|
|
|
|||
|
|
@ -346,6 +346,27 @@ pod:
|
|||
deckhand_api:
|
||||
readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
db_init:
|
||||
pod:
|
||||
runAsUser: 65534
|
||||
container:
|
||||
deckhand_db_init:
|
||||
readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
db_sync:
|
||||
pod:
|
||||
runAsUser: 65534
|
||||
container:
|
||||
deckhand_db_sync:
|
||||
readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
api_test:
|
||||
pod:
|
||||
runAsUser: 65534
|
||||
container:
|
||||
deckhand_api_test:
|
||||
readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
mounts:
|
||||
deckhand_db_init:
|
||||
init_container: null
|
||||
|
|
|
|||
Loading…
Reference in New Issue