[FIX] override security context capabilities in values.yaml
Add missing helm-toolkit snippet for ingress-errors container

Change-Id: I9c7ec6b71a1d026257c2a1f76e18a3e3be8e244d
parent
20c6e525ea
commit
926dadfbf4
|
@ -50,6 +50,7 @@ spec:
|
||||||
image: {{ .Values.images.tags.error_pages }}
|
image: {{ .Values.images.tags.error_pages }}
|
||||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||||
{{ tuple $envAll $envAll.Values.pod.resources.maas_ingress_errors | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
{{ tuple $envAll $envAll.Values.pod.resources.maas_ingress_errors | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
|
{{ dict "envAll" $envAll "application" "ingress_errors" "container" "maas_ingress_errors" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||||
args:
|
args:
|
||||||
- "-port"
|
- "-port"
|
||||||
- {{ tuple "maas_ingress" "podport" "error_pages" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
|
- {{ tuple "maas_ingress" "podport" "error_pages" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
|
||||||
|
|
|
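Review bot: The new `kubernetes_container_security_context` include for `maas_ingress_errors` only takes effect if `pod.security_context.ingress_errors.container.maas_ingress_errors` exists in values.yaml, and neither values.yaml hunk in this commit shows that key. As far as I know the helm-toolkit snippet renders nothing when the application or container key is missing, so the error-pages container would silently keep the runtime's default security context. If the key is not already defined outside the visible hunks, add it, for example `maas_ingress_errors:` with `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` (assuming the error-pages image tolerates a read-only root). The container spec continues outside this hunk.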
@ -65,6 +65,7 @@ spec:
|
||||||
image: {{ .Values.images.tags.maas_rack }}
|
image: {{ .Values.images.tags.maas_rack }}
|
||||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||||
tty: true
|
tty: true
|
||||||
|
{{ dict "envAll" $envAll "application" "rack" "container" "maas_rack" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||||
env:
|
env:
|
||||||
- name: MAAS_ENDPOINT
|
- name: MAAS_ENDPOINT
|
||||||
{{- if empty .Values.conf.maas.url.maas_url }}
|
{{- if empty .Values.conf.maas.url.maas_url }}
|
||||||
|
@ -83,18 +84,8 @@ spec:
|
||||||
name: {{ .Values.conf.maas.credentials.secret.name }}
|
name: {{ .Values.conf.maas.credentials.secret.name }}
|
||||||
key: 'token'
|
key: 'token'
|
||||||
{{ tuple $envAll $envAll.Values.pod.resources.maas_rack | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
{{ tuple $envAll $envAll.Values.pod.resources.maas_rack | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
{{ dict "envAll" $envAll "application" "rack" "container" "maas_rack" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
|
||||||
command:
|
command:
|
||||||
- /tmp/start.sh
|
- /tmp/start.sh
|
||||||
securityContext:
|
|
||||||
capabilities:
|
|
||||||
add:
|
|
||||||
- 'DAC_READ_SEARCH'
|
|
||||||
- 'NET_ADMIN'
|
|
||||||
- 'SYS_ADMIN'
|
|
||||||
- 'SYS_PTRACE'
|
|
||||||
- 'SYS_RESOURCE'
|
|
||||||
- 'SYS_TIME'
|
|
||||||
readinessProbe:
|
readinessProbe:
|
||||||
initialDelaySeconds: 60
|
initialDelaySeconds: 60
|
||||||
periodSeconds: 60
|
periodSeconds: 60
|
||||||
|
|
|
@ -105,15 +105,6 @@ spec:
|
||||||
readinessProbe:
|
readinessProbe:
|
||||||
tcpSocket:
|
tcpSocket:
|
||||||
port: {{ tuple "maas_region" "podport" "region_api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
port: {{ tuple "maas_region" "podport" "region_api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
securityContext:
|
|
||||||
capabilities:
|
|
||||||
add:
|
|
||||||
- 'SYS_ADMIN'
|
|
||||||
- 'NET_ADMIN'
|
|
||||||
- 'SYS_PTRACE'
|
|
||||||
- 'SYS_TIME'
|
|
||||||
- 'SYS_RESOURCE'
|
|
||||||
- 'DAC_READ_SEARCH'
|
|
||||||
command:
|
command:
|
||||||
- /tmp/start.sh
|
- /tmp/start.sh
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
|
|
|
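Review bot: The hard-coded `securityContext` block is removed from the region container here, but this hunk shows no `helm-toolkit.snippets.kubernetes_container_security_context` include to replace it, unlike the rack template where the include is visible. If the region template has no such include outside the hunk, the capability list added under `maas_region` in values.yaml is never rendered and the container's effective capabilities change unnoticed. In that case add `{{ dict "envAll" $envAll "application" "region" "container" "maas_region" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}` to the container spec. Either way, check with `helm template` that the rendered region container has exactly one `securityContext` key.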
@ -411,6 +411,14 @@ pod:
|
||||||
container:
|
container:
|
||||||
maas_rack:
|
maas_rack:
|
||||||
readOnlyRootFilesystem: false
|
readOnlyRootFilesystem: false
|
||||||
|
capabilities:
|
||||||
|
add:
|
||||||
|
- 'DAC_READ_SEARCH'
|
||||||
|
- 'NET_ADMIN'
|
||||||
|
- 'SYS_ADMIN'
|
||||||
|
- 'SYS_PTRACE'
|
||||||
|
- 'SYS_RESOURCE'
|
||||||
|
- 'SYS_TIME'
|
||||||
region:
|
region:
|
||||||
pod:
|
pod:
|
||||||
runAsUser: 0
|
runAsUser: 0
|
||||||
|
@ -419,6 +427,14 @@ pod:
|
||||||
readOnlyRootFilesystem: false
|
readOnlyRootFilesystem: false
|
||||||
maas_region:
|
maas_region:
|
||||||
readOnlyRootFilesystem: false
|
readOnlyRootFilesystem: false
|
||||||
|
capabilities:
|
||||||
|
add:
|
||||||
|
- 'SYS_ADMIN'
|
||||||
|
- 'NET_ADMIN'
|
||||||
|
- 'SYS_PTRACE'
|
||||||
|
- 'SYS_TIME'
|
||||||
|
- 'SYS_RESOURCE'
|
||||||
|
- 'DAC_READ_SEARCH'
|
||||||
api_test:
|
api_test:
|
||||||
pod:
|
pod:
|
||||||
runAsUser: 0
|
runAsUser: 0
|
||||||
|
|
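Review bot: Both added `capabilities.add` lists grant `SYS_ADMIN`, `SYS_PTRACE`, `NET_ADMIN`, `SYS_TIME`, `SYS_RESOURCE` and `DAC_READ_SEARCH` with no `drop` list and no comment saying why each is needed, next to `readOnlyRootFilesystem: false` and, for the region pod, `runAsUser: 0`. `SYS_ADMIN` in particular leaves little separation between the container and the node, so now that the list is overridable it should be documented as a default to trim, e.g. `# Carried over from the templates; remove any capability (SYS_ADMIN and SYS_PTRACE first) your MAAS deployment does not need.` above each `capabilities:` key. Adding `drop: ['ALL']` alongside `add` would make the grant explicit, provided MAAS still starts with it; that is untested here. The two lists hold the same six entries in different order, and using one order would make later changes easier to audit.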