Apiserver: Add pod/container security context
This updates the apiserver chart to include the pod security context on the pod template. This also adds the container security context to set the readOnlyRootFilesystem flag to false.

Change-Id: I76d80c4cbf40d1e3e518a3d2969c86f4d5c8c3f4
parent
fd1ff8444d
commit
154e0b5464
|
@ -45,6 +45,7 @@ spec:
|
||||||
scheduler.alpha.kubernetes.io/critical-pod: ''
|
scheduler.alpha.kubernetes.io/critical-pod: ''
|
||||||
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
spec:
|
spec:
|
||||||
|
{{ dict "envAll" $envAll "application" "kubernetes_apiserver_anchor" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
{{ .Values.labels.kubernetes_apiserver.node_selector_key }}: {{ .Values.labels.kubernetes_apiserver.node_selector_value }}
|
{{ .Values.labels.kubernetes_apiserver.node_selector_key }}: {{ .Values.labels.kubernetes_apiserver.node_selector_value }}
|
||||||
dnsPolicy: {{ .Values.anchor.dns_policy }}
|
dnsPolicy: {{ .Values.anchor.dns_policy }}
|
||||||
|
@ -60,6 +61,7 @@ spec:
|
||||||
image: {{ .Values.images.tags.anchor }}
|
image: {{ .Values.images.tags.anchor }}
|
||||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||||
{{ tuple $envAll $envAll.Values.pod.resources.anchor_pod | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
{{ tuple $envAll $envAll.Values.pod.resources.anchor_pod | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
|
{{ dict "envAll" $envAll "application" "kubernetes_apiserver_anchor" "container" "anchor" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||||
env:
|
env:
|
||||||
- name: MANIFEST_PATH
|
- name: MANIFEST_PATH
|
||||||
value: /host{{ .Values.anchor.kubelet.manifest_path }}/{{ .Values.service.name }}.yaml
|
value: /host{{ .Values.anchor.kubelet.manifest_path }}/{{ .Values.service.name }}.yaml
|
||||||
|
|
|
@ -265,6 +265,14 @@ endpoints:
|
||||||
# key: null
|
# key: null
|
||||||
|
|
||||||
pod:
|
pod:
|
||||||
|
security_context:
|
||||||
|
kubernetes_apiserver_anchor:
|
||||||
|
pod:
|
||||||
|
runAsUser: 65534
|
||||||
|
container:
|
||||||
|
anchor:
|
||||||
|
runAsUser: 0
|
||||||
|
readOnlyRootFilesystem: false
|
||||||
mounts:
|
mounts:
|
||||||
kubernetes_apiserver:
|
kubernetes_apiserver:
|
||||||
init_container: null
|
init_container: null
|
||||||
|
|
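Review bot: The `anchor` container override in the values hunk sets `runAsUser: 0` with `readOnlyRootFilesystem: false`, so the container configured here still runs as root with a writable root filesystem, and the pod-level `runAsUser: 65534` does not apply to it because container-level settings take precedence. `readOnlyRootFilesystem: false` is also the Kubernetes default, so stating it documents intent but changes nothing at runtime. If root is needed because the anchor writes the manifest under `/host…` (see `MANIFEST_PATH` in the template hunk), record that in a comment above `runAsUser: 0`, for example `# root is required to write the manifest to the kubelet host path`, and add `allowPrivilegeEscalation: false` beside it, assuming the helm-toolkit snippet passes extra keys through unchanged. Whether the root filesystem could be made read-only depends on what the anchor script writes outside its mounted volumes, which is not visible in these hunks.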