apiserver-webhook: Add container security context

This also adds the container security context to set readOnlyRootFilesystem flag to true Change-Id: If61b6f9189a36f069efa80ef1a31b35328a92f1a
2020-02-14 11:45:14 -06:00 · 2020-02-14 11:45:14 -06:00 · 1deee87b93
parent 146a9a5b8e
commit 1deee87b93
2 changed files with 9 additions and 4 deletions
--- a/charts/apiserver-webhook/templates/deployment.yaml
+++ b/charts/apiserver-webhook/templates/deployment.yaml
@ -130,6 +130,7 @@ spec:
        - name: apiserver
          image: {{ .Values.images.tags.apiserver }}
 {{ tuple $envAll $envAll.Values.pod.resources.kubernetes_apiserver | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+{{ dict "envAll" $envAll "application" "apiserver_webhook" "container" "apiserver" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          env:
            - name: POD_IP
              valueFrom:
--- a/charts/apiserver-webhook/values.yaml
+++ b/charts/apiserver-webhook/values.yaml
@ -202,6 +202,14 @@ network_policy:
      - {}

 pod:
+  security_context:
+    apiserver_webhook:
+      pod:
+        runAsUser: 65534
+      container:
+        apiserver:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
  mounts:
    kubernetes_apiserver:
      init_container: null
@ -272,10 +280,6 @@ pod:
    kubernetes_keystone_webhook_tests:
      init_container: null
      kubernetes_keystone_webhook_tests: null
-  security_context:
-    apiserver_webhook:
-      pod:
-        runAsUser: 65534
 conf:
  paths:
    base: '/etc/webhook_apiserver/'