From 1deee87b938d5c97d767e942d38705f9d221852f Mon Sep 17 00:00:00 2001
From: "KHIYANI, RAHUL (rk0850)"
Date: Fri, 14 Feb 2020 11:45:14 -0600
Subject: [PATCH] apiserver-webhook: Add container security context

This also adds the container security context to set readOnlyRootFilesystem flag to true

Change-Id: If61b6f9189a36f069efa80ef1a31b35328a92f1a
---
 charts/apiserver-webhook/templates/deployment.yaml | 1 +
 charts/apiserver-webhook/values.yaml | 12 ++++++++----
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/charts/apiserver-webhook/templates/deployment.yaml b/charts/apiserver-webhook/templates/deployment.yaml
index 07a76428..628e56bd 100644
--- a/charts/apiserver-webhook/templates/deployment.yaml
+++ b/charts/apiserver-webhook/templates/deployment.yaml
@@ -130,6 +130,7 @@ spec:
         - name: apiserver
           image: {{ .Values.images.tags.apiserver }}
 {{ tuple $envAll $envAll.Values.pod.resources.kubernetes_apiserver | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+{{ dict "envAll" $envAll "application" "apiserver_webhook" "container" "apiserver" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           env:
             - name: POD_IP
               valueFrom:
diff --git a/charts/apiserver-webhook/values.yaml b/charts/apiserver-webhook/values.yaml
index 5c49b64b..d3b89e64 100644
--- a/charts/apiserver-webhook/values.yaml
+++ b/charts/apiserver-webhook/values.yaml
@@ -202,6 +202,14 @@ network_policy:
       - {}
 
 pod:
+  security_context:
+    apiserver_webhook:
+      pod:
+        runAsUser: 65534
+      container:
+        apiserver:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
   mounts:
     kubernetes_apiserver:
       init_container: null
@@ -272,10 +280,6 @@ pod:
     kubernetes_keystone_webhook_tests:
       init_container: null
       kubernetes_keystone_webhook_tests: null
-  security_context:
-    apiserver_webhook:
-      pod:
-        runAsUser: 65534
 conf:
   paths:
     base: '/etc/webhook_apiserver/'
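Review bot: The new include line turns on readOnlyRootFilesystem for the apiserver container (per the values.yaml hunk) without adding any writable volume next to it, so if the apiserver process writes anywhere under its root filesystem (temp, cache or log directories) the container will fail at runtime; confirm against a rendered chart that every write path is backed by an emptyDir or other mount. The include is keyed to the `apiserver` container only, and the container list continues outside this hunk, so any other container in the deployment is left without a container-level securityContext and would need its own include line plus a matching values stanza. A template comment above the new line, such as `{{/* container securityContext comes from pod.security_context.apiserver_webhook.container.apiserver */}}`, would make the values lookup discoverable to the next maintainer.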
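Review bot: The added `apiserver:` container stanza blocks privilege escalation and makes the root filesystem read-only but does not drop Linux capabilities, and the `pod:` stanza pins runAsUser to 65534 without asserting it; adding `runAsNonRoot: true` beside `runAsUser: 65534` makes the kubelet reject an image that overrides the user, and a `capabilities:` block with `drop: [ALL]` under `apiserver:` removes what the container does not need. This stanza is the block previously found at the end of the `pod:` mapping (removed in the third hunk) plus the two new container keys, so the pod-level values are unchanged. A comment above `security_context:` stating that each key under `container:` must match a container name in templates/deployment.yaml would help, since a mismatched name silently yields no securityContext. The `pod:` mapping continues outside this hunk.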