apiserver-webhook: Add container security context
This also adds the container security context to set readOnlyRootFilesystem flag to true Change-Id: If61b6f9189a36f069efa80ef1a31b35328a92f1a
This commit is contained in:
parent
146a9a5b8e
commit
1deee87b93
|
@ -130,6 +130,7 @@ spec:
|
|||
- name: apiserver
|
||||
image: {{ .Values.images.tags.apiserver }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.kubernetes_apiserver | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
|
||||
{{ dict "envAll" $envAll "application" "apiserver_webhook" "container" "apiserver" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||
env:
|
||||
- name: POD_IP
|
||||
valueFrom:
|
||||
|
|
|
@ -202,6 +202,14 @@ network_policy:
|
|||
- {}
|
||||
|
||||
pod:
|
||||
security_context:
|
||||
apiserver_webhook:
|
||||
pod:
|
||||
runAsUser: 65534
|
||||
container:
|
||||
apiserver:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
mounts:
|
||||
kubernetes_apiserver:
|
||||
init_container: null
|
||||
|
@ -272,10 +280,6 @@ pod:
|
|||
kubernetes_keystone_webhook_tests:
|
||||
init_container: null
|
||||
kubernetes_keystone_webhook_tests: null
|
||||
security_context:
|
||||
apiserver_webhook:
|
||||
pod:
|
||||
runAsUser: 65534
|
||||
conf:
|
||||
paths:
|
||||
base: '/etc/webhook_apiserver/'
|
||||
|
|
Loading…
Reference in New Issue