Add security context template for promenade charts

This change adds a security context template at pod level to
set the run-as-user value

This also adds a security context template at container level to
set the read-only root filesystem flag

Change-Id: Iba720e687218987cfefe7a9f08630fb11e8eac12
KHIYANI, RAHUL (rk0850) 2020-07-21 12:38:38 -05:00 committed by Rahul Khiyani
parent d44084664e
commit 880c6503c8
8 changed files with 31 additions and 0 deletions


@ -50,12 +50,14 @@ metadata:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
{{- dict "envAll" $envAll "podName" "apiserver" "containerNames" (list "apiserver") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
spec:
{{ dict "envAll" $envAll "application" "apiserver" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
hostNetwork: true
shareProcessNamespace: true
containers:
- name: apiserver
image: {{ .Values.images.tags.apiserver }}
{{ tuple $envAll $envAll.Values.pod.resources.kubernetes_apiserver | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
{{ dict "envAll" $envAll "application" "apiserver" "container" "apiserver" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
env:
- name: POD_IP
valueFrom:
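Review bot: The two new includes — the pod-level `{{ dict "envAll" $envAll "application" "apiserver" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}` under `spec:` and the container-level one after the resources snippet — give no hint which values keys they read, and the `application`/`container` strings must match those keys exactly. A template comment above the pod-level include would help operators, e.g. `{{- /* securityContext comes from .Values.pod.security_context.apiserver (pod) and .container.apiserver; keep these keys in sync with values.yaml */ -}}`. The key path `pod.security_context.<application>` is inferred from the values hunks in this commit; confirm it against the helm-toolkit version the chart pins. The same applies to the controller-manager, haproxy and scheduler templates in this commit, and the pod spec continues outside the hunk.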


@ -287,6 +287,13 @@ pod:
apiserver_key_rotate:
runAsUser: 0
readOnlyRootFilesystem: false
apiserver:
pod:
runAsUser: 65534
container:
apiserver:
runAsUser: 0
readOnlyRootFilesystem: false
mounts:
kubernetes_apiserver:
init_container: null
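Review bot: The container-level `runAsUser: 0` under `container: apiserver:` overrides the pod-level `runAsUser: 65534` for the apiserver container, since Kubernetes applies a container's securityContext over the pod's for overlapping fields, so the apiserver process still runs as root with `readOnlyRootFilesystem: false` and the 65534 only reaches containers in the pod that set no runAsUser of their own. If root and a writable root filesystem are genuinely required, a comment next to these lines stating why (and what would have to change to drop them) would stop a later reviewer from "fixing" it, e.g. `# runAsUser 0 / writable rootfs: <reason> — TODO confirm whether the pod-level 65534 and a read-only rootfs are sufficient`; otherwise the container values could follow the pod-level ones. The haproxy values hunk (`server: pod: runAsUser: 65534` over `container: haproxy: runAsUser: 0`) has the same shape. Indentation is lost in this rendering, so the nesting is inferred from key order.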


@ -26,11 +26,13 @@ metadata:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
{{ dict "envAll" $envAll "podName" "controller-manager" "containerNames" (list "controller-manager") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
spec:
{{ dict "envAll" $envAll "application" "controller_manager" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
hostNetwork: true
containers:
- name: controller-manager
image: {{ .Values.images.tags.controller_manager }}
{{ tuple $envAll $envAll.Values.pod.resources.controller_manager | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
{{ dict "envAll" $envAll "application" "controller_manager" "container" "controller_manager" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
env:
- name: POD_IP
valueFrom:


@ -98,6 +98,12 @@ pod:
container:
anchor:
readOnlyRootFilesystem: true
controller_manager:
pod:
runAsUser: 0
container:
controller_manager:
readOnlyRootFilesystem: true
mounts:
controller_manager:
init_container: null
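Review bot: The new `controller_manager: pod: runAsUser: 0` leaves the controller-manager container running as root, because the container entry beneath it sets only `readOnlyRootFilesystem: true` and inherits runAsUser from the pod, whereas the apiserver and haproxy hunks in this commit use 65534 at pod level. If root is required here, a comment above the line stating the reason would make the choice deliberate, e.g. `# runAsUser 0: <reason> — TODO confirm whether 65534 is sufficient`; if it is not required, aligning with the other charts would be the smaller attack surface. The existing `anchor` entry's pod-level value sits outside this hunk, so whether this is a chart-wide convention is not visible here, and the enclosing `pod:` mapping starts outside the hunk.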


@ -27,12 +27,14 @@ metadata:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
{{ dict "envAll" $envAll "podName" "haproxy" "containerNames" (list "haproxy") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
spec:
{{ dict "envAll" $envAll "application" "server" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
hostNetwork: true
containers:
- name: haproxy
image: {{ .Values.images.tags.haproxy }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple . .Values.pod.resources.haproxy_pod | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
{{ dict "envAll" $envAll "application" "server" "container" "haproxy" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
hostNetwork: true
env:
- name: HAPROXY_CONF
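Review bot: `hostNetwork: true` appears a second time between the new container security-context include and `env:`, where it appears to sit inside the `haproxy` container entry rather than the pod spec; `hostNetwork` is not a container field, so depending on API-server validation it is either rejected or silently dropped, and the pod-level `hostNetwork: true` above `containers:` already covers it. Indentation is lost in this rendering, so the placement is inferred from line order; if confirmed, drop the container-level line. As a style point, the resources snippet here passes `tuple . .Values.pod.resources.haproxy_pod` while the other templates in this commit pass `$envAll`; one form would be easier to grep. The container spec continues outside the hunk.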


@ -108,6 +108,13 @@ pod:
haproxy_haproxy_test:
runAsUser: 0
readOnlyRootFilesystem: true
server:
pod:
runAsUser: 65534
container:
haproxy:
runAsUser: 0
readOnlyRootFilesystem: false
lifecycle:
upgrades:
daemonsets:


@ -28,11 +28,13 @@ metadata:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
{{ dict "envAll" $envAll "podName" "scheduler" "containerNames" (list "scheduler") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
spec:
{{ dict "envAll" $envAll "application" "scheduler" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
hostNetwork: true
containers:
- name: scheduler
image: {{ .Values.images.tags.scheduler }}
{{ tuple $envAll $envAll.Values.pod.resources.scheduler_pod | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
{{ dict "envAll" $envAll "application" "scheduler" "container" "scheduler" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
env:
- name: POD_IP
valueFrom:


@ -38,6 +38,9 @@ pod:
anchor:
runAsUser: 0
readOnlyRootFilesystem: true
scheduler:
runAsUser: 0
readOnlyRootFilesystem: false
lifecycle:
upgrades:
daemonsets:
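Review bot: The new `scheduler:` entry is flat (`runAsUser: 0` and `readOnlyRootFilesystem: false` directly under it), while the scheduler template in this commit includes the pod snippet with `"application" "scheduler"` and the container snippet with `"application" "scheduler" "container" "scheduler"`, and the apiserver, controller-manager and haproxy values in this commit use a `pod:` / `container: <name>:` layout under each application. If the helm-toolkit snippets look up `<application>.pod` and `<application>.container.<container>` as those hunks suggest, the flat layout yields no pod-level securityContext and likely a render error on the container lookup; the nested form below keeps the values the hunk sets. Indentation is lost in this rendering and the existing `anchor` entry above is also flat, so confirm the layout against the rendered chart. The enclosing `pod:` mapping starts outside the hunk.
```yaml
# … unchanged: anchor entry …
scheduler:
  pod:
    runAsUser: 0  # hunk's value; apiserver and haproxy use 65534 here — confirm
  container:
    scheduler:
      runAsUser: 0
      readOnlyRootFilesystem: false
```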