Add security context template for promenade charts
This change adds a security context template at pod level to set the run-as-user value. It also adds a security context template at container level to set the read-only filesystem flag. Change-Id: Iba720e687218987cfefe7a9f08630fb11e8eac12
This commit is contained in:
parent
d44084664e
commit
880c6503c8
|
@ -50,12 +50,14 @@ metadata:
|
|||
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
|
||||
{{- dict "envAll" $envAll "podName" "apiserver" "containerNames" (list "apiserver") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
|
||||
spec:
|
||||
{{ dict "envAll" $envAll "application" "apiserver" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
|
||||
hostNetwork: true
|
||||
shareProcessNamespace: true
|
||||
containers:
|
||||
- name: apiserver
|
||||
image: {{ .Values.images.tags.apiserver }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.kubernetes_apiserver | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
|
||||
{{ dict "envAll" $envAll "application" "apiserver" "container" "apiserver" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
|
||||
env:
|
||||
- name: POD_IP
|
||||
valueFrom:
|
||||
|
|
|
@ -287,6 +287,13 @@ pod:
|
|||
apiserver_key_rotate:
|
||||
runAsUser: 0
|
||||
readOnlyRootFilesystem: false
|
||||
apiserver:
|
||||
pod:
|
||||
runAsUser: 65534
|
||||
container:
|
||||
apiserver:
|
||||
runAsUser: 0
|
||||
readOnlyRootFilesystem: false
|
||||
mounts:
|
||||
kubernetes_apiserver:
|
||||
init_container: null
|
||||
|
|
|
@ -26,11 +26,13 @@ metadata:
|
|||
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
|
||||
{{ dict "envAll" $envAll "podName" "controller-manager" "containerNames" (list "controller-manager") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
|
||||
spec:
|
||||
{{ dict "envAll" $envAll "application" "controller_manager" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
|
||||
hostNetwork: true
|
||||
containers:
|
||||
- name: controller-manager
|
||||
image: {{ .Values.images.tags.controller_manager }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.controller_manager | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
|
||||
{{ dict "envAll" $envAll "application" "controller_manager" "container" "controller_manager" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
|
||||
env:
|
||||
- name: POD_IP
|
||||
valueFrom:
|
||||
|
|
|
@ -98,6 +98,12 @@ pod:
|
|||
container:
|
||||
anchor:
|
||||
readOnlyRootFilesystem: true
|
||||
controller_manager:
|
||||
pod:
|
||||
runAsUser: 0
|
||||
container:
|
||||
controller_manager:
|
||||
readOnlyRootFilesystem: true
|
||||
mounts:
|
||||
controller_manager:
|
||||
init_container: null
|
||||
|
|
|
@ -27,12 +27,14 @@ metadata:
|
|||
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
|
||||
{{ dict "envAll" $envAll "podName" "haproxy" "containerNames" (list "haproxy") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
|
||||
spec:
|
||||
{{ dict "envAll" $envAll "application" "server" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
|
||||
hostNetwork: true
|
||||
containers:
|
||||
- name: haproxy
|
||||
image: {{ .Values.images.tags.haproxy }}
|
||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||
{{ tuple . .Values.pod.resources.haproxy_pod | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
|
||||
{{ dict "envAll" $envAll "application" "server" "container" "haproxy" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
|
||||
hostNetwork: true
|
||||
env:
|
||||
- name: HAPROXY_CONF
|
||||
|
|
|
@ -108,6 +108,13 @@ pod:
|
|||
haproxy_haproxy_test:
|
||||
runAsUser: 0
|
||||
readOnlyRootFilesystem: true
|
||||
server:
|
||||
pod:
|
||||
runAsUser: 65534
|
||||
container:
|
||||
haproxy:
|
||||
runAsUser: 0
|
||||
readOnlyRootFilesystem: false
|
||||
lifecycle:
|
||||
upgrades:
|
||||
daemonsets:
|
||||
|
|
|
@ -28,11 +28,13 @@ metadata:
|
|||
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
|
||||
{{ dict "envAll" $envAll "podName" "scheduler" "containerNames" (list "scheduler") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
|
||||
spec:
|
||||
{{ dict "envAll" $envAll "application" "scheduler" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
|
||||
hostNetwork: true
|
||||
containers:
|
||||
- name: scheduler
|
||||
image: {{ .Values.images.tags.scheduler }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.scheduler_pod | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
|
||||
{{ dict "envAll" $envAll "application" "scheduler" "container" "scheduler" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
|
||||
env:
|
||||
- name: POD_IP
|
||||
valueFrom:
|
||||
|
|
|
@ -38,6 +38,9 @@ pod:
|
|||
anchor:
|
||||
runAsUser: 0
|
||||
readOnlyRootFilesystem: true
|
||||
scheduler:
|
||||
runAsUser: 0
|
||||
readOnlyRootFilesystem: false
|
||||
lifecycle:
|
||||
upgrades:
|
||||
daemonsets:
|
||||
|
|