From fbaa07a66c9bf55790e8aa90a0a6ad48fc3407ea Mon Sep 17 00:00:00 2001
From: "KHIYANI, RAHUL (rk0850)"
Date: Wed, 1 Jul 2020 15:02:29 -0500
Subject: [PATCH] Implement helm-toolkit snippet to apiserver and webhook pods/containers

This updates the promenade chart to include the pod security context on the pod template. This also adds the container security context to set readOnlyRootFilesystem

Change-Id: I0be613a2617fcc83a8750ece7aae121fae0be839
---
 charts/apiserver-webhook/templates/deployment.yaml | 1 +
 charts/apiserver-webhook/values.yaml | 3 +++
 charts/apiserver/templates/job-key-rotate.yaml | 2 ++
 charts/apiserver/values.yaml | 7 +++++++
 4 files changed, 13 insertions(+)

diff --git a/charts/apiserver-webhook/templates/deployment.yaml b/charts/apiserver-webhook/templates/deployment.yaml
index f945c911..1689ac7c 100644
--- a/charts/apiserver-webhook/templates/deployment.yaml
+++ b/charts/apiserver-webhook/templates/deployment.yaml
@@ -214,6 +214,7 @@ spec:
 - name: webhook
 {{ tuple $envAll "kubernetes_keystone_webhook" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "apiserver_webhook" "container" "webhook" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /tmp/webhook_start.sh
 env:
diff --git a/charts/apiserver-webhook/values.yaml b/charts/apiserver-webhook/values.yaml
index 3753ac26..c1ab32bb 100644
--- a/charts/apiserver-webhook/values.yaml
+++ b/charts/apiserver-webhook/values.yaml
@@ -215,6 +215,9 @@ pod:
 apiserver:
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
+ webhook:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 mounts:
 kubernetes_apiserver:
 init_container: null
diff --git a/charts/apiserver/templates/job-key-rotate.yaml b/charts/apiserver/templates/job-key-rotate.yaml
index dfa3c950..dffa30d1 100644
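Review bot: The container security context added to the `webhook` container takes its settings from the new `pod.security_context.apiserver_webhook.container.webhook` entry in the values.yaml hunk below, which turns on `readOnlyRootFilesystem: true`; any path that `/tmp/webhook_start.sh` or the webhook process writes at runtime must therefore be backed by an explicit volume mount, which this hunk does not show and which should be confirmed against the deployment's volume list before merging. The commit message says the pod security context is added to the pod template, but for this deployment only the container-level snippet is rendered; if `helm-toolkit.snippets.kubernetes_pod_security_context` is not already present on this pod template outside the hunk, add it the same way the key-rotate job does so `runAsUser` is also set at pod scope. The container spec continues outside the hunk.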
--- a/charts/apiserver/templates/job-key-rotate.yaml
+++ b/charts/apiserver/templates/job-key-rotate.yaml
@@ -95,6 +95,7 @@ spec:
 labels:
 {{ tuple $envAll "kube-apiserver" "key-rotate" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
+{{ dict "envAll" $envAll "application" "key_rotate" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
 nodeSelector:
@@ -106,6 +107,7 @@ spec:
 image: {{ .Values.images.tags.key_rotate | quote }}
 imagePullPolicy: {{ .Values.images.pull_policy | quote }}
 {{ tuple $envAll $envAll.Values.pod.resources.key_rotate | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "key_rotate" "container" "apiserver_key_rotate" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 env:
 - name: "ANNOTATION_NAME"
 value: {{ .Values.const.encryption_annotation | quote }}
diff --git a/charts/apiserver/values.yaml b/charts/apiserver/values.yaml
index 811070f0..bff5f2f7 100644
--- a/charts/apiserver/values.yaml
+++ b/charts/apiserver/values.yaml
@@ -278,6 +278,13 @@ pod:
 anchor:
 runAsUser: 0
 readOnlyRootFilesystem: false
+ key_rotate:
+ pod:
+ runAsUser: 65534
+ container:
+ apiserver_key_rotate:
+ runAsUser: 0
+ readOnlyRootFilesystem: false
 mounts:
 kubernetes_apiserver:
 init_container: null
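Review bot: The pod-level `runAsUser: 65534` that this snippet renders from the new `key_rotate.pod` values entry is overridden for the job's only visible container, because the container-level snippet in the next hunk renders `runAsUser: 0` and `readOnlyRootFilesystem: false` from `key_rotate.container.apiserver_key_rotate` in the values.yaml hunk, and a container securityContext takes precedence over the pod's. The effective posture of the key-rotate job is therefore root with a writable root filesystem, which the commit message ("adds the container security context to set readOnlyRootFilesystem") does not make clear. If that is genuinely required (the neighbouring `anchor` entry uses the same settings, so presumably the job rewrites apiserver files on the node — worth confirming), document the exception next to the values entry, e.g. `# key_rotate runs as root with a writable rootfs because <reason placeholder>; keep in sync with job-key-rotate.yaml`, and otherwise prefer `readOnlyRootFilesystem: true` with a dedicated writable volume for the paths the job touches. The job spec continues outside both hunks.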