Implement helm-toolkit snippet to apiserver and webhook pods/containers
This updates the promenade chart to include the pod security context on the pod template. This also adds the container security context to set readOnlyRootFilesystem Change-Id: I0be613a2617fcc83a8750ece7aae121fae0be839
This commit is contained in:
parent
c6c7a3accd
commit
fbaa07a66c
|
@ -214,6 +214,7 @@ spec:
|
||||||
- name: webhook
|
- name: webhook
|
||||||
{{ tuple $envAll "kubernetes_keystone_webhook" | include "helm-toolkit.snippets.image" | indent 10 }}
|
{{ tuple $envAll "kubernetes_keystone_webhook" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||||
{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
|
{{ dict "envAll" $envAll "application" "apiserver_webhook" "container" "webhook" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||||
command:
|
command:
|
||||||
- /tmp/webhook_start.sh
|
- /tmp/webhook_start.sh
|
||||||
env:
|
env:
|
||||||
|
|
|
@ -215,6 +215,9 @@ pod:
|
||||||
apiserver:
|
apiserver:
|
||||||
allowPrivilegeEscalation: false
|
allowPrivilegeEscalation: false
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
|
webhook:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
mounts:
|
mounts:
|
||||||
kubernetes_apiserver:
|
kubernetes_apiserver:
|
||||||
init_container: null
|
init_container: null
|
||||||
|
|
|
@ -95,6 +95,7 @@ spec:
|
||||||
labels:
|
labels:
|
||||||
{{ tuple $envAll "kube-apiserver" "key-rotate" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
{{ tuple $envAll "kube-apiserver" "key-rotate" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||||
spec:
|
spec:
|
||||||
|
{{ dict "envAll" $envAll "application" "key_rotate" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
|
||||||
serviceAccountName: {{ $serviceAccountName }}
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
restartPolicy: OnFailure
|
restartPolicy: OnFailure
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
|
@ -106,6 +107,7 @@ spec:
|
||||||
image: {{ .Values.images.tags.key_rotate | quote }}
|
image: {{ .Values.images.tags.key_rotate | quote }}
|
||||||
imagePullPolicy: {{ .Values.images.pull_policy | quote }}
|
imagePullPolicy: {{ .Values.images.pull_policy | quote }}
|
||||||
{{ tuple $envAll $envAll.Values.pod.resources.key_rotate | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
{{ tuple $envAll $envAll.Values.pod.resources.key_rotate | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
|
{{ dict "envAll" $envAll "application" "key_rotate" "container" "apiserver_key_rotate" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||||
env:
|
env:
|
||||||
- name: "ANNOTATION_NAME"
|
- name: "ANNOTATION_NAME"
|
||||||
value: {{ .Values.const.encryption_annotation | quote }}
|
value: {{ .Values.const.encryption_annotation | quote }}
|
||||||
|
|
|
@ -278,6 +278,13 @@ pod:
|
||||||
anchor:
|
anchor:
|
||||||
runAsUser: 0
|
runAsUser: 0
|
||||||
readOnlyRootFilesystem: false
|
readOnlyRootFilesystem: false
|
||||||
|
key_rotate:
|
||||||
|
pod:
|
||||||
|
runAsUser: 65534
|
||||||
|
container:
|
||||||
|
apiserver_key_rotate:
|
||||||
|
runAsUser: 0
|
||||||
|
readOnlyRootFilesystem: false
|
||||||
mounts:
|
mounts:
|
||||||
kubernetes_apiserver:
|
kubernetes_apiserver:
|
||||||
init_container: null
|
init_container: null
|
||||||
|
|
Loading…
Reference in New Issue