
Drydock: Add pod/container security context

This updates the drydock chart to include the pod
security context on the pod template. This changes the pod's
user from root to the nobody user.

This also adds the container security context to set
allowPrivilegeEscalation to false and readOnlyRootFilesystem to true

Change-Id: I0882622e672e5918da82b58b76697b8974cf0b16
Rahul Khiyani 1 month ago
parent
commit
9b5c1d493e
2 changed files with 10 additions and 0 deletions
  1. 2
    0
      charts/drydock/templates/deployment.yaml
  2. 8
    0
      charts/drydock/values.yaml

+ 2
- 0
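--- a/charts/drydock/templates/deployment.yaml
+++ b/charts/drydock/templates/deployment.yaml
@@ -35,6 +35,7 @@ spec:
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
         configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
     spec:
+{{ dict "envAll" $envAll "application" "drydock" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       nodeSelector:
         {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value | quote }}
       serviceAccountName: {{ $serviceAccountName }}
@@ -48,6 +49,7 @@ spec:
           image: {{ .Values.images.tags.drydock }}
           imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "drydock" "container" "drydock_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           env:
             - name: 'MAAS_API_KEY'
               valueFrom: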
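Review bot: The container security context added in the second hunk turns on readOnlyRootFilesystem for the drydock_api container, but no volumeMounts change accompanies it in this commit; if the drydock API writes anywhere on its root filesystem (temp files, local logs, cache), the container will fail at runtime rather than at deploy time. Please confirm every writable path is backed by a volume (emptyDir or otherwise) outside this hunk, and record the constraint next to the include, e.g. `{{/* readOnlyRootFilesystem is enabled: every path drydock writes must be a mounted volume */}}`. The container spec that this include belongs to starts above the hunk, so whether the pod has other containers still running with the default context cannot be told from here. The pod security context include in the first hunk sets only runAsUser, so enforcement of non-root relies on that value rather than on the kubelet's runAsNonRoot check.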

+ 8
- 0
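--- a/charts/drydock/values.yaml
+++ b/charts/drydock/values.yaml
@@ -55,6 +55,14 @@ network:
         nginx.ingress.kubernetes.io/rewrite-target: /
 
 pod:
+  security_context:
+    drydock:
+      pod:
+        runAsUser: 65534
+      container:
+        drydock_api:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
   lifecycle:
     upgrades:
       deployments: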
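Review bot: The pod security context sets `runAsUser: 65534` but not `runAsNonRoot: true`, so if an operator overrides runAsUser in a values file (or later removes it) nothing rejects a root uid; adding `runAsNonRoot: true` under `pod:` makes the kubelet refuse to start a root container regardless of the configured uid. The uid's meaning is also left implicit even though the commit message calls it the nobody user; a comment above it such as `# 65534 is the conventional "nobody" uid` would keep that intent with the value. Since the container is now read-only root filesystem and runs as a non-root uid, any writable volumes it needs must be owned or group-accessible by that uid; an `fsGroup` entry alongside runAsUser may be required, which cannot be confirmed from this hunk.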
