[FIX] override security context capabilities in values.yaml
Add missing helm-toolkit snippet for ingress-errors container Change-Id: I9c7ec6b71a1d026257c2a1f76e18a3e3be8e244d
This commit is contained in:
parent
20c6e525ea
commit
926dadfbf4
|
@ -50,6 +50,7 @@ spec:
|
|||
image: {{ .Values.images.tags.error_pages }}
|
||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.maas_ingress_errors | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
{{ dict "envAll" $envAll "application" "ingress_errors" "container" "maas_ingress_errors" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||
args:
|
||||
- "-port"
|
||||
- {{ tuple "maas_ingress" "podport" "error_pages" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
|
||||
|
|
|
@ -65,6 +65,7 @@ spec:
|
|||
image: {{ .Values.images.tags.maas_rack }}
|
||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||
tty: true
|
||||
{{ dict "envAll" $envAll "application" "rack" "container" "maas_rack" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||
env:
|
||||
- name: MAAS_ENDPOINT
|
||||
{{- if empty .Values.conf.maas.url.maas_url }}
|
||||
|
@ -83,18 +84,8 @@ spec:
|
|||
name: {{ .Values.conf.maas.credentials.secret.name }}
|
||||
key: 'token'
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.maas_rack | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
{{ dict "envAll" $envAll "application" "rack" "container" "maas_rack" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||
command:
|
||||
- /tmp/start.sh
|
||||
securityContext:
|
||||
capabilities:
|
||||
add:
|
||||
- 'DAC_READ_SEARCH'
|
||||
- 'NET_ADMIN'
|
||||
- 'SYS_ADMIN'
|
||||
- 'SYS_PTRACE'
|
||||
- 'SYS_RESOURCE'
|
||||
- 'SYS_TIME'
|
||||
readinessProbe:
|
||||
initialDelaySeconds: 60
|
||||
periodSeconds: 60
|
||||
|
|
|
@ -105,15 +105,6 @@ spec:
|
|||
readinessProbe:
|
||||
tcpSocket:
|
||||
port: {{ tuple "maas_region" "podport" "region_api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||
securityContext:
|
||||
capabilities:
|
||||
add:
|
||||
- 'SYS_ADMIN'
|
||||
- 'NET_ADMIN'
|
||||
- 'SYS_PTRACE'
|
||||
- 'SYS_TIME'
|
||||
- 'SYS_RESOURCE'
|
||||
- 'DAC_READ_SEARCH'
|
||||
command:
|
||||
- /tmp/start.sh
|
||||
volumeMounts:
|
||||
|
|
|
@ -411,6 +411,14 @@ pod:
|
|||
container:
|
||||
maas_rack:
|
||||
readOnlyRootFilesystem: false
|
||||
capabilities:
|
||||
add:
|
||||
- 'DAC_READ_SEARCH'
|
||||
- 'NET_ADMIN'
|
||||
- 'SYS_ADMIN'
|
||||
- 'SYS_PTRACE'
|
||||
- 'SYS_RESOURCE'
|
||||
- 'SYS_TIME'
|
||||
region:
|
||||
pod:
|
||||
runAsUser: 0
|
||||
|
@ -419,6 +427,14 @@ pod:
|
|||
readOnlyRootFilesystem: false
|
||||
maas_region:
|
||||
readOnlyRootFilesystem: false
|
||||
capabilities:
|
||||
add:
|
||||
- 'SYS_ADMIN'
|
||||
- 'NET_ADMIN'
|
||||
- 'SYS_PTRACE'
|
||||
- 'SYS_TIME'
|
||||
- 'SYS_RESOURCE'
|
||||
- 'DAC_READ_SEARCH'
|
||||
api_test:
|
||||
pod:
|
||||
runAsUser: 0
|
||||
|
|
Loading…
Reference in New Issue