Haproxy: Add pod/container security context

This updates k8s chart to include the podsecurity context on the pod template This also adds the container security context to set readOnlyRootFilesystem to true Change-Id: Ic823232fbbb3b0967047d88de81f6a2ee83dcd3e
2019-04-10 10:06:37 -05:00 · 2019-04-10 10:06:37 -05:00 · da343eb212
parent fefd664cd8
commit da343eb212
2 changed files with 10 additions and 0 deletions
--- a/charts/haproxy/templates/daemonset.yaml
+++ b/charts/haproxy/templates/daemonset.yaml
@ -37,6 +37,7 @@ spec:
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
+{{ dict "envAll" $envAll "application" "haproxy_anchor" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
@ -48,6 +49,7 @@ spec:
        - name: anchor
          image: {{ .Values.images.tags.anchor }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
+{{ dict "envAll" $envAll "application" "haproxy_anchor" "container" "anchor" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          env:
            - name: HAPROXY_HEADER
              value: /tmp/etc/haproxy.cfg.header
--- a/charts/haproxy/values.yaml
+++ b/charts/haproxy/values.yaml
@ -72,6 +72,14 @@ endpoints:
    port: 6553

 pod:
+  security_context:
+    haproxy_anchor:
+      pod:
+        runAsUser: 65534
+      container:
+        anchor:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
  lifecycle:
    upgrades:
      daemonsets: