1e4b5e0d45
This updates the coredns, haproxy and etcd chart to include the pod security context on the pod template. This also adds the container security context to set readOnlyRootFilesystem flag Change-Id: I9b5b0ea83acd4c5656577d8cbc684a5031ca0111
106 lines
2.2 KiB
YAML
106 lines
2.2 KiB
YAML
conf:
|
|
coredns:
|
|
corefile: |
|
|
.:53 {
|
|
errors
|
|
health
|
|
autopath @kubernetes
|
|
kubernetes cluster.local 10.96.0.0/16 10.97.0.0/16 {
|
|
pods disabled
|
|
fallthrough in-addr.arpa ip6.arpa
|
|
upstream 8.8.8.8
|
|
upstream 8.8.4.4
|
|
}
|
|
prometheus :9253
|
|
forward . 8.8.8.8 8.8.4.4
|
|
cache 30
|
|
}
|
|
|
|
test:
|
|
coredns_check_port: 8080
|
|
ext_health_check_port: 8282
|
|
names_to_resolve:
|
|
- kubernetes.default.svc.cluster.local
|
|
|
|
images:
|
|
tags:
|
|
coredns: coredns/coredns:1.6.4
|
|
test: quay.io/airshipit/promenade:latest
|
|
pull_policy: "IfNotPresent"
|
|
|
|
labels:
|
|
coredns:
|
|
node_selector_key: coredns
|
|
node_selector_value: enabled
|
|
|
|
service:
|
|
name: coredns
|
|
ip: 10.96.0.10
|
|
|
|
pod:
|
|
mandatory_access_control:
|
|
type: apparmor
|
|
coredns:
|
|
coredns: runtime/default
|
|
coredns-health: runtime/default
|
|
coredns-test: runtime/default
|
|
security_context:
|
|
coredns:
|
|
pod:
|
|
runAsUser: 65534
|
|
container:
|
|
coredns:
|
|
runAsUser: 0
|
|
readOnlyRootFilesystem: true
|
|
test:
|
|
pod:
|
|
runAsUser: 65534
|
|
container:
|
|
coredns_test:
|
|
runAsUser: 0
|
|
readOnlyRootFilesystem: true
|
|
lifecycle:
|
|
upgrades:
|
|
# This is only meaningful when deploying as a DaemonSet
|
|
daemonsets:
|
|
pod_replacement_strategy: RollingUpdate
|
|
coredns:
|
|
enabled: true
|
|
min_ready_seconds: 0
|
|
max_unavailable: 30%
|
|
termination_grace_period:
|
|
coredns:
|
|
timeout: 30
|
|
resources:
|
|
enabled: false
|
|
coredns:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
pod_test:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1024Mi"
|
|
cpu: "2000m"
|
|
# This is only meaningful when deploying as a Deployment
|
|
replicas:
|
|
coredns: 3
|
|
|
|
monitoring:
|
|
prometheus:
|
|
enabled: false
|
|
coredns:
|
|
scrape: true
|
|
port: 9253
|
|
|
|
manifests:
|
|
# This chart can deploy CoreDNS as a Deployment, as a DaemonSet, or both
|
|
daemonset: false
|
|
deployment: true
|
|
pod_test: true
|