
Shipyard: Add pod/container security context

- deployment-shipyard

This updates the shipyard chart to include the pod
security context on the pod template.

This also adds the container security context to set
allowPrivilegeEscalation to false and readOnlyRootFilesystem to true.

Change-Id: Idb1b848847eaec2b6e24389c063b7ece2973c4dc
changes/95/639195/15
Rahul Khiyani 2 years ago
parent
commit
25defd8ca7
2 changed files with 13 additions and 0 deletions
  1. +3
    -0
      charts/shipyard/templates/deployment-shipyard.yaml
  2. +10
    -0
      charts/shipyard/values.yaml

+ 3
- 0
charts/shipyard/templates/deployment-shipyard.yaml View File

@ -40,6 +40,7 @@ spec:
airflow-configmap-bin-hash: {{ tuple "configmap-airflow-bin.yaml" . | include "helm-toolkit.utils.hash" }}
airflow-configmap-etc-hash: {{ tuple "configmap-airflow-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
{{ dict "envAll" $envAll "application" "shipyard" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }}
nodeSelector:
{{ .Values.labels.shipyard.node_selector_key }}: {{ .Values.labels.shipyard.node_selector_value }}
@ -57,6 +58,7 @@ spec:
image: {{ .Values.images.tags.shipyard }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.shipyard_api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "shipyard" "container" "shipyard_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
ports:
- containerPort: {{ tuple "shipyard" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
livenessProbe:
@ -95,6 +97,7 @@ spec:
image: {{ .Values.images.tags.airflow }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.airflow.web | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "shipyard" "container" "airflow_web" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env:
- name: AIRFLOW_CONN_AIRFLOWS_OWN_DB
valueFrom:


+ 10
- 0
charts/shipyard/values.yaml View File

@ -678,6 +678,16 @@ conf:
#Shipyard is not using this
# End of Airflow config options
pod:
security_context:
shipyard:
pod:
runAsUser: 1000
container:
shipyard_api:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
airflow_web:
allowPrivilegeEscalation: false
mounts:
airflow_scheduler:
# TODO: This is only used if the standalone scheduler is enabled.
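Review bot: The airflow_web entry sets only allowPrivilegeEscalation: false while shipyard_api additionally sets readOnlyRootFilesystem: true, although the commit message describes both settings as being applied; if leaving airflow_web with a writable root filesystem is intentional, a comment such as `# airflow_web keeps a writable root filesystem; add readOnlyRootFilesystem once its write paths are on volumes` would stop a later reader from treating it as an omission. The pod-level context sets only runAsUser: 1000, and whether the helm-toolkit snippet also emits runAsNonRoot or fsGroup defaults is not visible here, so a short comment next to `runAsUser: 1000` stating what the snippet is expected to add would help. The enclosing `pod:` mapping continues outside the hunk.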

