Shipyard: Add pod/container security context
- deployment-shipyard This updates the shipyard chart to include the pod security context on the pod template. This also adds the container security context to set allowPrivilegeEscalation to false and readOnlyRootFilesystem to true. Change-Id: Idb1b848847eaec2b6e24389c063b7ece2973c4dc
This commit is contained in:
parent
8cfc2b228d
commit
25defd8ca7
@ -40,6 +40,7 @@ spec:
|
|||||||
airflow-configmap-bin-hash: {{ tuple "configmap-airflow-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
airflow-configmap-bin-hash: {{ tuple "configmap-airflow-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
airflow-configmap-etc-hash: {{ tuple "configmap-airflow-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
airflow-configmap-etc-hash: {{ tuple "configmap-airflow-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
spec:
|
spec:
|
||||||
|
{{ dict "envAll" $envAll "application" "shipyard" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
|
||||||
serviceAccountName: {{ $serviceAccountName }}
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
{{ .Values.labels.shipyard.node_selector_key }}: {{ .Values.labels.shipyard.node_selector_value }}
|
{{ .Values.labels.shipyard.node_selector_key }}: {{ .Values.labels.shipyard.node_selector_value }}
|
||||||
@ -57,6 +58,7 @@ spec:
|
|||||||
image: {{ .Values.images.tags.shipyard }}
|
image: {{ .Values.images.tags.shipyard }}
|
||||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||||
{{ tuple $envAll $envAll.Values.pod.resources.shipyard_api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
{{ tuple $envAll $envAll.Values.pod.resources.shipyard_api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
|
{{ dict "envAll" $envAll "application" "shipyard" "container" "shipyard_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||||
ports:
|
ports:
|
||||||
- containerPort: {{ tuple "shipyard" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
- containerPort: {{ tuple "shipyard" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
@ -95,6 +97,7 @@ spec:
|
|||||||
image: {{ .Values.images.tags.airflow }}
|
image: {{ .Values.images.tags.airflow }}
|
||||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||||
{{ tuple $envAll $envAll.Values.pod.resources.airflow.web | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
{{ tuple $envAll $envAll.Values.pod.resources.airflow.web | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
|
{{ dict "envAll" $envAll "application" "shipyard" "container" "airflow_web" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||||
env:
|
env:
|
||||||
- name: AIRFLOW_CONN_AIRFLOWS_OWN_DB
|
- name: AIRFLOW_CONN_AIRFLOWS_OWN_DB
|
||||||
valueFrom:
|
valueFrom:
|
||||||
|
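Review bot: Only the shipyard_api and airflow_web containers get a container security context in this change (the includes at the `kubernetes_container_security_context` lines), so any other container in the same pod template — init containers, or the airflow scheduler that the values file's `airflow_scheduler` mounts block refers to when the standalone scheduler is enabled — would still run with Kubernetes defaults (privilege escalation allowed, writable root filesystem); the rest of the pod template is outside these hunks, so this is inferred from the diff rather than confirmed. If such containers exist, each should get the same `{{ dict "envAll" $envAll "application" "shipyard" "container" "<name>" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}` line and a matching entry under `pod.security_context.shipyard.container`. It would also help to state in the commit message which containers were deliberately left out and why, so the gap is not mistaken for an oversight later.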
@ -678,6 +678,16 @@ conf:
|
|||||||
#Shipyard is not using this
|
#Shipyard is not using this
|
||||||
# End of Airflow config options
|
# End of Airflow config options
|
||||||
pod:
|
pod:
|
||||||
|
security_context:
|
||||||
|
shipyard:
|
||||||
|
pod:
|
||||||
|
runAsUser: 1000
|
||||||
|
container:
|
||||||
|
shipyard_api:
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
airflow_web:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
mounts:
|
mounts:
|
||||||
airflow_scheduler:
|
airflow_scheduler:
|
||||||
# TODO: This is only used if the standalone scheduler is enabled.
|
# TODO: This is only used if the standalone scheduler is enabled.
|
||||||
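Review bot: The new `security_context` block leaves capabilities untouched, so both containers still start with the runtime's default capability set even though privilege escalation is now blocked; dropping all capabilities is the usual companion to `allowPrivilegeEscalation: false` and costs nothing for a web/API process. The pod stanza sets `runAsUser: 1000` but not `runAsNonRoot: true`, which would make the kubelet refuse to start the container if the uid were ever overridden back to 0 by a values override. The asymmetry between `shipyard_api` (read-only root filesystem) and `airflow_web` (writable) is not explained; if the airflow webserver needs writable paths (logs, pid file — presumed, not visible here), an `emptyDir` mounted at those paths is preferable to leaving the whole root filesystem writable. Assuming the helm-toolkit snippet passes the per-container map through to `securityContext` as the existing keys already rely on, the values would become:
```yaml
security_context:
  shipyard:
    pod:
      runAsUser: 1000
      runAsNonRoot: true
    container:
      shipyard_api:
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
      airflow_web:
        # TODO(review): confirm whether the webserver needs a writable root fs;
        # if only specific paths are written, mount an emptyDir there instead.
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
# … unchanged: mounts …
```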
|