readOnlyRootFilesystem: true for Calico chart
Fix for adding readOnlyRootFilesystem flag at pod level Change-Id: I79fd55e582487ffe91a750a51c7a2c5bed13f777
This commit is contained in:
parent
e836707ad0
commit
7520f9b8e7
@ -50,6 +50,8 @@ spec:
|
||||
# a failure. This annotation works in tandem with the toleration below.
|
||||
scheduler.alpha.kubernetes.io/critical-pod: ''
|
||||
spec:
|
||||
securityContext:
|
||||
readOnlyRootFilesystem: true
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
tolerations:
|
||||
# This taint is set by all kubelets running `--cloud-provider=external`
|
||||
|
@ -118,6 +118,8 @@ spec:
|
||||
{{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_pod_annotations" | indent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
securityContext:
|
||||
readOnlyRootFilesystem: true
|
||||
nodeSelector:
|
||||
beta.kubernetes.io/os: linux
|
||||
hostNetwork: true
|
||||
|
@ -92,6 +92,8 @@ spec:
|
||||
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||
spec:
|
||||
securityContext:
|
||||
readOnlyRootFilesystem: true
|
||||
nodeSelector:
|
||||
beta.kubernetes.io/os: linux
|
||||
# The controllers must run in the host network namespace so that
|
||||
|
Loading…
Reference in New Issue
Block a user