From 76daa2e7df01f4736cfc44677ddfb7a0f7bcb715 Mon Sep 17 00:00:00 2001
From: Rahul Khiyani
Date: Fri, 22 Mar 2019 16:49:55 -0400
Subject: [PATCH] Tiller: Add pod/container security context

This updates the tiller chart to include the pod security context on the pod template
This also adds the container security context to set allowPrivilegeEscalation to false

Change-Id: Ic0d87ba2e933444ebe8a6d59d7bb74aae81a051d
---
 tiller/templates/deployment-tiller.yaml | 2 ++
 tiller/values.yaml | 7 +++++++
 2 files changed, 9 insertions(+)

diff --git a/tiller/templates/deployment-tiller.yaml b/tiller/templates/deployment-tiller.yaml
index 885618bc6..fedf65115 100644
--- a/tiller/templates/deployment-tiller.yaml
+++ b/tiller/templates/deployment-tiller.yaml
@@ -62,6 +62,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
     spec:
+{{ dict "envAll" $envAll "application" "tiller" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       initContainers:
 {{ tuple $envAll "tiller" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
       containers:
@@ -82,6 +83,7 @@ spec:
             successThreshold: 1
             timeoutSeconds: 1
           name: tiller
+{{ dict "envAll" $envAll "application" "tiller" "container" "tiller" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
           ports:
             - containerPort: 44134
               name: tiller
diff --git a/tiller/values.yaml b/tiller/values.yaml
index d17996fd2..b1ba1447d 100644
--- a/tiller/values.yaml
+++ b/tiller/values.yaml
@@ -37,6 +37,13 @@ images:
     - image_repo_sync
 
 pod:
+  security_context:
+    tiller:
+      pod:
+        runAsUser: 65534
+      container:
+        tiller:
+          allowPrivilegeEscalation: false
   resources:
     enabled: false
   jobs:
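Review bot: The pod-level securityContext rendered by the added `kubernetes_pod_security_context` include applies to every container in the pod, which includes the init container rendered by the `kubernetes_entrypoint_init_container` include two lines below it, so with `runAsUser: 65534` from values.yaml that init container will also run as UID 65534 unless the snippet sets its own securityContext (the snippet is outside this diff). Worth confirming the entrypoint image works as a non-root UID before merging. The include is placed at column 0 with `indent 6`, consistent with the other snippet includes in this template, so the rendered placement directly under `spec:` looks right; the enclosing Deployment template starts outside the hunk.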
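Review bot: `runAsUser: 65534` pins the UID but nothing sets `runAsNonRoot: true`, so a values override that sets `runAsUser` back to 0 would be accepted silently; adding `runAsNonRoot: true` beside it under `pod:` makes the kubelet reject such a pod. On the container side `allowPrivilegeEscalation: false` is set but the container still inherits the runtime's default capability set; since tiller only listens on the unprivileged port 44134 visible in the first file, `capabilities: {drop: [ALL]}` under `container.tiller:` is a cheap further tightening. `readOnlyRootFilesystem: true` may also be viable if tiller writes nothing to its root filesystem, but that is not evident from the diff and needs a test. These keys are consumed by the helm-toolkit snippets, which are not part of this diff, so confirm the snippets pass arbitrary securityContext keys through rather than an allow-list.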