Merge "Postgresql: Fix security context"

2019-05-15 16:35:18 +00:00 · 2019-05-15 16:35:18 +00:00 · c8ea0fa9fe
parent d815b5af38 2ddb43f525
commit c8ea0fa9fe
2 changed files with 13 additions and 5 deletions
--- a/postgresql/templates/statefulset.yaml
+++ b/postgresql/templates/statefulset.yaml
@ -57,7 +57,7 @@ spec:
            - "/bin/chown"
            - {{ .Values.pod.security_context.server.pod.runAsUser | quote }}
            - {{ .Values.storage.mount.path | quote }}
-{{ dict "envAll" $envAll "application" "server" "container" "set-volume-perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ dict "envAll" $envAll "application" "server" "container" "set_volume_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          volumeMounts:
            - name: pod-tmp
              mountPath: /tmp
@ -68,6 +68,7 @@ spec:
        - name: postgresql
 {{ tuple $envAll "postgresql" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "server" "container" "postgresql" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          ports:
            - containerPort: {{ tuple "postgresql" "internal" "postgresql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
          env:
@ -100,6 +101,8 @@ spec:
          volumeMounts:
            - name: pod-tmp
              mountPath: /tmp
+            - name: pg-run
+              mountPath: /var/run/postgresql
            - name: postgresql-bin
              mountPath: /tmp/start.sh
              subPath: start.sh
@ -114,6 +117,9 @@ spec:
      volumes:
        - name: pod-tmp
          emptyDir: {}
+        - name: pg-run
+          emptyDir:
+            medium: "Memory"
        - name: postgresql-bin
          configMap:
            name: postgresql-bin
--- a/postgresql/values.yaml
+++ b/postgresql/values.yaml
@ -28,13 +28,15 @@ pod:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
    server:
+      pod:
+        runAsUser: 999
      container:
-        set-volume-perms:
+        set_volume_perms:
          runAsUser: 0
          readOnlyRootFilesystem: true
-      pod:
-        allowPrivilegeEscalation: false
-        runAsUser: 999
+        postgresql:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
  affinity:
    anti:
      type: