Add missing security context to Sonobuoy pods/containers
This updates the sonobuoy chart to include the pod security context on the pod template. This also adds the container security context to set readOnlyRootFilesystem flag to true Depends-On: https://review.opendev.org/740119/ Change-Id: I0964c9809402635c9a7049b61fb954a4ebf01bb1
This commit is contained in:
parent
6dc8ecaa2d
commit
44f2de10b1
|
@ -63,6 +63,7 @@ metadata:
|
|||
spec:
|
||||
nodeSelector:
|
||||
{{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value}}
|
||||
{{ dict "envAll" $envAll "application" "sonobuoy" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
|
||||
initContainers:
|
||||
{{ tuple $envAll "sonobuoy" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
|
||||
containers:
|
||||
|
@ -73,6 +74,7 @@ spec:
|
|||
fieldRef:
|
||||
fieldPath: status.podIP
|
||||
{{ tuple $envAll "sonobuoy_api" | include "helm-toolkit.snippets.image" | indent 4 }}
|
||||
{{ dict "envAll" $envAll "application" "sonobuoy" "container" "kube_sonobuoy" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 4 }}
|
||||
command:
|
||||
- /run_master.sh
|
||||
volumeMounts:
|
||||
|
|
|
@ -39,6 +39,14 @@ dependencies:
|
|||
- sonobuoy-ks-user
|
||||
|
||||
pod:
|
||||
security_context:
|
||||
sonobuoy:
|
||||
pod:
|
||||
runAsUser: 1000
|
||||
container:
|
||||
kube_sonobuoy:
|
||||
readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
resources:
|
||||
enabled: false
|
||||
jobs:
|
||||
|
|
Loading…
Reference in New Issue