From 44f2de10b187e48b5ff4a0608dd2fc79f4aa6075 Mon Sep 17 00:00:00 2001
From: "DODDA, PRATEEK REDDY"
Date: Wed, 8 Jul 2020 14:55:24 -0500
Subject: [PATCH] Add missing security context to Sonobuoy pods/containers
This updates the sonobuoy chart to include the pod security context on the pod template. This also adds the container security context to set readOnlyRootFilesystem flag to true
Depends-On: https://review.opendev.org/740119/
Change-Id: I0964c9809402635c9a7049b61fb954a4ebf01bb1
---
 sonobuoy/templates/pod-api.yaml | 2 ++
 sonobuoy/values.yaml | 8 ++++++++
 2 files changed, 10 insertions(+)
diff --git a/sonobuoy/templates/pod-api.yaml b/sonobuoy/templates/pod-api.yaml
index 28b399e4..be0d11cf 100644
--- a/sonobuoy/templates/pod-api.yaml
+++ b/sonobuoy/templates/pod-api.yaml
@@ -63,6 +63,7 @@ metadata:
 spec:
 nodeSelector:
 {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value}}
+{{ dict "envAll" $envAll "application" "sonobuoy" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
 initContainers:
 {{ tuple $envAll "sonobuoy" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
 containers:
@@ -73,6 +74,7 @@ spec:
 fieldRef:
 fieldPath: status.podIP
 {{ tuple $envAll "sonobuoy_api" | include "helm-toolkit.snippets.image" | indent 4 }}
+{{ dict "envAll" $envAll "application" "sonobuoy" "container" "kube_sonobuoy" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 4 }}
 command:
 - /run_master.sh
 volumeMounts:
diff --git a/sonobuoy/values.yaml b/sonobuoy/values.yaml
index 82680058..67fd8e3c 100644
--- a/sonobuoy/values.yaml
+++ b/sonobuoy/values.yaml
@@ -39,6 +39,14 @@ dependencies:
 - sonobuoy-ks-user
 pod:
+ security_context:
+ sonobuoy:
+ pod:
+ runAsUser: 1000
+ container:
+ kube_sonobuoy:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
 resources:
 enabled: false
 jobs:
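Review bot: The pod-level securityContext inserted before `initContainers:` in the first pod-api.yaml hunk applies to the entrypoint init container rendered by `kubernetes_entrypoint_init_container` on the next context line as well as to the sonobuoy containers, so the `runAsUser: 1000` configured in values.yaml will govern that init image too unless the snippet sets its own container-level context (not visible from this chart). Worth confirming the entrypoint image runs correctly as that UID, since a mismatch only shows up when the pod is scheduled. The pod spec that this context attaches to begins before the hunk.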
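Review bot: `readOnlyRootFilesystem: true` on the kube_sonobuoy container (second pod-api.yaml hunk) only works if every path the process writes to is backed by a mount, and the hunk shows `command: - /run_master.sh` followed by `volumeMounts:` that continue outside the hunk, so it is not visible here whether sonobuoy's results/working directory and any temp path are covered. If they are not, the failure surfaces at run time as a write error rather than at template time; worth checking the image's write paths and adding an emptyDir mount where needed before merging. The container spec also begins before this hunk.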
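Review bot: The new `security_context.sonobuoy.pod` block in values.yaml pins `runAsUser: 1000` but does not set `runAsNonRoot: true`, so the kubelet will not enforce non-root execution if a site override later drops or changes runAsUser; I would add `runAsNonRoot: true` beside it. Under `kube_sonobuoy`, `capabilities: drop: [ALL]` alongside the existing `allowPrivilegeEscalation: false` would complete the hardening if the sonobuoy master needs no capabilities, which cannot be verified from the chart alone. A one-line comment above `runAsUser: 1000` noting that the UID must match what the sonobuoy image expects would also help, since a mismatch is only discovered when the pod starts.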