readOnlyRootFilesystem: true for Calico chart

Fix for adding readOnlyRootFilesystem flag at pod
level

Change-Id: I79fd55e582487ffe91a750a51c7a2c5bed13f777
This commit is contained in:
Rahul Khiyani 2019-03-07 00:30:52 -05:00
parent e836707ad0
commit 7520f9b8e7
3 changed files with 6 additions and 0 deletions

View File

@ -50,6 +50,8 @@ spec:
# a failure. This annotation works in tandem with the toleration below. # a failure. This annotation works in tandem with the toleration below.
scheduler.alpha.kubernetes.io/critical-pod: '' scheduler.alpha.kubernetes.io/critical-pod: ''
spec: spec:
securityContext:
readOnlyRootFilesystem: true
serviceAccountName: {{ $serviceAccountName }} serviceAccountName: {{ $serviceAccountName }}
tolerations: tolerations:
# This taint is set by all kubelets running `--cloud-provider=external` # This taint is set by all kubelets running `--cloud-provider=external`

View File

@ -118,6 +118,8 @@ spec:
{{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_pod_annotations" | indent 8 }} {{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_pod_annotations" | indent 8 }}
{{- end }} {{- end }}
spec: spec:
securityContext:
readOnlyRootFilesystem: true
nodeSelector: nodeSelector:
beta.kubernetes.io/os: linux beta.kubernetes.io/os: linux
hostNetwork: true hostNetwork: true

View File

@ -92,6 +92,8 @@ spec:
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
spec: spec:
securityContext:
readOnlyRootFilesystem: true
nodeSelector: nodeSelector:
beta.kubernetes.io/os: linux beta.kubernetes.io/os: linux
# The controllers must run in the host network namespace so that # The controllers must run in the host network namespace so that