Add missing security context to Sonobuoy pods/containers

This updates the sonobuoy chart to include the pod security context on the pod template. This also adds the container security context to set readOnlyRootFilesystem flag to true Depends-On: https://review.opendev.org/740119/ Change-Id: I0964c9809402635c9a7049b61fb954a4ebf01bb1
2020-07-08 14:55:24 -05:00 · 2020-07-08 14:55:24 -05:00 · 44f2de10b1
parent 6dc8ecaa2d
commit 44f2de10b1
2 changed files with 10 additions and 0 deletions
--- a/sonobuoy/templates/pod-api.yaml
+++ b/sonobuoy/templates/pod-api.yaml
@ -63,6 +63,7 @@ metadata:
 spec:
  nodeSelector:
    {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value}}
+{{ dict "envAll" $envAll "application" "sonobuoy" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
  initContainers:
 {{ tuple $envAll "sonobuoy" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
  containers:
@ -73,6 +74,7 @@ spec:
        fieldRef:
          fieldPath: status.podIP
 {{ tuple $envAll "sonobuoy_api" | include "helm-toolkit.snippets.image" | indent 4 }}
+{{ dict "envAll" $envAll "application" "sonobuoy" "container" "kube_sonobuoy" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 4 }}
    command:
      - /run_master.sh
    volumeMounts:
--- a/sonobuoy/values.yaml
+++ b/sonobuoy/values.yaml
@ -39,6 +39,14 @@ dependencies:
      - sonobuoy-ks-user

 pod:
+  security_context:
+    sonobuoy:
+      pod:
+        runAsUser: 1000
+      container:
+        kube_sonobuoy:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
  resources:
    enabled: false
    jobs: