From b1d0fd369955477cde46dcc5afd5684a19aa450e Mon Sep 17 00:00:00 2001 From: "Gupta, Sangeet (sg774j)" Date: Thu, 21 Feb 2019 15:58:51 -0600 Subject: [PATCH] Kubernetes-keystone-webhook: Add security context This adds the security context to the kubernetes-keystone-webhook. This changes the default user from root to the nobody user. This also adds the container security context to explicitly set allowPrivilegeEscalation to false Change-Id: I54621e94f2866a4b4301baa6b570472c5fcda291 --- kubernetes-keystone-webhook/templates/deployment.yaml | 3 +++ kubernetes-keystone-webhook/values.yaml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/kubernetes-keystone-webhook/templates/deployment.yaml b/kubernetes-keystone-webhook/templates/deployment.yaml index 7a6ae2a44..a3e6eedca 100644 --- a/kubernetes-keystone-webhook/templates/deployment.yaml +++ b/kubernetes-keystone-webhook/templates/deployment.yaml @@ -38,10 +38,13 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: +{{ dict "envAll" $envAll "application" "kubernetes-keystone-webhook" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} containers: - name: kubernetes-keystone-webhook {{ tuple $envAll "kubernetes_keystone_webhook" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + securityContext: + allowPrivilegeEscalation: false command: - /tmp/start.sh readinessProbe: diff --git a/kubernetes-keystone-webhook/values.yaml b/kubernetes-keystone-webhook/values.yaml index b30a7af56..35da523c0 100644 --- a/kubernetes-keystone-webhook/values.yaml +++ b/kubernetes-keystone-webhook/values.yaml @@ -49,6 +49,9 @@ network: port: 30601 pod: + user: + kubernetes-keystone-webhook: + uid: 65534 affinity: anti: type: