From b5063695b0a79d78f108d0496a777eff5c072b3c Mon Sep 17 00:00:00 2001
From: pd2839
Date: Mon, 18 Mar 2019 14:44:23 -0500
Subject: [PATCH] Implement Security Context for Horizon

Implement container security context for the following Horizon resources:
- Horizon server deployment
Change-Id: I8202cd011f4c4f73d778c5f0ad2648440e259e5d
---
 horizon/templates/deployment.yaml | 3 +--
 horizon/values.yaml | 9 +++++++--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/horizon/templates/deployment.yaml b/horizon/templates/deployment.yaml
index 466ff4ea6e..d0531c4fa6 100644
--- a/horizon/templates/deployment.yaml
+++ b/horizon/templates/deployment.yaml
@@ -46,8 +46,6 @@ spec:
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
- securityContext:
- readOnlyRootFilesystem: true
 serviceAccountName: {{ $serviceAccountName }}
 {{ dict "envAll" $envAll "application" "horizon" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 affinity:
@@ -61,6 +59,7 @@ spec:
 - name: horizon
 {{ tuple $envAll "horizon" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "horizon" "container" "horizon" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 securityContext:
 runAsUser: 0
 command:
diff --git a/horizon/values.yaml b/horizon/values.yaml
index aaa14b0150..31ace979ca 100644
--- a/horizon/values.yaml
+++ b/horizon/values.yaml
@@ -1978,9 +1978,14 @@ dependencies:
 service: local_image_registry
 pod:
- user:
+ security_context:
 horizon:
- uid: 42424
+ pod:
+ runAsUser: 42424
+ container:
+ horizon:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
 affinity:
 anti:
 type:
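Review bot: The `horizon` container in horizon/templates/deployment.yaml now ends up with two security-context sources, because the added `helm-toolkit.snippets.kubernetes_container_security_context` include is immediately followed by the pre-existing literal `securityContext:` / `runAsUser: 0` block, which the second hunk keeps as context. Assuming the snippet renders its own `securityContext:` mapping (its definition is not part of this patch), the rendered container has a duplicate key. A parser that keeps the last value would then silently drop `readOnlyRootFilesystem: true` and `allowPrivilegeEscalation: false`, while the container still runs as UID 0 rather than the pod-level `runAsUser: 42424` set in values.yaml. I would delete the literal block from the template and add `runAsUser: 0` under `pod.security_context.horizon.container.horizon` in values.yaml, so that each container has exactly one security context and the root requirement is explicit and overridable. Rendering the chart with `helm template` and inspecting the container spec would confirm which settings survive; the container definition continues past the end of this hunk.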