Openstack-utility: Add pod/container security context

This updates the openstack-utility chart to include the pod
security context on the pod template.

This also adds the container security context to set
readOnlyRootFilesystem flag to false

Change-Id: Ie9ce49bfa69b7e835b113340d908f96429039d94
This commit is contained in:
Rahul Khiyani 2019-11-25 10:38:17 -06:00
parent 19e2fa9721
commit 5442e7f7d9
2 changed files with 10 additions and 2 deletions

View File

@ -68,8 +68,7 @@ spec:
labels:
{{ tuple $envAll "openstack" "utility" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec:
securityContext:
runAsUser: 65534
{{ dict "envAll" $envAll "application" "openstack" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }}
affinity:
{{ tuple $envAll "openstack" "utility" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
@ -79,6 +78,7 @@ spec:
- name: {{ printf "%s" $envAll.Release.Name }}
{{ tuple $envAll "openstack_utility" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.openstack_utility | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "openstack" "container" "openstack_utility" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env:
- name: OS_AUTH_URL
value: {{ .Values.conf.keystone_auth.auth_url }}

View File

@ -26,6 +26,14 @@ labels:
node_selector_value: primary
pod:
security_context:
openstack:
pod:
runAsUser: 65534
container:
openstack_utility:
allowPrivilegeEscalation: true
readOnlyRootFilesystem: false
dns_policy: "ClusterFirstWithHostNet"
replicas:
utility: 1