Add security context for etcd-ondemand pod/container

This changes implements runAsUser flag at pod level and readOnly-fs at container level Change-Id: I4e54ae4b13c4275f8313efbb733f938ec3580138
2020-08-31 11:19:32 -05:00 · 2020-08-31 11:19:32 -05:00 · e1b2c6ed47
commit e1b2c6ed47
parent e73bd895e2
2 changed files with 9 additions and 0 deletions
--- a/charts/etcdctl-utility/templates/bin/utility/_etcd_ondemand_job.sh.tpl
+++ b/charts/etcdctl-utility/templates/bin/utility/_etcd_ondemand_job.sh.tpl
@ -45,6 +45,7 @@ spec:
      labels:
 {{ tuple $envAll "etcd-ondemand" "ondemand" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
+{{ dict "envAll" $envAll "application" "etcd_ondemand" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      restartPolicy: OnFailure
      serviceAccountName: kubernetes-etcd-etcd-backup
      nodeName: ${NODE}
@ -52,6 +53,7 @@ spec:
        - name: etcd-ondemand
          image: ${ETCD_IMAGE_NAME}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.etcd_ondemand | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "etcd_ondemand" "container" "etcd_ondemand" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          command:
            - /bin/sleep
            - "1000000"
--- a/charts/etcdctl-utility/values.yaml
+++ b/charts/etcdctl-utility/values.yaml
@ -46,6 +46,13 @@ pod:
        etcdctl_utility:
          allowPrivilegeEscalation: true
          readOnlyRootFilesystem: false
+    etcd_ondemand:
+      pod:
+        runAsUser: 65534
+      container:
+        etcd_ondemand:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
  mandatory_access_control:
    type: apparmor
    etcdctl-utility: