Kube-State-Metrics: Add pod/container security context

This updates the kube-state-metrics chart to include the pod
security context on the pod template. This changes the pod's
user from root to the nobody user.

This also adds the container security context to explicitly set
allowPrivilegeEscalation to false

Change-Id: I17748b299a6e7a394cae63a0e713c49fbf68b4eb
Steve Wilkerson 2019-01-03 12:49:41 -06:00
parent 8dba8cb648
commit 4d50e6fa7a
2 changed files with 6 additions and 0 deletions


@ -108,6 +108,7 @@ spec:
labels:
{{ tuple $envAll "kube-state-metrics" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec:
{{ dict "envAll" $envAll "application" "kube_state_metrics" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }}
nodeSelector:
{{ .Values.labels.kube_state_metrics.node_selector_key }}: {{ .Values.labels.kube_state_metrics.node_selector_value | quote }}
@ -118,6 +119,8 @@ spec:
- name: kube-state-metrics
{{ tuple $envAll "kube_state_metrics" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.kube_state_metrics | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
command:
- /tmp/kube-state-metrics.sh
ports:
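Review bot: The container `securityContext` added to the `kube-state-metrics` container is hard-coded in the template and sets only `allowPrivilegeEscalation: false`, so operators cannot adjust or tighten it from values the way the pod-level context is driven by `pod.user.kube_state_metrics.uid`. If the exporter does not need to write to its root filesystem or hold Linux capabilities (not verifiable from this section), the same block could also carry `readOnlyRootFilesystem: true` and `capabilities: {drop: [ALL]}`. The rendered output of the `helm-toolkit.snippets.kubernetes_pod_security_context` include is not visible here, so it is worth confirming with a template render that it emits `runAsUser` at the pod `spec` level, and considering `runAsNonRoot: true` alongside it so that a later override of the uid to 0 is rejected by the kubelet. A short comment above the include stating which values key feeds it would help the next reader.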


@ -37,6 +37,9 @@ labels:
node_selector_value: enabled
pod:
user:
kube_state_metrics:
uid: 65534
affinity:
anti:
type: