Steve Wilkerson 4d50e6fa7a Kube-State-Metrics: Add pod/container security context
This updates the kube-state-metrics chart to include the pod
security context on the pod template. This changes the pod's
user from root to the nobody user instead

This also adds the container security context to explicitly set
allowPrivilegeEscalation to false

Change-Id: I17748b299a6e7a394cae63a0e713c49fbf68b4eb
2019-01-03 16:08:22 -06:00

162 lines
3.6 KiB
YAML

# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Default values for kube-state-metrics.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
images:
tags:
kube_state_metrics: docker.io/bitnami/kube-state-metrics:1.3.1
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
image_repo_sync: docker.io/docker:17.07.0
pull_policy: IfNotPresent
local_registry:
active: false
exclude:
- dep_check
- image_repo_sync
labels:
kube_state_metrics:
node_selector_key: openstack-control-plane
node_selector_value: enabled
job:
node_selector_key: openstack-control-plane
node_selector_value: enabled
pod:
user:
kube_state_metrics:
uid: 65534
affinity:
anti:
type:
default: preferredDuringSchedulingIgnoredDuringExecution
topologyKey:
default: kubernetes.io/hostname
mounts:
kube_state_metrics:
kube_state_metrics:
init_container: null
replicas:
kube_state_metrics: 1
lifecycle:
upgrades:
revision_history: 3
pod_replacement_strategy: RollingUpdate
rolling_update:
max_unavailable: 1
max_surge: 3
termination_grace_period:
kube_state_metrics:
timeout: 30
resources:
enabled: false
kube_state_metrics:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
jobs:
image_repo_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
dependencies:
dynamic:
common:
local_image_registry:
jobs:
- kube-metrics-image-repo-sync
services:
- endpoint: node
service: local_image_registry
static:
image_repo_sync:
services:
- endpoint: internal
service: local_image_registry
kube_state_metrics:
services: null
endpoints:
cluster_domain_suffix: cluster.local
local_image_registry:
name: docker-registry
namespace: docker-registry
hosts:
default: localhost
internal: docker-registry
node: localhost
host_fqdn_override:
default: null
port:
registry:
node: 5000
kube_state_metrics:
namespace: null
hosts:
default: kube-state-metrics
host_fqdn_override:
default: null
path:
default: null
scheme:
default: 'http'
port:
http:
default: 8080
kube_scheduler:
scheme:
default: 'http'
path:
default: /metrics
port:
metrics:
default: 10251
kube_controller_manager:
scheme:
default: 'http'
path:
default: /metrics
port:
metrics:
default: 10252
monitoring:
prometheus:
enabled: true
kube_state_metrics:
scrape: true
kube_scheduler:
scrape: true
kube_controller_manager:
scrape: true
manifests:
configmap_bin: true
deployment: true
job_image_repo_sync: true
service_kube_state_metrics: true
service_controller_manager: true
service_scheduler: true
serviceaccount: true