Rahul Khiyani 76daa2e7df Tiller: Add pod/container security context
This updates the tiller chart to include the pod
security context on the pod template

This also adds the container security context to set
allowPrivilegeEscalation to false

Change-Id: Ic0d87ba2e933444ebe8a6d59d7bb74aae81a051d
2019-04-16 15:22:22 +00:00

102 lines
2.3 KiB
YAML

# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Default values for helm tiller
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
labels:
job:
node_selector_key: openstack-control-plane
node_selector_value: enabled
release_group: null
images:
tags:
tiller: gcr.io/kubernetes-helm/tiller:v2.13.0
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
image_repo_sync: docker.io/docker:17.07.0
pull_policy: IfNotPresent
local_registry:
active: false
exclude:
- dep_check
- image_repo_sync
pod:
security_context:
tiller:
pod:
runAsUser: 65534
container:
tiller:
allowPrivilegeEscalation: false
resources:
enabled: false
jobs:
image_repo_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
dependencies:
dynamic:
common:
local_image_registry:
jobs:
- tiller-image-repo-sync
services:
- endpoint: node
service: local_image_registry
static:
image_repo_sync:
services:
- endpoint: internal
service: local_image_registry
tiller:
services: null
endpoints:
cluster_domain_suffix: cluster.local
local_image_registry:
name: docker-registry
namespace: docker-registry
hosts:
default: localhost
internal: docker-registry
node: localhost
host_fqdn_override:
default: null
port:
registry:
node: 5000
monitoring:
prometheus:
enabled: false
tiller:
scrape: true
port: 44135
manifests:
configmap_bin: true
deployment_tiller: true
job_image_repo_sync: true
service_tiller_deploy: true