From 085610523fb1422a46b0f3c79d53694b5380bd14 Mon Sep 17 00:00:00 2001 From: Rahul Khiyani Date: Fri, 26 Oct 2018 20:23:53 -0500 Subject: [PATCH] Keystone podSecurityContext securitycontext with non-root user is implemented at pod level and leveraged the helm-toolkit snippet Fix for adding allowPrivilegeEscalation flag as a blanket policy on the pod in the keyston chart Depends-On: I95264c933b51e2a8e38f63faa1e239bb3c1ebfda Change-Id: I15333df4707948e50deb935ffc1ee599588e4788 --- keystone/templates/deployment-api.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/keystone/templates/deployment-api.yaml b/keystone/templates/deployment-api.yaml index c985cad132..23bdc72c1a 100644 --- a/keystone/templates/deployment-api.yaml +++ b/keystone/templates/deployment-api.yaml @@ -45,6 +45,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: +{{ dict "envAll" $envAll "application" "keystone" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "keystone" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} @@ -58,7 +59,7 @@ spec: {{ tuple $envAll "keystone_api" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} securityContext: - runAsUser: {{ .Values.pod.user.keystone.uid }} + allowPrivilegeEscalation: false command: - /tmp/keystone-api.sh - start