From 28d5f7f9c0674d42b10ab08d209321b4ac1286ae Mon Sep 17 00:00:00 2001
From: ajanikow
Date: Thu, 26 Sep 2019 13:35:19 +0000
Subject: [PATCH] improvement/drop_security_context

---
 chart/kube-arangodb/templates/NOTES.txt | 7 +++++++
 chart/kube-arangodb/templates/deployment.yaml | 12 +++++++++---
 manifests/arango-deployment-replication.yaml | 12 +++++++++---
 manifests/arango-deployment.yaml | 12 +++++++++---
 manifests/arango-storage.yaml | 12 +++++++++---
 5 files changed, 43 insertions(+), 12 deletions(-)
 create mode 100644 chart/kube-arangodb/templates/NOTES.txt

diff --git a/chart/kube-arangodb/templates/NOTES.txt b/chart/kube-arangodb/templates/NOTES.txt
new file mode 100644
index 000000000..f45cab92e
--- /dev/null
+++ b/chart/kube-arangodb/templates/NOTES.txt
@@ -0,0 +1,7 @@
+You have installed Kubernetes ArangoDB Operator in version {{ .Chart.Version }}
+
+To access ArangoDeployments you can use:
+
+kubectl --namespace "{{ .Release.Namespace }}" get arangodeployments
+
+More details can be found on https://github.com/arangodb/kube-arangodb/tree/{{ .Chart.Version }}/docs
\ No newline at end of file
diff --git a/chart/kube-arangodb/templates/deployment.yaml b/chart/kube-arangodb/templates/deployment.yaml
index f0aba941c..02e6547b2 100644
--- a/chart/kube-arangodb/templates/deployment.yaml
+++ b/chart/kube-arangodb/templates/deployment.yaml
@@ -46,6 +46,9 @@ spec:
 operator: In
 values:
 - amd64
+ hostNetwork: false
+ hostPID: false
+ hostIPC: false
 containers:
 - name: operator
 imagePullPolicy: {{ .Values.operator.imagePullPolicy }}
@@ -78,9 +81,12 @@ spec:
 - name: metrics
 containerPort: 8528
 securityContext:
- capabilities:
- drop:
- - 'ALL'
+ privileged: false
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - 'ALL'
 {{- if .Values.operator.resources }}
 resources:
 {{ toYaml .Values.operator.resources | indent 22 }}
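Review bot: `hostNetwork`, `hostPID` and `hostIPC` set to `false` ahead of `containers:` match the Kubernetes API defaults, so these three lines record intent rather than change runtime behaviour, and the reason for pinning them is not written down. A one-line comment above them, such as `# Explicit defaults: the operator needs no host namespaces; kept visible for policy audits`, would stop a later cleanup from dropping them as redundant. The same three lines are added to the three files under manifests/ as well. The pod spec begins and ends outside the hunk.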
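Review bot: The container `securityContext` still allows the operator to run as UID 0, because none of the added lines sets `runAsNonRoot: true` or a `runAsUser`; dropping capabilities and setting `allowPrivilegeEscalation: false` narrow what root can do but do not stop the process being root. Adding `runAsNonRoot: true` next to `privileged: false` would close that gap, provided the operator image declares a numeric non-root user, which this patch does not show and should be confirmed first. `readOnlyRootFilesystem: true` also needs a runtime check: if the operator writes temporary files anywhere on its root filesystem it will need an `emptyDir` mount, and the hunk shows none. The same block is repeated in manifests/arango-deployment-replication.yaml, manifests/arango-deployment.yaml and manifests/arango-storage.yaml, so the point applies to all four files; the container spec continues outside the hunk.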
diff --git a/manifests/arango-deployment-replication.yaml b/manifests/arango-deployment-replication.yaml
index c24d2ff43..745a12d96 100644
--- a/manifests/arango-deployment-replication.yaml
+++ b/manifests/arango-deployment-replication.yaml
@@ -168,6 +168,9 @@ spec:
 operator: In
 values:
 - amd64
+ hostNetwork: false
+ hostPID: false
+ hostIPC: false
 containers:
 - name: operator
 imagePullPolicy: Always
@@ -192,9 +195,12 @@ spec:
 - name: metrics
 containerPort: 8528
 securityContext:
- capabilities:
- drop:
- - 'ALL'
+ privileged: false
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - 'ALL'
 livenessProbe:
 httpGet:
 path: /health
diff --git a/manifests/arango-deployment.yaml b/manifests/arango-deployment.yaml
index 68b4eff44..e8104f59c 100644
--- a/manifests/arango-deployment.yaml
+++ b/manifests/arango-deployment.yaml
@@ -212,6 +212,9 @@ spec:
 operator: In
 values:
 - amd64
+ hostNetwork: false
+ hostPID: false
+ hostIPC: false
 containers:
 - name: operator
 imagePullPolicy: Always
@@ -236,9 +239,12 @@ spec:
 - name: metrics
 containerPort: 8528
 securityContext:
- capabilities:
- drop:
- - 'ALL'
+ privileged: false
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - 'ALL'
 livenessProbe:
 httpGet:
 path: /health
diff --git a/manifests/arango-storage.yaml b/manifests/arango-storage.yaml
index 0aaee7029..f5ed6fb0b 100644
--- a/manifests/arango-storage.yaml
+++ b/manifests/arango-storage.yaml
@@ -200,6 +200,9 @@ spec:
 operator: In
 values:
 - amd64
+ hostNetwork: false
+ hostPID: false
+ hostIPC: false
 containers:
 - name: operator
 imagePullPolicy: Always
@@ -224,9 +227,12 @@ spec:
 - name: metrics
 containerPort: 8528
 securityContext:
- capabilities:
- drop:
- - 'ALL'
+ privileged: false
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - 'ALL'
 livenessProbe:
 httpGet:
 path: /health