
Security context additions to khchecks #423

Merged
merged 9 commits into from
Apr 28, 2020
11 changes: 10 additions & 1 deletion deploy/helm/kuberhealthy/templates/khcheck-daemonset.yaml
@@ -9,6 +9,11 @@ spec:
runInterval: 15m
timeout: 12m
podSpec:
{{- if .Values.securityContext.enabled }}
securityContext:
runAsUser: {{ .Values.securityContext.runAsUser }}
fsGroup: {{ .Values.securityContext.fsGroup }}
{{- end}}
containers:
- env:
- name: POD_NAMESPACE
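Review bot: `runAsNonRoot` is missing from the pod-level securityContext rendered here, even though values.yaml in this same PR defines `runAsNonRoot: true` under the `securityContext` key; only `runAsUser` and `fsGroup` are emitted. Either render it next to them (`runAsNonRoot: {{ .Values.securityContext.runAsNonRoot }}`) or drop the value, since a key that appears in values.yaml but changes nothing in the rendered manifest misleads anyone auditing the chart. Rendering it is the better choice: `runAsUser: 999` is only as strong as whatever UID a user supplies, whereas `runAsNonRoot: true` makes the kubelet refuse to start the container if it would end up running as UID 0.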
@@ -28,6 +33,11 @@ spec:
requests:
cpu: 10m
memory: 50Mi
{{- if .Values.securityContext.enabled }}
securityContext:
allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation }}
readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem }}
{{- end}}
{{- if .Values.check.daemonset.nodeSelector }}
nodeSelector:
{{- toYaml .Values.check.daemonset.nodeSelector | nindent 6 }}
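Review bot: `readOnlyRootFilesystem` defaults to `true` in this PR's values.yaml, so this hunk gives the daemonset check container an immutable root filesystem with no writable volume declared anywhere in the podSpec. If the check image writes to `/tmp` or its working directory, that failure surfaces only at run time as a failing check, not at `helm install`. Either confirm the image never writes to disk, or mount an `emptyDir` at whatever scratch path it uses. The `{{- end}}` closing this block also lacks the space used by `{{- end }}` in the other templates of this PR; pick one spelling.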
@@ -76,4 +86,3 @@ metadata:
name: daemonset-khcheck
namespace: {{ .Release.Namespace }}
{{- end }}

11 changes: 10 additions & 1 deletion deploy/helm/kuberhealthy/templates/khcheck-deployment.yaml
@@ -9,6 +9,11 @@ spec:
runInterval: 10m
timeout: &deployment_check_timeout 15m
podSpec:
{{- if .Values.securityContext.enabled }}
securityContext:
runAsUser: {{ .Values.securityContext.runAsUser }}
fsGroup: {{ .Values.securityContext.fsGroup }}
{{- end}}
containers:
- name: deployment
image: {{ .Values.check.deployment.image.repository }}:{{ .Values.check.deployment.image.tag }}
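Review bot: this is the same five-line `{{- if .Values.securityContext.enabled }}` block that the daemonset template adds, and it is repeated verbatim in every khcheck template in this PR, ten copies in all once the container-level block is counted. Move the pod-level and container-level blocks into named templates in `_helpers.tpl` (adding that file if the chart has none), for example `kuberhealthy.podSecurityContext` and `kuberhealthy.containerSecurityContext`, and `include` them, so that a future field such as `runAsNonRoot` or a `capabilities.drop` list is added in one place rather than ten, and spelling drift like `{{- end}}` versus `{{- end }}` cannot happen.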
@@ -26,6 +31,11 @@ spec:
memory: 15Mi
limits:
cpu: 40m
{{- if .Values.securityContext.enabled }}
securityContext:
allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation }}
readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem }}
{{- end}}
restartPolicy: Never
{{- if .Values.check.deployment.nodeSelector }}
nodeSelector:
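Review bot: the container-level securityContext is placed correctly, but it hardens only the checker pod itself. If the deployment check still creates its own Deployment at run time (and the daemonset check its own DaemonSet), the pods those workloads spawn are not rendered from this template and inherit nothing from these values. Worth a sentence in the chart README so nobody reads `securityContext.enabled: true` as covering every pod Kuberhealthy creates.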
@@ -92,4 +102,3 @@ metadata:
name: deployment-sa
namespace: {{ .Release.Namespace }}
{{- end }}

10 changes: 10 additions & 0 deletions deploy/helm/kuberhealthy/templates/khcheck-dns.yaml
@@ -9,6 +9,11 @@ spec:
runInterval: 2m
timeout: 15m
podSpec:
{{- if .Values.securityContext.enabled }}
securityContext:
runAsUser: {{ .Values.securityContext.runAsUser }}
fsGroup: {{ .Values.securityContext.fsGroup }}
{{- end}}
containers:
- env:
- name: CHECK_POD_TIMEOUT
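Review bot: `fsGroup` is rendered at pod level, but none of the khcheck podSpecs touched by this PR declares a volume, and fsGroup only changes group ownership of mounted volumes (plus adding the GID to the process's supplementary groups). It is harmless here, but if the intent is to let UID 999 write somewhere, that somewhere needs a volume; otherwise note in values.yaml that fsGroup only matters once a user adds volumes of their own.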
@@ -24,6 +29,11 @@ spec:
requests:
cpu: 10m
memory: 50Mi
{{- if .Values.securityContext.enabled }}
securityContext:
allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation }}
readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem }}
{{- end }}
{{- if .Values.check.dnsInternal.nodeSelector }}
nodeSelector:
{{- toYaml .Values.check.dnsInternal.nodeSelector | nindent 6 }}
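Review bot: `{{- end }}` here versus `{{- end}}` on the pod-level block a few lines up in the same file is harmless to Helm but inconsistent; normalize it. More substantively, one `enabled` switch gates four fields across two levels, so a user whose image for a single check must run as root, or needs a writable root filesystem, has to switch off the whole security context for every check. Consider rendering each field only when it is set, for example `{{- if hasKey .Values.securityContext "runAsUser" }}` (not `with`, since a deliberate `runAsUser: 0` is falsy and would be silently skipped), or allow a per-check override under `check.<name>.securityContext`.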
10 changes: 10 additions & 0 deletions deploy/helm/kuberhealthy/templates/khcheck-pod-restarts.yaml
@@ -8,6 +8,11 @@ spec:
runInterval: 5m
timeout: 10m
podSpec:
{{- if .Values.securityContext.enabled }}
securityContext:
runAsUser: {{ .Values.securityContext.runAsUser }}
fsGroup: {{ .Values.securityContext.fsGroup }}
{{- end}}
containers:
- env:
- name: POD_NAMESPACE
@@ -27,6 +32,11 @@ spec:
requests:
cpu: 10m
memory: 50Mi
{{- if .Values.securityContext.enabled }}
securityContext:
allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation }}
readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem }}
{{- end }}
{{- if .Values.check.podRestarts.nodeSelector }}
nodeSelector:
{{- toYaml .Values.check.podRestarts.nodeSelector | nindent 6 }}
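Review bot: with `allowPrivilegeEscalation: false` and a non-root UID in place, the remaining gap in the container securityContext is the default Linux capability set. Add a `capabilities: drop: ["ALL"]` entry, rendered from values alongside the two fields already here, so the check process starts with no capabilities at all. Nothing in the visible podSpecs suggests any check binds a privileged port or needs CAP_NET_RAW; the pod-restarts check in particular only talks to the API server.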
10 changes: 10 additions & 0 deletions deploy/helm/kuberhealthy/templates/khcheck-pod-status.yaml
@@ -8,6 +8,11 @@ spec:
runInterval: 5m
timeout: 15m
podSpec:
{{- if .Values.securityContext.enabled }}
securityContext:
runAsUser: {{ .Values.securityContext.runAsUser }}
fsGroup: {{ .Values.securityContext.fsGroup }}
{{- end}}
containers:
- env:
- name: SKIP_DURATION
@@ -27,6 +32,11 @@ spec:
requests:
cpu: 10m
memory: 50Mi
{{- if .Values.securityContext.enabled }}
securityContext:
allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation }}
readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem }}
{{- end }}
{{- if .Values.check.podStatus.nodeSelector }}
nodeSelector:
{{- toYaml .Values.check.podStatus.nodeSelector | nindent 6 }}
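Review bot: this PR changes the rendered podSpec of every khcheck but adds no check of the rendered output. A `helm template` run with `securityContext.enabled` set to true and to false, diffed against expected manifests in CI, would have caught the drift already visible in this PR: the `runAsNonRoot` value that no template consumes and the unevenly spelled `{{- end }}`.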
5 changes: 5 additions & 0 deletions deploy/helm/kuberhealthy/values.yaml
@@ -38,10 +38,15 @@ deployment:
- /app/kuberhealthy
# args:

# When enabled equals to true, runAsUser and fsGroup will be
# included to all khchecks as specified below.
securityContext:
enabled: true # if enabled is set to false, securityContext settings will not be applied at all in checker pod custom resources
runAsNonRoot: true
runAsUser: 999
fsGroup: 999
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true

# Please remember that changing the service type to LoadBalancer
# will expose Kuberhealthy to the internet, which could cause
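Review bot: the comment above `securityContext` says only `runAsUser` and `fsGroup` are injected, but the templates in this PR also render `allowPrivilegeEscalation` and `readOnlyRootFilesystem` at container level, and `runAsNonRoot: true` is listed here yet rendered by none of them. Fix the comment to list what is actually applied, and either wire `runAsNonRoot` into the templates or remove it. Separately, `enabled: true` by default changes the runtime UID and filesystem of every existing check on upgrade; call that out as a breaking change in the chart's release notes, with `securityContext.enabled: false` documented as the opt-out.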