mirror of
https://github.com/external-secrets/external-secrets.git
synced 2024-12-15 17:51:01 +00:00
feat(helm): use good securityContext by default (#2250)
* feat(helm): use good securityContext by default Signed-off-by: Alexandre Desjardins <alexandre.bd@tutanota.com> * update helm tests in line with default securityContext Signed-off-by: Alexandre Desjardins <alexandre.bd@tutanota.com> --------- Signed-off-by: Alexandre Desjardins <alexandre.bd@tutanota.com>
This commit is contained in:
parent
0b9f33e5f7
commit
2cf9203142
4 changed files with 66 additions and 24 deletions
|
@ -64,7 +64,12 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| certController.requeueInterval | string | `"5m"` | |
|
||||
| certController.resources | object | `{}` | |
|
||||
| certController.revisionHistoryLimit | int | `10` | Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) |
|
||||
| certController.securityContext | object | `{}` | |
|
||||
| certController.securityContext.allowPrivilegeEscalation | bool | `false` | |
|
||||
| certController.securityContext.capabilities.drop[0] | string | `"ALL"` | |
|
||||
| certController.securityContext.readOnlyRootFilesystem | bool | `true` | |
|
||||
| certController.securityContext.runAsNonRoot | bool | `true` | |
|
||||
| certController.securityContext.runAsUser | int | `1000` | |
|
||||
| certController.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
|
||||
| certController.serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
|
||||
| certController.serviceAccount.automount | bool | `true` | Automounts the service account token in all containers of the pod |
|
||||
| certController.serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
|
||||
|
@ -119,7 +124,12 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| revisionHistoryLimit | int | `10` | Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) |
|
||||
| scopedNamespace | string | `""` | If set external secrets are only reconciled in the provided namespace |
|
||||
| scopedRBAC | bool | `false` | Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace and implicitly disable cluster stores and cluster external secrets |
|
||||
| securityContext | object | `{}` | |
|
||||
| securityContext.allowPrivilegeEscalation | bool | `false` | |
|
||||
| securityContext.capabilities.drop[0] | string | `"ALL"` | |
|
||||
| securityContext.readOnlyRootFilesystem | bool | `true` | |
|
||||
| securityContext.runAsNonRoot | bool | `true` | |
|
||||
| securityContext.runAsUser | int | `1000` | |
|
||||
| securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
|
||||
| serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
|
||||
| serviceAccount.automount | bool | `true` | Automounts the service account token in all containers of the pod |
|
||||
| serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
|
||||
|
@ -172,7 +182,12 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| webhook.resources | object | `{}` | |
|
||||
| webhook.revisionHistoryLimit | int | `10` | Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) |
|
||||
| webhook.secretAnnotations | object | `{}` | Annotations to add to Secret |
|
||||
| webhook.securityContext | object | `{}` | |
|
||||
| webhook.securityContext.allowPrivilegeEscalation | bool | `false` | |
|
||||
| webhook.securityContext.capabilities.drop[0] | string | `"ALL"` | |
|
||||
| webhook.securityContext.readOnlyRootFilesystem | bool | `true` | |
|
||||
| webhook.securityContext.runAsNonRoot | bool | `true` | |
|
||||
| webhook.securityContext.runAsUser | int | `1000` | |
|
||||
| webhook.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
|
||||
| webhook.serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
|
||||
| webhook.serviceAccount.automount | bool | `true` | Automounts the service account token in all containers of the pod |
|
||||
| webhook.serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
|
||||
|
|
|
@ -35,4 +35,14 @@ should match snapshot of default values:
|
|||
- containerPort: 8080
|
||||
name: metrics
|
||||
protocol: TCP
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
serviceAccountName: RELEASE-NAME-external-secrets
|
||||
|
|
|
@ -31,4 +31,12 @@ tests:
|
|||
- equal:
|
||||
path: spec.template.spec.containers[0].securityContext
|
||||
value:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 3000
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
|
|
|
@ -106,13 +106,16 @@ podLabels: {}
|
|||
podSecurityContext: {}
|
||||
# fsGroup: 2000
|
||||
|
||||
securityContext: {}
|
||||
# capabilities:
|
||||
# drop:
|
||||
# - ALL
|
||||
# readOnlyRootFilesystem: true
|
||||
# runAsNonRoot: true
|
||||
# runAsUser: 1000
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
|
||||
resources: {}
|
||||
# requests:
|
||||
|
@ -314,13 +317,16 @@ webhook:
|
|||
podSecurityContext: {}
|
||||
# fsGroup: 2000
|
||||
|
||||
securityContext: {}
|
||||
# capabilities:
|
||||
# drop:
|
||||
# - ALL
|
||||
# readOnlyRootFilesystem: true
|
||||
# runAsNonRoot: true
|
||||
# runAsUser: 1000
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
|
||||
resources: {}
|
||||
# requests:
|
||||
|
@ -430,13 +436,16 @@ certController:
|
|||
podSecurityContext: {}
|
||||
# fsGroup: 2000
|
||||
|
||||
securityContext: {}
|
||||
# capabilities:
|
||||
# drop:
|
||||
# - ALL
|
||||
# readOnlyRootFilesystem: true
|
||||
# runAsNonRoot: true
|
||||
# runAsUser: 1000
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
|
||||
resources: {}
|
||||
# requests:
|
||||
|
|
Loading…
Reference in a new issue