1
0
Fork 0
mirror of https://github.com/external-secrets/external-secrets.git synced 2024-12-15 17:51:01 +00:00

feat(helm): use good securityContext by default (#2250)

* feat(helm): use good securityContext by default

Signed-off-by: Alexandre Desjardins <alexandre.bd@tutanota.com>

* update helm tests in line with default securityContext

Signed-off-by: Alexandre Desjardins <alexandre.bd@tutanota.com>

---------

Signed-off-by: Alexandre Desjardins <alexandre.bd@tutanota.com>
This commit is contained in:
Alexandre Desjardins 2023-04-24 14:34:43 -04:00 committed by GitHub
parent 0b9f33e5f7
commit 2cf9203142
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 66 additions and 24 deletions

View file

@ -64,7 +64,12 @@ The command removes all the Kubernetes components associated with the chart and
| certController.requeueInterval | string | `"5m"` | |
| certController.resources | object | `{}` | |
| certController.revisionHistoryLimit | int | `10` | Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) |
| certController.securityContext | object | `{}` | |
| certController.securityContext.allowPrivilegeEscalation | bool | `false` | |
| certController.securityContext.capabilities.drop[0] | string | `"ALL"` | |
| certController.securityContext.readOnlyRootFilesystem | bool | `true` | |
| certController.securityContext.runAsNonRoot | bool | `true` | |
| certController.securityContext.runAsUser | int | `1000` | |
| certController.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| certController.serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
| certController.serviceAccount.automount | bool | `true` | Automounts the service account token in all containers of the pod |
| certController.serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
@ -119,7 +124,12 @@ The command removes all the Kubernetes components associated with the chart and
| revisionHistoryLimit | int | `10` | Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) |
| scopedNamespace | string | `""` | If set external secrets are only reconciled in the provided namespace |
| scopedRBAC | bool | `false` | Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace and implicitly disable cluster stores and cluster external secrets |
| securityContext | object | `{}` | |
| securityContext.allowPrivilegeEscalation | bool | `false` | |
| securityContext.capabilities.drop[0] | string | `"ALL"` | |
| securityContext.readOnlyRootFilesystem | bool | `true` | |
| securityContext.runAsNonRoot | bool | `true` | |
| securityContext.runAsUser | int | `1000` | |
| securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
| serviceAccount.automount | bool | `true` | Automounts the service account token in all containers of the pod |
| serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
@ -172,7 +182,12 @@ The command removes all the Kubernetes components associated with the chart and
| webhook.resources | object | `{}` | |
| webhook.revisionHistoryLimit | int | `10` | Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) |
| webhook.secretAnnotations | object | `{}` | Annotations to add to Secret |
| webhook.securityContext | object | `{}` | |
| webhook.securityContext.allowPrivilegeEscalation | bool | `false` | |
| webhook.securityContext.capabilities.drop[0] | string | `"ALL"` | |
| webhook.securityContext.readOnlyRootFilesystem | bool | `true` | |
| webhook.securityContext.runAsNonRoot | bool | `true` | |
| webhook.securityContext.runAsUser | int | `1000` | |
| webhook.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| webhook.serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
| webhook.serviceAccount.automount | bool | `true` | Automounts the service account token in all containers of the pod |
| webhook.serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |

View file

@ -35,4 +35,14 @@ should match snapshot of default values:
- containerPort: 8080
name: metrics
protocol: TCP
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
serviceAccountName: RELEASE-NAME-external-secrets

View file

@ -31,4 +31,12 @@ tests:
- equal:
path: spec.template.spec.containers[0].securityContext
value:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 3000
seccompProfile:
type: RuntimeDefault

View file

@ -106,13 +106,16 @@ podLabels: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
resources: {}
# requests:
@ -314,13 +317,16 @@ webhook:
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
resources: {}
# requests:
@ -430,13 +436,16 @@ certController:
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
resources: {}
# requests: