
update pod security context and ports

This commit is contained in:
Jim Bugwadia 2020-10-22 11:26:22 -07:00
parent 8577bed097
commit 022c227bce
6 changed files with 88 additions and 24 deletions


@ -41,6 +41,15 @@ spec:
- name: kyverno-pre
image: {{ .Values.initImage.repository }}:{{ default .Chart.AppVersion (default .Values.image.tag .Values.initImage.tag) }}
imagePullPolicy: {{ default .Values.image.pullPolicy .Values.initImage.pullPolicy }}
securityContext:
runAsUser: 1000
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- all
containers:
- name: kyverno
image: {{ .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }}
@ -51,8 +60,17 @@ spec:
{{- with .Values.resources }}
resources: {{ tpl (toYaml .) $ | nindent 12 }}
{{- end }}
securityContext:
runAsUser: 1000
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- all
ports:
- containerPort: 443
- containerPort: 9443
name: https
protocol: TCP
env:
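Review bot: The hardened securityContext is hard-coded into both containers, while `resources` a few lines above is rendered from `.Values.resources`; a chart user on a cluster with a different admission policy or a different image uid has no way to adjust it without forking the template. Keep the hardened block as the default in values.yaml and render it the same way as resources: `{{- with .Values.securityContext }}` / `securityContext: {{ tpl (toYaml .) $ | nindent 12 }}` / `{{- end }}`. The port move to 9443 is required, not optional — uid 1000 with every capability dropped cannot bind 443 — but the chart's liveness/readiness probes are outside this hunk and are not touched by the commit; if they still say `port: 443` the pod never becomes ready, so point them at the named port with `port: https`, which also matches the Service's `targetPort: https`.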


@ -1043,7 +1043,7 @@ metadata:
spec:
ports:
- port: 443
targetPort: 9443
targetPort: https
selector:
app: kyverno
---
@ -1064,9 +1064,6 @@ spec:
labels:
app: kyverno
spec:
hostNetwork: false
hostPID: false
hostIPC: false
containers:
- args:
- --filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]
@ -1080,13 +1077,13 @@ spec:
fieldPath: metadata.namespace
- name: KYVERNO_SVC
value: kyverno-svc
image: nirmata/kyverno:v1.2.0-22-g704e1aad
imagePullPolicy: Never
image: nirmata/kyverno:v1.2.0
imagePullPolicy: Always
livenessProbe:
failureThreshold: 4
httpGet:
path: /health/liveness
port: 9443
port: 443
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10
@ -1095,11 +1092,13 @@ spec:
name: kyverno
ports:
- containerPort: 9443
name: https
protocol: TCP
readinessProbe:
failureThreshold: 4
httpGet:
path: /health/readiness
port: 9443
port: 443
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10
@ -1112,23 +1111,27 @@ spec:
cpu: 100m
memory: 50Mi
securityContext:
runAsUser: 1000
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
capabilities:
drop:
- all
- all
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
initContainers:
- image: nirmata/kyvernopre:v1.2.0
imagePullPolicy: Always
name: kyverno-pre
securityContext:
runAsUser: 1000
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
capabilities:
drop:
- all
- all
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
securityContext:
runAsNonRoot: true
serviceAccountName: kyverno-service-account
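Review bot: The `port:` lines under livenessProbe and readinessProbe in this section flip between 9443 and 443 while `containerPort: 9443` is unchanged context, so on one side of this change both probes target a port the container does not expose; the rendered page does not preserve which side is new, but a container that runs as uid 1000 with all capabilities dropped cannot bind 443, so any probe on 443 will fail. Referencing the named port removes the mismatch and keeps the probes aligned with the Service's `targetPort: https`: `port: https`. Dropping the explicit `hostNetwork: false` / `hostPID: false` / `hostIPC: false` lines is behavior-neutral since those are the defaults, but they documented intent for anyone auditing the manifest and cost nothing to keep.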


@ -1043,6 +1043,6 @@ metadata:
spec:
ports:
- port: 443
targetPort: 443
targetPort: https
selector:
app: kyverno


@ -14,7 +14,7 @@ metadata:
spec:
ports:
- port: 443
targetPort: 443
targetPort: https
selector:
app: kyverno
---
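Review bot: `targetPort: https` only resolves if the Deployment this Service selects names its container port `https`; that Deployment is not in this hunk, so confirm it receives the `name: https` entry elsewhere in the commit — otherwise the Service has no matching endpoint port and the admission webhook becomes unreachable. Moving to a named port is the right direction (the number can change again without touching the Service), but the two files must land together.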


@ -17,13 +17,24 @@ spec:
app: kyverno
spec:
serviceAccountName: kyverno-service-account
securityContext:
runAsNonRoot: true
initContainers:
- name: kyverno-pre
image: nirmata/kyvernopre:v1.1.9
imagePullPolicy: Always
securityContext:
runAsUser: 1000
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- all
containers:
- name: kyverno
image: nirmata/kyverno:v1.1.9
image: nirmata/kyverno:latest
imagePullPolicy: Always
args:
- "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]"
@ -33,7 +44,9 @@ spec:
# - "--profile"
- "-v=2"
ports:
- containerPort: 443
- containerPort: 9443
name: https
protocol: TCP
env:
- name: INIT_CONFIG
value: init-config
@ -43,6 +56,15 @@ spec:
fieldPath: metadata.namespace
- name: KYVERNO_SVC
value: kyverno-svc
securityContext:
runAsUser: 1000
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- all
resources:
requests:
memory: "50Mi"
@ -69,4 +91,3 @@ spec:
timeoutSeconds: 5
failureThreshold: 4
successThreshold: 1
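Review bot: The kyverno container image changes between `nirmata/kyverno:v1.1.9` and `nirmata/kyverno:latest` with `imagePullPolicy: Always`; if `latest` is the resulting value (the rendered page does not preserve which side is new), every pod restart re-pulls a mutable tag, so the code enforcing cluster policy can change without any manifest change — a supply-chain and reproducibility concern for an admission controller. Pin it to a release tag or a digest, e.g. `image: nirmata/kyverno:v1.2.0` as the other manifests in this commit do, and move the init container off `kyvernopre:v1.1.9` to the same version to avoid skew. Minor: `drop: - all` works in practice, but the Kubernetes documentation spells the wildcard `ALL`; using that form avoids depending on the runtime's case handling.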


@ -1043,7 +1043,7 @@ metadata:
spec:
ports:
- port: 443
targetPort: 443
targetPort: https
selector:
app: kyverno
---
@ -1091,7 +1091,9 @@ spec:
timeoutSeconds: 5
name: kyverno
ports:
- containerPort: 443
- containerPort: 9443
name: https
protocol: TCP
readinessProbe:
failureThreshold: 4
httpGet:
@ -1108,8 +1110,28 @@ spec:
requests:
cpu: 100m
memory: 50Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
initContainers:
- image: nirmata/kyvernopre:v1.2.0
imagePullPolicy: Always
name: kyverno-pre
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
securityContext:
runAsNonRoot: true
serviceAccountName: kyverno-service-account
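Review bot: `containerPort` moves from 443 to 9443 for the kyverno container, but the liveness and readiness probe `port:` lines of this file are outside the hunks and therefore untouched by the commit; if they still reference 443 — the old container port — the container, which now runs as uid 1000 with all capabilities dropped and cannot bind 443, will fail both probes. Use the named port, `port: https`, which also matches the Service's `targetPort: https` changed at the top of this section. Separately, `readOnlyRootFilesystem: true` is a good default, but if either container writes to its filesystem at runtime (temporary files, generated TLS material) that path needs an `emptyDir` mount; worth confirming against the binary before release.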