From d801bca611524705ecac731d5ab1a73e0f313759 Mon Sep 17 00:00:00 2001 From: Johannes Edmeier Date: Fri, 6 Dec 2024 14:47:18 +0100 Subject: [PATCH] refa: avoid hard-coded uid in helm chart In order to improve installation on openshift, we need to avoid the hard-coded uid/gid in the helm chart --- .../steadybit-extension-newrelic/Chart.yaml | 2 +- .../templates/deployment.yaml | 11 +-- .../__snapshot__/deployment_test.yaml.snap | 69 +++++++++++-------- .../steadybit-extension-newrelic/values.yaml | 14 +++- 4 files changed, 55 insertions(+), 41 deletions(-) diff --git a/charts/steadybit-extension-newrelic/Chart.yaml b/charts/steadybit-extension-newrelic/Chart.yaml index 83fe5f3..62fb58d 100644 --- a/charts/steadybit-extension-newrelic/Chart.yaml +++ b/charts/steadybit-extension-newrelic/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: steadybit-extension-newrelic description: Steadybit newrelic extension Helm chart for Kubernetes. -version: 1.1.5 +version: 1.1.6 appVersion: v1.0.7 home: https://www.steadybit.com/ icon: https://steadybit-website-assets.s3.amazonaws.com/logo-symbol-transparent.png diff --git a/charts/steadybit-extension-newrelic/templates/deployment.yaml b/charts/steadybit-extension-newrelic/templates/deployment.yaml index 0606238..c87fef8 100644 --- a/charts/steadybit-extension-newrelic/templates/deployment.yaml +++ b/charts/steadybit-extension-newrelic/templates/deployment.yaml @@ -97,15 +97,10 @@ spec: httpGet: path: /health/readiness port: 8091 + {{- with .Values.containerSecurityContext }} securityContext: - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 10000 - runAsGroup: 10000 - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL + {{- toYaml . | nindent 12 }} + {{- end }} volumes: {{- include "extensionlib.deployment.volumes" (list .) | nindent 8 }} serviceAccountName: {{ .Values.serviceAccount.name }} diff --git a/charts/steadybit-extension-newrelic/tests/__snapshot__/deployment_test.yaml.snap b/charts/steadybit-extension-newrelic/tests/__snapshot__/deployment_test.yaml.snap index e70281e..e3d184b 100644 --- a/charts/steadybit-extension-newrelic/tests/__snapshot__/deployment_test.yaml.snap +++ b/charts/steadybit-extension-newrelic/tests/__snapshot__/deployment_test.yaml.snap @@ -80,10 +80,11 @@ manifest should match snapshot using podAnnotations and Labels: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 10000 - runAsNonRoot: true - runAsUser: 10000 volumeMounts: null + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-extension-newrelic volumes: null manifest should match snapshot with TLS: @@ -170,13 +171,14 @@ manifest should match snapshot with TLS: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 10000 - runAsNonRoot: true - runAsUser: 10000 volumeMounts: - mountPath: /etc/extension/certificates/server-cert name: certificate-server-cert readOnly: true + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-extension-newrelic volumes: - name: certificate-server-cert @@ -270,10 +272,11 @@ manifest should match snapshot with extra env vars: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 10000 - runAsNonRoot: true - runAsUser: 10000 volumeMounts: null + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-extension-newrelic volumes: null manifest should match snapshot with extra labels: @@ -358,10 +361,11 @@ manifest should match snapshot with extra labels: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 10000 - runAsNonRoot: true - runAsUser: 10000 volumeMounts: null + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-extension-newrelic volumes: null manifest should match snapshot with mutual TLS: @@ -450,9 +454,6 @@ manifest should match snapshot with mutual TLS: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 10000 - runAsNonRoot: true - runAsUser: 10000 volumeMounts: - mountPath: /etc/extension/certificates/client-cert-a name: certificate-client-cert-a @@ -460,6 +461,10 @@ manifest should match snapshot with mutual TLS: - mountPath: /etc/extension/certificates/server-cert name: certificate-server-cert readOnly: true + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-extension-newrelic volumes: - name: certificate-client-cert-a @@ -556,10 +561,11 @@ manifest should match snapshot with mutual TLS using containerPaths: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 10000 - runAsNonRoot: true - runAsUser: 10000 volumeMounts: null + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-extension-newrelic volumes: null manifest should match snapshot with numeric account id: @@ -642,10 +648,11 @@ manifest should match snapshot with numeric account id: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 10000 - runAsNonRoot: true - runAsUser: 10000 volumeMounts: null + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-extension-newrelic volumes: null manifest should match snapshot with podSecurityContext: @@ -728,12 +735,12 @@ manifest should match snapshot with podSecurityContext: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 10000 - runAsNonRoot: true - runAsUser: 10000 volumeMounts: null securityContext: + runAsNonRoot: true runAsUser: 2222 + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-extension-newrelic volumes: null manifest should match snapshot with priority class: @@ -816,11 +823,12 @@ manifest should match snapshot with priority class: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 10000 - runAsNonRoot: true - runAsUser: 10000 volumeMounts: null priorityClassName: my-priority-class + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-extension-newrelic volumes: null manifest should match snapshot without TLS: @@ -903,9 +911,10 @@ manifest should match snapshot without TLS: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 10000 - runAsNonRoot: true - runAsUser: 10000 volumeMounts: null + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-extension-newrelic volumes: null diff --git a/charts/steadybit-extension-newrelic/values.yaml b/charts/steadybit-extension-newrelic/values.yaml index 0b6bb48..41f8cbc 100644 --- a/charts/steadybit-extension-newrelic/values.yaml +++ b/charts/steadybit-extension-newrelic/values.yaml @@ -112,8 +112,18 @@ affinity: {} priorityClassName: null # podSecurityContext -- SecurityContext to apply to the pod. -podSecurityContext: {} - +podSecurityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + +# containerSecurityContext -- SecurityContext to apply to the container. +containerSecurityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL # extraEnv -- Array with extra environment variables to add to the container # e.g: # extraEnv: