Memcached securityContext

securityContext with readOnlyRootFilesystem is implemented at the container
level, leveraging the helm-toolkit snippet

Change-Id: I8b16e9c17154a2bac162f31939b510fcd773126b
Rahul Khiyani 2019-03-12 18:35:32 -04:00
parent 77b37ca520
commit 2b84120034
3 changed files with 14 additions and 8 deletions


@ -59,6 +59,7 @@ spec:
- name: memcached
{{ tuple $envAll "memcached" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "server" "container" "memcached" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env:
- name: MEMCACHED_PORT
value: {{ tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
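Review bot: The memcached container's security context is now looked up in values under application `server`, container `memcached`, and the values section further down this page gives that entry only `readOnlyRootFilesystem: true`, while the exporter entry also carries `allowPrivilegeEscalation: false`. Adding `allowPrivilegeEscalation: false` under the `memcached` container entry would give the server the same baseline as the exporter. With a read-only root filesystem it is also worth confirming that every path memcached or its start script writes to is backed by a mounted volume; the volume mounts are not in this hunk, so that cannot be checked here. The container spec begins before and continues past the hunk.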


@ -53,8 +53,7 @@ spec:
image: {{ .Values.images.tags.prometheus_memcached_exporter }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.prometheus_memcached_exporter | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
{{ dict "envAll" $envAll "application" "memcached_exporter" "container" "memcached_exporter" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/memcached-exporter.sh
- start
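Review bot: The exporter's `allowPrivilegeEscalation: false` was previously fixed in the template and, after this change, exists only as a values default, so a deployment override can remove it without touching the template. If that flexibility is intended, a template comment above the include such as `{{/* hardening defaults come from the memcached_exporter security_context entry in values.yaml; keep allowPrivilegeEscalation false */}}` would make the dependency visible to the next editor. A render check asserting that the exporter container still has `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` with default values would catch a mismatch between the `application`/`container` arguments and the values keys, which presumably renders no securityContext at all rather than failing. The container spec starts before and continues past this hunk.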


@ -144,13 +144,19 @@ manifests:
service_exporter: true
pod:
user:
security_context:
memcached_exporter:
uid: 65534
server:
uid: 65534
securityContext:
pod:
runAsUser: 65534
container:
memcached_exporter:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
server:
pod:
runAsUser: 65534
container:
memcached:
readOnlyRootFilesystem: true
affinity:
anti: