Add seccompProfile field in securityContext instead of annotation (…

…#118)
scalar-labs · Aug 4, 2022 · 6359233 · 6359233
1 parent 524b49b
commit 6359233
Show file tree

Hide file tree

Showing 13 changed files with 64 additions and 31 deletions.
diff --git a/charts/envoy/README.md b/charts/envoy/README.md
@@ -21,8 +21,8 @@ Current chart version is `2.0.0`
 | image.version | string | `"1.2.0"` |  |
 | imagePullSecrets | list | `[]` | Optionally specify an array of imagePullSecrets. Secrets must be manually created in the namespace. |
 | nodeSelector | object | `{}` | nodeSelector is form of node selection constraint |
-| podAnnotations | object | `{"seccomp.security.alpha.kubernetes.io/pod":"runtime/default"}` | Pod annotations for the envoy Deployment |
-| podSecurityContext | object | `{}` | PodSecurityContext holds pod-level security attributes and common container settings |
+| podAnnotations | object | `{}` | Pod annotations for the envoy Deployment |
+| podSecurityContext | object | `{"seccompProfile":{"type":"RuntimeDefault"}}` | PodSecurityContext holds pod-level security attributes and common container settings |
 | podSecurityPolicy.enabled | bool | `true` | enable pod security policy |
 | prometheusRule.enabled | bool | `false` | enable rules for prometheus |
 | prometheusRule.namespace | string | `"monitoring"` | which namespace prometheus is located. by default monitoring |

diff --git a/charts/envoy/values.schema.json b/charts/envoy/values.schema.json
@@ -48,16 +48,21 @@
             "type": "object"
         },
         "podAnnotations": {
+            "type": "object"
+        },
+        "podSecurityContext": {
             "type": "object",
             "properties": {
-                "seccomp.security.alpha.kubernetes.io/pod": {
-                    "type": "string"
+                "seccompProfile": {
+                    "type": "object",
+                    "properties": {
+                        "type": {
+                            "type": "string"
+                        }
+                    }
                 }
             }
         },
-        "podSecurityContext": {
-            "type": "object"
-        },
         "podSecurityPolicy": {
             "type": "object",
             "properties": {

diff --git a/charts/envoy/values.yaml b/charts/envoy/values.yaml
@@ -28,8 +28,9 @@ strategy:
   type: RollingUpdate
 
 # podSecurityContext -- PodSecurityContext holds pod-level security attributes and common container settings
-podSecurityContext: {}
-  # fsGroup: 2000
+podSecurityContext:
+  seccompProfile:
+    type: RuntimeDefault
 
 # securityContext -- Setting security context at the pod applies those settings to all containers in the pod
 securityContext:
@@ -45,8 +46,7 @@ securityContext:
   allowPrivilegeEscalation: false
 
 # podAnnotations -- Pod annotations for the envoy Deployment
-podAnnotations:
-  seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
+podAnnotations: {}
 
 service:
   # service.type -- service types in kubernetes

diff --git a/charts/scalardb/README.md b/charts/scalardb/README.md
@@ -54,8 +54,8 @@ Current chart version is `2.1.0`
 | scalardb.image.tag | string | `"3.4.1"` | Docker tag of the image. |
 | scalardb.imagePullSecrets | list | `[]` | Optionally specify an array of imagePullSecrets. Secrets must be manually created in the namespace. |
 | scalardb.nodeSelector | object | `{}` | nodeSelector is form of node selection constraint. |
-| scalardb.podAnnotations | object | `{"seccomp.security.alpha.kubernetes.io/pod":"runtime/default"}` | Pod annotations for the scalardb deployment |
-| scalardb.podSecurityContext | object | `{}` | PodSecurityContext holds pod-level security attributes and common container settings. |
+| scalardb.podAnnotations | object | `{}` | Pod annotations for the scalardb deployment |
+| scalardb.podSecurityContext | object | `{"seccompProfile":{"type":"RuntimeDefault"}}` | PodSecurityContext holds pod-level security attributes and common container settings. |
 | scalardb.podSecurityPolicy.enabled | bool | `true` | Enable pod security policy |
 | scalardb.prometheusRule.enabled | bool | `false` | Enable rules for prometheus. |
 | scalardb.prometheusRule.namespace | string | `"monitoring"` | Which namespace prometheus is located. by default monitoring. |

diff --git a/charts/scalardb/templates/scalardb/deployment.yaml b/charts/scalardb/templates/scalardb/deployment.yaml
@@ -19,8 +19,10 @@ spec:
     metadata:
     {{- if .Values.scalardb.podAnnotations }}
       annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/scalardb/configmap.yaml") . | sha256sum }}
+        {{- if .Values.scalardb.podAnnotations }}
         {{- toYaml .Values.scalardb.podAnnotations | nindent 8 }}
-    {{- end }}
+        {{- end }}
       labels:
         {{- include "scalardb.selectorLabels" . | nindent 8 }}
     spec:

diff --git a/charts/scalardb/values.schema.json b/charts/scalardb/values.schema.json
@@ -194,16 +194,21 @@
                     "type": "object"
                 },
                 "podAnnotations": {
+                    "type": "object"
+                },
+                "podSecurityContext": {
                     "type": "object",
                     "properties": {
-                        "seccomp.security.alpha.kubernetes.io/pod": {
-                            "type": "string"
+                        "seccompProfile": {
+                            "type": "object",
+                            "properties": {
+                                "type": {
+                                    "type": "string"
+                                }
+                            }
                         }
                     }
                 },
-                "podSecurityContext": {
-                    "type": "object"
-                },
                 "podSecurityPolicy": {
                     "type": "object",
                     "properties": {

diff --git a/charts/scalardb/values.yaml b/charts/scalardb/values.yaml
@@ -187,8 +187,8 @@ scalardb:
 
   # -- PodSecurityContext holds pod-level security attributes and common container settings.
   podSecurityContext:
-    {}
-    # fsGroup: 2000
+    seccompProfile:
+      type: RuntimeDefault
 
   # -- Setting security context at the pod applies those settings to all containers in the pod.
   securityContext:
@@ -204,8 +204,7 @@ scalardb:
     allowPrivilegeEscalation: false
 
   # -- Pod annotations for the scalardb deployment
-  podAnnotations:
-    seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
+  podAnnotations: {}
 
   # -- Resources allowed to the pod.
   resources:

diff --git a/charts/scalardl-audit/README.md b/charts/scalardl-audit/README.md
@@ -25,7 +25,7 @@ Current chart version is `2.2.2`
 | auditor.image.version | string | `"3.4.1"` | Docker tag |
 | auditor.imagePullSecrets | list | `[{"name":"reg-docker-secrets"}]` | Optionally specify an array of imagePullSecrets. Secrets must be manually created in the namespace. |
 | auditor.nodeSelector | object | `{}` | nodeSelector is form of node selection constraint |
-| auditor.podSecurityContext | object | `{}` | PodSecurityContext holds pod-level security attributes and common container settings |
+| auditor.podSecurityContext | object | `{"seccompProfile":{"type":"RuntimeDefault"}}` | PodSecurityContext holds pod-level security attributes and common container settings |
 | auditor.prometheusRule.enabled | bool | `false` | enable rules for prometheus |
 | auditor.prometheusRule.namespace | string | `"monitoring"` | which namespace prometheus is located. by default monitoring |
 | auditor.replicaCount | int | `3` | number of replicas to deploy |

diff --git a/charts/scalardl-audit/values.schema.json b/charts/scalardl-audit/values.schema.json
@@ -60,7 +60,17 @@
                     "type": "object"
                 },
                 "podSecurityContext": {
-                    "type": "object"
+                    "type": "object",
+                    "properties": {
+                        "seccompProfile": {
+                            "type": "object",
+                            "properties": {
+                                "type": {
+                                    "type": "string"
+                                }
+                            }
+                        }
+                    }
                 },
                 "prometheusRule": {
                     "type": "object",

diff --git a/charts/scalardl-audit/values.yaml b/charts/scalardl-audit/values.yaml
@@ -229,8 +229,9 @@ auditor:
     type: RollingUpdate
 
   # -- PodSecurityContext holds pod-level security attributes and common container settings
-  podSecurityContext: {}
-    # fsGroup: 2000
+  podSecurityContext:
+    seccompProfile:
+      type: RuntimeDefault
 
   # -- Setting security context at the pod applies those settings to all containers in the pod
   securityContext:

diff --git a/charts/scalardl/README.md b/charts/scalardl/README.md
@@ -56,7 +56,7 @@ Current chart version is `4.1.0`
 | ledger.image.version | string | `"3.3.1"` | Docker tag |
 | ledger.imagePullSecrets | list | `[{"name":"reg-docker-secrets"}]` | Optionally specify an array of imagePullSecrets. Secrets must be manually created in the namespace. |
 | ledger.nodeSelector | object | `{}` | nodeSelector is form of node selection constraint |
-| ledger.podSecurityContext | object | `{}` | PodSecurityContext holds pod-level security attributes and common container settings |
+| ledger.podSecurityContext | object | `{"seccompProfile":{"type":"RuntimeDefault"}}` | PodSecurityContext holds pod-level security attributes and common container settings |
 | ledger.prometheusRule.enabled | bool | `false` | enable rules for prometheus |
 | ledger.prometheusRule.namespace | string | `"monitoring"` | which namespace prometheus is located. by default monitoring |
 | ledger.replicaCount | int | `3` | number of replicas to deploy |

diff --git a/charts/scalardl/values.schema.json b/charts/scalardl/values.schema.json
@@ -213,7 +213,17 @@
                     "type": "object"
                 },
                 "podSecurityContext": {
-                    "type": "object"
+                    "type": "object",
+                    "properties": {
+                        "seccompProfile": {
+                            "type": "object",
+                            "properties": {
+                                "type": {
+                                    "type": "string"
+                                }
+                            }
+                        }
+                    }
                 },
                 "prometheusRule": {
                     "type": "object",

diff --git a/charts/scalardl/values.yaml b/charts/scalardl/values.yaml
@@ -161,8 +161,9 @@ ledger:
     type: RollingUpdate
 
   # -- PodSecurityContext holds pod-level security attributes and common container settings
-  podSecurityContext: {}
-    # fsGroup: 2000
+  podSecurityContext:
+    seccompProfile:
+      type: RuntimeDefault
 
   # -- Setting security context at the pod applies those settings to all containers in the pod
   securityContext: