From 635923315261a6d1d357c036e5273d64d2e5403d Mon Sep 17 00:00:00 2001
From: kota2and3kan <47254383+kota2and3kan@users.noreply.github.com>
Date: Fri, 22 Jul 2022 16:49:36 +0900
Subject: [PATCH] Add `seccompProfile` field in `securityContext` instead of annotation (#118)

---
 charts/envoy/README.md | 4 ++--
 charts/envoy/values.schema.json | 15 ++++++++++-----
 charts/envoy/values.yaml | 8 ++++----
 charts/scalardb/README.md | 4 ++--
 .../scalardb/templates/scalardb/deployment.yaml | 4 +++-
 charts/scalardb/values.schema.json | 15 ++++++++++-----
 charts/scalardb/values.yaml | 7 +++----
 charts/scalardl-audit/README.md | 2 +-
 charts/scalardl-audit/values.schema.json | 12 +++++++++++-
 charts/scalardl-audit/values.yaml | 5 +++--
 charts/scalardl/README.md | 2 +-
 charts/scalardl/values.schema.json | 12 +++++++++++-
 charts/scalardl/values.yaml | 5 +++--
 13 files changed, 64 insertions(+), 31 deletions(-)

diff --git a/charts/envoy/README.md b/charts/envoy/README.md
index 64445ff3..68f68692 100644
--- a/charts/envoy/README.md
+++ b/charts/envoy/README.md 
@@ -21,8 +21,8 @@ Current chart version is `2.0.0` | image.version | string | `"1.2.0"` | | | imagePullSecrets | list | `[]` | Optionally specify an array of imagePullSecrets. Secrets must be manually created in the namespace. | | nodeSelector | object | `{}` | nodeSelector is form of node selection constraint | -| podAnnotations | object | `{"seccomp.security.alpha.kubernetes.io/pod":"runtime/default"}` | Pod annotations for the envoy Deployment | -| podSecurityContext | object | `{}` | PodSecurityContext holds pod-level security attributes and common container settings | +| podAnnotations | object | `{}` | Pod annotations for the envoy Deployment | +| podSecurityContext | object | `{"seccompProfile":{"type":"RuntimeDefault"}}` | PodSecurityContext holds pod-level security attributes and common container settings | | podSecurityPolicy.enabled | bool | `true` | enable pod security policy | | prometheusRule.enabled | bool | `false` | enable rules for prometheus | | prometheusRule.namespace | string | `"monitoring"` | which namespace prometheus is located. by default monitoring |
diff --git a/charts/envoy/values.schema.json b/charts/envoy/values.schema.json
index 0580d015..73ccf9dd 100644
--- a/charts/envoy/values.schema.json
+++ b/charts/envoy/values.schema.json
@@ -48,16 +48,21 @@ "type": "object" }, "podAnnotations": { + "type": "object" + }, + "podSecurityContext": { "type": "object", "properties": { - "seccomp.security.alpha.kubernetes.io/pod": { - "type": "string" + "seccompProfile": { + "type": "object", + "properties": { + "type": { + "type": "string" + } + } } } }, - "podSecurityContext": { - "type": "object" - }, "podSecurityPolicy": { "type": "object", "properties": {
diff --git a/charts/envoy/values.yaml b/charts/envoy/values.yaml
index e747ca5d..7443a771 100644
--- a/charts/envoy/values.yaml
+++ b/charts/envoy/values.yaml 
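Review bot: The new `seccompProfile.type` property in the envoy values.schema.json hunk is typed only as a free-form string, so the chart schema still accepts the old annotation spelling `runtime/default` or any typo, and the mistake is only reported by the API server at install time rather than by Helm's values validation. Constraining it to the values Kubernetes defines, `"type": { "type": "string", "enum": ["RuntimeDefault", "Localhost", "Unconfined"] }`, fails fast on a bad value, and listing the companion `"localhostProfile": { "type": "string" }` under `seccompProfile` documents what `Localhost` needs. The same applies to the scalardb, scalardl-audit and scalardl values.schema.json hunks.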
@@ -28,8 +28,9 @@ strategy: type: RollingUpdate # podSecurityContext -- PodSecurityContext holds pod-level security attributes and common container settings -podSecurityContext: {} - # fsGroup: 2000 +podSecurityContext: + seccompProfile: + type: RuntimeDefault # securityContext -- Setting security context at the pod applies those settings to all containers in the pod securityContext:
@@ -45,8 +46,7 @@ securityContext: allowPrivilegeEscalation: false # podAnnotations -- Pod annotations for the envoy Deployment -podAnnotations: - seccomp.security.alpha.kubernetes.io/pod: 'runtime/default' +podAnnotations: {} service: # service.type -- service types in kubernetes
diff --git a/charts/scalardb/README.md b/charts/scalardb/README.md
index 854ecd77..6c819763 100644
--- a/charts/scalardb/README.md
+++ b/charts/scalardb/README.md 
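Review bot: The new `podSecurityContext.seccompProfile` default in the first envoy values.yaml hunk carries no note on the minimum Kubernetes version, although the pod-spec field only exists from Kubernetes 1.19 onward; on an older API server the install either fails OpenAPI validation on the unknown field or, with that validation disabled, the field is dropped and the pod runs without the seccomp protection the removed `runtime/default` annotation used to provide. A comment above the block, `# seccompProfile needs Kubernetes 1.19 or later; older API servers do not know this field, so no seccomp profile is applied there`, or a kubeVersion constraint in Chart.yaml, makes that trade-off visible to operators. The same applies to the scalardb, scalardl-audit and scalardl values.yaml hunks.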
@@ -54,8 +54,8 @@ Current chart version is `2.1.0` | scalardb.image.tag | string | `"3.4.1"` | Docker tag of the image. | | scalardb.imagePullSecrets | list | `[]` | Optionally specify an array of imagePullSecrets. Secrets must be manually created in the namespace. | | scalardb.nodeSelector | object | `{}` | nodeSelector is form of node selection constraint. | -| scalardb.podAnnotations | object | `{"seccomp.security.alpha.kubernetes.io/pod":"runtime/default"}` | Pod annotations for the scalardb deployment | -| scalardb.podSecurityContext | object | `{}` | PodSecurityContext holds pod-level security attributes and common container settings. | +| scalardb.podAnnotations | object | `{}` | Pod annotations for the scalardb deployment | +| scalardb.podSecurityContext | object | `{"seccompProfile":{"type":"RuntimeDefault"}}` | PodSecurityContext holds pod-level security attributes and common container settings. | | scalardb.podSecurityPolicy.enabled | bool | `true` | Enable pod security policy | | scalardb.prometheusRule.enabled | bool | `false` | Enable rules for prometheus. | | scalardb.prometheusRule.namespace | string | `"monitoring"` | Which namespace prometheus is located. by default monitoring. |
diff --git a/charts/scalardb/templates/scalardb/deployment.yaml b/charts/scalardb/templates/scalardb/deployment.yaml
index e3b8b0aa..51f16f8b 100644
--- a/charts/scalardb/templates/scalardb/deployment.yaml
+++ b/charts/scalardb/templates/scalardb/deployment.yaml
@@ -19,8 +19,10 @@ spec: metadata: {{- if .Values.scalardb.podAnnotations }} annotations: + checksum/config: {{ include (print $.Template.BasePath "/scalardb/configmap.yaml") . | sha256sum }} + {{- if .Values.scalardb.podAnnotations }} {{- toYaml .Values.scalardb.podAnnotations | nindent 8 }} - {{- end }} + {{- end }} labels: {{- include "scalardb.selectorLabels" . | nindent 8 }} spec:
diff --git a/charts/scalardb/values.schema.json b/charts/scalardb/values.schema.json
index 0bd36ce6..d4757ee8 100644 
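Review bot: The outer `{{- if .Values.scalardb.podAnnotations }}` context line above `annotations:` in the deployment.yaml hunk is left in place, so the new side opens two `if` blocks and closes only one within the hunk; unless an `end` outside the hunk pairs with it the template no longer parses, and if one does, everything up to that `end` becomes conditional on `podAnnotations`, which this same commit makes `{}` by default. In both cases the new `checksum/config` annotation is only rendered when a user sets `podAnnotations`, which defeats its purpose of rolling the pods when the ConfigMap changes. Dropping that guard line (`{{- if .Values.scalardb.podAnnotations }}` directly above `annotations:`) so that `annotations:` is always emitted, with the inner `if` alone wrapping the user-supplied annotations, fixes both. The enclosing Deployment template continues outside the hunk, so the pairing of the remaining `end` cannot be confirmed from here.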
--- a/charts/scalardb/values.schema.json
+++ b/charts/scalardb/values.schema.json
@@ -194,16 +194,21 @@ "type": "object" }, "podAnnotations": { + "type": "object" + }, + "podSecurityContext": { "type": "object", "properties": { - "seccomp.security.alpha.kubernetes.io/pod": { - "type": "string" + "seccompProfile": { + "type": "object", + "properties": { + "type": { + "type": "string" + } + } } } }, - "podSecurityContext": { - "type": "object" - }, "podSecurityPolicy": { "type": "object", "properties": {
diff --git a/charts/scalardb/values.yaml b/charts/scalardb/values.yaml
index ce7f34bd..60b349e4 100644
--- a/charts/scalardb/values.yaml
+++ b/charts/scalardb/values.yaml
@@ -187,8 +187,8 @@ scalardb: # -- PodSecurityContext holds pod-level security attributes and common container settings. podSecurityContext: - {} - # fsGroup: 2000 + seccompProfile: + type: RuntimeDefault # -- Setting security context at the pod applies those settings to all containers in the pod. securityContext:
@@ -204,8 +204,7 @@ scalardb: allowPrivilegeEscalation: false # -- Pod annotations for the scalardb deployment - podAnnotations: - seccomp.security.alpha.kubernetes.io/pod: 'runtime/default' + podAnnotations: {} # -- Resources allowed to the pod. resources:
diff --git a/charts/scalardl-audit/README.md b/charts/scalardl-audit/README.md
index b251db22..71508e8b 100644
--- a/charts/scalardl-audit/README.md
+++ b/charts/scalardl-audit/README.md 
@@ -25,7 +25,7 @@ Current chart version is `2.2.2` | auditor.image.version | string | `"3.4.1"` | Docker tag | | auditor.imagePullSecrets | list | `[{"name":"reg-docker-secrets"}]` | Optionally specify an array of imagePullSecrets. Secrets must be manually created in the namespace. | | auditor.nodeSelector | object | `{}` | nodeSelector is form of node selection constraint | -| auditor.podSecurityContext | object | `{}` | PodSecurityContext holds pod-level security attributes and common container settings | +| auditor.podSecurityContext | object | `{"seccompProfile":{"type":"RuntimeDefault"}}` | PodSecurityContext holds pod-level security attributes and common container settings | | auditor.prometheusRule.enabled | bool | `false` | enable rules for prometheus | | auditor.prometheusRule.namespace | string | `"monitoring"` | which namespace prometheus is located. by default monitoring | | auditor.replicaCount | int | `3` | number of replicas to deploy |
diff --git a/charts/scalardl-audit/values.schema.json b/charts/scalardl-audit/values.schema.json
index 7609fad9..9da6deba 100644
--- a/charts/scalardl-audit/values.schema.json
+++ b/charts/scalardl-audit/values.schema.json
@@ -60,7 +60,17 @@ "type": "object" }, "podSecurityContext": { - "type": "object" + "type": "object", + "properties": { + "seccompProfile": { + "type": "object", + "properties": { + "type": { + "type": "string" + } + } + } + } }, "prometheusRule": { "type": "object",
diff --git a/charts/scalardl-audit/values.yaml b/charts/scalardl-audit/values.yaml
index 34bfe7df..d6f24c28 100644
--- a/charts/scalardl-audit/values.yaml
+++ b/charts/scalardl-audit/values.yaml 
@@ -229,8 +229,9 @@ auditor: type: RollingUpdate # -- PodSecurityContext holds pod-level security attributes and common container settings - podSecurityContext: {} - # fsGroup: 2000 + podSecurityContext: + seccompProfile: + type: RuntimeDefault # -- Setting security context at the pod applies those settings to all containers in the pod securityContext:
diff --git a/charts/scalardl/README.md b/charts/scalardl/README.md
index 7fb2a933..3916a8da 100644
--- a/charts/scalardl/README.md
+++ b/charts/scalardl/README.md
@@ -56,7 +56,7 @@ Current chart version is `4.1.0` | ledger.image.version | string | `"3.3.1"` | Docker tag | | ledger.imagePullSecrets | list | `[{"name":"reg-docker-secrets"}]` | Optionally specify an array of imagePullSecrets. Secrets must be manually created in the namespace. | | ledger.nodeSelector | object | `{}` | nodeSelector is form of node selection constraint | -| ledger.podSecurityContext | object | `{}` | PodSecurityContext holds pod-level security attributes and common container settings | +| ledger.podSecurityContext | object | `{"seccompProfile":{"type":"RuntimeDefault"}}` | PodSecurityContext holds pod-level security attributes and common container settings | | ledger.prometheusRule.enabled | bool | `false` | enable rules for prometheus | | ledger.prometheusRule.namespace | string | `"monitoring"` | which namespace prometheus is located. by default monitoring | | ledger.replicaCount | int | `3` | number of replicas to deploy |
diff --git a/charts/scalardl/values.schema.json b/charts/scalardl/values.schema.json
index 71b2a5a7..4833c05d 100644
--- a/charts/scalardl/values.schema.json
+++ b/charts/scalardl/values.schema.json
@@ -213,7 +213,17 @@ "type": "object" }, "podSecurityContext": { - "type": "object" + "type": "object", + "properties": { + "seccompProfile": { + "type": "object", + "properties": { + "type": { + "type": "string" + } + } + } + } }, "prometheusRule": { "type": "object", 
diff --git a/charts/scalardl/values.yaml b/charts/scalardl/values.yaml
index da99c91b..6fdb9d86 100644
--- a/charts/scalardl/values.yaml
+++ b/charts/scalardl/values.yaml
@@ -161,8 +161,9 @@ ledger: type: RollingUpdate # -- PodSecurityContext holds pod-level security attributes and common container settings - podSecurityContext: {} - # fsGroup: 2000 + podSecurityContext: + seccompProfile: + type: RuntimeDefault # -- Setting security context at the pod applies those settings to all containers in the pod securityContext: