Add seccompProfile field in securityContext instead of annotation (…

…#118)
scalar-labs · Aug 4, 2022 · 6a5ee36 · 6a5ee36
1 parent ebff947
commit 6a5ee36
Show file tree

Hide file tree

Showing 13 changed files with 888 additions and 27 deletions.
diff --git a/charts/envoy/README.md b/charts/envoy/README.md
@@ -21,8 +21,8 @@ Current chart version is `2.1.0`
 | image.version | string | `"1.3.0"` |  |
 | imagePullSecrets | list | `[]` | Optionally specify an array of imagePullSecrets. Secrets must be manually created in the namespace. |
 | nodeSelector | object | `{}` | nodeSelector is form of node selection constraint |
-| podAnnotations | object | `{"seccomp.security.alpha.kubernetes.io/pod":"runtime/default"}` | Pod annotations for the envoy Deployment |
-| podSecurityContext | object | `{}` | PodSecurityContext holds pod-level security attributes and common container settings |
+| podAnnotations | object | `{}` | Pod annotations for the envoy Deployment |
+| podSecurityContext | object | `{"seccompProfile":{"type":"RuntimeDefault"}}` | PodSecurityContext holds pod-level security attributes and common container settings |
 | podSecurityPolicy.enabled | bool | `true` | enable pod security policy |
 | prometheusRule.enabled | bool | `false` | enable rules for prometheus |
 | prometheusRule.namespace | string | `"monitoring"` | which namespace prometheus is located. by default monitoring |

diff --git a/charts/envoy/values.schema.json b/charts/envoy/values.schema.json
@@ -48,16 +48,21 @@
             "type": "object"
         },
         "podAnnotations": {
+            "type": "object"
+        },
+        "podSecurityContext": {
             "type": "object",
             "properties": {
-                "seccomp.security.alpha.kubernetes.io/pod": {
-                    "type": "string"
+                "seccompProfile": {
+                    "type": "object",
+                    "properties": {
+                        "type": {
+                            "type": "string"
+                        }
+                    }
                 }
             }
         },
-        "podSecurityContext": {
-            "type": "object"
-        },
         "podSecurityPolicy": {
             "type": "object",
             "properties": {

diff --git a/charts/envoy/values.yaml b/charts/envoy/values.yaml
@@ -28,8 +28,9 @@ strategy:
   type: RollingUpdate
 
 # podSecurityContext -- PodSecurityContext holds pod-level security attributes and common container settings
-podSecurityContext: {}
-  # fsGroup: 2000
+podSecurityContext:
+  seccompProfile:
+    type: RuntimeDefault
 
 # securityContext -- Setting security context at the pod applies those settings to all containers in the pod
 securityContext:
@@ -43,8 +44,7 @@ securityContext:
   allowPrivilegeEscalation: false
 
 # podAnnotations -- Pod annotations for the envoy Deployment
-podAnnotations:
-  seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
+podAnnotations: {}
 
 service:
   # service.type -- service types in kubernetes

diff --git a/charts/scalardb/README.md b/charts/scalardb/README.md
@@ -54,7 +54,9 @@ Current chart version is `1.3.0`
 | scalardb.image.tag | string | `"3.4.0"` | Docker tag of the image. |
 | scalardb.imagePullSecrets | list | `[]` | Optionally specify an array of imagePullSecrets. Secrets must be manually created in the namespace. |
 | scalardb.nodeSelector | object | `{}` | nodeSelector is form of node selection constraint. |
-| scalardb.podSecurityContext | object | `{}` | PodSecurityContext holds pod-level security attributes and common container settings. |
+| scalardb.podAnnotations | object | `{}` | Pod annotations for the scalardb deployment |
+| scalardb.podSecurityContext | object | `{"seccompProfile":{"type":"RuntimeDefault"}}` | PodSecurityContext holds pod-level security attributes and common container settings. |
+| scalardb.podSecurityPolicy.enabled | bool | `true` | Enable pod security policy |
 | scalardb.prometheusRule.enabled | bool | `false` | Enable rules for prometheus. |
 | scalardb.prometheusRule.namespace | string | `"monitoring"` | Which namespace prometheus is located. by default monitoring. |
 | scalardb.replicaCount | int | `3` | Default values for number of replicas. |

diff --git a/charts/scalardb/templates/scalardb/deployment.yaml b/charts/scalardb/templates/scalardb/deployment.yaml
@@ -17,6 +17,11 @@ spec:
   {{- end }}
   template:
     metadata:
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/scalardb/configmap.yaml") . | sha256sum }}
+        {{- if .Values.scalardb.podAnnotations }}
+        {{- toYaml .Values.scalardb.podAnnotations | nindent 8 }}
+        {{- end }}
       labels:
         {{- include "scalardb.selectorLabels" . | nindent 8 }}
     spec:

diff --git a/charts/scalardb/values.schema.json b/charts/scalardb/values.schema.json
@@ -197,16 +197,21 @@
                     "type": "object"
                 },
                 "podAnnotations": {
+                    "type": "object"
+                },
+                "podSecurityContext": {
                     "type": "object",
                     "properties": {
-                        "seccomp.security.alpha.kubernetes.io/pod": {
-                            "type": "string"
+                        "seccompProfile": {
+                            "type": "object",
+                            "properties": {
+                                "type": {
+                                    "type": "string"
+                                }
+                            }
                         }
                     }
                 },
-                "podSecurityContext": {
-                    "type": "object"
-                },
                 "podSecurityPolicy": {
                     "type": "object",
                     "properties": {

diff --git a/charts/scalardb/values.yaml b/charts/scalardb/values.yaml
@@ -177,8 +177,8 @@ scalardb:
 
   # -- PodSecurityContext holds pod-level security attributes and common container settings.
   podSecurityContext:
-    {}
-    # fsGroup: 2000
+    seccompProfile:
+      type: RuntimeDefault
 
   # -- Setting security context at the pod applies those settings to all containers in the pod.
   securityContext:
@@ -192,8 +192,7 @@ scalardb:
     allowPrivilegeEscalation: false
 
   # -- Pod annotations for the scalardb deployment
-  podAnnotations:
-    seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
+  podAnnotations: {}
 
   # -- Resources allowed to the pod.
   resources:

diff --git a/charts/scalardl-audit/README.md b/charts/scalardl-audit/README.md
@@ -22,7 +22,7 @@ Current chart version is `1.3.0`
 | auditor.image.version | string | `"3.3.0"` | Docker tag |
 | auditor.imagePullSecrets | list | `[{"name":"reg-docker-secrets"}]` | Optionally specify an array of imagePullSecrets. Secrets must be manually created in the namespace. |
 | auditor.nodeSelector | object | `{}` | nodeSelector is form of node selection constraint |
-| auditor.podSecurityContext | object | `{}` | PodSecurityContext holds pod-level security attributes and common container settings |
+| auditor.podSecurityContext | object | `{"seccompProfile":{"type":"RuntimeDefault"}}` | PodSecurityContext holds pod-level security attributes and common container settings |
 | auditor.prometheusRule.enabled | bool | `false` | enable rules for prometheus |
 | auditor.prometheusRule.namespace | string | `"monitoring"` | which namespace prometheus is located. by default monitoring |
 | auditor.replicaCount | int | `3` | number of replicas to deploy |