Add seccompProfile field in securityContext instead of annotation

charts/envoy/README.md

@@ -21,8 +21,8 @@ Current chart version is `2.1.0`
 | image.version | string | `"1.3.0"` |  |
 | imagePullSecrets | list | `[]` | Optionally specify an array of imagePullSecrets. Secrets must be manually created in the namespace. |
 | nodeSelector | object | `{}` | nodeSelector is form of node selection constraint |
-| podAnnotations | object | `{"seccomp.security.alpha.kubernetes.io/pod":"runtime/default"}` | Pod annotations for the envoy Deployment |
-| podSecurityContext | object | `{}` | PodSecurityContext holds pod-level security attributes and common container settings |
+| podAnnotations | object | `{}` | Pod annotations for the envoy Deployment |
+| podSecurityContext | object | `{"seccompProfile":{"type":"RuntimeDefault"}}` | PodSecurityContext holds pod-level security attributes and common container settings |
 | podSecurityPolicy.enabled | bool | `true` | enable pod security policy |
 | prometheusRule.enabled | bool | `false` | enable rules for prometheus |
 | prometheusRule.namespace | string | `"monitoring"` | which namespace prometheus is located. by default monitoring |

charts/envoy/values.schema.json

@@ -48,16 +48,21 @@
             "type": "object"
         },
         "podAnnotations": {
+            "type": "object"
+        },
+        "podSecurityContext": {
             "type": "object",
             "properties": {
-                "seccomp.security.alpha.kubernetes.io/pod": {
-                    "type": "string"
+                "seccompProfile": {
+                    "type": "object",
+                    "properties": {
+                        "type": {
+                            "type": "string"
+                        }
+                    }
                 }
             }
         },
-        "podSecurityContext": {
-            "type": "object"
-        },
         "podSecurityPolicy": {
             "type": "object",
             "properties": {

charts/envoy/values.yaml

@@ -28,8 +28,9 @@ strategy:
   type: RollingUpdate
 
 # podSecurityContext -- PodSecurityContext holds pod-level security attributes and common container settings
-podSecurityContext: {}
-  # fsGroup: 2000
+podSecurityContext:
+  seccompProfile:
+    type: RuntimeDefault
 
 # securityContext -- Setting security context at the pod applies those settings to all containers in the pod
 securityContext:
@@ -45,8 +46,7 @@ securityContext:
   allowPrivilegeEscalation: false
 
 # podAnnotations -- Pod annotations for the envoy Deployment
-podAnnotations:
-  seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
+podAnnotations: {}
 
 service:
   # service.type -- service types in kubernetes

charts/scalardb/README.md

@@ -55,8 +55,8 @@ Current chart version is `2.3.0`
 | scalardb.image.tag | string | `"3.6.0"` | Docker tag of the image. |
 | scalardb.imagePullSecrets | list | `[]` | Optionally specify an array of imagePullSecrets. Secrets must be manually created in the namespace. |
 | scalardb.nodeSelector | object | `{}` | nodeSelector is form of node selection constraint. |
-| scalardb.podAnnotations | object | `{"seccomp.security.alpha.kubernetes.io/pod":"runtime/default"}` | Pod annotations for the scalardb deployment |
-| scalardb.podSecurityContext | object | `{}` | PodSecurityContext holds pod-level security attributes and common container settings. |
+| scalardb.podAnnotations | object | `{}` | Pod annotations for the scalardb deployment |
+| scalardb.podSecurityContext | object | `{"seccompProfile":{"type":"RuntimeDefault"}}` | PodSecurityContext holds pod-level security attributes and common container settings. |
 | scalardb.podSecurityPolicy.enabled | bool | `true` | Enable pod security policy |
 | scalardb.prometheusRule.enabled | bool | `false` | Enable rules for prometheus. |
 | scalardb.prometheusRule.namespace | string | `"monitoring"` | Which namespace prometheus is located. by default monitoring. |

charts/scalardb/templates/scalardb/deployment.yaml

@@ -19,7 +19,9 @@ spec:
     metadata:
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/scalardb/configmap.yaml") . | sha256sum }}
+        {{- if .Values.scalardb.podAnnotations }}
         {{- toYaml .Values.scalardb.podAnnotations | nindent 8 }}
+        {{- end }}
       labels:
         {{- include "scalardb.selectorLabels" . | nindent 8 }}
     spec:

charts/scalardb/values.schema.json

@@ -197,16 +197,21 @@
                     "type": "object"
                 },
                 "podAnnotations": {
+                    "type": "object"
+                },
+                "podSecurityContext": {
                     "type": "object",
                     "properties": {
-                        "seccomp.security.alpha.kubernetes.io/pod": {
-                            "type": "string"
+                        "seccompProfile": {
+                            "type": "object",
+                            "properties": {
+                                "type": {
+                                    "type": "string"
+                                }
+                            }
                         }
                     }
                 },
-                "podSecurityContext": {
-                    "type": "object"
-                },
                 "podSecurityPolicy": {
                     "type": "object",
                     "properties": {

charts/scalardb/values.yaml

@@ -211,8 +211,8 @@ scalardb:
 
   # -- PodSecurityContext holds pod-level security attributes and common container settings.
   podSecurityContext:
-    {}
-    # fsGroup: 2000
+    seccompProfile:
+      type: RuntimeDefault
 
   # -- Setting security context at the pod applies those settings to all containers in the pod.
   securityContext:
@@ -228,8 +228,7 @@ scalardb:
     allowPrivilegeEscalation: false
 
   # -- Pod annotations for the scalardb deployment
-  podAnnotations:
-    seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
+  podAnnotations: {}
 
   # -- Resources allowed to the pod.
   resources:

charts/scalardl-audit/README.md

@@ -25,7 +25,7 @@ Current chart version is `2.2.2`
 | auditor.image.version | string | `"3.4.1"` | Docker tag |
 | auditor.imagePullSecrets | list | `[{"name":"reg-docker-secrets"}]` | Optionally specify an array of imagePullSecrets. Secrets must be manually created in the namespace. |
 | auditor.nodeSelector | object | `{}` | nodeSelector is form of node selection constraint |
-| auditor.podSecurityContext | object | `{}` | PodSecurityContext holds pod-level security attributes and common container settings |
+| auditor.podSecurityContext | object | `{"seccompProfile":{"type":"RuntimeDefault"}}` | PodSecurityContext holds pod-level security attributes and common container settings |
 | auditor.prometheusRule.enabled | bool | `false` | enable rules for prometheus |
 | auditor.prometheusRule.namespace | string | `"monitoring"` | which namespace prometheus is located. by default monitoring |
 | auditor.replicaCount | int | `3` | number of replicas to deploy |

charts/scalardl-audit/values.schema.json

@@ -60,7 +60,17 @@
                     "type": "object"
                 },
                 "podSecurityContext": {
-                    "type": "object"
+                    "type": "object",
+                    "properties": {
+                        "seccompProfile": {
+                            "type": "object",
+                            "properties": {
+                                "type": {
+                                    "type": "string"
+                                }
+                            }
+                        }
+                    }
                 },
                 "prometheusRule": {
                     "type": "object",

charts/scalardl-audit/values.yaml

@@ -229,8 +229,9 @@ auditor:
     type: RollingUpdate
 
   # -- PodSecurityContext holds pod-level security attributes and common container settings
-  podSecurityContext: {}
-    # fsGroup: 2000
+  podSecurityContext:
+    seccompProfile:
+      type: RuntimeDefault
 
   # -- Setting security context at the pod applies those settings to all containers in the pod
   securityContext: {}

charts/scalardl/README.md

@@ -59,7 +59,7 @@ Current chart version is `4.2.2`
 | ledger.imagePullSecrets | list | `[{"name":"reg-docker-secrets"}]` | Optionally specify an array of imagePullSecrets. Secrets must be manually created in the namespace. |
 | ledger.ledgerProperties | string | The default minimum necessary values of ledger.properties are set. You can overwrite it with your own ledger.properties. | The ledger.properties is created based on the values of ledger.scalarLedgerConfiguration by default. If you want to customize ledger.properties, you can override this value with your ledger.properties. |
 | ledger.nodeSelector | object | `{}` | nodeSelector is form of node selection constraint |
-| ledger.podSecurityContext | object | `{}` | PodSecurityContext holds pod-level security attributes and common container settings |
+| ledger.podSecurityContext | object | `{"seccompProfile":{"type":"RuntimeDefault"}}` | PodSecurityContext holds pod-level security attributes and common container settings |
 | ledger.prometheusRule.enabled | bool | `false` | enable rules for prometheus |
 | ledger.prometheusRule.namespace | string | `"monitoring"` | which namespace prometheus is located. by default monitoring |
 | ledger.replicaCount | int | `3` | number of replicas to deploy |

charts/scalardl/values.schema.json

@@ -222,7 +222,17 @@
                     "type": "object"
                 },
                 "podSecurityContext": {
-                    "type": "object"
+                    "type": "object",
+                    "properties": {
+                        "seccompProfile": {
+                            "type": "object",
+                            "properties": {
+                                "type": {
+                                    "type": "string"
+                                }
+                            }
+                        }
+                    }
                 },
                 "prometheusRule": {
                     "type": "object",

charts/scalardl/values.yaml

@@ -198,8 +198,9 @@ ledger:
     type: RollingUpdate
 
   # -- PodSecurityContext holds pod-level security attributes and common container settings
-  podSecurityContext: {}
-    # fsGroup: 2000
+  podSecurityContext:
+    seccompProfile:
+      type: RuntimeDefault
 
   # -- Setting security context at the pod applies those settings to all containers in the pod
   securityContext: {}