Coredns: Add pod/container security context

This updates coredns chart to include the podsecurity context on the pod template This also adds the container security context to set readOnlyRootFilesystem to true Change-Id: Ib44e7b9e5d0ccc642ee095062f3aefcfef2a98f8
2019-06-11 13:47:37 -05:00 · 2019-06-11 13:47:37 -05:00 · 42cc2a67a7
commit 42cc2a67a7
parent fefd664cd8
2 changed files with 10 additions and 0 deletions
--- a/charts/coredns/templates/deployment.yaml
+++ b/charts/coredns/templates/deployment.yaml
@ -57,6 +57,7 @@ spec:
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" $envAll | include "helm-toolkit.utils.hash" }}
        configmap-etc-hash: {{ tuple "configmap-etc.yaml" $envAll | include "helm-toolkit.utils.hash" }}
    spec:
+{{ dict "envAll" $envAll "application" "coredns" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      serviceAccountName: coredns
      shareProcessNamespace: true
      tolerations:
@ -84,6 +85,7 @@ spec:
        image: {{ $envAll.Values.images.tags.coredns | quote }}
        imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
 {{ tuple $envAll $envAll.Values.pod.resources.coredns | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
+{{ dict "envAll" $envAll "application" "coredns" "container" "coredns" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
        args: [ "-conf", "/etc/coredns/Corefile" ]
        volumeMounts:
        - name: config-volume
--- a/charts/coredns/values.yaml
+++ b/charts/coredns/values.yaml
@ -36,6 +36,14 @@ service:
  ip: 10.96.0.10

 pod:
+  security_context:
+    coredns:
+      pod:
+        runAsUser: 65534
+      container:
+        coredns:
+          runAsUser: 0
+          readOnlyRootFilesystem: true
  lifecycle:
    upgrades:
      # This is only meaningful when deploying as a DaemonSet