Use restricted pod security standard
Signed-off-by: Tamal Saha <[email protected]>
tamalsaha committed Jul 19, 2024
1 parent f1e7fe1 commit 5cc7fa6
Showing 9 changed files with 46 additions and 46 deletions.
2 changes: 1 addition & 1 deletion charts/dbgate/README.md
@@ -65,7 +65,7 @@ The following table lists the configurable parameters of the `dbgate` chart and
| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | <code>""</code> |
| podAnnotations | | <code>{}</code> |
| podSecurityContext | | <code>{}</code> |
| securityContext | | <code>{}</code> |
| securityContext | | <code>{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}</code> |
| service.type | | <code>ClusterIP</code> |
| service.port | | <code>80</code> |
| resources | | <code>{}</code> |
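Review bot: the description cell for `securityContext` is still empty while its default has grown from `{}` to a seven-key JSON object; a one-line description such as "Container security context; the default satisfies the restricted Pod Security Standard" would tell chart users why the value is non-empty and what they give up by overriding it. Since this table appears to be generated from values.yaml (the `# +doc-gen:break` marker in that file's hunk), the text belongs in the values.yaml comment so it survives the next regeneration.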
18 changes: 9 additions & 9 deletions charts/dbgate/values.yaml
@@ -42,15 +42,15 @@ podAnnotations: {}
podSecurityContext: {}
# fsGroup: 2000

securityContext: {}
# allowPrivilegeEscalation: false
# capabilities:
# drop: ["ALL"]
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 65534
# # seccompProfile:
# # type: RuntimeDefault
securityContext: # +doc-gen:break
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault

service:
type: ClusterIP
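Review bot: the restricted profile is satisfied here only at container level; `podSecurityContext` stays `{}` with `# fsGroup: 2000` still commented out. That is enough for a single-container pod, but `runAsNonRoot: true` and `seccompProfile.type: RuntimeDefault` are accepted as pod-level fields too, and setting them in `podSecurityContext` as well would cover any init or sidecar container added later without that container having to repeat the block; as written, one added container without its own `securityContext` is enough to get the pod rejected by a namespace enforcing `restricted`.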
2 changes: 1 addition & 1 deletion charts/mongo-ui/README.md
@@ -65,7 +65,7 @@ The following table lists the configurable parameters of the `mongo-ui` chart an
| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | <code>""</code> |
| podAnnotations | | <code>{}</code> |
| podSecurityContext | | <code>{}</code> |
| securityContext | | <code>{}</code> |
| securityContext | | <code>{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}</code> |
| service.type | | <code>ClusterIP</code> |
| service.port | | <code>80</code> |
| resources | | <code>{}</code> |
18 changes: 9 additions & 9 deletions charts/mongo-ui/values.yaml
@@ -42,15 +42,15 @@ podAnnotations: {}
podSecurityContext: {}
# fsGroup: 2000

securityContext: {}
# allowPrivilegeEscalation: false
# capabilities:
# drop: ["ALL"]
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 65534
# seccompProfile:
# type: RuntimeDefault
securityContext: # +doc-gen:break
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault

service:
type: ClusterIP
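Review bot: `readOnlyRootFilesystem: true` is the setting in this block most likely to fail at runtime rather than at admission. If the mongo-ui image writes anywhere under its root filesystem on startup (temp files, caches, a generated config), the container will now get EROFS and crash-loop, and the chart should mount an `emptyDir` at those paths. Worth confirming with an actual install before merging; the hack/scripts/ct.sh hunk in this same commit routes mongo-ui through the install path, so the CI run will show it.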
2 changes: 1 addition & 1 deletion charts/pgadmin/README.md
@@ -65,7 +65,7 @@ The following table lists the configurable parameters of the `pgadmin` chart and
| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | <code>""</code> |
| podAnnotations | | <code>{}</code> |
| podSecurityContext | | <code>{}</code> |
| securityContext | | <code>{}</code> |
| securityContext | | <code>{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}</code> |
| service.type | | <code>ClusterIP</code> |
| service.port | | <code>80</code> |
| resources | | <code>{}</code> |
18 changes: 9 additions & 9 deletions charts/pgadmin/values.yaml
@@ -42,15 +42,15 @@ podAnnotations: {}
podSecurityContext: {}
# fsGroup: 2000

securityContext: {}
# allowPrivilegeEscalation: false
# capabilities:
# drop: ["ALL"]
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 65534
# seccompProfile:
# type: RuntimeDefault
securityContext: # +doc-gen:break
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault

service:
type: ClusterIP
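Review bot: `runAsUser: 65534` pins the container to the nobody uid regardless of what the image was built for. If the pgadmin image ships its data and config directories owned by a dedicated non-root uid and its entrypoint expects that uid, pinning to 65534 will surface as permission errors on first start. Check the image's `USER` and file ownership; if it uses its own numeric non-root uid, either use that uid here or drop `runAsUser` and rely on `runAsNonRoot: true`, which the restricted profile accepts (the kubelet then refuses to start the container unless the image declares a numeric non-root `USER`). Whatever is chosen must be regenerated into the default column of the charts/pgadmin/README.md hunk above, which currently repeats 65534.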
2 changes: 1 addition & 1 deletion charts/phpmyadmin/README.md
@@ -65,7 +65,7 @@ The following table lists the configurable parameters of the `phpmyadmin` chart
| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | <code>""</code> |
| podAnnotations | | <code>{}</code> |
| podSecurityContext | | <code>{}</code> |
| securityContext | | <code>{}</code> |
| securityContext | | <code>{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}</code> |
| service.type | | <code>ClusterIP</code> |
| service.port | | <code>80</code> |
| resources | | <code>{}</code> |
18 changes: 9 additions & 9 deletions charts/phpmyadmin/values.yaml
@@ -42,15 +42,15 @@ podAnnotations: {}
podSecurityContext: {}
# fsGroup: 2000

securityContext: {}
# allowPrivilegeEscalation: false
# capabilities:
# drop: ["ALL"]
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 65534
# seccompProfile:
# type: RuntimeDefault
securityContext: # +doc-gen:break
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault

service:
type: ClusterIP
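Review bot: `capabilities.drop: ["ALL"]` together with `runAsUser: 65534` means the phpmyadmin container can no longer bind a port below 1024. The README hunk above only shows the Service port (80), not the container's listen port; if the image's web server still listens on 80, the pod will start and then exit on bind failure. The fix is either a listen port above 1023 (with the Service `targetPort` updated) or `capabilities.add: ["NET_BIND_SERVICE"]`, which is the one `add` the restricted profile still permits. A comment above `securityContext:` noting that the block targets the restricted Pod Security Standard, and that removing `allowPrivilegeEscalation`, `capabilities.drop`, `runAsNonRoot` or `seccompProfile` will get the pod rejected under `pod-security.kubernetes.io/enforce: restricted`, would also help users who copy this file.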
12 changes: 6 additions & 6 deletions hack/scripts/ct.sh
@@ -23,12 +23,12 @@ for dir in charts/*/; do
echo $dir
if [ $num_files -le 1 ]; then
make ct CT_COMMAND=lint TEST_CHARTS=charts/$dir
elif [[ "$dir" = "dbgate" ]] ||
[[ "$dir" = "kafka-ui" ]] ||
[[ "$dir" = "mongo-ui" ]] ||
[[ "$dir" = "pgadmin" ]] ||
[[ "$dir" = "phpmyadmin" ]]; then
make ct TEST_CHARTS=charts/$dir || true
# elif [[ "$dir" = "dbgate" ]] ||
# [[ "$dir" = "kafka-ui" ]] ||
# [[ "$dir" = "mongo-ui" ]] ||
# [[ "$dir" = "pgadmin" ]] ||
# [[ "$dir" = "phpmyadmin" ]]; then
# make ct TEST_CHARTS=charts/$dir || true
else
ns=app-$(date +%s | head -c 6)
kubectl create ns $ns
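Review bot: the `elif` branch is commented out rather than deleted, which leaves six dead lines in the script; git history already records the old behaviour, so deleting them is cleaner. The effect of the change is that dbgate, kafka-ui, mongo-ui, pgadmin and phpmyadmin now fall through to the `else` path (a real install into a fresh `app-*` namespace) instead of the `make ct ... || true` path whose failures were ignored. That is the right direction given the hardened values, but kafka-ui is in the list and this commit does not touch charts/kafka-ui (the 9 changed files are the four chart pairs plus this script), so its install test now runs with whatever securityContext that chart has today; confirm it passes or give it the same values.yaml update in the same change.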

0 comments on commit 5cc7fa6
