fix security context settings for psp for several charts and bump ver…

…sions
dwgillies-bluescape · Apr 20, 2020 · 7f7f5a6 · 7f7f5a6
1 parent a503ea4
commit 7f7f5a6
Show file tree

Hide file tree

Showing 12 changed files with 43 additions and 29 deletions.
diff --git a/kubernetes-dashboard/Chart.yaml b/kubernetes-dashboard/Chart.yaml
@@ -1,5 +1,5 @@
 name: kubernetes-dashboard
-version: 0.9.1
+version: 0.9.2
 appVersion: 1.10.0
 description: General-purpose web UI for Kubernetes clusters
 keywords:

diff --git a/kubernetes-dashboard/templates/deployment.yaml b/kubernetes-dashboard/templates/deployment.yaml
@@ -40,6 +40,11 @@ spec:
     {{ toYaml .Values.labels | indent 4 }}
     {{- end }}
     spec:
+      {{- if and .Values.rbac.enabled .Values.rbac.psp.enabled }}
+      securityContext:
+        runAsUser: 65534
+        fsGroup: 65534
+      {{- end }}
       serviceAccountName: {{ template "kubernetes-dashboard.serviceAccountName" . }}
       containers:
       - name: {{ .Chart.Name }}
@@ -70,8 +75,6 @@ spec:
         securityContext:
           readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
-          runAsUser: 65534
-          fsGroup: 65534          
         resources:
 {{ toYaml .Values.resources | indent 10 }}
     {{- if .Values.nodeSelector }}

diff --git a/nodepool-labels-operator/Chart.yaml b/nodepool-labels-operator/Chart.yaml
@@ -2,4 +2,4 @@ name: nodepool-labels-operator
 description: Banzai K8s Nodepool Labels Operator
 apiVersion: v1
 appVersion: 0.0.2
-version: 0.0.3
+version: 0.0.4
diff --git a/nodepool-labels-operator/templates/deployment.yaml b/nodepool-labels-operator/templates/deployment.yaml
@@ -28,6 +28,11 @@ spec:
       - name: config-volume
         configMap:
           name: {{ include "nodepool-labels-operator.fullname" . }}
+      {{- if and .Values.rbac.enabled .Values.rbac.psp.enabled }}
+      securityContext:
+        runAsUser: 65534
+        fsGroup: 65534
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
@@ -55,8 +60,6 @@ spec:
           securityContext:
             readOnlyRootFilesystem: true
             allowPrivilegeEscalation: false
-            runAsUser: 65534
-            fsGroup: 65534
           resources:
 {{ toYaml .Values.resources | indent 12 }}
     {{- with .Values.nodeSelector }}

diff --git a/pvc-operator/Chart.yaml b/pvc-operator/Chart.yaml
@@ -1,5 +1,5 @@
 name: pvc-operator
-version: 0.0.10
+version: 0.0.11
 appVersion: 0.0.6
 description: A Helm chart for pvc-operator
 home: https://banzaicloud.com

diff --git a/pvc-operator/templates/crd.yaml b/pvc-operator/templates/crd.yaml
@@ -1,4 +1,4 @@
-apiVersion: apiextensions.k8s.io/v1
+apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
   name: objectstores.banzaicloud.com
@@ -15,4 +15,7 @@ spec:
     plural: objectstores
     singular: objectstore
   scope: Namespaced
-  version: v1alpha1
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
diff --git a/pvc-operator/templates/deployment.yaml b/pvc-operator/templates/deployment.yaml
@@ -21,9 +21,14 @@ spec:
         heritage: {{ .Release.Service }}
         release: {{ .Release.Name }}
     spec:
-{{- if .Values.rbac.enabled }}
+      {{- if .Values.rbac.enabled }}
       serviceAccountName: {{ template "pvc-operator.fullname" . }}
-{{- end }}
+      {{- end }}
+      {{- if and .Values.rbac.enabled .Values.rbac.psp.enabled }}
+      securityContext:
+        runAsUser: 65534
+        fsGroup: 65534
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
@@ -46,17 +51,15 @@ spec:
           securityContext:
             readOnlyRootFilesystem: true
             allowPrivilegeEscalation: false
-            runAsUser: 65534
-            fsGroup: 65534
-    {{- if .Values.nodeSelector }}
+      {{- if .Values.nodeSelector }}
       nodeSelector:
 {{ toYaml .Values.nodeSelector | indent 8 }}
-    {{- end }}
-    {{- if .Values.tolerations }}
+      {{- end }}
+      {{- if .Values.tolerations }}
       tolerations:
 {{ toYaml .Values.tolerations | indent 8 }}
-    {{- end }}
-    {{- if .Values.affinity }}
+      {{- end }}
+      {{- if .Values.affinity }}
       affinity:
 {{ toYaml .Values.affinity | indent 8 }}
-    {{- end }}
+      {{- end }}
diff --git a/spot-config-webhook/Chart.yaml b/spot-config-webhook/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: "0.1.3"
 description: A Helm chart that deploys a mutating admission webhook that configures an alternative scheduler for specific pods
 name: spot-config-webhook
-version: 0.1.5
+version: 0.1.6
 maintainers:
 - name: Banzai Cloud
   email: [email protected]
diff --git a/spot-config-webhook/templates/apiservice-webhook.yaml b/spot-config-webhook/templates/apiservice-webhook.yaml
@@ -11,7 +11,6 @@ items:
   kind: Secret
   metadata:
     name: {{ template "spot-config-webhook.fullname" . }}
-    type: kubernetes.io/tls
   data:
     servingCert: {{ b64enc $server.Cert }}
     servingKey: {{ b64enc $server.Key }}

diff --git a/spot-config-webhook/templates/webhook-deployment.yaml b/spot-config-webhook/templates/webhook-deployment.yaml
@@ -20,6 +20,11 @@ spec:
         app: {{ template "spot-config-webhook.name" . }}
         release: {{ .Release.Name }}
     spec:
+      {{- if and .Values.rbac.enabled .Values.rbac.psp.enabled }}
+      securityContext:
+        runAsUser: 65534
+        fsGroup: 65534
+      {{- end }}
       serviceAccountName: {{ template "spot-config-webhook.fullname" . }}
       volumes:
       - name: serving-cert
@@ -53,9 +58,6 @@ spec:
           - name: SPOT_SCHEDULER_NAME
             value: {{ .Values.webhook.schedulerName }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-          securityContext:
-            runAsUser: 65534
-            allowPrivilegeEscalation: false
           ports:
             - containerPort: {{ .Values.service.internalPort }}
           readinessProbe:
@@ -71,8 +73,6 @@ spec:
           securityContext:
             readOnlyRootFilesystem: true
             allowPrivilegeEscalation: false
-            runAsUser: 65534
-            fsGroup: 65534
           resources:
 {{ toYaml .Values.resources | indent 12 }}
     {{- if .Values.nodeSelector }}

diff --git a/spot-scheduler/Chart.yaml b/spot-scheduler/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: "1.0"
 description: An extended Kubernetes scheduler that is able to schedule pods based on spot-instance related attributes
 name: spot-scheduler
-version: 0.1.1
+version: 0.1.2
 keywords:
  - scheduler
  - spot

diff --git a/spot-scheduler/templates/deployment.yaml b/spot-scheduler/templates/deployment.yaml
@@ -22,6 +22,11 @@ spec:
         release: {{ .Release.Name }}
         component: scheduler
     spec:
+      {{- if and .Values.rbac.enabled .Values.rbac.psp.enabled }}
+      securityContext:
+        runAsUser: 65534
+        fsGroup: 65534
+      {{- end }}
       serviceAccountName: {{ template "spot-scheduler.fullname" . }}
       containers:
       - name: {{ .Chart.Name }}
@@ -47,8 +52,6 @@ spec:
         securityContext:
           readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
-          runAsUser: 65534
-          fsGroup: 65534
         resources:
 {{ toYaml .Values.resources | indent 12 }}
     {{- with .Values.nodeSelector }}