Merge pull request #159 from pierluigilenoci/security_context_improvements

Improved securityContext and timeout of the initContainer wait-for-redis
pierluigilenoci authored Jul 15, 2023
2 parents 4ef43d1 + d50fdef commit 1f5d7a7
Showing 4 changed files with 25 additions and 13 deletions.
8 changes: 4 additions & 4 deletions helm/oauth2-proxy/Chart.yaml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
name: oauth2-proxy
version: 6.15.2
version: 6.16.0
apiVersion: v2
appVersion: 7.4.0
home: https://oauth2-proxy.github.io/oauth2-proxy/
@@ -34,8 +34,8 @@ maintainers:
kubeVersion: ">=1.9.0-0"
annotations:
artifacthub.io/changes: |
- kind: fixed
description: Drop capabilities of wait-for-redis container
- kind: added
description: securityContext and timeout of the initContainer wait-for-redis configurable via values.
links:
- name: Github PR
url: https://github.com/oauth2-proxy/manifests/pull/158
url: https://github.com/oauth2-proxy/manifests/pull/159
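Review bot: the replacement changelog entry under-describes this release. The values.yaml defaults in the same PR add `runAsGroup: 65534` and `seccompProfile: { type: RuntimeDefault }` to the wait-for-redis container, settings the previously hard-coded securityContext block did not apply, so every existing install picks them up on upgrade without touching its values. Keep the `kind: added` entry for the new `initContainers.waitForRedis.securityContext` and `initContainers.waitForRedis.timeout` values, and add a second `kind: changed` entry for the stricter defaults so operators can see why the rendered pod spec changes. The links block correctly points at PR #159.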
4 changes: 3 additions & 1 deletion helm/oauth2-proxy/README.md
Original file line number Diff line number Diff line change
@@ -144,7 +144,9 @@ Parameter | Description | Default
`ingress.hosts` | Ingress accepted hostnames | `nil`
`ingress.tls` | Ingress TLS configuration | `nil`
`initContainers.waitForRedis.enabled` | if `redis.enabled` is true, use an init container to wait for the redis master pod to be ready. If `serviceAccount.enabled` is true, create additionally a role/binding to get, list and watch the redis master pod | `true`
`initContainers.waitForRedis.kubectlVersion` | kubectl version to use for the init container | `printf "%s.%s" .Capabilities.KubeVersion.Major .Capabilities.KubeVersion.Minor`
`initContainers.waitForRedis.kubectlVersion` | kubectl version to use for the init container | `printf "%s.%s" .Capabilities.KubeVersion.Major (.Capabilities.KubeVersion.Minor | replace "+" "")`
`initContainers.waitForRedis.securityContext.enabled` | enable Kubernetes security context on container | `true`
`initContainers.waitForRedis.timeout` | number of seconds | 180
`livenessProbe.enabled` | enable Kubernetes livenessProbe. Disable to use oauth2-proxy with Istio mTLS. See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true`
`livenessProbe.initialDelaySeconds` | number of seconds | 0
`livenessProbe.timeoutSeconds` | number of seconds | 1
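Review bot: the README documents `initContainers.waitForRedis.securityContext.enabled` but not the sub-keys that values.yaml now ships (`allowPrivilegeEscalation`, `capabilities.drop`, `readOnlyRootFilesystem`, `runAsNonRoot`, `runAsUser`, `runAsGroup`, `seccompProfile`), nor that every key other than `enabled` is rendered verbatim into the container's securityContext; extend the `enabled` row, or add a row per key, so users know what they can override. Separately, the `kubectlVersion` default column changes in this hunk to `printf "%s.%s" .Capabilities.KubeVersion.Major (.Capabilities.KubeVersion.Minor | replace "+" "")`, which neither the commit message nor the Chart.yaml changelog mentions; confirm the template really strips the `+` suffix (some clusters report Minor as e.g. `27+`) and call it out, or keep the doc change out of this PR.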
13 changes: 5 additions & 8 deletions helm/oauth2-proxy/templates/deployment.yaml
Original file line number Diff line number Diff line change
@@ -65,15 +65,12 @@ spec:
- wait
- pod/{{ include "oauth2-proxy.redis.fullname" . }}-master-0
- --for=condition=ready
- --timeout=180s
- --timeout={{ .Values.initContainers.waitForRedis.timeout }}s
{{- if .Values.initContainers.waitForRedis.securityContext.enabled }}
{{- $securityContext := unset .Values.initContainers.waitForRedis.securityContext "enabled" }}
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65534
capabilities:
drop:
- ALL
{{- toYaml $securityContext | nindent 10 }}
{{- end }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
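Review bot: `unset .Values.initContainers.waitForRedis.securityContext "enabled"` mutates the values map in place rather than returning a copy, so after this line `.Values.initContainers.waitForRedis.securityContext.enabled` no longer exists for anything rendered later in the same pass. It only works here because the `if` on the line above is evaluated first. Use the non-mutating Sprig form instead, e.g. `{{- $securityContext := omit .Values.initContainers.waitForRedis.securityContext "enabled" }}`, which leaves `.Values` untouched. Also, `--timeout={{ .Values.initContainers.waitForRedis.timeout }}s` appends the unit itself, so a user who passes `timeout: 3m` (a form `kubectl wait` itself accepts) renders `--timeout=3ms`; the README row says "number of seconds", but a comment in values.yaml stating that the value must be a plain integer would prevent that mistake.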
13 changes: 13 additions & 0 deletions helm/oauth2-proxy/values.yaml
Original file line number Diff line number Diff line change
@@ -276,6 +276,19 @@ initContainers:
# uses the kubernetes version of the cluster
# the chart is deployed on, if not set
kubectlVersion: ""
securityContext:
enabled: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65534
runAsGroup: 65534
seccompProfile:
type: RuntimeDefault
timeout: 180

# Additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -B" for bcrypt encryption.
# Alternatively supply an existing secret which contains the required information.
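Review bot: `seccompProfile.type: RuntimeDefault` in the new defaults is a securityContext field that only exists from Kubernetes 1.19 onward, while Chart.yaml in this same PR still declares `kubeVersion: ">=1.9.0-0"`; either raise `kubeVersion` to `>=1.19.0-0` or leave `seccompProfile` out of the defaults and let users opt in. Also, `enabled: true` sits in the same map as the real securityContext fields and has to be stripped by the template before rendering; a comment above the block noting that every key except `enabled` is copied verbatim into the container's securityContext would tell users how to override or extend it (for instance a different `runAsUser` for a custom kubectl image).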
