
fix: switch from pod to defaultPodOptions
Signed-off-by: Devin Buhl <[email protected]>
onedr0p committed Apr 15, 2024
1 parent 9fe0687 commit c4b3537
Showing 11 changed files with 117 additions and 107 deletions.
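--- a/kubernetes/main/apps/database/dragonfly/app/helmrelease.yaml
+++ b/kubernetes/main/apps/database/dragonfly/app/helmrelease.yaml
@@ -67,18 +67,19 @@ spec:
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
 capabilities: { drop: ["ALL"] }
-pod:
-securityContext:
-runAsUser: 65534
-runAsGroup: 65534
-runAsNonRoot: true
-topologySpreadConstraints:
-- maxSkew: 1
-topologyKey: kubernetes.io/hostname
-whenUnsatisfiable: DoNotSchedule
-labelSelector:
-matchLabels:
-app.kubernetes.io/name: *app
+defaultPodOptions:
+securityContext:
+runAsNonRoot: true
+runAsUser: 65534
+runAsGroup: 65534
+seccompProfile: { type: RuntimeDefault }
+topologySpreadConstraints:
+- maxSkew: 1
+topologyKey: kubernetes.io/hostname
+whenUnsatisfiable: DoNotSchedule
+labelSelector:
+matchLabels:
+app.kubernetes.io/name: *app
 service:
 app:
 controller: *app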
7 changes: 4 additions & 3 deletions kubernetes/main/apps/default/cross-seed/app/helmrelease.yaml
Expand Up @@ -59,10 +59,11 @@ spec:
defaultPodOptions:
securityContext:
runAsNonRoot: true
runAsUser: 65534
runAsGroup: 65534
fsGroup: 65534
runAsUser: 568
runAsGroup: 568
fsGroup: 568
fsGroupChangePolicy: OnRootMismatch
supplementalGroups: [10000]
seccompProfile: { type: RuntimeDefault }
service:
app:
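Review bot: `supplementalGroups: [10000]` and the 568 values for `runAsUser`, `runAsGroup` and `fsGroup` have no comment explaining them. This also appears to be the only section on the page that ends up on 568 rather than 65534; the direction is inferred from the 65534 lines being printed first. A short comment above `runAsUser`, e.g. `# uid/gid 568 and group 10000: <reason, e.g. owner of the mounted data>`, would keep a later cleanup from aligning this release with the others and breaking file access. The rest of the release, including any volume definitions, is outside the hunk.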
Expand Up @@ -106,13 +106,14 @@ spec:
initialDelaySeconds: 15
securityContext: *securityContext
resources: *resources
pod:
securityContext:
runAsUser: 999
runAsGroup: 999
runAsNonRoot: true
fsGroup: 999
fsGroupChangePolicy: OnRootMismatch
defaultPodOptions:
securityContext:
runAsNonRoot: true
runAsUser: 999
runAsGroup: 999
fsGroup: 999
fsGroupChangePolicy: OnRootMismatch
seccompProfile: { type: RuntimeDefault }
service:
app:
controller: onepassword-connect
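--- a/kubernetes/main/apps/network/cloudflared/app/helmrelease.yaml
+++ b/kubernetes/main/apps/network/cloudflared/app/helmrelease.yaml
@@ -72,18 +72,19 @@ spec:
 cpu: 10m
 limits:
 memory: 256Mi
-pod:
-securityContext:
-runAsUser: 568
-runAsGroup: 568
-runAsNonRoot: true
-topologySpreadConstraints:
-- maxSkew: 1
-topologyKey: kubernetes.io/hostname
-whenUnsatisfiable: DoNotSchedule
-labelSelector:
-matchLabels:
-app.kubernetes.io/name: *app
+defaultPodOptions:
+securityContext:
+runAsNonRoot: true
+runAsUser: 65534
+runAsGroup: 65534
+seccompProfile: { type: RuntimeDefault }
+topologySpreadConstraints:
+- maxSkew: 1
+topologyKey: kubernetes.io/hostname
+whenUnsatisfiable: DoNotSchedule
+labelSelector:
+matchLabels:
+app.kubernetes.io/name: *app
 service:
 app:
 controller: cloudflared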
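Review bot: The new `defaultPodOptions.securityContext` block is not a pure move of the old `pod:` block: `runAsUser`/`runAsGroup` change from 568 to 65534 and `seccompProfile: { type: RuntimeDefault }` is added, neither of which the commit title mentions. The same UID/GID switch is made in the gatus, kromgo and unpoller sections and in the section with the missing file header (hunk `-56,8 +56,9`); gatus also moves `fsGroup` to 65534, so the group ownership of any existing volume it mounts may be rewritten on the next start. I would record this in the commit description and add a comment above the values, e.g. `# 65534 (nobody); was 568 before the defaultPodOptions move`. Whether each image and its mounted files work under 65534 cannot be checked from these hunks and should be confirmed before rollout.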
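--- a/kubernetes/main/apps/network/echo-server/app/helmrelease.yaml
+++ b/kubernetes/main/apps/network/echo-server/app/helmrelease.yaml
@@ -61,18 +61,19 @@ spec:
 cpu: 10m
 limits:
 memory: 64Mi
-pod:
-securityContext:
-runAsUser: 65534
-runAsGroup: 65534
-runAsNonRoot: true
-topologySpreadConstraints:
-- maxSkew: 1
-topologyKey: kubernetes.io/hostname
-whenUnsatisfiable: DoNotSchedule
-labelSelector:
-matchLabels:
-app.kubernetes.io/name: *app
+defaultPodOptions:
+securityContext:
+runAsNonRoot: true
+runAsUser: 65534
+runAsGroup: 65534
+seccompProfile: { type: RuntimeDefault }
+topologySpreadConstraints:
+- maxSkew: 1
+topologyKey: kubernetes.io/hostname
+whenUnsatisfiable: DoNotSchedule
+labelSelector:
+matchLabels:
+app.kubernetes.io/name: *app
 service:
 app:
 controller: echo-server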
Expand Up @@ -56,8 +56,9 @@ spec:
cpu: 25m
limits:
memory: 128Mi
pod:
securityContext:
runAsUser: 568
runAsGroup: 568
runAsNonRoot: true
defaultPodOptions:
securityContext:
runAsNonRoot: true
runAsUser: 65534
runAsGroup: 65534
seccompProfile: { type: RuntimeDefault }
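--- a/kubernetes/main/apps/observability/gatus/app/helmrelease.yaml
+++ b/kubernetes/main/apps/observability/gatus/app/helmrelease.yaml
@@ -82,16 +82,17 @@ spec:
 readOnlyRootFilesystem: true
 capabilities: { drop: ["ALL"] }
 resources: *resources
-pod:
-dnsConfig:
-options:
-- { name: ndots, value: "1" }
-securityContext:
-runAsUser: 568
-runAsGroup: 568
-runAsNonRoot: true
-fsGroup: 568
-fsGroupChangePolicy: OnRootMismatch
+defaultPodOptions:
+dnsConfig:
+options:
+- { name: ndots, value: "1" }
+securityContext:
+runAsNonRoot: true
+runAsUser: 65534
+runAsGroup: 65534
+fsGroup: 65534
+fsGroupChangePolicy: OnRootMismatch
+seccompProfile: { type: RuntimeDefault }
 service:
 app:
 controller: gatus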
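--- a/kubernetes/main/apps/observability/kromgo/app/helmrelease.yaml
+++ b/kubernetes/main/apps/observability/kromgo/app/helmrelease.yaml
@@ -59,18 +59,19 @@ spec:
 cpu: 10m
 limits:
 memory: 64Mi
-pod:
-securityContext:
-runAsUser: 568
-runAsGroup: 568
-runAsNonRoot: true
-topologySpreadConstraints:
-- maxSkew: 1
-topologyKey: kubernetes.io/hostname
-whenUnsatisfiable: DoNotSchedule
-labelSelector:
-matchLabels:
-app.kubernetes.io/name: *app
+defaultPodOptions:
+securityContext:
+runAsNonRoot: true
+runAsUser: 65534
+runAsGroup: 65534
+seccompProfile: { type: RuntimeDefault }
+topologySpreadConstraints:
+- maxSkew: 1
+topologyKey: kubernetes.io/hostname
+whenUnsatisfiable: DoNotSchedule
+labelSelector:
+matchLabels:
+app.kubernetes.io/name: *app
 service:
 app:
 controller: kromgo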
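--- a/kubernetes/main/apps/observability/unpoller/app/helmrelease.yaml
+++ b/kubernetes/main/apps/observability/unpoller/app/helmrelease.yaml
@@ -55,11 +55,12 @@ spec:
 cpu: 10m
 limits:
 memory: 128Mi
-pod:
-securityContext:
-runAsUser: 568
-runAsGroup: 568
-runAsNonRoot: true
+defaultPodOptions:
+securityContext:
+runAsNonRoot: true
+runAsUser: 65534
+runAsGroup: 65534
+seccompProfile: { type: RuntimeDefault }
 service:
 app:
 controller: unpoller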
Expand Up @@ -53,14 +53,14 @@ spec:
enabled: true
readiness:
enabled: true
pod:
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app.kubernetes.io/name: *app
defaultPodOptions:
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app.kubernetes.io/name: *app
service:
app:
controller: vector-aggregator
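Review bot: `defaultPodOptions` here carries only `topologySpreadConstraints`, so this is the one section on the page whose pod ends up with no pod-level `runAsNonRoot`, `runAsUser` or `seccompProfile`. The old `pod:` block had none either, so this is not a regression. If the container-level securityContext (outside this hunk) does not set them, the pod runs as the image's default user, and seccomp is left to the kubelet default. Consider adding `securityContext:` with `runAsNonRoot: true` and `seccompProfile: { type: RuntimeDefault }`, or a comment saying why the aggregator is exempt.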
Expand Up @@ -52,27 +52,28 @@ spec:
capabilities: { drop: ["ALL"] }
seccompProfile:
type: RuntimeDefault
pod:
securityContext:
runAsUser: 65534
runAsGroup: 65534
runAsNonRoot: true
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/control-plane
operator: Exists
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule
- key: node-role.kubernetes.io/master
operator: Exists
effect: NoSchedule
defaultPodOptions:
securityContext:
runAsNonRoot: true
runAsUser: 65534
runAsGroup: 65534
seccompProfile: { type: RuntimeDefault }
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/control-plane
operator: Exists
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule
- key: node-role.kubernetes.io/master
operator: Exists
effect: NoSchedule
serviceAccount:
create: true
name: system-upgrade
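Review bot: The pod-level `seccompProfile: { type: RuntimeDefault }` added under `defaultPodOptions.securityContext` duplicates the container-level `seccompProfile:` / `type: RuntimeDefault` that sits just above the changed block. The container setting takes precedence and the two are identical, so nothing breaks, but a later edit to one can silently diverge from the other. Either drop the container-level entry and rely on the pod default, or keep both with a comment such as `# pod-level default; container securityContext repeats it on purpose`. The container securityContext begins before the hunk, so the rest of it is not visible here.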
