TT-12054: add security context to init containers (#285)
olamilekan000 authored May 3, 2024
1 parent 5184028 commit dbb4558
Showing 15 changed files with 117 additions and 28 deletions.
Expand Up @@ -36,6 +36,10 @@ spec:
image: {{ .Values.bootstrap.jobs.postInstall.image.repository }}:{{ .Values.bootstrap.jobs.postInstall.image.tag }}
command: [ './app/bin/bootstrap-app-post' ]
imagePullPolicy: IfNotPresent
{{- if .Values.bootstrap.containerSecurityContext }}
securityContext:
{{- toYaml .Values.bootstrap.containerSecurityContext | nindent 12 }}
{{- end }}
env:
- name: TYK_K8SBOOTSTRAP_TYK_ADMIN_FIRSTNAME
{{ if .Values.global.adminUser.useSecretName }}
4 changes: 4 additions & 0 deletions components/tyk-bootstrap/templates/bootstrap-pre-delete.yaml
Expand Up @@ -39,6 +39,10 @@ spec:
image: {{ .Values.bootstrap.jobs.preDelete.image.repository }}:{{ .Values.bootstrap.jobs.preDelete.image.tag }}
command: [ './app/bin/bootstrap-app-pre-delete' ]
imagePullPolicy: IfNotPresent
{{- if .Values.bootstrap.containerSecurityContext }}
securityContext:
{{- toYaml .Values.bootstrap.containerSecurityContext | nindent 12 }}
{{- end }}
env:
- name: TYK_K8SBOOTSTRAP_OPERATORKUBERNETESSECRETNAME
value: {{ .Values.bootstrap.operatorSecret }}
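Review bot: The pre-delete hook container now runs with `readOnlyRootFilesystem: true` and a fixed `runAsUser: 1000` taken from `.Values.bootstrap.containerSecurityContext`, and no writable volume is visible in this hunk, so if `bootstrap-app-pre-delete` writes anything outside a mounted path the hook Job fails and, depending on the hook delete policy, `helm uninstall` stalls until the failed Job is cleaned up. The same value is applied to the pre-install and post-install hooks in this commit, so a write performed by any of the three binaries breaks all of them at once. I'd confirm the v2.1.1 bootstrap images need no writable path under this context, or add an `emptyDir` mounted at a scratch directory such as `/tmp` next to the new `securityContext`. The container spec continues past the hunk.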
Expand Up @@ -27,14 +27,18 @@ spec:
labels:
{{- with .Values.bootstrap.podLabels.preInstallPodLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
spec:
serviceAccountName: {{ default "k8s-bootstrap-role" .Values.bootstrap.serviceAccountName | quote }}
containers:
- name: bootstrap-tyk-pre-install
image: {{ .Values.bootstrap.jobs.preInstall.image.repository }}:{{ .Values.bootstrap.jobs.preInstall.image.tag }}
command: ['/app/bin/bootstrap-app-pre-install']
imagePullPolicy: IfNotPresent
{{- if .Values.bootstrap.containerSecurityContext }}
securityContext:
{{- toYaml .Values.bootstrap.containerSecurityContext | nindent 12 }}
{{- end }}
env:
- name: TYK_K8SBOOTSTRAP_TYK_DASHBOARDLICENSE
{{ if .Values.global.secrets.useSecretName }}
19 changes: 16 additions & 3 deletions components/tyk-bootstrap/values.yaml
Expand Up @@ -81,7 +81,7 @@ bootstrap:
# repository specifies image repository of pre-install job.
repository: tykio/tyk-k8s-bootstrap-pre-install
# tag specifies image tag of pre-install job.
tag: v2.1.0
tag: v2.1.1

# extraEnvs is used to set extra environment variables to pre-install job.
# - name: TYK_K8SBOOTSTRAP_TYK_DASHBOARDLICENSE
Expand All @@ -95,7 +95,7 @@ bootstrap:
# repository specifies image repository of post-install job.
repository: tykio/tyk-k8s-bootstrap-post
# tag specifies image tag of post-install job.
tag: v2.1.0
tag: v2.1.1

# extraEnvs is used to set extra environment variables to post-install job.
# - name: TYK_K8SBOOTSTRAP_TYK_ADMIN_FIRSTNAME
Expand All @@ -109,7 +109,7 @@ bootstrap:
# repository specifies image repository of pre-delete job.
repository: tykio/tyk-k8s-bootstrap-pre-delete
# tag specifies image tag of pre-delete job.
tag: v2.1.0
tag: v2.1.1

# extraEnvs is used to set extra environment variables to pre-delete job.
# - name: TYK_K8SBOOTSTRAP_OPERATORKUBERNETESSECRETNAME
Expand Down Expand Up @@ -154,3 +154,16 @@ bootstrap:
postInstallPodLabels: {}
# preDeletePodLabels specifies labels to be added to Tyk Bootstrap pre-delete hook's job pods.
preDeletePodLabels: {}

# containerSecurityContext values for bootstrap containers
containerSecurityContext:
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
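Review bot: The comment above the new `containerSecurityContext` block does not say what it governs or how it is disabled; the three hook templates wrap it in `{{- if .Values.bootstrap.containerSecurityContext }}`, so setting it to `{}` removes the `securityContext` entirely rather than relaxing a single field. Suggest: `# containerSecurityContext is applied to the pre-install, post-install and pre-delete hook Job containers. Set to {} to omit the securityContext entirely; override individual fields to relax it.` The bootstrap image tags are bumped to v2.1.1 in the same file, which suggests the binaries were changed to run as UID 1000 on a read-only root; if so, record the minimum image version next to the block, since anyone pinning an older tag will get failing hooks with no hint as to why.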
4 changes: 4 additions & 0 deletions components/tyk-dashboard/templates/deployment-dashboard.yaml
Expand Up @@ -60,6 +60,10 @@ spec:
- name: init-analytics-conf
image: busybox:1.32
args: ["sh", "-c", 'touch /etc/tyk-dashboard/tyk_analytics.conf && echo "{}" > /etc/tyk-dashboard/tyk_analytics.conf']
{{- if .Values.dashboard.containerSecurityContext }}
securityContext:
{{- toYaml .Values.dashboard.containerSecurityContext | nindent 12 }}
{{- end }}
volumeMounts:
- mountPath: /etc/tyk-dashboard
name: analytics-conf
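Review bot: The `init-analytics-conf` init container now inherits the Dashboard's hardened context, yet its image is still the floating `busybox:1.32` tag from Docker Hub with no digest and no values override, whereas the gateway's equivalent init container reads its image from `.Values.gateway.initContainers.setupDirectories.repository`/`.tag`; pinning by digest or exposing a `dashboard.initContainers.*` value would keep the new hardening from being undercut by an unverified image. The `echo "{}" > /etc/tyk-dashboard/tyk_analytics.conf` write lands on the `analytics-conf` mount, so `readOnlyRootFilesystem: true` is compatible provided that volume is writable by UID 1000 (an emptyDir is); the volume definition is outside this hunk, so that is worth a quick check. The initContainers list continues past the hunk.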
5 changes: 4 additions & 1 deletion components/tyk-dashboard/values.yaml
Expand Up @@ -334,12 +334,15 @@ dashboard:
# containerSecurityContext holds container-level security attributes for Tyk Dashboard container. All fields from SecurityContext object can be added here.
containerSecurityContext:
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- all
- ALL

# nodeSelector is a selector which must be true for Tyk Dashboard pod to fit on a specific node.
nodeSelector: {}
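Review bot: The new `runAsUser: 1000` default pins a UID on top of `runAsNonRoot: true`, which is stricter than the Pod Security Admission `restricted` profile requires and can break two real cases: an image whose baked-in user is a different UID (its files become unreadable at runtime) and clusters that allocate UID ranges per namespace, such as OpenShift's restricted SCC, which reject an explicit out-of-range `runAsUser`. If 1000 is the UID the Dashboard image actually runs as, state that above the block, e.g. `# runAsUser matches the non-root user baked into the tyk-dashboard image; drop it on clusters that allocate UIDs per namespace (e.g. OpenShift).` Otherwise `runAsNonRoot: true` alone satisfies `restricted` and leaves the UID to the image.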
5 changes: 4 additions & 1 deletion components/tyk-dev-portal/values.yaml
Expand Up @@ -195,12 +195,15 @@ securityContext:
# containerSecurityContext holds container-level security attributes for Tyk Developer Portal pod. All fields from SecurityContext object can be added here.
containerSecurityContext:
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- all
- ALL

# nodeSelector is a selector which must be true for Tyk Developer Portal pod to fit on a specific node.
nodeSelector: {}
4 changes: 4 additions & 0 deletions components/tyk-gateway/templates/deployment-gw-repset.yaml
Expand Up @@ -73,6 +73,10 @@ spec:
image: "{{ .Values.gateway.initContainers.setupDirectories.repository }}:{{ .Values.gateway.initContainers.setupDirectories.tag }}"
command: ['sh','-c','mkdir -p apps middleware policies && touch policies/policies.json']
workingDir: /mnt/tyk-gateway
{{- if .Values.gateway.containerSecurityContext }}
securityContext:
{{- toYaml .Values.gateway.containerSecurityContext | nindent 12 }}
{{- end }}
volumeMounts:
- name: tyk-scratch
mountPath: /mnt/tyk-gateway
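Review bot: The `setupDirectories` init container reuses `.Values.gateway.containerSecurityContext` wholesale, so its context cannot be tuned separately from the gateway's even though its image is already configured independently under `.Values.gateway.initContainers.setupDirectories`. A per-init-container override with a fallback keeps today's default while allowing divergence: `{{- with (default .Values.gateway.containerSecurityContext .Values.gateway.initContainers.setupDirectories.securityContext) }}`, then `securityContext:` and `{{- toYaml . | nindent 12 }}`. The `mkdir`/`touch` writes target the `tyk-scratch` mount at `/mnt/tyk-gateway`, so `readOnlyRootFilesystem: true` holds here, and the gateway container that later reads those files runs as the same UID 1000 under the shared value, which is what keeps the directory accessible; if the two contexts are ever split, that UID agreement is the invariant to preserve. The initContainers list continues past the hunk.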
5 changes: 4 additions & 1 deletion components/tyk-gateway/values.yaml
Expand Up @@ -372,12 +372,15 @@ gateway:
# containerSecurityContext values for gateway container. All fields from SecurityContext object can be added here.
containerSecurityContext:
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- all
- ALL

# node labels for gateway pod assignment
nodeSelector: {}
12 changes: 8 additions & 4 deletions components/tyk-mdcb/values.yaml
Expand Up @@ -252,12 +252,16 @@ mdcb:

# containerSecurityContext holds container-level security attributes for Tyk MDCB container. All fields from SecurityContext object can be added here.
containerSecurityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
# allowPrivilegeEscalation: false
# privileged: false
# readOnlyRootFilesystem: true
# seccompProfile:
# type: RuntimeDefault
# capabilities:
# drop:
# - ALL

service:
# type corresponds to the service type of Tyk MDCB Service.
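Review bot: MDCB is left as the only component whose `containerSecurityContext` still defaults to `{}`; this hunk only extends the commented example with `runAsUser`, `allowPrivilegeEscalation`, `privileged` and `seccompProfile`, so an MDCB pod rendered from defaults carries no seccomp profile, keeps all capabilities and may escalate privileges while every sibling chart is hardened. If the MDCB image cannot yet run under the same profile (a writable root or a different UID, say), the comment should name the blocking field rather than present the full set as an example; otherwise the same block should become the default here too. The example also now lists `readOnlyRootFilesystem: true` twice in the old and new text, so please check the final file has each key once.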
5 changes: 4 additions & 1 deletion components/tyk-pump/values.yaml
Expand Up @@ -316,12 +316,15 @@ pump:
# containerSecurityContext values for pump container. All fields from SecurityContext object can be added here.
containerSecurityContext:
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- all
- ALL

# node labels for pump pod assignment
nodeSelector: {}
32 changes: 24 additions & 8 deletions tyk-control-plane/values.yaml
Expand Up @@ -415,12 +415,15 @@ tyk-gateway:
# containerSecurityContext values for gateway container. All fields from SecurityContext object can be added here.
containerSecurityContext:
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- all
- ALL

# node labels for gateway pod assignment
nodeSelector: {}
Expand Down Expand Up @@ -674,12 +677,15 @@ tyk-pump:
# containerSecurityContext values for pump container. All fields from SecurityContext object can be added here.
containerSecurityContext:
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- all
- ALL

# node labels for pump pod assignment
nodeSelector: {}
Expand Down Expand Up @@ -967,12 +973,15 @@ tyk-dashboard:
# containerSecurityContext holds container-level security attributes for Tyk Dashboard container. All fields from SecurityContext object can be added here.
containerSecurityContext:
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- all
- ALL

# nodeSelector is a selector which must be true for Tyk Dashboard pod to fit on a specific node.
nodeSelector: {}
Expand Down Expand Up @@ -1170,12 +1179,16 @@ tyk-mdcb:

# containerSecurityContext holds container-level security attributes for Tyk MDCB container. All fields from SecurityContext object can be added here.
containerSecurityContext: {}
# runAsNonRoot: true
# runAsUser: 1000
# allowPrivilegeEscalation: false
# privileged: false
# readOnlyRootFilesystem: true
# seccompProfile:
# type: RuntimeDefault
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
# - ALL

service:
# type corresponds to the service type of Tyk MDCB Service.
Expand Down Expand Up @@ -1397,12 +1410,15 @@ tyk-dev-portal:
# containerSecurityContext holds container-level security attributes for Tyk Developer Portal pod. All fields from SecurityContext object can be added here.
containerSecurityContext:
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- all
- ALL
# nodeSelector is a selector which must be true for Tyk Developer Portal pod to fit on a specific node.
nodeSelector: {}
# tolerations specifies tolerations to be applied on Tyk Developer Portal pods.
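Review bot: The same `containerSecurityContext` block is now duplicated across five component values files and three umbrella charts, and this commit shows the cost: the `all` → `ALL` capability fix and the added `runAsUser`/`seccompProfile` fields had to be applied in every copy, while the `tyk-mdcb` entry in this file (as in `components/tyk-mdcb/values.yaml`) still defaults to `{}`. Documenting one baseline once and treating the per-component copies as overrides would make the next hardening change harder to miss in one chart. The `ALL` spelling is also worth a comment, since it matters beyond the container runtime: as far as I know Pod Security Admission's `restricted` check looks for the literal `ALL` in `capabilities.drop`, so `- all` passes at runtime but fails admission; e.g. `# drop ALL (uppercase) – the PSA restricted profile matches this value literally`.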
10 changes: 8 additions & 2 deletions tyk-data-plane/values.yaml
Expand Up @@ -362,12 +362,15 @@ tyk-gateway:
# containerSecurityContext values for gateway container. All fields from SecurityContext object can be added here.
containerSecurityContext:
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- all
- ALL

# node labels for gateway pod assignment
nodeSelector: {}
Expand Down Expand Up @@ -627,12 +630,15 @@ tyk-pump:
# containerSecurityContext values for pump container. All fields from SecurityContext object can be added here.
containerSecurityContext:
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- all
- ALL

# node labels for pump pod assignment
nodeSelector: {}
10 changes: 8 additions & 2 deletions tyk-oss/values.yaml
Expand Up @@ -332,12 +332,15 @@ tyk-gateway:
# containerSecurityContext values for gateway container. All fields from SecurityContext object can be added here.
containerSecurityContext:
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- all
- ALL

# node labels for gateway pod assignment
nodeSelector: {}
Expand Down Expand Up @@ -576,12 +579,15 @@ tyk-pump:
# containerSecurityContext values for pump container. All fields from SecurityContext object can be added here.
containerSecurityContext:
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- all
- ALL

# node labels for pump pod assignment
nodeSelector: {}