TT-12054: add security context to init containers #285

Expand Up @@ -36,6 +36,10 @@ spec:
image: {{ .Values.bootstrap.jobs.postInstall.image.repository }}:{{ .Values.bootstrap.jobs.postInstall.image.tag }}
command: [ './app/bin/bootstrap-app-post' ]
imagePullPolicy: IfNotPresent
{{- if .Values.bootstrap.containerSecurityContext }}
securityContext:
{{- toYaml .Values.bootstrap.containerSecurityContext | nindent 12 }}
{{- end }}
env:
- name: TYK_K8SBOOTSTRAP_TYK_ADMIN_FIRSTNAME
{{ if .Values.global.adminUser.useSecretName }}
Expand Up @@ -39,6 +39,10 @@ spec:
image: {{ .Values.bootstrap.jobs.preDelete.image.repository }}:{{ .Values.bootstrap.jobs.preDelete.image.tag }}
command: [ './app/bin/bootstrap-app-pre-delete' ]
imagePullPolicy: IfNotPresent
{{- if .Values.bootstrap.containerSecurityContext }}
securityContext:
{{- toYaml .Values.bootstrap.containerSecurityContext | nindent 12 }}
{{- end }}
env:
- name: TYK_K8SBOOTSTRAP_OPERATORKUBERNETESSECRETNAME
value: {{ .Values.bootstrap.operatorSecret }}
Expand Up @@ -27,14 +27,18 @@ spec:
labels:
{{- with .Values.bootstrap.podLabels.preInstallPodLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
spec:
serviceAccountName: {{ default "k8s-bootstrap-role" .Values.bootstrap.serviceAccountName | quote }}
containers:
- name: bootstrap-tyk-pre-install
image: {{ .Values.bootstrap.jobs.preInstall.image.repository }}:{{ .Values.bootstrap.jobs.preInstall.image.tag }}
command: ['/app/bin/bootstrap-app-pre-install']
imagePullPolicy: IfNotPresent
{{- if .Values.bootstrap.containerSecurityContext }}
securityContext:
{{- toYaml .Values.bootstrap.containerSecurityContext | nindent 12 }}
{{- end }}
env:
- name: TYK_K8SBOOTSTRAP_TYK_DASHBOARDLICENSE
{{ if .Values.global.secrets.useSecretName }}
19 changes: 16 additions & 3 deletions components/tyk-bootstrap/values.yaml
Expand Up @@ -81,7 +81,7 @@ bootstrap:
# repository specifies image repository of pre-install job.
repository: tykio/tyk-k8s-bootstrap-pre-install
# tag specifies image tag of pre-install job.
tag: v2.1.0
tag: v2.1.1

# extraEnvs is used to set extra environment variables to pre-install job.
# - name: TYK_K8SBOOTSTRAP_TYK_DASHBOARDLICENSE
Expand All @@ -95,7 +95,7 @@ bootstrap:
# repository specifies image repository of post-install job.
repository: tykio/tyk-k8s-bootstrap-post
# tag specifies image tag of post-install job.
tag: v2.1.0
tag: v2.1.1

# extraEnvs is used to set extra environment variables to post-install job.
# - name: TYK_K8SBOOTSTRAP_TYK_ADMIN_FIRSTNAME
Expand All @@ -109,7 +109,7 @@ bootstrap:
# repository specifies image repository of pre-delete job.
repository: tykio/tyk-k8s-bootstrap-pre-delete
# tag specifies image tag of pre-delete job.
tag: v2.1.0
tag: v2.1.1

# extraEnvs is used to set extra environment variables to pre-delete job.
# - name: TYK_K8SBOOTSTRAP_OPERATORKUBERNETESSECRETNAME
Expand Down Expand Up @@ -154,3 +154,16 @@ bootstrap:
postInstallPodLabels: {}
# preDeletePodLabels specifies labels to be added to Tyk Bootstrap pre-delete hook's job pods.
preDeletePodLabels: {}

# containerSecurityContext values for bootstrap containers
containerSecurityContext:
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
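Review bot: The new `containerSecurityContext` block at the end of components/tyk-bootstrap/values.yaml carries a one-line comment, whereas every other component's block states which container it applies to and that any SecurityContext field is accepted; since this key is now consumed by all three hook job templates, the comment should say so. Suggested: `# containerSecurityContext holds container-level security attributes for the pre-install, post-install and pre-delete bootstrap job containers. All fields from SecurityContext object can be added here.` Because the job templates wrap the block in `{{- if }}`, setting it to `{}` renders no securityContext at all rather than falling back to a default, which deserves a second comment line: `# Set to {} to render no securityContext on the bootstrap jobs.` The image tag bumps to v2.1.1 in the same file presumably make the bootstrap images work as UID 1000 with a read-only root filesystem; a note tying the tag to these defaults would help anyone who pins an older tag.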
Expand Up @@ -60,6 +60,10 @@ spec:
- name: init-analytics-conf
image: busybox:1.32
args: ["sh", "-c", 'touch /etc/tyk-dashboard/tyk_analytics.conf && echo "{}" > /etc/tyk-dashboard/tyk_analytics.conf']
{{- if .Values.dashboard.containerSecurityContext }}
securityContext:
{{- toYaml .Values.dashboard.containerSecurityContext | nindent 12 }}
{{- end }}
volumeMounts:
- mountPath: /etc/tyk-dashboard
name: analytics-conf
5 changes: 4 additions & 1 deletion components/tyk-dashboard/values.yaml
Expand Up @@ -334,12 +334,15 @@ dashboard:
# containerSecurityContext holds container-level security attributes for Tyk Dashboard container. All fields from SecurityContext object can be added here.
containerSecurityContext:
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- all
- ALL

# nodeSelector is a selector which must be true for Tyk Dashboard pod to fit on a specific node.
nodeSelector: {}
5 changes: 4 additions & 1 deletion components/tyk-dev-portal/values.yaml
Expand Up @@ -195,12 +195,15 @@ securityContext:
# containerSecurityContext holds container-level security attributes for Tyk Developer Portal pod. All fields from SecurityContext object can be added here.
containerSecurityContext:
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- all
- ALL

# nodeSelector is a selector which must be true for Tyk Developer Portal pod to fit on a specific node.
nodeSelector: {}
4 changes: 4 additions & 0 deletions components/tyk-gateway/templates/deployment-gw-repset.yaml
Expand Up @@ -73,6 +73,10 @@ spec:
image: "{{ .Values.gateway.initContainers.setupDirectories.repository }}:{{ .Values.gateway.initContainers.setupDirectories.tag }}"
command: ['sh','-c','mkdir -p apps middleware policies && touch policies/policies.json']
workingDir: /mnt/tyk-gateway
{{- if .Values.gateway.containerSecurityContext }}
securityContext:
{{- toYaml .Values.gateway.containerSecurityContext | nindent 12 }}
{{- end }}
volumeMounts:
- name: tyk-scratch
mountPath: /mnt/tyk-gateway
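Review bot: With the new `{{- if .Values.gateway.containerSecurityContext }}` guard, an empty value renders no securityContext for the `setupDirectories` init container, so it silently runs as the image's default user instead of any non-root default; in a namespace enforcing the Restricted Pod Security Standard the whole pod is then rejected, so the values comment or a template comment should state that `{}` means "no hardening" rather than "defaults". With the shipped defaults the init container runs as UID 1000 with a read-only root filesystem, which works because `mkdir -p apps middleware policies && touch policies/policies.json` writes only under `workingDir: /mnt/tyk-gateway`, the `tyk-scratch` mount; the files it creates are then owned by UID 1000, so the gateway container must run with the same UID, which holds as long as both containers read the same key (the main container is outside this hunk, so that is inferred). A template comment would make the coupling explicit: `{{/* Shares gateway.containerSecurityContext with the gateway container so files created in tyk-scratch are owned by the same UID */}}`. The same two points apply to the `init-analytics-conf` init container in the dashboard deployment template, which writes into the `analytics-conf` mount.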
5 changes: 4 additions & 1 deletion components/tyk-gateway/values.yaml
Expand Up @@ -372,12 +372,15 @@ gateway:
# containerSecurityContext values for gateway container. All fields from SecurityContext object can be added here.
containerSecurityContext:
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- all
- ALL

# node labels for gateway pod assignment
nodeSelector: {}
12 changes: 8 additions & 4 deletions components/tyk-mdcb/values.yaml
Expand Up @@ -252,12 +252,16 @@ mdcb:

# containerSecurityContext holds container-level security attributes for Tyk MDCB container. All fields from SecurityContext object can be added here.
containerSecurityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
# allowPrivilegeEscalation: false
# privileged: false
# readOnlyRootFilesystem: true
# seccompProfile:
# type: RuntimeDefault
# capabilities:
# drop:
# - ALL

service:
# type corresponds to the service type of Tyk MDCB Service.
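Review bot: `containerSecurityContext: {}` for MDCB keeps the entire hardened block commented out, so after this PR the MDCB container is the only component that still gets no securityContext by default, and the same holds for the `tyk-mdcb` subchart values in tyk-control-plane/values.yaml. If the MDCB image cannot yet run with `readOnlyRootFilesystem: true` or as UID 1000, the comment above the key should name the blocking field so the exception is not mistaken for an oversight, e.g. `# Left empty because <reason>; uncomment the block below once the MDCB image supports it.` Otherwise enabling the same defaults here keeps the charts consistent and lets a full release pass a Restricted PSS namespace.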
5 changes: 4 additions & 1 deletion components/tyk-pump/values.yaml
Expand Up @@ -316,12 +316,15 @@ pump:
# containerSecurityContext values for pump container. All fields from SecurityContext object can be added here.
containerSecurityContext:
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- all
- ALL

# node labels for pump pod assignment
nodeSelector: {}
32 changes: 24 additions & 8 deletions tyk-control-plane/values.yaml
Expand Up @@ -415,12 +415,15 @@ tyk-gateway:
# containerSecurityContext values for gateway container. All fields from SecurityContext object can be added here.
containerSecurityContext:
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- all
- ALL

# node labels for gateway pod assignment
nodeSelector: {}
Expand Down Expand Up @@ -674,12 +677,15 @@ tyk-pump:
# containerSecurityContext values for pump container. All fields from SecurityContext object can be added here.
containerSecurityContext:
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- all
- ALL

# node labels for pump pod assignment
nodeSelector: {}
Expand Down Expand Up @@ -967,12 +973,15 @@ tyk-dashboard:
# containerSecurityContext holds container-level security attributes for Tyk Dashboard container. All fields from SecurityContext object can be added here.
containerSecurityContext:
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- all
- ALL

# nodeSelector is a selector which must be true for Tyk Dashboard pod to fit on a specific node.
nodeSelector: {}
Expand Down Expand Up @@ -1170,12 +1179,16 @@ tyk-mdcb:

# containerSecurityContext holds container-level security attributes for Tyk MDCB container. All fields from SecurityContext object can be added here.
containerSecurityContext: {}
# runAsNonRoot: true
# runAsUser: 1000
# allowPrivilegeEscalation: false
# privileged: false
# readOnlyRootFilesystem: true
# seccompProfile:
# type: RuntimeDefault
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
# - ALL

service:
# type corresponds to the service type of Tyk MDCB Service.
Expand Down Expand Up @@ -1397,12 +1410,15 @@ tyk-dev-portal:
# containerSecurityContext holds container-level security attributes for Tyk Developer Portal pod. All fields from SecurityContext object can be added here.
containerSecurityContext:
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- all
- ALL
# nodeSelector is a selector which must be true for Tyk Developer Portal pod to fit on a specific node.
nodeSelector: {}
# tolerations specifies tolerations to be applied on Tyk Developer Portal pods.
10 changes: 8 additions & 2 deletions tyk-data-plane/values.yaml
Expand Up @@ -362,12 +362,15 @@ tyk-gateway:
# containerSecurityContext values for gateway container. All fields from SecurityContext object can be added here.
containerSecurityContext:
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- all
- ALL

# node labels for gateway pod assignment
nodeSelector: {}
Expand Down Expand Up @@ -627,12 +630,15 @@ tyk-pump:
# containerSecurityContext values for pump container. All fields from SecurityContext object can be added here.
containerSecurityContext:
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- all
- ALL

# node labels for pump pod assignment
nodeSelector: {}
10 changes: 8 additions & 2 deletions tyk-oss/values.yaml
Expand Up @@ -332,12 +332,15 @@ tyk-gateway:
# containerSecurityContext values for gateway container. All fields from SecurityContext object can be added here.
containerSecurityContext:
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- all
- ALL

# node labels for gateway pod assignment
nodeSelector: {}
Expand Down Expand Up @@ -576,12 +579,15 @@ tyk-pump:
# containerSecurityContext values for pump container. All fields from SecurityContext object can be added here.
containerSecurityContext:
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- all
- ALL

# node labels for pump pod assignment
nodeSelector: {}