Merge pull request #82 from steadybit/refa/helm-no-hardcoded-uid
refa: avoid hard-coded uid in helm chart
joshiste authored Dec 6, 2024
2 parents cd1f7e2 + 1deb622 commit afdff86
Showing 4 changed files with 75 additions and 55 deletions.
2 changes: 1 addition & 1 deletion charts/steadybit-extension-k6/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v2
name: steadybit-extension-k6
description: Steadybit k6 extension Helm chart for Kubernetes.
version: 1.2.9
version: 1.2.10
appVersion: v1.0.18
home: https://www.steadybit.com/
icon: https://steadybit-website-assets.s3.amazonaws.com/logo-symbol-transparent.png
11 changes: 3 additions & 8 deletions charts/steadybit-extension-k6/templates/deployment.yaml
Expand Up @@ -115,15 +115,10 @@ spec:
httpGet:
path: /health/readiness
port: 8088
{{- with .Values.containerSecurityContext }}
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 10000
runAsGroup: 10000
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
{{- toYaml . | nindent 12 }}
{{- end }}
volumes:
- name: tmp-dir
emptyDir: { }
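Review bot: The `{{- with .Values.containerSecurityContext }}` guard around `securityContext:` renders nothing when the value is empty, for example when an install sets `containerSecurityContext: null`, so the container silently loses `readOnlyRootFilesystem`, `allowPrivilegeEscalation: false` and the `drop: ALL` capabilities that used to be unconditional in this template. Consider keeping those three settings as a base in the template and merging user values over them, or at least stating in values.yaml that clearing the key removes the hardening.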
Expand Up @@ -78,12 +78,13 @@ manifest should match snapshot using podAnnotations and Labels:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 10000
runAsNonRoot: true
runAsUser: 10000
volumeMounts:
- mountPath: /tmp
name: tmp-dir
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-extension-k6
volumes:
- emptyDir: {}
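Review bot: With `runAsUser: 10000` and `runAsGroup: 10000` gone from the container and only `runAsNonRoot: true` left at pod level, startup now depends on the image declaring a numeric non-root USER; the kubelet refuses to start a container under `runAsNonRoot` when the image user is root or a non-numeric name. Worth confirming that the image for appVersion v1.0.18 meets that, and mentioning the requirement in the chart docs for anyone overriding the image.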
Expand Down Expand Up @@ -170,15 +171,16 @@ manifest should match snapshot with TLS:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 10000
runAsNonRoot: true
runAsUser: 10000
volumeMounts:
- mountPath: /tmp
name: tmp-dir
- mountPath: /etc/extension/certificates/server-cert
name: certificate-server-cert
readOnly: true
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-extension-k6
volumes:
- emptyDir: {}
Expand Down Expand Up @@ -270,12 +272,13 @@ manifest should match snapshot with api key:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 10000
runAsNonRoot: true
runAsUser: 10000
volumeMounts:
- mountPath: /tmp
name: tmp-dir
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-extension-k6
volumes:
- emptyDir: {}
Expand Down Expand Up @@ -363,12 +366,13 @@ manifest should match snapshot with existing secret:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 10000
runAsNonRoot: true
runAsUser: 10000
volumeMounts:
- mountPath: /tmp
name: tmp-dir
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-extension-k6
volumes:
- emptyDir: {}
Expand Down Expand Up @@ -458,12 +462,13 @@ manifest should match snapshot with extra env vars:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 10000
runAsNonRoot: true
runAsUser: 10000
volumeMounts:
- mountPath: /tmp
name: tmp-dir
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-extension-k6
volumes:
- emptyDir: {}
Expand Down Expand Up @@ -548,12 +553,13 @@ manifest should match snapshot with extra labels:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 10000
runAsNonRoot: true
runAsUser: 10000
volumeMounts:
- mountPath: /tmp
name: tmp-dir
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-extension-k6
volumes:
- emptyDir: {}
Expand Down Expand Up @@ -636,14 +642,15 @@ manifest should match snapshot with extra volumes:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 10000
runAsNonRoot: true
runAsUser: 10000
volumeMounts:
- mountPath: /tmp
name: tmp-dir
- mountPath: /foobar
name: example
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-extension-k6
volumes:
- emptyDir: {}
Expand Down Expand Up @@ -734,9 +741,6 @@ manifest should match snapshot with mutual TLS:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 10000
runAsNonRoot: true
runAsUser: 10000
volumeMounts:
- mountPath: /tmp
name: tmp-dir
Expand All @@ -746,6 +750,10 @@ manifest should match snapshot with mutual TLS:
- mountPath: /etc/extension/certificates/server-cert
name: certificate-server-cert
readOnly: true
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-extension-k6
volumes:
- emptyDir: {}
Expand Down Expand Up @@ -842,12 +850,13 @@ manifest should match snapshot with mutual TLS using containerPaths:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 10000
runAsNonRoot: true
runAsUser: 10000
volumeMounts:
- mountPath: /tmp
name: tmp-dir
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-extension-k6
volumes:
- emptyDir: {}
Expand Down Expand Up @@ -930,14 +939,14 @@ manifest should match snapshot with podSecurityContext:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 10000
runAsNonRoot: true
runAsUser: 10000
volumeMounts:
- mountPath: /tmp
name: tmp-dir
securityContext:
runAsNonRoot: true
runAsUser: 2222
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-extension-k6
volumes:
- emptyDir: {}
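Review bot: This `podSecurityContext` case, where `runAsUser: 2222` lands next to the default `seccompProfile` and `runAsNonRoot`, is the only snapshot in the diff that overrides a security context; nothing exercises the new `containerSecurityContext` value. Suggest adding one case that overrides it (for example with a `runAsUser`) and one that sets it to `null`, so the `with` guard in deployment.yaml is covered by a snapshot.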
Expand Down Expand Up @@ -1020,13 +1029,14 @@ manifest should match snapshot with priority class:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 10000
runAsNonRoot: true
runAsUser: 10000
volumeMounts:
- mountPath: /tmp
name: tmp-dir
priorityClassName: my-priority-class
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-extension-k6
volumes:
- emptyDir: {}
Expand Down Expand Up @@ -1109,12 +1119,13 @@ manifest should match snapshot without TLS:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 10000
runAsNonRoot: true
runAsUser: 10000
volumeMounts:
- mountPath: /tmp
name: tmp-dir
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-extension-k6
volumes:
- emptyDir: {}
Expand Down Expand Up @@ -1199,12 +1210,13 @@ should add cluster name from global values:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 10000
runAsNonRoot: true
runAsUser: 10000
volumeMounts:
- mountPath: /tmp
name: tmp-dir
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-extension-k6
volumes:
- emptyDir: {}
Expand Down Expand Up @@ -1289,12 +1301,13 @@ should add cluster name from local values:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 10000
runAsNonRoot: true
runAsUser: 10000
volumeMounts:
- mountPath: /tmp
name: tmp-dir
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-extension-k6
volumes:
- emptyDir: {}
Expand Down Expand Up @@ -1379,12 +1392,13 @@ should enable location selection:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 10000
runAsNonRoot: true
runAsUser: 10000
volumeMounts:
- mountPath: /tmp
name: tmp-dir
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-extension-k6
volumes:
- emptyDir: {}
13 changes: 12 additions & 1 deletion charts/steadybit-extension-k6/values.yaml
Expand Up @@ -113,7 +113,18 @@ affinity: {}
priorityClassName: null

# podSecurityContext -- SecurityContext to apply to the pod.
podSecurityContext: {}
podSecurityContext:
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true

# containerSecurityContext -- SecurityContext to apply to the container.
containerSecurityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL

# extraEnv -- Array with extra environment variables to add to the container
# e.g:
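Review bot: The `# podSecurityContext --` and `# containerSecurityContext --` comments do not say that these defaults are now non-empty and that Helm deep-merges user maps into them, so removing a default such as `readOnlyRootFilesystem` requires setting that key to `null` rather than omitting it. Suggest extending both comments with that, and noting that the UID and GID are no longer pinned, so installs that relied on 10000 need to set `runAsUser` and `runAsGroup` themselves.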