diff --git a/charts/steadybit-extension-k6/Chart.yaml b/charts/steadybit-extension-k6/Chart.yaml
index dde58f6..5313ce9 100644
--- a/charts/steadybit-extension-k6/Chart.yaml
+++ b/charts/steadybit-extension-k6/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: steadybit-extension-k6
 description: Steadybit k6 extension Helm chart for Kubernetes.
-version: 1.2.9
+version: 1.2.10
 appVersion: v1.0.18
 home: https://www.steadybit.com/
 icon: https://steadybit-website-assets.s3.amazonaws.com/logo-symbol-transparent.png
diff --git a/charts/steadybit-extension-k6/templates/deployment.yaml b/charts/steadybit-extension-k6/templates/deployment.yaml
index 6ce0625..97f710c 100644
--- a/charts/steadybit-extension-k6/templates/deployment.yaml
+++ b/charts/steadybit-extension-k6/templates/deployment.yaml
@@ -115,15 +115,10 @@ spec:
 httpGet:
 path: /health/readiness
 port: 8088
+ {{- with .Values.containerSecurityContext }}
 securityContext:
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- runAsUser: 10000
- runAsGroup: 10000
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 volumes:
 - name: tmp-dir
 emptyDir: { }
diff --git a/charts/steadybit-extension-k6/tests/__snapshot__/deployment_test.yaml.snap b/charts/steadybit-extension-k6/tests/__snapshot__/deployment_test.yaml.snap
index ab434b9..5806585 100644
--- a/charts/steadybit-extension-k6/tests/__snapshot__/deployment_test.yaml.snap
+++ b/charts/steadybit-extension-k6/tests/__snapshot__/deployment_test.yaml.snap
@@ -78,12 +78,13 @@ manifest should match snapshot using podAnnotations and Labels: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 10000 - runAsNonRoot: true - runAsUser: 10000 volumeMounts: - mountPath: /tmp name: tmp-dir + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-extension-k6 volumes: - emptyDir: {}
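Review bot: In templates/deployment.yaml the container `securityContext:` key is now rendered only inside `{{- with .Values.containerSecurityContext }}`, so an override that empties the value (for example `containerSecurityContext: null` or `{}`) produces a container with no securityContext at all, removing `readOnlyRootFilesystem`, `allowPrivilegeEscalation: false` and the `drop: ALL` capability set in one step. The old template enforced these regardless of values; if they are meant to stay a floor, keep them in the template and merge user values on top, and otherwise add a comment above the `with` such as `# rendered only when containerSecurityContext is non-empty; emptying it removes all container hardening`. The snapshot hunks in this commit exercise only the default values, so a test with a custom and with an empty containerSecurityContext would pin the new behaviour. The enclosing container spec starts and ends outside the hunk.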
@@ -170,15 +171,16 @@ manifest should match snapshot with TLS: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 10000 - runAsNonRoot: true - runAsUser: 10000 volumeMounts: - mountPath: /tmp name: tmp-dir - mountPath: /etc/extension/certificates/server-cert name: certificate-server-cert readOnly: true + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-extension-k6 volumes: - emptyDir: {} @@ -270,12 +272,13 @@ manifest should match snapshot with api key: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 10000 - runAsNonRoot: true - runAsUser: 10000 volumeMounts: - mountPath: /tmp name: tmp-dir + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-extension-k6 volumes: - emptyDir: {} @@ -363,12 +366,13 @@ manifest should match snapshot with existing secret: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 10000 - runAsNonRoot: true - runAsUser: 10000 volumeMounts: - mountPath: /tmp name: tmp-dir + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-extension-k6 volumes: - emptyDir: {} @@ -458,12 +462,13 @@ manifest should match snapshot with extra env vars: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 10000 - runAsNonRoot: true - runAsUser: 10000 volumeMounts: - mountPath: /tmp name: tmp-dir + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-extension-k6 volumes: - emptyDir: {} @@ -548,12 +553,13 @@ manifest should match snapshot with extra labels: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 10000 - runAsNonRoot: true - runAsUser: 10000 volumeMounts: - mountPath: /tmp name: tmp-dir + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-extension-k6 volumes: - emptyDir: {} 
@@ -636,14 +642,15 @@ manifest should match snapshot with extra volumes: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 10000 - runAsNonRoot: true - runAsUser: 10000 volumeMounts: - mountPath: /tmp name: tmp-dir - mountPath: /foobar name: example + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-extension-k6 volumes: - emptyDir: {} @@ -734,9 +741,6 @@ manifest should match snapshot with mutual TLS: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 10000 - runAsNonRoot: true - runAsUser: 10000 volumeMounts: - mountPath: /tmp name: tmp-dir @@ -746,6 +750,10 @@ manifest should match snapshot with mutual TLS: - mountPath: /etc/extension/certificates/server-cert name: certificate-server-cert readOnly: true + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-extension-k6 volumes: - emptyDir: {} @@ -842,12 +850,13 @@ manifest should match snapshot with mutual TLS using containerPaths: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 10000 - runAsNonRoot: true - runAsUser: 10000 volumeMounts: - mountPath: /tmp name: tmp-dir + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-extension-k6 volumes: - emptyDir: {} @@ -930,14 +939,14 @@ manifest should match snapshot with podSecurityContext: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 10000 - runAsNonRoot: true - runAsUser: 10000 volumeMounts: - mountPath: /tmp name: tmp-dir securityContext: + runAsNonRoot: true runAsUser: 2222 + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-extension-k6 volumes: - emptyDir: {} 
@@ -1020,13 +1029,14 @@ manifest should match snapshot with priority class: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 10000 - runAsNonRoot: true - runAsUser: 10000 volumeMounts: - mountPath: /tmp name: tmp-dir priorityClassName: my-priority-class + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-extension-k6 volumes: - emptyDir: {} @@ -1109,12 +1119,13 @@ manifest should match snapshot without TLS: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 10000 - runAsNonRoot: true - runAsUser: 10000 volumeMounts: - mountPath: /tmp name: tmp-dir + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-extension-k6 volumes: - emptyDir: {} @@ -1199,12 +1210,13 @@ should add cluster name from global values: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 10000 - runAsNonRoot: true - runAsUser: 10000 volumeMounts: - mountPath: /tmp name: tmp-dir + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-extension-k6 volumes: - emptyDir: {} @@ -1289,12 +1301,13 @@ should add cluster name from local values: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 10000 - runAsNonRoot: true - runAsUser: 10000 volumeMounts: - mountPath: /tmp name: tmp-dir + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-extension-k6 volumes: - emptyDir: {} @@ -1379,12 +1392,13 @@ should enable location selection: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 10000 - runAsNonRoot: true - runAsUser: 10000 volumeMounts: - mountPath: /tmp name: tmp-dir + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-extension-k6 volumes: - emptyDir: {} diff --git a/charts/steadybit-extension-k6/values.yaml b/charts/steadybit-extension-k6/values.yaml index 1cd71f6..a33f520 100644 
--- a/charts/steadybit-extension-k6/values.yaml +++ b/charts/steadybit-extension-k6/values.yaml @@ -113,7 +113,18 @@ affinity: {} priorityClassName: null # podSecurityContext -- SecurityContext to apply to the pod. -podSecurityContext: {} +podSecurityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + +# containerSecurityContext -- SecurityContext to apply to the container. +containerSecurityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL # extraEnv -- Array with extra environment variables to add to the container # e.g:
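Review bot: The new defaults in values.yaml set `runAsNonRoot: true` on the pod but no longer carry the numeric IDs the template used to pin (`runAsUser: 10000`, `runAsGroup: 10000`), and the updated snapshots confirm they are gone from the rendered manifest. With `runAsNonRoot` and no `runAsUser`, the kubelet has to verify non-root from the image's own USER, and it refuses to start a container whose image declares no user or a non-numeric one; the image is not visible in this diff, so that should be confirmed. If the image does not guarantee a numeric non-root user, add `runAsUser: 10000` and `runAsGroup: 10000` under `podSecurityContext`. It would also help to extend the comment to `# containerSecurityContext -- SecurityContext to apply to the container. Setting this to null removes the default hardening.`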