From 3609f2f7da6cce3459844b9310eda277a27d83df Mon Sep 17 00:00:00 2001
From: Wiedemann Matthias
Date: Fri, 13 Mar 2020 10:04:02 +0100
Subject: [PATCH] running containers as not-root
---
 helm/charts/nats/templates/statefulset.yaml | 4 ++++
 helm/charts/nats/values.yaml | 8 +++++++-
 helm/charts/stan/templates/statefulset.yaml | 4 ++++
 helm/charts/stan/values.yaml | 7 +++++++
 4 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/helm/charts/nats/templates/statefulset.yaml b/helm/charts/nats/templates/statefulset.yaml
index e77d3a8c..66856951 100644
--- a/helm/charts/nats/templates/statefulset.yaml
+++ b/helm/charts/nats/templates/statefulset.yaml
@@ -22,6 +22,10 @@ spec:
 app: {{ template "nats.name" . }}
 chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
 spec:
+{{- with .Values.securityContext }}
+ securityContext:
+{{ toYaml . | indent 8 }}
+{{- end }}
 # Common volumes for the containers.
 volumes:
 - name: config-volume
diff --git a/helm/charts/nats/values.yaml b/helm/charts/nats/values.yaml
index a1b75013..e1d7a22a 100644
--- a/helm/charts/nats/values.yaml
+++ b/helm/charts/nats/values.yaml
@@ -43,7 +43,13 @@ nats:
 connectErrorReports:
 reconnectErrorReports:
-# Toggle whether to use setup a NATS Cluster.
+# Toggle whether to use setup a Pod Security Context
+# ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+securityContext:
+ fsGroup: 1000
+ runAsUser: 1000
+ runAsNonRoot: true
+
 cluster:
 enabled: false
diff --git a/helm/charts/stan/templates/statefulset.yaml b/helm/charts/stan/templates/statefulset.yaml
index df020f1a..addf85a5 100644
--- a/helm/charts/stan/templates/statefulset.yaml
+++ b/helm/charts/stan/templates/statefulset.yaml
@@ -26,6 +26,10 @@ spec:
 app: {{ template "stan.name" . }}
 chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
 spec:
+{{- with .Values.securityContext }}
+ securityContext:
+{{ toYaml . | indent 8 }}
+{{- end }}
 terminationGracePeriodSeconds: 30
 volumes:
 - configMap:
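Review bot: The `securityContext:` block added under the pod `spec:` in the nats StatefulSet template (and identically in `helm/charts/stan/templates/statefulset.yaml`) is rendered at pod level only, so `.Values.securityContext` can carry `runAsUser`, `runAsNonRoot` and `fsGroup` but not the container-level fields `allowPrivilegeEscalation`, `readOnlyRootFilesystem` or `capabilities`. Those fields are not part of PodSecurityContext, so a user who puts them under this key gets a manifest that is rejected or has them dropped, depending on validation settings. Consider documenting the key as pod-level in values.yaml and exposing a separate per-container value in a follow-up. As a style point, `{{- toYaml . | nindent 8 }}` on the line after `securityContext:` would avoid the column-0 template line. The pod spec continues outside the hunk, so the container definitions are not visible here.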
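Review bot: The removed line `# Toggle whether to use setup a NATS Cluster.` was the description of `cluster:`, which now sits undocumented below the new block, while the replacement comment still says "Toggle" although `securityContext` is a map of settings rather than a switch. I would keep the original comment above `cluster:` and head the new block with `# Pod-level security context for the NATS pods (non-root UID/GID 1000 by default).`; the ref line also carries a stray `# ##` prefix. The same "Toggle" wording is copied into `helm/charts/stan/values.yaml`. Because these values are defaults, existing releases switch to UID 1000 on upgrade, which deserves a line in the chart's upgrade notes.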
diff --git a/helm/charts/stan/values.yaml b/helm/charts/stan/values.yaml
index d72eae71..3bb32bea 100644
--- a/helm/charts/stan/values.yaml
+++ b/helm/charts/stan/values.yaml
@@ -20,6 +20,13 @@ stan:
 nats:
 url:
+# Toggle whether to use setup a Pod Security Context
+# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+securityContext:
+ fsGroup: 1000
+ runAsUser: 1000
+ runAsNonRoot: true
+
 ###########################
 # #
 # Storage configuration #
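Review bot: Making `runAsUser: 1000` with `runAsNonRoot: true` the default in the stan chart changes which user writes to the store volume configured in the storage section that follows, and the new comment does not tell an operator that. If an existing release wrote its file store as root, access after an upgrade presumably depends on `fsGroup: 1000` being applied to the volume, which Kubernetes does only for volume types that support ownership management; this is worth confirming for the storage classes the chart is used with. I would add a comment above `fsGroup` such as `# fsGroup must grant write access to the store volume; existing root-owned data may need a one-time chown.`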