
Commit

fix: refactor security context inclusion in deployment templates and update service account settings

On-behalf-of: @SAP angel.kafazov@sap.com
Signed-off-by: Angel Kafazov <akafazov@cst-bg.net>
akafazov committed Nov 25, 2024
1 parent 557ba35 commit 0c6af2c
Showing 5 changed files with 24 additions and 8 deletions.
4 changes: 1 addition & 3 deletions charts/extension-manager-operator/templates/deployment.yaml
Expand Up @@ -33,9 +33,7 @@ spec:
image: {{ .Values.image.name }}:{{ .Chart.AppVersion }}
imagePullPolicy: {{ include "common.imagePullPolicy" . }}
name: manager
securityContext:
runAsNonRoot: true
readOnlyRootFilesystem: true
{{ include "common.security" . | nindent 10 }}
ports:
- containerPort: {{ .Values.metrics.port }}
name: metrics
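Review bot: on the `{{ include "common.security" . | nindent 10 }}` line, everything the helper emits lands inside the `manager` container entry, and the helper itself is not among the five files in this commit, so the rendered snapshot is the only way to see what it produces. That snapshot shows `automountServiceAccountToken` and `serviceAccountName` at the same level as `image` and `startupProbe`, but both are pod spec fields, not container fields. Suggest splitting the helper: one include for the container `securityContext` here, and a second one at `spec.template.spec` for the service account settings.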
Original file line number Diff line number Diff line change
Expand Up @@ -86,6 +86,7 @@ operator match the snapshot:
- --leader-elect
- --log-level=
- --health-probe-bind-address=:8081
automountServiceAccountToken: true
image: ghcr.io/openmfp/extension-content-operator:1.0.0
imagePullPolicy: Always
livenessProbe:
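Review bot: `automountServiceAccountToken: true` is rendered between the container's `args` and `image`, so it is a key of the container rather than of the pod spec. A container has no such field, so depending on validation it is rejected or dropped as unknown, and the setting has no effect either way. Move it to the pod spec; since `true` is already the Kubernetes default, it could also be exposed as a chart value so that workloads that never call the API can turn it off.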
Expand Down Expand Up @@ -118,6 +119,9 @@ operator match the snapshot:
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: extension-manager-operator
startupProbe:
failureThreshold: 30
httpGet:
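Review bot: `serviceAccountName: extension-manager-operator` sits between the container `securityContext` and `startupProbe`, which puts it in the container; if the unknown key is dropped there, the pod falls back to the namespace's `default` service account unless the name is also set at pod level outside the lines shown. Adding `seccompProfile` with `type: RuntimeDefault` is a good step; the rendered container `securityContext` still shows no `allowPrivilegeEscalation: false` and no `capabilities.drop: [ALL]`, both of which the Pod Security Standards restricted profile requires, so consider adding them to the helper as well.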
3 changes: 1 addition & 2 deletions charts/portal/templates/deploy.yaml
Expand Up @@ -27,8 +27,7 @@ spec:
- name: {{ include "common.entity.name" . }}
image: {{ .Values.image.name }}:{{ .Chart.AppVersion }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
readOnlyRootFilesystem: true
{{ include "common.security" . | nindent 8 }}
env:
- name: HTTP_PROTOCOL
value: {{ .Values.http.protocol }}
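Review bot: replacing the inline block (which only set `readOnlyRootFilesystem: true`) with the shared helper also turns on `runAsNonRoot: true` for the portal container, as the updated snapshot shows. With that flag the kubelet refuses to start a container whose image runs as UID 0 or declares a non-numeric user, so confirm that the portal image sets a numeric non-root `USER` or that `runAsUser` is set in the pod `securityContext`; only `fsGroup` and `runAsGroup` are visible there.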
7 changes: 6 additions & 1 deletion charts/portal/tests/__snapshot__/deploy_test.yaml.snap
Expand Up @@ -21,7 +21,8 @@ matches the snapshot:
app: portal
spec:
containers:
- env:
- automountServiceAccountToken: true
env:
- name: HTTP_PROTOCOL
value: https
- name: OIDC_CLIENT_ID_PORTAL
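Review bot: `- automountServiceAccountToken: true` is the first key of the container list item under `containers:`, so the snapshot now pins a pod-level field in the wrong place. For the portal, also check whether the process talks to the Kubernetes API at all; if not, the value that belongs in the pod spec is `automountServiceAccountToken: false`, so that no token is mounted into the container.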
Expand Down Expand Up @@ -64,6 +65,10 @@ matches the snapshot:
memory: 50Mi
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: portal
securityContext:
fsGroup: 2000
runAsGroup: 3000
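Review bot: `serviceAccountName: portal` appears before the pod-level `securityContext` (`fsGroup`, `runAsGroup`), i.e. still inside the container entry. None of the five changed files adds a ServiceAccount, so once the field is moved to the pod spec, make sure an account named `portal` is created by the chart or already exists in the target namespace; otherwise pods will not be created.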
14 changes: 12 additions & 2 deletions charts/portal/tests/__snapshot__/istio_test.yaml.snap
Expand Up @@ -21,7 +21,8 @@ matches the snapshot:
app: portal
spec:
containers:
- env:
- automountServiceAccountToken: true
env:
- name: HTTP_PROTOCOL
value: https
- name: OIDC_CLIENT_ID_PORTAL
Expand Down Expand Up @@ -64,6 +65,10 @@ matches the snapshot:
memory: 50Mi
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: portal
securityContext:
fsGroup: 2000
runAsGroup: 3000
Expand Down Expand Up @@ -160,7 +165,8 @@ matches the snapshot with istio disabled:
app: portal
spec:
containers:
- env:
- automountServiceAccountToken: true
env:
- name: HTTP_PROTOCOL
value: https
- name: OIDC_CLIENT_ID_PORTAL
Expand Down Expand Up @@ -203,6 +209,10 @@ matches the snapshot with istio disabled:
memory: 50Mi
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: portal
securityContext:
fsGroup: 2000
runAsGroup: 3000
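Review bot: the hunks in this file record the same rendering as `deploy_test.yaml.snap`, with and without istio, so the misplaced `automountServiceAccountToken` and `serviceAccountName` keys are now accepted by all three snapshots. A snapshot only proves the output did not change; consider adding an explicit assertion on `spec.template.spec.serviceAccountName` and on the container `securityContext` so that a field rendered in the wrong location fails the test.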
