
Add ability to configure security context for the different components (#5600)

pull/5601/head
Johnny Cederholm 7 months ago
committed by GitHub
parent
commit
8c59348d28
No known key found for this signature in database GPG Key ID: B5690EEEBB952194
  1. 6
      k8s/charts/seaweedfs/templates/filer-statefulset.yaml
  2. 6
      k8s/charts/seaweedfs/templates/master-statefulset.yaml
  3. 6
      k8s/charts/seaweedfs/templates/post-install-bucket-hook.yaml
  4. 6
      k8s/charts/seaweedfs/templates/s3-deployment.yaml
  5. 6
      k8s/charts/seaweedfs/templates/volume-statefulset.yaml
  6. 76
      k8s/charts/seaweedfs/values.yaml

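--- a/k8s/charts/seaweedfs/templates/filer-statefulset.yaml
+++ b/k8s/charts/seaweedfs/templates/filer-statefulset.yaml
@@ -62,6 +62,9 @@ spec:
 initContainers:
 {{ tpl .Values.filer.initContainers . | nindent 8 | trim }}
 {{- end }}
+{{- if .Values.filer.podSecurityContext.enabled }}
+securityContext: {{- omit .Values.filer.podSecurityContext "enabled" | toYaml | nindent 8 }}
+{{- end }}
 containers:
 - name: seaweedfs
 image: {{ template "filer.image" . }}
@@ -264,6 +267,9 @@ spec:
 resources:
 {{ tpl .Values.filer.resources . | nindent 12 | trim }}
 {{- end }}
+{{- if .Values.filer.containerSecurityContext.enabled }}
+securityContext: {{- omit .Values.filer.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+{{- end }}
 {{- if .Values.filer.sidecars }}
 {{- include "common.tplvalues.render" (dict "value" .Values.filer.sidecars "context" $) | nindent 8 }}
 {{- end }}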
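Review bot: The container-level `securityContext` added in the second hunk is rendered only for the main `seaweedfs` container; the `initContainers` and `sidecars` blocks visible around it are still emitted straight from values and get nothing from `containerSecurityContext`. Container-only fields such as `allowPrivilegeEscalation: false` therefore do not reach those containers, and a namespace enforcing the restricted Pod Security Standard will still reject the pod when either is configured. I would state that next to the value, e.g. `# Applies to the main seaweedfs container only; set securityContext on initContainers and sidecars yourself.` The same applies to the master, s3 and volume templates in this commit.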

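--- a/k8s/charts/seaweedfs/templates/master-statefulset.yaml
+++ b/k8s/charts/seaweedfs/templates/master-statefulset.yaml
@@ -61,6 +61,9 @@ spec:
 initContainers:
 {{ tpl .Values.master.initContainers . | nindent 8 | trim }}
 {{- end }}
+{{- if .Values.master.podSecurityContext.enabled }}
+securityContext: {{- omit .Values.master.podSecurityContext "enabled" | toYaml | nindent 8 }}
+{{- end }}
 containers:
 - name: seaweedfs
 image: {{ template "master.image" . }}
@@ -222,6 +225,9 @@ spec:
 resources:
 {{ tpl .Values.master.resources . | nindent 12 | trim }}
 {{- end }}
+{{- if .Values.master.containerSecurityContext.enabled }}
+securityContext: {{- omit .Values.master.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+{{- end }}
 {{- if .Values.master.sidecars }}
 {{- include "common.tplvalues.render" (dict "value" .Values.master.sidecars "context" $) | nindent 8 }}
 {{- end }}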

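--- a/k8s/charts/seaweedfs/templates/post-install-bucket-hook.yaml
+++ b/k8s/charts/seaweedfs/templates/post-install-bucket-hook.yaml
@@ -22,6 +22,9 @@ spec:
 app.kubernetes.io/instance: {{ .Release.Name | quote }}
 spec:
 restartPolicy: Never
+{{- if .Values.filer.podSecurityContext.enabled }}
+securityContext: {{- omit .Values.filer.podSecurityContext "enabled" | toYaml | nindent 8 }}
+{{- end }}
 containers:
 - name: post-install-job
 image: {{ template "master.image" . }}
@@ -80,6 +83,9 @@ spec:
 {{- end }}
 - containerPort: {{ .Values.master.grpcPort }}
 #name: swfs-master-grpc
+{{- if .Values.filer.containerSecurityContext.enabled }}
+securityContext: {{- omit .Values.filer.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+{{- end }}
 {{- if .Values.filer.s3.enableAuth }}
 volumes:
 - name: config-users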
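Review bot: The hook Job reads both contexts from `.Values.filer.*` although its container runs `master.image`, so enabling the filer's security context also changes how the bucket-creation Job runs, and the two cannot be set independently. A `runAsUser` or `fsGroup` chosen to match the filer's data volumes has no particular meaning for this short-lived Job and could stop it from starting if the image expects a different user. I would at least document the coupling where the value is defined, e.g. `# also applied to the post-install bucket hook`, or give the hook its own values. The second hunk ends inside the pod spec, so the rest of the Job is not visible here.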

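--- a/k8s/charts/seaweedfs/templates/s3-deployment.yaml
+++ b/k8s/charts/seaweedfs/templates/s3-deployment.yaml
@@ -50,6 +50,9 @@ spec:
 initContainers:
 {{ tpl .Values.s3.initContainers . | nindent 8 | trim }}
 {{- end }}
+{{- if .Values.s3.podSecurityContext.enabled }}
+securityContext: {{- omit .Values.s3.podSecurityContext "enabled" | toYaml | nindent 8 }}
+{{- end }}
 containers:
 - name: seaweedfs
 image: {{ template "s3.image" . }}
@@ -199,6 +202,9 @@ spec:
 resources:
 {{ tpl .Values.s3.resources . | nindent 12 | trim }}
 {{- end }}
+{{- if .Values.s3.containerSecurityContext.enabled }}
+securityContext: {{- omit .Values.s3.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+{{- end }}
 {{- if .Values.s3.sidecars }}
 {{- include "common.tplvalues.render" (dict "value" .Values.s3.sidecars "context" $) | nindent 8 }}
 {{- end }}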

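--- a/k8s/charts/seaweedfs/templates/volume-statefulset.yaml
+++ b/k8s/charts/seaweedfs/templates/volume-statefulset.yaml
@@ -72,6 +72,9 @@ spec:
 {{ tpl .Values.volume.initContainers . | nindent 8 | trim }}
 {{- end }}
 {{- end }}
+{{- if .Values.volume.podSecurityContext.enabled }}
+securityContext: {{- omit .Values.volume.podSecurityContext "enabled" | toYaml | nindent 8 }}
+{{- end }}
 containers:
 - name: seaweedfs
 image: {{ template "volume.image" . }}
@@ -237,6 +240,9 @@ spec:
 resources:
 {{ tpl .Values.volume.resources . | nindent 12 | trim }}
 {{- end }}
+{{- if .Values.volume.containerSecurityContext.enabled }}
+securityContext: {{- omit .Values.volume.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+{{- end }}
 {{- if .Values.volume.sidecars }}
 {{- include "common.tplvalues.render" (dict "value" .Values.volume.sidecars "context" $) | nindent 8 }}
 {{- end }}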

76
k8s/charts/seaweedfs/values.yaml

@ -167,6 +167,25 @@ master:
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
serviceAccountName: "" serviceAccountName: ""
# Configure security context for Pod
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
# Example:
# podSecurityContext:
# enabled: true
# runAsUser: 1000
# runAsGroup: 3000
# fsGroup: 2000
podSecurityContext: {}
# Configure security context for Container
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
# Example:
# containerSecurityContext:
# enabled: true
# runAsUser: 2000
# allowPrivilegeEscalation: false
containerSecurityContext: {}
ingress: ingress:
enabled: false enabled: false
className: "nginx" className: "nginx"
@ -378,6 +397,25 @@ volume:
extraEnvironmentVars: extraEnvironmentVars:
# Configure security context for Pod
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
# Example:
# podSecurityContext:
# enabled: true
# runAsUser: 1000
# runAsGroup: 3000
# fsGroup: 2000
podSecurityContext: {}
# Configure security context for Container
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
# Example:
# containerSecurityContext:
# enabled: true
# runAsUser: 2000
# allowPrivilegeEscalation: false
containerSecurityContext: {}
# used to configure livenessProbe on volume-server containers # used to configure livenessProbe on volume-server containers
# #
livenessProbe: livenessProbe:
@ -536,6 +574,25 @@ filer:
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
serviceAccountName: "" serviceAccountName: ""
# Configure security context for Pod
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
# Example:
# podSecurityContext:
# enabled: true
# runAsUser: 1000
# runAsGroup: 3000
# fsGroup: 2000
podSecurityContext: {}
# Configure security context for Container
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
# Example:
# containerSecurityContext:
# enabled: true
# runAsUser: 2000
# allowPrivilegeEscalation: false
containerSecurityContext: {}
ingress: ingress:
enabled: false enabled: false
className: "nginx" className: "nginx"
@ -707,6 +764,25 @@ s3:
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
serviceAccountName: "" serviceAccountName: ""
# Configure security context for Pod
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
# Example:
# podSecurityContext:
# enabled: true
# runAsUser: 1000
# runAsGroup: 3000
# fsGroup: 2000
podSecurityContext: {}
# Configure security context for Container
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
# Example:
# containerSecurityContext:
# enabled: true
# runAsUser: 2000
# allowPrivilegeEscalation: false
containerSecurityContext: {}
logs: logs:
type: "hostPath" type: "hostPath"
size: "" size: ""
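Review bot: Both values default to `{}` in all four hunks (master, volume, filer, s3), so the chart still renders no `securityContext` unless the operator opts in, and the commented examples stop short of the settings admission policies usually check. I would extend the container example with `runAsNonRoot: true`, `capabilities: {drop: ["ALL"]}` and `seccompProfile: {type: RuntimeDefault}`, and add `# enabled is a chart-only switch; it is removed before the block is rendered`. The examples show `runAsUser: 1000` at pod level and `runAsUser: 2000` at container level; the container value takes precedence, which deserves a one-line comment so readers do not assume both apply. Kubernetes does not apply `fsGroup` ownership changes to hostPath volumes, so with the `hostPath` storage type visible in this file a non-root user may be unable to write its directories; a caveat next to the `fsGroup` example would help.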
