From d426e2c3991a851d9b3fbbab35ef4ae41f8bad3e Mon Sep 17 00:00:00 2001
From: Matt Dainty
Date: Tue, 17 Oct 2023 21:47:56 +0100
Subject: [PATCH] Update securityContext defaults (#1346)

Co-authored-by: Andy Suderman
---
 stable/goldilocks/Chart.yaml | 2 +-
 stable/goldilocks/README.md | 4 ++--
 stable/goldilocks/values.yaml | 8 ++++++--
 3 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/stable/goldilocks/Chart.yaml b/stable/goldilocks/Chart.yaml
index 8a2ab1a73..41f935379 100644
--- a/stable/goldilocks/Chart.yaml
+++ b/stable/goldilocks/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 appVersion: "v4.10.0"
-version: 7.3.0
+version: 7.3.1
 kubeVersion: ">= 1.22.0-0"
 description: |
 A Helm chart for running Fairwinds Goldilocks. See https://github.com/FairwindsOps/goldilocks
diff --git a/stable/goldilocks/README.md b/stable/goldilocks/README.md
index 7d45b8f6a..181013191 100644
--- a/stable/goldilocks/README.md
+++ b/stable/goldilocks/README.md
@@ -85,7 +85,7 @@ This will completely remove the VPA and then re-install it using the new method.
 | controller.affinity | object | `{}` | Affinity for the controller pods |
 | controller.topologySpreadConstraints | list | `[]` | Topology spread constraints for the controller pods |
 | controller.resources | object | `{"limits":{},"requests":{"cpu":"25m","memory":"256Mi"}}` | The resources block for the controller pods |
-| controller.podSecurityContext | object | `{}` | Defines the podSecurityContext for the controller pod |
+| controller.podSecurityContext | object | `{"seccompProfile":{"type":"RuntimeDefault"}}` | Defines the podSecurityContext for the controller pod |
 | controller.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":10324}` | The container securityContext for the controller container |
 | controller.deployment.extraVolumeMounts | list | `[]` | Extra volume mounts for the controller container |
 | controller.deployment.extraVolumes | list | `[]` | Extra volumes for the controller pod |
@@ -119,7 +119,7 @@ This will completely remove the VPA and then re-install it using the new method.
 | dashboard.ingress.hosts[0].paths[0].type | string | `"ImplementationSpecific"` | |
 | dashboard.ingress.tls | list | `[]` | |
 | dashboard.resources | object | `{"limits":{},"requests":{"cpu":"25m","memory":"256Mi"}}` | A resources block for the dashboard. |
-| dashboard.podSecurityContext | object | `{}` | Defines the podSecurityContext for the dashboard pod |
+| dashboard.podSecurityContext | object | `{"seccompProfile":{"type":"RuntimeDefault"}}` | Defines the podSecurityContext for the dashboard pod |
 | dashboard.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":10324}` | The container securityContext for the dashboard container |
 | dashboard.nodeSelector | object | `{}` | |
 | dashboard.tolerations | list | `[]` | |
diff --git a/stable/goldilocks/values.yaml b/stable/goldilocks/values.yaml
index f50e929cf..3fe26040f 100644
--- a/stable/goldilocks/values.yaml
+++ b/stable/goldilocks/values.yaml
@@ -66,7 +66,9 @@ controller:
 cpu: 25m
 memory: 256Mi
 # controller.podSecurityContext -- Defines the podSecurityContext for the controller pod
- podSecurityContext: {}
+ podSecurityContext:
+ seccompProfile:
+ type: RuntimeDefault
 # controller.securityContext -- The container securityContext for the controller container
 securityContext:
 readOnlyRootFilesystem: true
@@ -163,7 +165,9 @@ dashboard:
 cpu: 25m
 memory: 256Mi
 # dashboard.podSecurityContext -- Defines the podSecurityContext for the dashboard pod
- podSecurityContext: {}
+ podSecurityContext:
+ seccompProfile:
+ type: RuntimeDefault
 # dashboard.securityContext -- The container securityContext for the dashboard container
 securityContext:
 readOnlyRootFilesystem: true
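Review bot: The helm-docs comment directly above `podSecurityContext` in the `@@ -66,7 +66,9 @@` hunk (and its twin in the dashboard hunk at `@@ -163,7 +165,9 @@`) still says only "Defines the podSecurityContext for the controller pod", so the README generated from it records neither why `seccompProfile: RuntimeDefault` is now the default nor how a user turns it off. Together with the container `securityContext` already in the file (runAsNonRoot, capabilities drop ALL, allowPrivilegeEscalation false, readOnlyRootFilesystem), the pod-level seccomp profile completes the security-context checks the restricted Pod Security Standard applies, and that intent belongs in the comment helm-docs reads. Suggested text: `# controller.podSecurityContext -- Defines the podSecurityContext for the controller pod. Defaults to the RuntimeDefault seccomp profile so the pod meets the restricted Pod Security Standard; set seccompProfile to null to remove it or to another profile to replace it.` Helm merges user-supplied maps into chart defaults rather than replacing them, so a user value of `podSecurityContext: {}` will presumably not clear this default, which is the main reason to spell out the null override. The `controller:` and `dashboard:` mappings both start outside their hunks.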