From 047453fced0cf9d7b7e43c08a4ba4e4a569d9e04 Mon Sep 17 00:00:00 2001
From: holgerbach <132660929+holgerbach@users.noreply.github.com>
Date: Fri, 23 Jun 2023 09:05:54 +0200
Subject: [PATCH] Security contexts for k8s (#657)
---
 deployment/k8s/charts/Chart.yaml | 2 +-
 deployment/k8s/charts/templates/deployment.yaml | 4 ++++
 deployment/k8s/charts/values.yaml | 14 ++++++++++++++
 3 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/deployment/k8s/charts/Chart.yaml b/deployment/k8s/charts/Chart.yaml
index 5470f4a0d..9d003318e 100644
--- a/deployment/k8s/charts/Chart.yaml
+++ b/deployment/k8s/charts/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: 0.11.7
 description: A dynamic Web Map tile server
 name: titiler
-version: 1.1.1
+version: 1.1.2
 icon: https://raw.githubusercontent.com/developmentseed/titiler/main/docs/logos/TiTiler_logo_small.png
 maintainers:
 - name: emmanuelmathot # Emmanuel Mathot
diff --git a/deployment/k8s/charts/templates/deployment.yaml b/deployment/k8s/charts/templates/deployment.yaml
index 5fa7255bc..fca1a0b86 100644
--- a/deployment/k8s/charts/templates/deployment.yaml
+++ b/deployment/k8s/charts/templates/deployment.yaml
@@ -14,10 +14,14 @@ spec:
       labels:
         {{- include "titiler.selectorLabels" . | nindent 8 }}
     spec:
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
           env:
             {{- range $key, $val := .Values.env }}
             - name: {{ $key }}
diff --git a/deployment/k8s/charts/values.yaml b/deployment/k8s/charts/values.yaml
index b161b8534..ac3a54f6b 100644
--- a/deployment/k8s/charts/values.yaml
+++ b/deployment/k8s/charts/values.yaml
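Review bot: Both new `securityContext:` keys in the deployment template are rendered unconditionally, so a values override of `podSecurityContext: null` (or a release whose values file predates this key) renders `securityContext: null` instead of omitting the field; the usual guard is `{{- with .Values.podSecurityContext }}` / `{{- toYaml . | nindent 8 }}` / `{{- end }}` around each block, and likewise for the container-level one with `nindent 12`. With the shipped defaults of `{}` this wiring changes nothing for existing releases, so the hardening only takes effect once an operator sets the values; that is worth stating in the chart's values documentation. The pod template continues outside the hunk.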
@@ -65,3 +65,17 @@
 nodeSelector: {}
 tolerations: []
 affinity: {}
+
+securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # allowPrivilegeEscalation: false
+  # runAsNonRoot: true
+  # runAsUser: 1001
+
+podSecurityContext: {}
+  # fsGroup: 1001
+  # runAsNonRoot: true
+  # runAsUser: 1001
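Review bot: The commented examples sit directly under `securityContext: {}` and `podSecurityContext: {}`, so an operator who uncomments them without also deleting the `{}` gets a YAML parse error (a flow mapping followed by indented block keys); a comment such as `# To enable, replace {} with the block below` above each key avoids that trap. Because both keys default to `{}`, the chart deploys with the container runtime's defaults and the hardening is opt-in, which the values file should say explicitly. If the intent is the restricted Pod Security Standard, `seccompProfile: { type: RuntimeDefault }` belongs in the example set next to `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]`; whether the image tolerates `readOnlyRootFilesystem: true` and UID 1001 cannot be verified from this patch and should be checked before recommending them.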