fix: added missing securityContext to tunnel container

fbuchmeier · Nov 3, 2022 · e78f196 · e78f196
1 parent 3450b16
commit e78f196
Show file tree

Hide file tree

Showing 6 changed files with 42 additions and 0 deletions.
diff --git a/templates/deployment.yaml b/templates/deployment.yaml
@@ -108,6 +108,8 @@ spec:
         {{- end }}
       {{- if .Values.headlessclient.enabled }}
         - name: tunnel
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.tunnel.image.repository }}:{{ .Values.tunnel.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:

diff --git a/test-fixtures/ephemeral.yaml b/test-fixtures/ephemeral.yaml
@@ -716,6 +716,14 @@ spec:
               mountPath: /opt/rsyncd
               readOnly: false
         - name: tunnel
+          securityContext:
+            capabilities:
+              drop:
+              - ALL
+            readOnlyRootFilesystem: true
+            runAsGroup: 433
+            runAsNonRoot: true
+            runAsUser: 431
           image: "envoyproxy/envoy:v1.24-latest"
           imagePullPolicy: IfNotPresent
           ports:

diff --git a/test-fixtures/production.yaml b/test-fixtures/production.yaml
@@ -787,6 +787,14 @@ spec:
               mountPath: /opt/rsyncd
               readOnly: false
         - name: tunnel
+          securityContext:
+            capabilities:
+              drop:
+              - ALL
+            readOnlyRootFilesystem: true
+            runAsGroup: 433
+            runAsNonRoot: true
+            runAsUser: 431
           image: "envoyproxy/envoy:v1.24-latest"
           imagePullPolicy: IfNotPresent
           ports:

diff --git a/test-fixtures/rwo-rwo.yaml b/test-fixtures/rwo-rwo.yaml
@@ -773,6 +773,14 @@ spec:
               mountPath: /opt/rsyncd
               readOnly: false
         - name: tunnel
+          securityContext:
+            capabilities:
+              drop:
+              - ALL
+            readOnlyRootFilesystem: true
+            runAsGroup: 433
+            runAsNonRoot: true
+            runAsUser: 431
           image: "envoyproxy/envoy:v1.24-latest"
           imagePullPolicy: IfNotPresent
           ports:

diff --git a/test-fixtures/rwo-rwx.yaml b/test-fixtures/rwo-rwx.yaml
@@ -773,6 +773,14 @@ spec:
               mountPath: /opt/rsyncd
               readOnly: false
         - name: tunnel
+          securityContext:
+            capabilities:
+              drop:
+              - ALL
+            readOnlyRootFilesystem: true
+            runAsGroup: 433
+            runAsNonRoot: true
+            runAsUser: 431
           image: "envoyproxy/envoy:v1.24-latest"
           imagePullPolicy: IfNotPresent
           ports:

diff --git a/test-fixtures/sharedfilesystem.yaml b/test-fixtures/sharedfilesystem.yaml
@@ -688,6 +688,14 @@ spec:
               readOnly: false
       containers:
         - name: tunnel
+          securityContext:
+            capabilities:
+              drop:
+              - ALL
+            readOnlyRootFilesystem: true
+            runAsGroup: 433
+            runAsNonRoot: true
+            runAsUser: 431
           image: "envoyproxy/envoy:v1.24-latest"
           imagePullPolicy: IfNotPresent
           ports: