diff --git a/charts/steadybit-extension-http/Chart.yaml b/charts/steadybit-extension-http/Chart.yaml
index 38995b5..f63d51d 100644
--- a/charts/steadybit-extension-http/Chart.yaml
+++ b/charts/steadybit-extension-http/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: steadybit-extension-http
 description: Steadybit action implementation to check HTTP endpoints.
-version: 1.1.15
+version: 1.1.16
 appVersion: v1.0.22
 home: https://www.steadybit.com/
 icon: https://steadybit-website-assets.s3.amazonaws.com/logo-symbol-transparent.png
diff --git a/charts/steadybit-extension-http/templates/deployment.yaml b/charts/steadybit-extension-http/templates/deployment.yaml
index 24f74ea..d77bd6e 100644
--- a/charts/steadybit-extension-http/templates/deployment.yaml
+++ b/charts/steadybit-extension-http/templates/deployment.yaml
@@ -103,15 +103,10 @@ spec:
 httpGet:
 path: /health/readiness
 port: 8081
+ {{- with .Values.containerSecurityContext }}
 securityContext:
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- runAsUser: 10000
- runAsGroup: 10000
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 volumes:
 {{- include "extensionlib.deployment.volumes" (list .) | nindent 8 }}
 serviceAccountName: {{ .Values.serviceAccount.name }}
diff --git a/charts/steadybit-extension-http/tests/__snapshot__/deployment_test.yaml.snap b/charts/steadybit-extension-http/tests/__snapshot__/deployment_test.yaml.snap
index 43bb1c8..3216f25 100644
--- a/charts/steadybit-extension-http/tests/__snapshot__/deployment_test.yaml.snap
+++ b/charts/steadybit-extension-http/tests/__snapshot__/deployment_test.yaml.snap
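Review bot: The new `{{- with .Values.containerSecurityContext }}` guard in templates/deployment.yaml makes the container-level `securityContext` optional, so an override that nulls the key or leaves it empty renders the container with no `readOnlyRootFilesystem`, `allowPrivilegeEscalation: false` or `capabilities.drop` at all, and nothing in the template signals that. As far as the visible snapshot hunks show, only the default value is exercised, so that path looks untested; a unit test that sets `containerSecurityContext: null` and asserts on the rendered manifest would pin the intended behaviour. I would also put a template comment above the guard, e.g. `{{- /* hardening defaults come from values.yaml; an empty containerSecurityContext renders no securityContext */ -}}`. The container spec this block belongs to starts before the hunk.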
@@ -78,10 +78,11 @@ manifest should match snapshot using podAnnotations and Labels: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 10000 - runAsNonRoot: true - runAsUser: 10000 volumeMounts: null + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-extension-http volumes: null manifest should match snapshot with TLS: @@ -166,13 +167,14 @@ manifest should match snapshot with TLS: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 10000 - runAsNonRoot: true - runAsUser: 10000 volumeMounts: - mountPath: /etc/extension/certificates/server-cert name: certificate-server-cert readOnly: true + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-extension-http volumes: - name: certificate-server-cert @@ -264,10 +266,11 @@ manifest should match snapshot with extra env vars: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 10000 - runAsNonRoot: true - runAsUser: 10000 volumeMounts: null + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-extension-http volumes: null manifest should match snapshot with extra labels: @@ -350,10 +353,11 @@ manifest should match snapshot with extra labels: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 10000 - runAsNonRoot: true - runAsUser: 10000 volumeMounts: null + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-extension-http volumes: null manifest should match snapshot with mutual TLS: @@ -440,9 +444,6 @@ manifest should match snapshot with mutual TLS: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 10000 - runAsNonRoot: true - runAsUser: 10000 volumeMounts: - mountPath: /etc/extension/certificates/client-cert-a name: certificate-client-cert-a 
@@ -450,6 +451,10 @@ manifest should match snapshot with mutual TLS: - mountPath: /etc/extension/certificates/server-cert name: certificate-server-cert readOnly: true + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-extension-http volumes: - name: certificate-client-cert-a @@ -544,10 +549,11 @@ manifest should match snapshot with mutual TLS using containerPaths: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 10000 - runAsNonRoot: true - runAsUser: 10000 volumeMounts: null + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-extension-http volumes: null manifest should match snapshot with podSecurityContext: @@ -628,12 +634,12 @@ manifest should match snapshot with podSecurityContext: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 10000 - runAsNonRoot: true - runAsUser: 10000 volumeMounts: null securityContext: + runAsNonRoot: true runAsUser: 2222 + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-extension-http volumes: null manifest should match snapshot with priority class: @@ -714,11 +720,12 @@ manifest should match snapshot with priority class: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 10000 - runAsNonRoot: true - runAsUser: 10000 volumeMounts: null priorityClassName: my-priority-class + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-extension-http volumes: null manifest should match snapshot without TLS: @@ -799,10 +806,11 @@ manifest should match snapshot without TLS: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 10000 - runAsNonRoot: true - runAsUser: 10000 volumeMounts: null + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-extension-http volumes: null should add cluster name from global values: 
@@ -885,10 +893,11 @@ should add cluster name from global values: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 10000 - runAsNonRoot: true - runAsUser: 10000 volumeMounts: null + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-extension-http volumes: null should add cluster name from local values: @@ -971,10 +980,11 @@ should add cluster name from local values: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 10000 - runAsNonRoot: true - runAsUser: 10000 volumeMounts: null + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-extension-http volumes: null should enable location selection: @@ -1057,9 +1067,10 @@ should enable location selection: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 10000 - runAsNonRoot: true - runAsUser: 10000 volumeMounts: null + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-extension-http volumes: null diff --git a/charts/steadybit-extension-http/values.yaml b/charts/steadybit-extension-http/values.yaml index b131fbb..9ab6706 100644 --- a/charts/steadybit-extension-http/values.yaml +++ b/charts/steadybit-extension-http/values.yaml @@ -107,7 +107,18 @@ affinity: {} priorityClassName: null # podSecurityContext -- SecurityContext to apply to the pod. -podSecurityContext: {} +podSecurityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + +# containerSecurityContext -- SecurityContext to apply to the container. +containerSecurityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL # extraEnv -- Array with extra environment variables to add to the container # e.g:
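Review bot: The new `podSecurityContext` default in values.yaml keeps `runAsNonRoot: true`, but the commit no longer sets `runAsUser: 10000` / `runAsGroup: 10000` anywhere, so the effective UID now comes from the image. The kubelet can only verify `runAsNonRoot` against a numeric UID, so if the image declares a named user or none at all (not visible in this diff) the pod will be refused at start-up; this is also a behaviour change shipped in a patch-level chart bump. If dropping the fixed UID is intentional, say so in the helm-docs comment, for example `# podSecurityContext -- SecurityContext to apply to the pod. No runAsUser is set; the image must declare a numeric non-root USER.` Otherwise restore `runAsUser: 10000` and `runAsGroup: 10000` under `podSecurityContext`.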