feat: fix charts

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
kyverno · Oct 30, 2024 · a3743a6 · a3743a6
1 parent 6dedb8b
commit a3743a6
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 22 deletions.
diff --git a/charts/reports-server/templates/deployment.yaml b/charts/reports-server/templates/deployment.yaml
@@ -87,6 +87,9 @@ spec:
           {{- end}}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
+          volumeMounts:
+            - mountPath: /tmp
+              name: tmp-dir
           image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:

diff --git a/charts/reports-server/values.yaml b/charts/reports-server/values.yaml
@@ -59,16 +59,16 @@ podSecurityContext:
 # -- Container security context
 # @default -- See [values.yaml](values.yaml)
 securityContext:
-  # capabilities:
-  #   drop:
-  #   - ALL
-  readOnlyRootFilesystem: false
-  # runAsNonRoot: true
-  runAsUser: 0
-  privileged: true
-  allowPrivilegeEscalation: true
-  # seccompProfile:
-  #   type: RuntimeDefault
+  capabilities:
+      drop:
+      - ALL
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 1000
+  privileged: false
+  allowPrivilegeEscalation: false
+  seccompProfile:
+    type: RuntimeDefault
 
 # -- Liveness probe
 livenessProbe:

diff --git a/config/install-etcd.yaml b/config/install-etcd.yaml
@@ -178,6 +178,7 @@ metadata:
   name: etcd
   namespace: reports-server
   labels:
+    app: etcd-reports-server
     helm.sh/chart: reports-server-0.1.1
     app.kubernetes.io/name: reports-server
     app.kubernetes.io/instance: reports-server
@@ -259,10 +260,19 @@ spec:
             - --secure-port=4443
             - --authorization-always-allow-paths=/metrics
           securityContext:
-            allowPrivilegeEscalation: true
-            privileged: true
-            readOnlyRootFilesystem: false
-            runAsUser: 0
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+            seccompProfile:
+              type: RuntimeDefault
+          volumeMounts:
+            - mountPath: /tmp
+              name: tmp-dir
           image: "ghcr.io/kyverno/reports-server:latest"
           imagePullPolicy: IfNotPresent
           ports:
@@ -298,6 +308,7 @@ metadata:
   namespace: reports-server
   name: etcd
   labels:
+    app: etcd-reports-server
     helm.sh/chart: reports-server-0.1.1
     app.kubernetes.io/name: reports-server
     app.kubernetes.io/instance: reports-server
@@ -311,7 +322,7 @@ spec:
     type: RollingUpdate
   selector:
     matchLabels:
-      app: etcd
+      app: etcd-reports-server
   template:
     metadata:
       labels:
@@ -329,7 +340,7 @@ spec:
                 - key: app
                   operator: In
                   values:
-                  - etcd
+                  - etcd-reports-server
               topologyKey: "kubernetes.io/hostname"
       containers:
       - name: etcd

diff --git a/config/install.yaml b/config/install.yaml
@@ -178,6 +178,7 @@ metadata:
   name: etcd
   namespace: reports-server
   labels:
+    app: etcd-reports-server
     helm.sh/chart: reports-server-0.1.1
     app.kubernetes.io/name: reports-server
     app.kubernetes.io/instance: reports-server
@@ -259,10 +260,19 @@ spec:
             - --secure-port=4443
             - --authorization-always-allow-paths=/metrics
           securityContext:
-            allowPrivilegeEscalation: true
-            privileged: true
-            readOnlyRootFilesystem: false
-            runAsUser: 0
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+            seccompProfile:
+              type: RuntimeDefault
+          volumeMounts:
+            - mountPath: /tmp
+              name: tmp-dir
           image: "ghcr.io/kyverno/reports-server:latest"
           imagePullPolicy: IfNotPresent
           ports:
@@ -298,6 +308,7 @@ metadata:
   namespace: reports-server
   name: etcd
   labels:
+    app: etcd-reports-server
     helm.sh/chart: reports-server-0.1.1
     app.kubernetes.io/name: reports-server
     app.kubernetes.io/instance: reports-server
@@ -311,7 +322,7 @@ spec:
     type: RollingUpdate
   selector:
     matchLabels:
-      app: etcd
+      app: etcd-reports-server
   template:
     metadata:
       labels:
@@ -329,7 +340,7 @@ spec:
                 - key: app
                   operator: In
                   values:
-                  - etcd
+                  - etcd-reports-server
               topologyKey: "kubernetes.io/hostname"
       containers:
       - name: etcd