From 0686ec8dc528a29434b19e4a055fd83df1e53b1c Mon Sep 17 00:00:00 2001
From: Erez Tamam
Date: Tue, 28 Jun 2022 23:52:47 +0300
Subject: [PATCH] feat: Add pod annotations specific for openshift environment (#2116)
Signed-off-by: davis-haba
---
 cmd/build/helmify/replacements.go | 16 +++++++++++++---
 cmd/build/helmify/static/values.yaml | 4 ++--
 .../templates/gatekeeper-audit-deployment.yaml | 6 ++++++
 ...gatekeeper-controller-manager-deployment.yaml | 6 ++++++
 manifest_staging/charts/gatekeeper/values.yaml | 4 ++--
 5 files changed, 29 insertions(+), 7 deletions(-)
diff --git a/cmd/build/helmify/replacements.go b/cmd/build/helmify/replacements.go
index 4610edabe5f..8773af89504 100644
--- a/cmd/build/helmify/replacements.go
+++ b/cmd/build/helmify/replacements.go
@@ -27,7 +27,11 @@ var replacements = map[string]string{
 `HELMSUBST_DEPLOYMENT_AUDIT_AFFINITY: ""`: `{{- toYaml .Values.audit.affinity | nindent 8 }}`,
- `HELMSUBST_DEPLOYMENT_AUDIT_SECURITY_CONTEXT: ""`: `{{- toYaml .Values.audit.securityContext | nindent 10}}`,
+ `HELMSUBST_DEPLOYMENT_AUDIT_SECURITY_CONTEXT: ""`: `{{- if .Values.enableRuntimeDefaultSeccompProfile }}
+ seccompProfile:
+ type: RuntimeDefault
+ {{- end }}
+ {{- toYaml .Values.audit.securityContext | nindent 10}}`,
 `HELMSUBST_DEPLOYMENT_AUDIT_TOLERATIONS: ""`: `{{- toYaml .Values.audit.tolerations | nindent 8 }}`,
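Review bot: The new `HELMSUBST_DEPLOYMENT_AUDIT_SECURITY_CONTEXT` value always emits `seccompProfile:` ahead of the `toYaml .Values.audit.securityContext` line, so a chart user who already sets `seccompProfile` inside `audit.securityContext` (the only way to get the field before this change) renders two `seccompProfile` keys in one container `securityContext` mapping, which strict YAML parsers reject and lenient ones resolve last-wins. The flag does not protect against that, so either gate the inline block on the user value as well, for example `{{- if and .Values.enableRuntimeDefaultSeccompProfile (not (hasKey .Values.audit.securityContext "seccompProfile")) }}`, or record the constraint next to the flag in values.yaml: `# set enableRuntimeDefaultSeccompProfile to false if you set seccompProfile under audit.securityContext or controllerManager.securityContext`. The literal `seccompProfile:` and `type:` lines carry their own indentation inside the raw string and must line up with the `nindent 10` of the final line; leading whitespace is lost in this copy of the patch, so that cannot be checked here. The `replacements` map starts and ends outside the hunk.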
@@ -39,7 +43,11 @@ var replacements = map[string]string{
 `HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_AFFINITY: ""`: `{{- toYaml .Values.controllerManager.affinity | nindent 8 }}`,
- `HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_SECURITY_CONTEXT: ""`: `{{- toYaml .Values.controllerManager.securityContext | nindent 10}}`,
+ `HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_SECURITY_CONTEXT: ""`: `{{- if .Values.enableRuntimeDefaultSeccompProfile }}
+ seccompProfile:
+ type: RuntimeDefault
+ {{- end }}
+ {{- toYaml .Values.controllerManager.securityContext | nindent 10}}`,
 `HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_TOLERATIONS: ""`: `{{- toYaml .Values.controllerManager.tolerations | nindent 8 }}`,
@@ -49,7 +57,9 @@ var replacements = map[string]string{
 "HELMSUBST_DEPLOYMENT_REPLICAS": `{{ .Values.replicas }}`,
- `HELMSUBST_ANNOTATIONS: ""`: `{{- toYaml .Values.podAnnotations | trim | nindent 8 }}`,
+ `HELMSUBST_ANNOTATIONS: ""`: `{{- if .Values.podAnnotations }}
+ {{- toYaml .Values.podAnnotations | trim | nindent 8 }}
+ {{- end }}`,
 "HELMSUBST_SECRET_ANNOTATIONS": `{{- toYaml .Values.secretAnnotations | trim | nindent 4 }}`,
diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml
index 9dbbee8fea3..af5c6467924 100644
--- a/cmd/build/helmify/static/values.yaml
+++ b/cmd/build/helmify/static/values.yaml
@@ -98,11 +98,11 @@ image:
 release: v3.9.0-beta.2
 pullPolicy: IfNotPresent
 pullSecrets: []
-podAnnotations:
- {container.seccomp.security.alpha.kubernetes.io/manager: runtime/default}
+podAnnotations: {}
 podLabels: {}
 podCountLimit: 100
 secretAnnotations: {}
+enableRuntimeDefaultSeccompProfile: true
 controllerManager:
 exemptNamespaces: []
 exemptNamespacePrefixes: []
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml
index 06f82ba205f..ca2bf2c2dbb 100644
--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml
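Review bot: The four-line `{{- if .Values.enableRuntimeDefaultSeccompProfile }} … {{- end }}` block in `HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_SECURITY_CONTEXT` is a verbatim copy of the one in the audit entry, and both are then copied again into the two rendered deployment templates, so a future change to the profile type or to the gating condition has to be made in four places. The chart already uses named templates (the rendered deployments call `include "gatekeeper.podLabels"`), so a `gatekeeper.seccompProfile` helper would let each entry shrink to something like `{{- include "gatekeeper.seccompProfile" . | nindent 10 }}` followed by the existing `toYaml`; if the duplication is to stay on the Go side instead, a single `const seccompProfileSnippet` concatenated into both raw strings does the same. The same duplicate-`seccompProfile` hazard noted for the audit entry applies here to `controllerManager.securityContext`. The `replacements` map starts and ends outside the hunk.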
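Review bot: The new `{{- if .Values.podAnnotations }}` guard around `HELMSUBST_ANNOTATIONS` is not mirrored on `HELMSUBST_SECRET_ANNOTATIONS` on the next line, which still emits `toYaml .Values.secretAnnotations` unconditionally with the same `{}` default. An empty map renders as a literal `{}` under the `annotations:` key, which is valid YAML, so the guard is cosmetic in both places; for consistency either wrap the secret entry the same way, `{{- if .Values.secretAnnotations }} … {{- end }}`, or drop the new guard and rely on `{}` rendering. A one-line comment on the entry stating why the guard exists would stop the next reader from assuming `{}` was breaking rendering. The map continues outside the hunk.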
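Review bot: `enableRuntimeDefaultSeccompProfile: true` is added without a comment, and the default it replaces (the `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` pod annotation) is dropped silently, so anyone who copied that annotation into an overridden `podAnnotations` will now ship both the annotation and the `securityContext.seccompProfile` field, which depending on the API server version is validated for agreement between the two. The `securityContext.seccompProfile` field only exists from Kubernetes 1.19 on, and on older servers an unknown field is typically pruned rather than rejected, so the manager containers would run with no seccomp profile and no error; the old annotation form did not have that failure mode. Add a comment above the flag such as `# Sets securityContext.seccompProfile.type=RuntimeDefault on the manager containers (Kubernetes 1.19+); replaces the removed container.seccomp.security.alpha.kubernetes.io/manager podAnnotation, which should be removed from any overridden podAnnotations.` Nothing in this hunk is OpenShift-specific despite the commit title; if the flag exists for OpenShift's SCC handling, the comment should say so.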
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml
@@ -25,7 +25,9 @@ spec:
 template:
 metadata:
 annotations:
+ {{- if .Values.podAnnotations }}
 {{- toYaml .Values.podAnnotations | trim | nindent 8 }}
+ {{- end }}
 labels:
 {{- include "gatekeeper.podLabels" . }}
 app: '{{ template "gatekeeper.name" . }}'
@@ -103,6 +105,10 @@ spec:
 resources:
 {{- toYaml .Values.audit.resources | nindent 10 }}
 securityContext:
+ {{- if .Values.enableRuntimeDefaultSeccompProfile }}
+ seccompProfile:
+ type: RuntimeDefault
+ {{- end }}
 {{- toYaml .Values.audit.securityContext | nindent 10}}
 volumeMounts:
 - mountPath: /tmp/audit
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml
index e1a47339043..8b742366430 100644
--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml
@@ -25,7 +25,9 @@ spec:
 template:
 metadata:
 annotations:
+ {{- if .Values.podAnnotations }}
 {{- toYaml .Values.podAnnotations | trim | nindent 8 }}
+ {{- end }}
 labels:
 {{- include "gatekeeper.podLabels" . }}
 app: '{{ template "gatekeeper.name" . }}'
@@ -118,6 +120,10 @@ spec:
 resources:
 {{- toYaml .Values.controllerManager.resources | nindent 10 }}
 securityContext:
+ {{- if .Values.enableRuntimeDefaultSeccompProfile }}
+ seccompProfile:
+ type: RuntimeDefault
+ {{- end }}
 {{- toYaml .Values.controllerManager.securityContext | nindent 10}}
 volumeMounts:
 - mountPath: /certs
diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml
index 9dbbee8fea3..af5c6467924 100644
--- a/manifest_staging/charts/gatekeeper/values.yaml
+++ b/manifest_staging/charts/gatekeeper/values.yaml
@@ -98,11 +98,11 @@ image:
 release: v3.9.0-beta.2
 pullPolicy: IfNotPresent
 pullSecrets: []
-podAnnotations:
- {container.seccomp.security.alpha.kubernetes.io/manager: runtime/default}
+podAnnotations: {}
 podLabels: {}
 podCountLimit: 100
 secretAnnotations: {}
+enableRuntimeDefaultSeccompProfile: true
 controllerManager:
 exemptNamespaces: []
 exemptNamespacePrefixes: []