From b9c8df552b95fc6c816bcf722f5677179ab50f58 Mon Sep 17 00:00:00 2001
From: David Kirchner
Date: Tue, 3 Mar 2020 07:43:38 -0800
Subject: [PATCH] [stable/traefik] Add distinct container SecurityContext tunable (#20743) (#20887)
* [stable/traefik] Add distinct container SecurityContext tunable (#20743)
Signed-off-by: David Kirchner
* [stable/traefik] Update new securityContext K8S API links to something more up to date
Signed-off-by: David Kirchner
---
 stable/traefik/Chart.yaml | 2 +-
 stable/traefik/README.md | 3 ++-
 stable/traefik/templates/deployment.yaml | 8 ++++++--
 stable/traefik/templates/storeconfig-job.yaml | 4 ++++
 4 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/stable/traefik/Chart.yaml b/stable/traefik/Chart.yaml
index 5e9410842ffd..0fe0472ad9d9 100644
--- a/stable/traefik/Chart.yaml
+++ b/stable/traefik/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: traefik
-version: 1.86.1
+version: 1.86.2
 appVersion: 1.7.20
 description: A Traefik based Kubernetes ingress controller with Let's Encrypt support
 keywords:
diff --git a/stable/traefik/README.md b/stable/traefik/README.md
index 072275493810..363c8af78974 100644
--- a/stable/traefik/README.md
+++ b/stable/traefik/README.md
@@ -109,7 +109,8 @@ The following table lists the configurable parameters of the Traefik chart and t
 | `memoryLimit` | **DEPRECATED**: use `resources` instead. Memory limit per Traefik pod | None |
 | `rbac.enabled` | Whether to enable RBAC with a specific cluster role and binding for Traefik | `false` |
 | `deploymentStrategy` | Specify deployment spec rollout strategy | `{}` |
-| `securityContext` | Security context | `{}` |
+| `podSecurityContext` | Security context for the pod. See [PodSecurityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.16/#podsecuritycontext-v1-core). | `{}` |
+| `containerSecurityContext` | Security context for the container. See [SecurityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.16/#securitycontext-v1-core). | `{}` |
 | `useNonPriviledgedPorts` | Use non privileged ports to listen. Needed if container is not running as root | `false` |
 | `env` | Environment variables for the container | `{}` |
 | `nodeSelector` | Node labels for pod assignment | `{}` |
diff --git a/stable/traefik/templates/deployment.yaml b/stable/traefik/templates/deployment.yaml
index 08fc87cbc4f3..3da8f5e5cb5c 100644
--- a/stable/traefik/templates/deployment.yaml
+++ b/stable/traefik/templates/deployment.yaml
@@ -49,9 +49,9 @@ spec:
 {{ toYaml .Values.deployment.podLabels | indent 8 }}
 {{- end }}
 spec:
- {{- if .Values.securityContext }}
+ {{- if .Values.podSecurityContext }}
 securityContext:
-{{ toYaml .Values.securityContext | indent 8 }}
+{{ toYaml .Values.podSecurityContext | indent 8 }}
 {{- end }}
 {{- if .Values.rbac.enabled }}
 serviceAccountName: {{ template "traefik.fullname" . }}
@@ -190,6 +190,10 @@ spec:
 {{- range .Values.startupArguments }}
 - {{ . }}
 {{- end }}
+ {{- if .Values.containerSecurityContext }}
+ securityContext:
+{{ toYaml .Values.containerSecurityContext | indent 10 }}
+ {{- end }}
 volumes:
 {{- if .Values.extraVolumes }}{{ toYaml .Values.extraVolumes | trim | nindent 6 }}{{ end }}
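Review bot: Switching the pod-level `securityContext:` guard from `.Values.securityContext` to `.Values.podSecurityContext` leaves no fallback, so a release whose values still set `securityContext` (for example `runAsNonRoot` or `fsGroup`) would render a pod with no security context after upgrading, without any error or warning. The chart version in this commit only moves from 1.86.1 to 1.86.2 and the README row for `securityContext` is removed rather than marked deprecated, so nothing prompts operators to migrate. Keeping the old key as a fallback avoids the silent loss: `{{- $podSC := .Values.podSecurityContext | default .Values.securityContext }}`, then `{{- if $podSC }}` and `{{ toYaml $podSC | indent 8 }}`, together with a **DEPRECATED** README row like the existing one for `memoryLimit`. The pod `spec:` block this sits in starts and ends outside the hunk.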
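Review bot: The container-level block added after the `startupArguments` loop reads the same `.Values.containerSecurityContext` that the storeconfig-job.yaml hunk renders into the job container, so a context tuned for Traefik (capabilities added for low ports, a specific `runAsUser`) is applied unchanged to the storeconfig job as well. The new README row only says "Security context for the container", which does not tell an operator that two different containers are affected. Either document it, e.g. `Security context applied to the Traefik container and to the storeconfig job container`, or give the job its own value so each container is granted only what it needs. The container spec continues outside the hunk.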
diff --git a/stable/traefik/templates/storeconfig-job.yaml b/stable/traefik/templates/storeconfig-job.yaml
index c16c6da8ad4f..d2eff2c208a1 100644
--- a/stable/traefik/templates/storeconfig-job.yaml
+++ b/stable/traefik/templates/storeconfig-job.yaml
@@ -37,6 +37,10 @@ spec:
 env:
 {{ toYaml .Values.env | indent 12 }}
 {{- end }}
+ {{- if .Values.containerSecurityContext }}
+ securityContext:
+{{ toYaml .Values.containerSecurityContext | indent 10 }}
+ {{- end }}
 volumes:
 - name: config
 configMap:
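Review bot: The job container gets a `securityContext` here, but the job's pod spec gets no `podSecurityContext` counterpart to the one in deployment.yaml; the diffstat shows these four added lines as the only change to storeconfig-job.yaml. Pod-level settings such as `runAsUser`, `fsGroup` or `runAsNonRoot` configured for the Deployment would then not cover the job pod, which may still run with the image defaults. This is inferred, since the job's pod `spec:` lies outside the hunk and may already carry its own settings. If the gap is unintended, add the same `{{- if .Values.podSecurityContext }}` … `{{- end }}` guard that deployment.yaml uses under the job's pod `spec:`, with the `indent` matched to the job template's nesting.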