Add partials for service account token mount path and security contex…

…t capabilities Signed-off-by: ihcsim <ihcsim@gmail.com>
linkerd · Jul 30, 2019 · 6240c13 · 6240c13
1 parent 1d22f4d
commit 6240c13
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 0 deletions.
diff --git a/charts/linkerd/values.yaml b/charts/linkerd/values.yaml
@@ -80,6 +80,9 @@ PrometheusResources:
 
 # proxy configuration
 Proxy:
+  Capabilities:
+    Add:
+    Drop:
   ClusterDomain: *cluster_domain
   ControlPlaneNamespace: *namespace
   EnableExternalProfile: false
@@ -92,6 +95,7 @@ Proxy:
     PullPolicy: *image_pull_policy
     Version: *linkerd_version
   LogLevel: &proxy_log_level warn,linkerd2_proxy=info
+  MountPaths:
   Port: &proxy_ports
     Admin: &proxy_port_admin 4191
     Control: &proxy_port_control 4190
@@ -114,6 +118,9 @@ Proxy:
 
 # proxy-init configuration
 ProxyInit:
+  Capabilities:
+    Add:
+    Drop:
   Image:
     Name: &proxy_init_image_name gcr.io/linkerd-io/proxy-init
     PullPolicy: *image_pull_policy

diff --git a/charts/partials/templates/_capabilities.tpl b/charts/partials/templates/_capabilities.tpl
@@ -0,0 +1,16 @@
+{{- define "partials.proxy.capabilities" -}}
+capabilities:
+  {{- if .Capabilities.Add }}
+  add:
+  {{- toYaml .Capabilities.Add | trim | nindent 2 }}
+  {{- end }}
+  {{- if .Capabilities.Drop }}
+  drop:
+  {{- toYaml .Capabilities.Drop | trim | nindent 2 }}
+  {{- end }}
+{{- end -}}
+
+{{- define "partials.proxy-init.capabilities.drop" -}}
+drop:
+{{ toYaml .Capabilities.Drop | trim }}
+{{- end -}}
diff --git a/charts/partials/templates/_proxy-init.tpl b/charts/partials/templates/_proxy-init.tpl
@@ -20,9 +20,21 @@
       add:
       - NET_ADMIN
       - NET_RAW
+      {{- if .Capabilities -}}
+      {{- if .Capabilities.Add }}
+      {{- toYaml .Capabilities.Add | trim | nindent 6 }}
+      {{- end }}
+      {{- if .Capabilities.Drop -}}
+      {{- include "partials.proxy-init.capabilities.drop" . | nindent 6 -}}
+      {{- end }}
+      {{- end }}
     privileged: false
     readOnlyRootFilesystem: true
     runAsNonRoot: false
     runAsUser: 0
   terminationMessagePolicy: FallbackToLogsOnError
+  {{- if .MountPaths }}
+  volumeMounts:
+  {{- toYaml .MountPaths | trim | nindent 2 -}}
+  {{- end }}
 {{- end -}}
diff --git a/charts/partials/templates/_proxy.tpl b/charts/partials/templates/_proxy.tpl
@@ -88,10 +88,16 @@
   {{- end }}
   securityContext:
     allowPrivilegeEscalation: false
+    {{- if .Capabilities -}}
+    {{- include "partials.proxy.capabilities" . | nindent 4 -}}
+    {{- end }}
     readOnlyRootFilesystem: true
     runAsUser: {{.UID}}
   terminationMessagePolicy: FallbackToLogsOnError
   volumeMounts:
   - mountPath: /var/run/linkerd/identity/end-entity
     name: linkerd-identity-end-entity
+  {{- if .MountPaths }}
+  {{- toYaml .MountPaths | trim | nindent 2 -}}
+  {{- end }}
 {{ end -}}