From 6240c13d542b2d0e9801e68f04b78e11f619be35 Mon Sep 17 00:00:00 2001
From: ihcsim
Date: Tue, 30 Jul 2019 11:03:04 -0700
Subject: [PATCH] Add partials for service account token mount path and security context capabilities
Signed-off-by: ihcsim
---
 charts/linkerd/values.yaml | 7 +++++++
 charts/partials/templates/_capabilities.tpl | 16 ++++++++++++++++
 charts/partials/templates/_proxy-init.tpl | 12 ++++++++++++
 charts/partials/templates/_proxy.tpl | 6 ++++++
 4 files changed, 41 insertions(+)
 create mode 100644 charts/partials/templates/_capabilities.tpl
diff --git a/charts/linkerd/values.yaml b/charts/linkerd/values.yaml
index 4e29a52516a0b..bb8dc44256fde 100644
--- a/charts/linkerd/values.yaml
+++ b/charts/linkerd/values.yaml
@@ -80,6 +80,9 @@ PrometheusResources:
 # proxy configuration
 Proxy:
+ Capabilities:
+ Add:
+ Drop:
 ClusterDomain: *cluster_domain
 ControlPlaneNamespace: *namespace
 EnableExternalProfile: false
@@ -92,6 +95,7 @@ Proxy:
 PullPolicy: *image_pull_policy
 Version: *linkerd_version
 LogLevel: &proxy_log_level warn,linkerd2_proxy=info
+ MountPaths:
 Port: &proxy_ports
 Admin: &proxy_port_admin 4191
 Control: &proxy_port_control 4190
@@ -114,6 +118,9 @@ Proxy:
 # proxy-init configuration
 ProxyInit:
+ Capabilities:
+ Add:
+ Drop:
 Image:
 Name: &proxy_init_image_name gcr.io/linkerd-io/proxy-init
 PullPolicy: *image_pull_policy
diff --git a/charts/partials/templates/_capabilities.tpl b/charts/partials/templates/_capabilities.tpl
new file mode 100644
index 0000000000000..48eca891c2426
--- /dev/null
+++ b/charts/partials/templates/_capabilities.tpl
@@ -0,0 +1,16 @@
+{{- define "partials.proxy.capabilities" -}}
+capabilities:
+ {{- if .Capabilities.Add }}
+ add:
+ {{- toYaml .Capabilities.Add | trim | nindent 2 }}
+ {{- end }}
+ {{- if .Capabilities.Drop }}
+ drop:
+ {{- toYaml .Capabilities.Drop | trim | nindent 2 }}
+ {{- end }}
+{{- end -}}
+
+{{- define "partials.proxy-init.capabilities.drop" -}}
+drop:
+{{ toYaml .Capabilities.Drop | trim }}
+{{- end -}}
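Review bot: The new `Capabilities` / `Add` / `Drop` keys and `MountPaths` are added without any comment on their expected shape, in a file where each section is otherwise introduced by a comment such as `# proxy configuration`; the same applies to the `ProxyInit` keys in the third hunk. The partials in this patch render `Add`/`Drop` through `toYaml` as lists of Linux capability names and `MountPaths` as a list of full volumeMount objects (the name suggests bare paths, which it is not), so a reader of values.yaml cannot tell the shape without opening the templates. Suggest `# Capabilities: lists of Linux capability names added to / dropped from the container's securityContext; leave empty to keep the chart defaults` above `Capabilities:` and `# MountPaths: extra volumeMount entries (mountPath, name, ...) appended to the container's volumeMounts` above `MountPaths:`. For the `ProxyInit` copy, the comment should also say that `Add` widens an init container that already runs as root (`runAsUser: 0` in `_proxy-init.tpl`).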
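Review bot: `partials.proxy.capabilities` emits `capabilities:` unconditionally, so with the defaults this commit adds to values.yaml (a `Capabilities` map whose `Add` and `Drop` are both nil, assuming the partial is invoked with the `Proxy` values map as the key names suggest) the `{{- if .Capabilities -}}` guard in the `_proxy.tpl` hunk is satisfied — a map with keys is truthy in Go templates even when its values are nil — and every proxy securityContext renders an empty `capabilities:` key that earlier charts did not have. Kubernetes tolerates a null there, but it is noise in exactly the part of the spec that reviewers and admission policies inspect, and it changes rendered output for users who never set the option. Guard on content rather than presence, `{{- if or .Capabilities.Add .Capabilities.Drop }}`, either at the call site in `_proxy.tpl` or around the body of this partial. The second partial, `partials.proxy-init.capabilities.drop`, dereferences `.Capabilities.Drop` with no guard of its own and relies on the caller's `{{- if .Capabilities.Drop -}}`; a comment above it, `{{/* caller must check .Capabilities.Drop; renders a bare drop: list for merging into an existing capabilities block */}}`, would make that contract visible.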
diff --git a/charts/partials/templates/_proxy-init.tpl b/charts/partials/templates/_proxy-init.tpl
index 14f69fb232a7c..3df9de3a8ab83 100644
--- a/charts/partials/templates/_proxy-init.tpl
+++ b/charts/partials/templates/_proxy-init.tpl
@@ -20,9 +20,21 @@
 add:
 - NET_ADMIN
 - NET_RAW
+ {{- if .Capabilities -}}
+ {{- if .Capabilities.Add }}
+ {{- toYaml .Capabilities.Add | trim | nindent 6 }}
+ {{- end }}
+ {{- if .Capabilities.Drop -}}
+ {{- include "partials.proxy-init.capabilities.drop" . | nindent 6 -}}
+ {{- end }}
+ {{- end }}
 privileged: false
 readOnlyRootFilesystem: true
 runAsNonRoot: false
 runAsUser: 0
 terminationMessagePolicy: FallbackToLogsOnError
+ {{- if .MountPaths }}
+ volumeMounts:
+ {{- toYaml .MountPaths | trim | nindent 2 -}}
+ {{- end }}
 {{- end -}}
diff --git a/charts/partials/templates/_proxy.tpl b/charts/partials/templates/_proxy.tpl
index 66a59e3a5af23..f00f29e090826 100644
--- a/charts/partials/templates/_proxy.tpl
+++ b/charts/partials/templates/_proxy.tpl
@@ -88,10 +88,16 @@
 {{- end }}
 securityContext:
 allowPrivilegeEscalation: false
+ {{- if .Capabilities -}}
+ {{- include "partials.proxy.capabilities" . | nindent 4 -}}
+ {{- end }}
 readOnlyRootFilesystem: true
 runAsUser: {{.UID}}
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/run/linkerd/identity/end-entity
 name: linkerd-identity-end-entity
+ {{- if .MountPaths }}
+ {{- toYaml .MountPaths | trim | nindent 2 -}}
+ {{- end }}
 {{ end -}}
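Review bot: `.Capabilities.Drop` is rendered beside the hard-coded `add:` of NET_ADMIN and NET_RAW, and nothing stops a values override from naming those same capabilities under `ProxyInit.Capabilities.Drop`, which yields a spec that both adds and drops one capability and leaves the outcome to the container runtime; either document in values.yaml that `Drop` must not list them, or strip them before rendering (Sprig's `without` does this in one expression). The reverse direction matters more for security: `Add` extends a container that already runs as root (`runAsUser: 0`) under `privileged: false`, so the default must stay empty and the key documented as widening the init container's privileges. The `drop:` include uses `nindent 6`, the same indent as the appended `add` items, which only produces a sibling of `add:` if `add:` itself sits at column 6 — the context lines' indentation is not recoverable from the patch as shown, so confirm with a rendered template. The enclosing `define` starts before this hunk.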