This repository was archived by the owner on Jul 26, 2022. It is now read-only.

Commit 27ba7e1

feat: improve out-of-the-box compatibility with clusters running locked down PodSecurityPolicy enabling runAsNonRoot by default (#361)
1 parent 865caeb commit 27ba7e1

3 files changed, +40 -37 lines changed


Dockerfile

+2-1
@@ -11,5 +11,6 @@ RUN npm ci --production
1111
# Copy app to source directory
1212
COPY . .
1313

14-
USER node
14+
# Change back to the "node" user; using its UID for PodSecurityPolicy "non-root" compatibility
15+
USER 1000
1516
CMD ["npm", "start"]
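Review bot: the comment on the new line 14 says the `node` user's UID is used, but the value 1000 is hardcoded; say in the comment that the base image's `node` user is UID 1000, because a base-image change would otherwise silently run the process as whatever UID 1000 happens to be there. The numeric form itself is the right call for this commit's goal: with `runAsNonRoot: true` the kubelet cannot resolve a symbolic image `USER node` to a UID and rejects the container with a "cannot verify user is non-root" error, so `USER 1000` is what actually makes the new pod-wide securityContext default in values.yaml work. Consider `USER 1000:1000` so the primary group is pinned as well rather than looked up from the image's /etc/passwd.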

charts/kubernetes-external-secrets/README.md

+35-35
@@ -41,41 +41,41 @@ helm delete my-release
4141

4242
The following table lists the configurable parameters of the `kubernetes-external-secrets` chart and their default values.
4343

44-
| Parameter | Description | Default |
45-
| ------------------------------------ | ------------------------------------------------------------ | ------------------------------------------------------- |
46-
| `env.AWS_REGION` | Set AWS_REGION in Deployment Pod | `us-west-2` |
47-
| `env.LOG_LEVEL` | Set the application log level | `info` |
48-
| `env.METRICS_PORT` | Specify the port for the prometheus metrics server | `3001` |
49-
| `env.ROLE_PERMITTED_ANNOTATION` | Specify the annotation key where to lookup the role arn permission boundaries | `iam.amazonaws.com/permitted` |
50-
| `env.POLLER_INTERVAL_MILLISECONDS` | Set POLLER_INTERVAL_MILLISECONDS in Deployment Pod | `10000` |
51-
| `env.VAULT_ADDR` | Endpoint for the Vault backend, if using Vault | `http://127.0.0.1:8200 |
52-
| `env.DISABLE_POLLING` | Disables backend polling and only updates secrets when ExternalSecret is modified, setting this to any value will disable polling | `nil` |
53-
| `envVarsFromSecret.AWS_ACCESS_KEY_ID` | Set AWS_ACCESS_KEY_ID (from a secret) in Deployment Pod | |
54-
| `envVarsFromSecret.AWS_SECRET_ACCESS_KEY` | Set AWS_SECRET_ACCESS_KEY (from a secret) in Deployment Pod | |
55-
| `envVarsFromSecret.AZURE_TENANT_ID` | Set AZURE_TENANT_ID (from a secret) in Deployment Pod | |
56-
| `envVarsFromSecret.AZURE_CLIENT_ID` | Set AZURE_CLIENT_ID (from a secret) in Deployment Pod | |
57-
| `envVarsFromSecret.AZURE_CLIENT_SECRET` | Set AZURE_CLIENT_SECRET (from a secret) in Deployment Pod | |
58-
| `image.repository` | kubernetes-external-secrets Image name | `godaddy/kubernetes-external-secrets` |
59-
| `image.tag` | kubernetes-external-secrets Image tag | `3.2.0` |
60-
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
61-
| `nameOverride` | Override the name of app | `nil` |
62-
| `fullnameOverride` | Override the full name of app | `nil` |
63-
| `rbac.create` | Create & use RBAC resources | `true` |
64-
| `securityContext.fsGroup` | Security context for the container | `{}` |
65-
| `serviceAccount.create` | Whether a new service account name should be created. | `true` |
66-
| `serviceAccount.name` | Service account to be used. | automatically generated |
67-
| `serviceAccount.annotations` | Annotations to be added to service account | `nil` |
68-
| `podAnnotations` | Annotations to be added to pods | `{}` |
69-
| `podLabels` | Additional labels to be added to pods | `{}` |
70-
| `replicaCount` | Number of replicas | `1` |
71-
| `nodeSelector` | node labels for pod assignment | `{}` |
72-
| `tolerations` | List of node taints to tolerate (requires Kubernetes >= 1.6) | `[]` |
73-
| `affinity` | Affinity for pod assignment | `{}` |
74-
| `resources` | Pod resource requests & limits | `{}` |
75-
| `imagePullSecrets` | Reference to one or more secrets to be used when pulling images | `[]` |
76-
| `serviceMonitor.enabled` | Enable the creation of a serviceMonitor object for the Prometheus operator | `false` |
77-
| `serviceMonitor.interval` | The interval the Prometheus endpoint is scraped | `30s` |
78-
| `serviceMonitor.namespace` | The namespace where the serviceMonitor object has to be created | `nil` |
44+
| Parameter | Description | Default |
45+
| ----------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- |
46+
| `env.AWS_REGION` | Set AWS_REGION in Deployment Pod | `us-west-2` |
47+
| `env.LOG_LEVEL` | Set the application log level | `info` |
48+
| `env.METRICS_PORT` | Specify the port for the prometheus metrics server | `3001` |
49+
| `env.ROLE_PERMITTED_ANNOTATION` | Specify the annotation key where to lookup the role arn permission boundaries | `iam.amazonaws.com/permitted` |
50+
| `env.POLLER_INTERVAL_MILLISECONDS` | Set POLLER_INTERVAL_MILLISECONDS in Deployment Pod | `10000` |
51+
| `env.VAULT_ADDR` | Endpoint for the Vault backend, if using Vault | `http://127.0.0.1:8200 |
52+
| `env.DISABLE_POLLING` | Disables backend polling and only updates secrets when ExternalSecret is modified, setting this to any value will disable polling | `nil` |
53+
| `envVarsFromSecret.AWS_ACCESS_KEY_ID` | Set AWS_ACCESS_KEY_ID (from a secret) in Deployment Pod | |
54+
| `envVarsFromSecret.AWS_SECRET_ACCESS_KEY` | Set AWS_SECRET_ACCESS_KEY (from a secret) in Deployment Pod | |
55+
| `envVarsFromSecret.AZURE_TENANT_ID` | Set AZURE_TENANT_ID (from a secret) in Deployment Pod | |
56+
| `envVarsFromSecret.AZURE_CLIENT_ID` | Set AZURE_CLIENT_ID (from a secret) in Deployment Pod | |
57+
| `envVarsFromSecret.AZURE_CLIENT_SECRET` | Set AZURE_CLIENT_SECRET (from a secret) in Deployment Pod | |
58+
| `image.repository` | kubernetes-external-secrets Image name | `godaddy/kubernetes-external-secrets` |
59+
| `image.tag` | kubernetes-external-secrets Image tag | `3.2.0` |
60+
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
61+
| `nameOverride` | Override the name of app | `nil` |
62+
| `fullnameOverride` | Override the full name of app | `nil` |
63+
| `rbac.create` | Create & use RBAC resources | `true` |
64+
| `securityContext` | Pod-wide security context | `{ runAsNonRoot: true }` |
65+
| `serviceAccount.create` | Whether a new service account name should be created. | `true` |
66+
| `serviceAccount.name` | Service account to be used. | automatically generated |
67+
| `serviceAccount.annotations` | Annotations to be added to service account | `nil` |
68+
| `podAnnotations` | Annotations to be added to pods | `{}` |
69+
| `podLabels` | Additional labels to be added to pods | `{}` |
70+
| `replicaCount` | Number of replicas | `1` |
71+
| `nodeSelector` | node labels for pod assignment | `{}` |
72+
| `tolerations` | List of node taints to tolerate (requires Kubernetes >= 1.6) | `[]` |
73+
| `affinity` | Affinity for pod assignment | `{}` |
74+
| `resources` | Pod resource requests & limits | `{}` |
75+
| `imagePullSecrets` | Reference to one or more secrets to be used when pulling images | `[]` |
76+
| `serviceMonitor.enabled` | Enable the creation of a serviceMonitor object for the Prometheus operator | `false` |
77+
| `serviceMonitor.interval` | The interval the Prometheus endpoint is scraped | `30s` |
78+
| `serviceMonitor.namespace` | The namespace where the serviceMonitor object has to be created | `nil` |
7979

8080
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
8181
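Review bot: replacing the `securityContext.fsGroup` row with the new `securityContext` row removes the only README mention of fsGroup, while values.yaml in this same commit still documents `# fsGroup: 65534` as required for IRSA; keep a sentence under the new row pointing users there, noting that `--set securityContext.fsGroup=65534` merges with the `runAsNonRoot: true` default rather than replacing it. Also, the `env.VAULT_ADDR` default is missing its closing backtick after `http://127.0.0.1:8200` in both the removed and the added table; since the whole table is being rewritten, fix it here.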

charts/kubernetes-external-secrets/values.yaml

+3-1
@@ -62,7 +62,9 @@ fullnameOverride: ""
6262
podAnnotations: {}
6363
podLabels: {}
6464

65-
securityContext: {}
65+
securityContext:
66+
runAsNonRoot: true
67+
# Required for use of IRSA, see https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html
6668
# fsGroup: 65534
6769

6870
resources: {}
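Review bot: the `# fsGroup: 65534` context line now follows a populated `securityContext:` mapping instead of an empty `securityContext: {}`; make sure it is indented to the same level as `runAsNonRoot: true` (the rendering here drops indentation), otherwise a user who uncomments it gets a top-level `fsGroup` key that the chart ignores. It is also worth a comment beside `runAsNonRoot: true` that the setting only works with images whose USER is numeric, as the Dockerfile change in this commit arranges, because anyone overriding `image.repository` with an image that still uses `USER node` will see the pod fail with CreateContainerConfigError at container start rather than an error at install time.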
