This repository has been archived by the owner on Jul 26, 2022. It is now read-only.

feat: improve out-of-the-box compatibility with clusters running locked down PodSecurityPolicy enabling runAsNonRoot by default (#361)
chadlwilson authored Apr 27, 2020
1 parent 865caeb commit 27ba7e1
Showing 3 changed files with 40 additions and 37 deletions.
3 changes: 2 additions & 1 deletion Dockerfile
@@ -11,5 +11,6 @@ RUN npm ci --production
# Copy app to source directory
COPY . .

USER node
# Change back to the "node" user; using its UID for PodSecurityPolicy "non-root" compatibility
USER 1000
CMD ["npm", "start"]
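Review bot: `USER 1000` ties the process to whatever UID 1000 is in the base image, which only matches the `node` user the comment refers to as long as the base image keeps that mapping; a short note stating that assumption (or `USER 1000:1000` to pin the primary group explicitly as well) would make the intent clearer to anyone swapping the base image. The switch to a numeric UID itself is the right call: the kubelet verifies `runAsNonRoot: true` against a numeric UID and cannot resolve a symbolic `USER node`, so the container would be refused at start.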
70 changes: 35 additions & 35 deletions charts/kubernetes-external-secrets/README.md
@@ -41,41 +41,41 @@ helm delete my-release

The following table lists the configurable parameters of the `kubernetes-external-secrets` chart and their default values.

| Parameter | Description | Default |
| ------------------------------------ | ------------------------------------------------------------ | ------------------------------------------------------- |
| `env.AWS_REGION` | Set AWS_REGION in Deployment Pod | `us-west-2` |
| `env.LOG_LEVEL` | Set the application log level | `info` |
| `env.METRICS_PORT` | Specify the port for the prometheus metrics server | `3001` |
| `env.ROLE_PERMITTED_ANNOTATION` | Specify the annotation key where to lookup the role arn permission boundaries | `iam.amazonaws.com/permitted` |
| `env.POLLER_INTERVAL_MILLISECONDS` | Set POLLER_INTERVAL_MILLISECONDS in Deployment Pod | `10000` |
| `env.VAULT_ADDR` | Endpoint for the Vault backend, if using Vault | `http://127.0.0.1:8200 |
| `env.DISABLE_POLLING` | Disables backend polling and only updates secrets when ExternalSecret is modified, setting this to any value will disable polling | `nil` |
| `envVarsFromSecret.AWS_ACCESS_KEY_ID` | Set AWS_ACCESS_KEY_ID (from a secret) in Deployment Pod | |
| `envVarsFromSecret.AWS_SECRET_ACCESS_KEY` | Set AWS_SECRET_ACCESS_KEY (from a secret) in Deployment Pod | |
| `envVarsFromSecret.AZURE_TENANT_ID` | Set AZURE_TENANT_ID (from a secret) in Deployment Pod | |
| `envVarsFromSecret.AZURE_CLIENT_ID` | Set AZURE_CLIENT_ID (from a secret) in Deployment Pod | |
| `envVarsFromSecret.AZURE_CLIENT_SECRET` | Set AZURE_CLIENT_SECRET (from a secret) in Deployment Pod | |
| `image.repository` | kubernetes-external-secrets Image name | `godaddy/kubernetes-external-secrets` |
| `image.tag` | kubernetes-external-secrets Image tag | `3.2.0` |
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `nameOverride` | Override the name of app | `nil` |
| `fullnameOverride` | Override the full name of app | `nil` |
| `rbac.create` | Create & use RBAC resources | `true` |
| `securityContext.fsGroup` | Security context for the container | `{}` |
| `serviceAccount.create` | Whether a new service account name should be created. | `true` |
| `serviceAccount.name` | Service account to be used. | automatically generated |
| `serviceAccount.annotations` | Annotations to be added to service account | `nil` |
| `podAnnotations` | Annotations to be added to pods | `{}` |
| `podLabels` | Additional labels to be added to pods | `{}` |
| `replicaCount` | Number of replicas | `1` |
| `nodeSelector` | node labels for pod assignment | `{}` |
| `tolerations` | List of node taints to tolerate (requires Kubernetes >= 1.6) | `[]` |
| `affinity` | Affinity for pod assignment | `{}` |
| `resources` | Pod resource requests & limits | `{}` |
| `imagePullSecrets` | Reference to one or more secrets to be used when pulling images | `[]` |
| `serviceMonitor.enabled` | Enable the creation of a serviceMonitor object for the Prometheus operator | `false` |
| `serviceMonitor.interval` | The interval the Prometheus endpoint is scraped | `30s` |
| `serviceMonitor.namespace` | The namespace where the serviceMonitor object has to be created | `nil` |
| Parameter | Description | Default |
| ----------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- |
| `env.AWS_REGION` | Set AWS_REGION in Deployment Pod | `us-west-2` |
| `env.LOG_LEVEL` | Set the application log level | `info` |
| `env.METRICS_PORT` | Specify the port for the prometheus metrics server | `3001` |
| `env.ROLE_PERMITTED_ANNOTATION` | Specify the annotation key where to lookup the role arn permission boundaries | `iam.amazonaws.com/permitted` |
| `env.POLLER_INTERVAL_MILLISECONDS` | Set POLLER_INTERVAL_MILLISECONDS in Deployment Pod | `10000` |
| `env.VAULT_ADDR` | Endpoint for the Vault backend, if using Vault | `http://127.0.0.1:8200 |
| `env.DISABLE_POLLING` | Disables backend polling and only updates secrets when ExternalSecret is modified, setting this to any value will disable polling | `nil` |
| `envVarsFromSecret.AWS_ACCESS_KEY_ID` | Set AWS_ACCESS_KEY_ID (from a secret) in Deployment Pod | |
| `envVarsFromSecret.AWS_SECRET_ACCESS_KEY` | Set AWS_SECRET_ACCESS_KEY (from a secret) in Deployment Pod | |
| `envVarsFromSecret.AZURE_TENANT_ID` | Set AZURE_TENANT_ID (from a secret) in Deployment Pod | |
| `envVarsFromSecret.AZURE_CLIENT_ID` | Set AZURE_CLIENT_ID (from a secret) in Deployment Pod | |
| `envVarsFromSecret.AZURE_CLIENT_SECRET` | Set AZURE_CLIENT_SECRET (from a secret) in Deployment Pod | |
| `image.repository` | kubernetes-external-secrets Image name | `godaddy/kubernetes-external-secrets` |
| `image.tag` | kubernetes-external-secrets Image tag | `3.2.0` |
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `nameOverride` | Override the name of app | `nil` |
| `fullnameOverride` | Override the full name of app | `nil` |
| `rbac.create` | Create & use RBAC resources | `true` |
| `securityContext` | Pod-wide security context | `{ runAsNonRoot: true }` |
| `serviceAccount.create` | Whether a new service account name should be created. | `true` |
| `serviceAccount.name` | Service account to be used. | automatically generated |
| `serviceAccount.annotations` | Annotations to be added to service account | `nil` |
| `podAnnotations` | Annotations to be added to pods | `{}` |
| `podLabels` | Additional labels to be added to pods | `{}` |
| `replicaCount` | Number of replicas | `1` |
| `nodeSelector` | node labels for pod assignment | `{}` |
| `tolerations` | List of node taints to tolerate (requires Kubernetes >= 1.6) | `[]` |
| `affinity` | Affinity for pod assignment | `{}` |
| `resources` | Pod resource requests & limits | `{}` |
| `imagePullSecrets` | Reference to one or more secrets to be used when pulling images | `[]` |
| `serviceMonitor.enabled` | Enable the creation of a serviceMonitor object for the Prometheus operator | `false` |
| `serviceMonitor.interval` | The interval the Prometheus endpoint is scraped | `30s` |
| `serviceMonitor.namespace` | The namespace where the serviceMonitor object has to be created | `nil` |

Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
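Review bot: the new `securityContext` row documents the `{ runAsNonRoot: true }` default but drops the only mention of `fsGroup`, which the values file in this same change still shows as needed for IRSA; the row (or a sentence after the table) should say that `securityContext` is the full pod-level security context, so users who previously set `securityContext.fsGroup` keep that key and IRSA users still need `fsGroup: 65534`. While the whole table is being rewritten, the `env.VAULT_ADDR` default cell is missing its closing backtick (`http://127.0.0.1:8200`) on both sides of the diff.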

4 changes: 3 additions & 1 deletion charts/kubernetes-external-secrets/values.yaml
@@ -62,7 +62,9 @@ fullnameOverride: ""
podAnnotations: {}
podLabels: {}

securityContext: {}
securityContext:
runAsNonRoot: true
# Required for use of IRSA, see https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html
# fsGroup: 65534

resources: {}
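Review bot: `runAsNonRoot: true` is checked by the kubelet against the container's effective UID at start, so anyone overriding `image.repository` with an image whose `USER` is a name rather than a number gets a pod that never starts; the comment block here is the place to say the image must declare a numeric UID (this commit's Dockerfile moves to `USER 1000` for exactly that reason), or to show `runAsUser: 1000` next to `runAsNonRoot` so the UID is explicit regardless of the image. Also, the `fsGroup: 65534` comment says it is required for IRSA, but the README in this same change no longer lists an `fsGroup` key; keep the two in sync.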
