Fixed cluster role. Also implemented security context

glenndehaan · Apr 27, 2023 · 6b5661d · 6b5661d
1 parent 5261022
commit 6b5661d
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 19 deletions.
diff --git a/charts/kube-hook/Chart.yaml b/charts/kube-hook/Chart.yaml
@@ -27,7 +27,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.0.2
+version: 1.0.3
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/charts/kube-hook/README.md b/charts/kube-hook/README.md
@@ -1,6 +1,6 @@
 # kube-hook
 
-![Version: 1.0.2](https://img.shields.io/badge/Version-1.0.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)
+![Version: 1.0.3](https://img.shields.io/badge/Version-1.0.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)
 
 A Kubernetes Webhook server that allows you to remotely restart deployments
 
@@ -40,7 +40,7 @@ A Kubernetes Webhook server that allows you to remotely restart deployments
 | replicaCount | int | `2` | Number of kube-hook replicas to deploy |
 | resources | object | `{"limits":{"memory":"125Mi"},"requests":{"memory":"125Mi"}}` | Resources for pods. Evaluated as a template. |
 | revisionHistoryLimit | int | `1` | Number of kube-hook revisions to keep |
-| securityContext | object | `{}` | Security Context for kube-hook |
+| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":101,"runAsUser":101}` | Security Context for kube-hook |
 | service.port | int | `3000` | Service HTTP port |
 | service.type | string | `"ClusterIP"` | Service type |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account |

diff --git a/charts/kube-hook/templates/clusterrole.yaml b/charts/kube-hook/templates/clusterrole.yaml
@@ -6,16 +6,10 @@ metadata:
   labels:
     {{- include "kube-hook.labels" . | nindent 4 }}
 rules:
-  - apiGroups: [""]
-    resources: ["pods"]
-    verbs: ["get", "list"]
-  - apiGroups: [""]
-    resources: ["deployments"]
-    verbs: ["get", "list", "update", "patch"]
-  - apiGroups: [""]
-    resources: ["replicasets"]
-    verbs: ["get", "list"]
   - apiGroups: [""]
     resources: ["nodes"]
     verbs: ["get", "list"]
+  - apiGroups: ["", "apps"]
+    resources: ["deployments", "replicasets", "pods"]
+    verbs: ["get", "list", "update", "patch"]
 {{- end }}
diff --git a/charts/kube-hook/values.yaml b/charts/kube-hook/values.yaml
@@ -45,13 +45,15 @@ podSecurityContext: {}
   # fsGroup: 2000
 
 # -- Security Context for kube-hook
-securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - ALL
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsUser: 101
 
 service:
   # -- Service type