diff --git a/charts/kube-hook/Chart.yaml b/charts/kube-hook/Chart.yaml
index bc764d1..4418fff 100644
--- a/charts/kube-hook/Chart.yaml
+++ b/charts/kube-hook/Chart.yaml
@@ -27,7 +27,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.0.2
+version: 1.0.3
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/kube-hook/README.md b/charts/kube-hook/README.md
index b59de9c..f053dbe 100644
--- a/charts/kube-hook/README.md
+++ b/charts/kube-hook/README.md
@@ -1,6 +1,6 @@
 # kube-hook
-![Version: 1.0.2](https://img.shields.io/badge/Version-1.0.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)
+![Version: 1.0.3](https://img.shields.io/badge/Version-1.0.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)
 A Kubernetes Webhook server that allows you to remotely restart deployments
@@ -40,7 +40,7 @@ A Kubernetes Webhook server that allows you to remotely restart deployments | replicaCount | int | `2` | Number of kube-hook replicas to deploy | | resources | object | `{"limits":{"memory":"125Mi"},"requests":{"memory":"125Mi"}}` | Resources for pods. Evaluated as a template. | | revisionHistoryLimit | int | `1` | Number of kube-hook revisions to keep | -| securityContext | object | `{}` | Security Context for kube-hook | +| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":101,"runAsUser":101}` | Security Context for kube-hook | | service.port | int | `3000` | Service HTTP port | | service.type | string | `"ClusterIP"` | Service type | | serviceAccount.annotations | object | `{}` | Annotations to add to the service account | diff --git a/charts/kube-hook/templates/clusterrole.yaml b/charts/kube-hook/templates/clusterrole.yaml index 1835603..0072dbd 100644 --- a/charts/kube-hook/templates/clusterrole.yaml +++ b/charts/kube-hook/templates/clusterrole.yaml @@ -6,16 +6,10 @@ metadata: labels: {{- include "kube-hook.labels" . | nindent 4 }} rules: - - apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list"] - - apiGroups: [""] - resources: ["deployments"] - verbs: ["get", "list", "update", "patch"] - - apiGroups: [""] - resources: ["replicasets"] - verbs: ["get", "list"] - apiGroups: [""] resources: ["nodes"] verbs: ["get", "list"] + - apiGroups: ["", "apps"] + resources: ["deployments", "replicasets", "pods"] + verbs: ["get", "list", "update", "patch"] {{- end }} diff --git a/charts/kube-hook/values.yaml b/charts/kube-hook/values.yaml index 498f119..303439b 100644 --- a/charts/kube-hook/values.yaml +++ b/charts/kube-hook/values.yaml 
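Review bot: The merged rule added at the end of the clusterrole.yaml hunk grants `update` and `patch` on pods and replicasets cluster-wide, which the rules it replaces never did (those two resources were `get`/`list` only); a webhook that restarts deployments only needs to patch deployments. It also still lists `deployments` under the core `""` group, where that resource does not exist, so only the `apps` entry does any work. Split the rule by privilege so the ClusterRole stays at least-privilege: read on pods in core, read on replicasets in `apps`, read-plus-patch on deployments in `apps`, and keep `update` only if the server actually uses it rather than `patch`. The `{{- if` guard that pairs with the visible `{{- end }}` starts outside the hunk.
```yaml
  # … unchanged: nodes get/list rule …
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
  - apiGroups: ["apps"]
    resources: ["replicasets"]
    verbs: ["get", "list"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "update", "patch"]
```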
@@ -45,13 +45,15 @@ podSecurityContext: {}
 # fsGroup: 2000
 # -- Security Context for kube-hook
-securityContext: {}
- # capabilities:
- # drop:
- # - ALL
- # readOnlyRootFilesystem: true
- # runAsNonRoot: true
- # runAsUser: 1000
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 101
+ runAsUser: 101
 service:
 # -- Service type
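Review bot: The new `securityContext` block drops the `runAsNonRoot: true` that the removed commented example carried, and sets no `seccompProfile`; both are required by the Pod Security `restricted` profile, and `runAsNonRoot` is the check that still rejects the pod if a consumer overrides `runAsUser` back to 0 or the image's numeric UID cannot be verified. Add `runAsNonRoot: true` and `seccompProfile:` / `  type: RuntimeDefault` next to the other keys. `podSecurityContext` remains `{}` in the hunk context, so nothing is enforced at pod level and the container block is the only hardening in effect. UID/GID `101` presumably match the user baked into the image — worth confirming against the Dockerfile, since a mismatch combined with `readOnlyRootFilesystem: true` is the usual cause of startup failures after this kind of change.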