From f65304eeb459eb5326f868ff303262fa3f8bbe1d Mon Sep 17 00:00:00 2001
From: Terje Sannum
Date: Wed, 23 Oct 2019 09:47:24 +0200
Subject: [PATCH 1/3] Support specifying image digest
---
 charts/kafka-lag-exporter/templates/040-Deployment.yaml | 4 ++++
 charts/kafka-lag-exporter/values.yaml | 2 ++
 2 files changed, 6 insertions(+)
diff --git a/charts/kafka-lag-exporter/templates/040-Deployment.yaml b/charts/kafka-lag-exporter/templates/040-Deployment.yaml
index c62ba1f7..3258bea7 100644
--- a/charts/kafka-lag-exporter/templates/040-Deployment.yaml
+++ b/charts/kafka-lag-exporter/templates/040-Deployment.yaml
@@ -28,7 +28,11 @@ spec:
 {{- end }}
 containers:
 - name: {{ .Chart.Name }}
+ {{- if .Values.image.digest }}
+ image: "{{ .Values.image.repository }}@{{ .Values.image.digest }}"
+ {{- else }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ {{- end }}
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 env: []
 ports:
diff --git a/charts/kafka-lag-exporter/values.yaml b/charts/kafka-lag-exporter/values.yaml
index 83561420..88378b5b 100644
--- a/charts/kafka-lag-exporter/values.yaml
+++ b/charts/kafka-lag-exporter/values.yaml
@@ -69,6 +69,8 @@ akkaLogLevel: DEBUG
 image:
 repository: lightbend/kafka-lag-exporter
 tag: 0.5.5-SNAPSHOT
+ # If digest is set it will be used instead of tag to specify the image
+ # digest: sha256:0f6387aa011e6eb7952ea211ac139bf8613ad3ef6954a1a5d910676d293bd610
 pullPolicy: Always
 service:
 type: ClusterIP
From 9a5aed9799c4a826158da2303db19368b746b556 Mon Sep 17 00:00:00 2001
From: Terje Sannum
Date: Wed, 23 Oct 2019 10:57:37 +0200
Subject: [PATCH 2/3] Set container securityContext
---
 charts/kafka-lag-exporter/templates/040-Deployment.yaml | 4 ++++
 charts/kafka-lag-exporter/values.yaml | 6 ++++++
 2 files changed, 10 insertions(+)
diff --git a/charts/kafka-lag-exporter/templates/040-Deployment.yaml b/charts/kafka-lag-exporter/templates/040-Deployment.yaml
index 3258bea7..027fb20b 100644
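Review bot: In the `@@ -28,7 +28,11 @@` hunk of 040-Deployment.yaml, `.Values.image.digest` is interpolated into the image reference without any format check, so a value that is truncated or missing the `sha256:` prefix renders an invalid reference that only fails at pull time. A guard inside the digest branch would surface this at template time, e.g. `{{- if not (regexMatch "^sha256:[a-f0-9]{64}$" .Values.image.digest) }}{{ fail "image.digest must be sha256:<64 hex chars>" }}{{- end }}` (loosen the pattern if other digest algorithms are needed, and confirm `fail` is available in the Helm version the chart targets). It is also worth stating in values.yaml that `tag` is ignored once a digest is set, since the default remains a mutable `-SNAPSHOT` tag with `pullPolicy: Always`. The container spec continues outside the hunk.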
--- a/charts/kafka-lag-exporter/templates/040-Deployment.yaml
+++ b/charts/kafka-lag-exporter/templates/040-Deployment.yaml
@@ -39,6 +39,10 @@ spec:
 - name: http
 containerPort: {{ .Values.service.port }}
 protocol: TCP
+ {{- if .Values.securityContext }}
+ securityContext:
+{{ toYaml .Values.securityContext | indent 12 }}
+ {{- end }}
 livenessProbe:
 httpGet:
 path: /
diff --git a/charts/kafka-lag-exporter/values.yaml b/charts/kafka-lag-exporter/values.yaml
index 88378b5b..8236b65b 100644
--- a/charts/kafka-lag-exporter/values.yaml
+++ b/charts/kafka-lag-exporter/values.yaml
@@ -72,6 +72,12 @@ image:
 # If digest is set it will be used instead of tag to specify the image
 # digest: sha256:0f6387aa011e6eb7952ea211ac139bf8613ad3ef6954a1a5d910676d293bd610
 pullPolicy: Always
+securityContext:
+ allowPrivilegeEscalation: false
+ runAsUser: 1001
+ runAsNonRoot: true
+ capabilities:
+ drop: ["all"]
 service:
 type: ClusterIP
 port: 8000
From 19430140e8c6521813c6a46d008bd888c0eb8397 Mon Sep 17 00:00:00 2001
From: Terje Sannum
Date: Mon, 4 Nov 2019 08:04:08 +0100
Subject: [PATCH 3/3] Empty securityContext as default
---
 charts/kafka-lag-exporter/values.yaml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/charts/kafka-lag-exporter/values.yaml b/charts/kafka-lag-exporter/values.yaml
index 8236b65b..673a1ac7 100644
--- a/charts/kafka-lag-exporter/values.yaml
+++ b/charts/kafka-lag-exporter/values.yaml
@@ -72,12 +72,12 @@ image:
 # If digest is set it will be used instead of tag to specify the image
 # digest: sha256:0f6387aa011e6eb7952ea211ac139bf8613ad3ef6954a1a5d910676d293bd610
 pullPolicy: Always
-securityContext:
- allowPrivilegeEscalation: false
- runAsUser: 1001
- runAsNonRoot: true
- capabilities:
- drop: ["all"]
+securityContext: {}
+ # allowPrivilegeEscalation: false
+ # runAsUser: 1001
+ # runAsNonRoot: true
+ # capabilities:
+ # drop: ["all"]
 service:
 type: ClusterIP
 port: 8000
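Review bot: The `{{ toYaml .Values.securityContext | indent 12 }}` line in the `@@ -39,6 +39,10 @@` hunk of 040-Deployment.yaml sits at column 0 and relies on a hand-counted indent, which is easy to break when the surrounding nesting changes. The usual Helm form keeps the expression aligned with its key: `securityContext:` followed by `{{- toYaml .Values.securityContext | nindent 12 }}`. The block is rendered on the container only, so a short comment saying that pod-level fields such as `fsGroup` do not belong in this value would help chart users. The container spec starts and ends outside the hunk.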
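Review bot: `drop: ["all"]` in the `securityContext` block added by the `@@ -72,6 +72,12 @@` hunk of values.yaml uses a lowercase capability name; the spelling Kubernetes documents is `ALL`, and policy checks that look for a drop-all (the Pod Security "restricted" profile, as far as I know) expect that exact value, while runtime handling of other casings may differ. Prefer `drop: ["ALL"]`. The same spelling is carried into the commented example in PATCH 3/3. `runAsUser: 1001` also presumes the image runs correctly under that UID, which cannot be confirmed from this hunk.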
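Review bot: With `securityContext: {}` as the default in PATCH 3/3, the `{{- if .Values.securityContext }}` guard in 040-Deployment.yaml renders no securityContext at all, so a default install runs with whatever user and privileges the image and runtime provide. If the change was prompted by the fixed UID (presumably `runAsUser: 1001` not suiting every image or platform), the UID-independent settings could stay enabled by default: keep `allowPrivilegeEscalation: false` and a `capabilities` drop of `["ALL"]` active and leave only `runAsUser` and `runAsNonRoot` commented. A comment above the key, such as `# Container securityContext; replace {} with the settings below to enable them`, would also make clear that the `{}` has to be removed when uncommenting.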