set security context readOnlyFilesystem=true and allowPrivilegeEscalation=false by default

fix #22
PierreBesson committed Jul 3, 2023
1 parent a9e3df3 commit 1de164c
Showing 3 changed files with 8 additions and 2 deletions.
2 changes: 1 addition & 1 deletion charts/node/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
name: node
description: A Helm chart to deploy Substrate/Polkadot nodes
type: application
version: 5.0.0
version: 5.0.1
maintainers:
- name: Parity
url: https://github.com/paritytech/helm-charts
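Review bot: a patch-level bump from 5.0.0 to 5.0.1 understates this change. Making readOnlyRootFilesystem=true and allowPrivilegeEscalation=false the default alters the runtime behaviour of every existing release: a node process that writes anywhere outside its mounted volumes will fail after upgrade. A minor bump (5.1.0) plus a changelog line telling operators how to override podSecurityContext.readOnlyRootFilesystem would make the new default discoverable.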
4 changes: 3 additions & 1 deletion charts/node/README.md
Expand Up @@ -450,8 +450,10 @@ If you're running a collator node:
| podDisruptionBudget.enabled | bool | `false` | Enable podDisruptionBudget |
| podDisruptionBudget.maxUnavailable | string | `nil` | maxUnavailable replicas |
| podDisruptionBudget.minAvailable | string | `nil` | minAvailable replicas |
| podSecurityContext | object | `{"fsGroup":1000,"runAsGroup":1000,"runAsUser":1000}` | SecurityContext holds pod-level security attributes and common container settings. This defaults to non root user with uid 1000 and gid 1000. ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
| podSecurityContext | object | `{"allowPrivilegeEscalation":false,"fsGroup":1000,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsUser":1000}` | SecurityContext holds pod-level security attributes and common container settings. This defaults to non root user with uid 1000 and gid 1000. ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
| podSecurityContext.allowPrivilegeEscalation | bool | `false` | Set container's Security Context allowPrivilegeEscalation |
| podSecurityContext.fsGroup | int | `1000` | Set container's Security Context fsGroup |
| podSecurityContext.readOnlyRootFilesystem | bool | `true` | Set container's Security Context readOnlyRootFilesystem |
| podSecurityContext.runAsGroup | int | `1000` | Set container's Security Context runAsGroup |
| podSecurityContext.runAsUser | int | `1000` | Set container's Security Context runAsUser |
| serviceAccount | object | `{"annotations":{},"create":true,"createRoleBinding":true,"name":""}` | Service account for the node to use. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ |
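Review bot: the description on the updated podSecurityContext row still says only "This defaults to non root user with uid 1000 and gid 1000" while the value column now also carries readOnlyRootFilesystem=true and allowPrivilegeEscalation=false; extend the sentence to mention the read-only root filesystem and the privilege-escalation block so the table is self-consistent. The new readOnlyRootFilesystem row is also the place to warn that every path the node writes to (its base/data path, any temp directory) must be backed by a volume once the root filesystem is read-only, and how to set the key to `false` if that is not the case.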
4 changes: 4 additions & 0 deletions charts/node/values.yaml
Expand Up @@ -117,6 +117,10 @@ podSecurityContext:
runAsGroup: 1000
# -- Set container's Security Context fsGroup
fsGroup: 1000
# -- Set container's Security Context readOnlyRootFilesystem
readOnlyRootFilesystem: true
# -- Set container's Security Context allowPrivilegeEscalation
allowPrivilegeEscalation: false

# -- podDisruptionBudget configuration
podDisruptionBudget:
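Review bot: readOnlyRootFilesystem and allowPrivilegeEscalation are fields of the container-level SecurityContext, not of PodSecurityContext, yet they are added under the `podSecurityContext` block directly below `fsGroup`, which exists only at pod level. Check how the template consumes this map: if it is rendered into `spec.securityContext`, the API server rejects the two new keys as unknown fields (or a client-side apply drops them, leaving the hardening silently off); if it is rendered into each container's `securityContext`, then `fsGroup` is the field that does not belong. Either split the values into a pod-level and a container-level block, or confirm the template already routes each key to the correct level before this becomes the default.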

0 comments on commit 1de164c