feat: add non root support for k8s#3103
Conversation
| behavior); set .Values.podSecurityContext to run as non-root. See values.yaml | ||
| for the recommended non-root preset. | ||
| */}} | ||
| {{- define "splunk-connect-for-syslog.podSecurityContext" -}} |
There was a problem hiding this comment.
I wonder if defining this helper is necessary, as it only wraps .Values.podSecruityContext
| serviceAccountName: {{ include "splunk-connect-for-syslog.serviceAccountName" . }} | ||
| securityContext: | ||
| {{- toYaml .Values.podSecurityContext | nindent 8 }} | ||
| {{- include "splunk-connect-for-syslog.podSecurityContext" . | nindent 8 }} |
There was a problem hiding this comment.
Again, as in https://github.com/splunk/splunk-connect-for-syslog/pull/3103/changes#r3411615226 what's the benefit of moving it the helper function. Why not add toYaml here?
| # and standard runtimes). | ||
| # | ||
| # To run SC4S as the unprivileged "syslog" user (UID/GID 1024) baked into the | ||
| # image -- required for hardened environments such as RKE2/OpenShift or any |
There was a problem hiding this comment.
I would change -- to just -. I think that -- is sometimes used to represent em-dash but I think that in the code we can just use hyphen
| # image -- required for hardened environments such as RKE2/OpenShift or any | ||
| # cluster that enforces the "restricted" Pod Security Standard -- uncomment the | ||
| # preset below. NET_BIND_SERVICE lets the default privileged ports (514/601) bind | ||
| # as non-root and is the only capability the "restricted" profile permits adding; |
There was a problem hiding this comment.
We mention NET_BIND_SERVICE here but we are adding it to secruityContext. I would move this comment down
| podSecurityContext: | ||
| {} | ||
| # fsGroup: 2000 | ||
| # runAsNonRoot: true |
There was a problem hiding this comment.
I'm curious what will happen when I won't set runAsNonRoot but I will set runAsUser?
2 participants
Addresses RKE cluster deployment from this issue:
#2648