wusheng pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/skywalking-kubernetes.git
The following commit(s) were added to refs/heads/master by this push:
new 7dc6079 Add config to set Pod securityContext (#103)
7dc6079 is described below
commit 7dc60791a2257c55046d8394e6b39473b415c57c
Author: kezhenxu94 <[email protected]>
AuthorDate: Fri Dec 2 11:01:24 2022 +0800
Add config to set Pod securityContext (#103)
---
chart/skywalking/README.md | 3 +++
chart/skywalking/templates/oap-deployment.yaml | 4 ++++
chart/skywalking/templates/oap-init.job.yaml | 4 ++++
chart/skywalking/templates/satellite-deployment.yaml | 5 +++++
chart/skywalking/templates/ui-deployment.yaml | 5 +++++
chart/skywalking/values.yaml | 13 ++++++++++++-
6 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/chart/skywalking/README.md b/chart/skywalking/README.md
index 74b5acc..beb55cd 100644
--- a/chart/skywalking/README.md
+++ b/chart/skywalking/README.md
@@ -60,6 +60,7 @@ The following table lists the configurable parameters of the
Skywalking chart an
| `oap.resources` | OAP node
resources requests & limits
| `{} - cpu limit must be an integer` |
| `oap.envoy.als.enabled` | Open envoy
als
| `false` |
| `oap.env` | OAP
environment variables
| `[]` |
+| `oap.securityContext` | Allows you to
set the
[securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
for the pod | `fsGroup: 1000`<br>`runAsUser: 1000` |
| `ui.name` | Web UI
deployment name
| `ui` |
| `ui.replicas` | Web UI k8s
deployment replicas
| `1` |
| `ui.image.repository` | Web UI
container image name
| `skywalking.docker.scarf.sh/apache/skywalking-ui` |
@@ -80,6 +81,7 @@ The following table lists the configurable parameters of the
Skywalking chart an
| `ui.service.loadBalancerIP` | Load Balancer
IP address
| `nil` |
| `ui.service.annotations` | Kubernetes
service annotations
| `{}` |
| `ui.service.loadBalancerSourceRanges` | Limit load
balancer source IPs to list of CIDRs (where available))
| `[]` |
+| `ui.securityContext` | Allows you to
set the
[securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
for the pod | `fsGroup: 1000`<br>`runAsUser: 1000` |
| `oapInit.nodeAffinity` | OAP init job
node affinity policy
| `{}` |
| `oapInit.nodeSelector` | OAP init job
labels for master pod assignment
| `{}` |
| `oapInit.tolerations` | OAP init job
tolerations
| `[]` |
@@ -161,6 +163,7 @@ The following table lists the configurable parameters of
the Skywalking chart an
| `satellite.resources` | Satellite node resources
requests & limits |
`{} - cpu limit must be an integer` |
| `satellite.podAnnotations` | Configurable
[annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
applied to all Satellite pods
| `{}`
|
| `satellite.env` | Satellite environment
variables |
`[]` |
+| `satellite.securityContext` | Allows you to set the
[securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
for the pod | `fsGroup: 1000`<br>`runAsUser: 1000` |
Specify each parameter using the `--set key=value[,key=value]` argument to
`helm install`. For example,
diff --git a/chart/skywalking/templates/oap-deployment.yaml
b/chart/skywalking/templates/oap-deployment.yaml
index 6d330f5..58b5a97 100644
--- a/chart/skywalking/templates/oap-deployment.yaml
+++ b/chart/skywalking/templates/oap-deployment.yaml
@@ -42,6 +42,10 @@ spec:
{{- end }}
spec:
serviceAccountName: {{ template "skywalking.serviceAccountName.oap" . }}
+ {{- with .Values.oap.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
affinity:
{{- if eq .Values.oap.antiAffinity "hard" }}
podAntiAffinity:
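Review bot: The `securityContext` added under the pod `spec` is the pod-level context only, so hardening fields that Kubernetes accepts only per container (`allowPrivilegeEscalation`, `readOnlyRootFilesystem`, `capabilities`, `privileged`) cannot be set through `oap.securityContext`. Consider a second value rendered under the container entry (for example a new `oap.containerSecurityContext`), or at least say in the README row that only pod-level fields are accepted. The same applies to the hunks in oap-init.job.yaml, satellite-deployment.yaml and ui-deployment.yaml. The container spec lies outside this hunk, so whether a container-level context is already rendered there cannot be confirmed from here.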
diff --git a/chart/skywalking/templates/oap-init.job.yaml
b/chart/skywalking/templates/oap-init.job.yaml
index d061066..71b06e8 100644
--- a/chart/skywalking/templates/oap-init.job.yaml
+++ b/chart/skywalking/templates/oap-init.job.yaml
@@ -38,6 +38,10 @@ spec:
release: {{ .Release.Name }}
spec:
serviceAccountName: {{ template "skywalking.serviceAccountName.oap" . }}
+ {{- with .Values.oap.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
{{- if .Values.oapInit.nodeAffinity }}
affinity:
{{- end }}
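Review bot: The init Job reads `.Values.oap.securityContext` rather than a value under `oapInit`, so changing the OAP pod's context also changes the Job's, and the README rows added in this commit do not say so. Either document the coupling next to the value, e.g. `# also applied to the oap-init Job pod`, or allow an override with `{{- with (.Values.oapInit.securityContext | default .Values.oap.securityContext) }}`. The Job's pod spec continues outside the hunk.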
diff --git a/chart/skywalking/templates/satellite-deployment.yaml
b/chart/skywalking/templates/satellite-deployment.yaml
index 2659904..7e01911 100644
--- a/chart/skywalking/templates/satellite-deployment.yaml
+++ b/chart/skywalking/templates/satellite-deployment.yaml
@@ -43,6 +43,11 @@ spec:
{{- end }}
spec:
serviceAccountName: {{ template
"skywalking.serviceAccountName.satellite" . }}
+ {{- with .Values.satellite.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+
affinity:
{{- if eq .Values.satellite.antiAffinity "hard" }}
podAntiAffinity:
diff --git a/chart/skywalking/templates/ui-deployment.yaml
b/chart/skywalking/templates/ui-deployment.yaml
index 34f56ad..738fceb 100644
--- a/chart/skywalking/templates/ui-deployment.yaml
+++ b/chart/skywalking/templates/ui-deployment.yaml
@@ -41,6 +41,11 @@ spec:
{{ toYaml .Values.ui.podAnnotations | indent 8 }}
{{- end }}
spec:
+ {{- with .Values.ui.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+
affinity:
{{- with .Values.ui.nodeAffinity }}
nodeAffinity:
diff --git a/chart/skywalking/values.yaml b/chart/skywalking/values.yaml
index 2e79715..13fb6ed 100644
--- a/chart/skywalking/values.yaml
+++ b/chart/skywalking/values.yaml
@@ -59,6 +59,10 @@ oap:
# memory: 4Gi
# podAnnotations:
# example: oap-foo
+ securityContext: {}
+ # runAsUser: 1000
+ # runAsGroup: 1000
+ # fsGroup: 1000
envoy:
als:
enabled: false
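Review bot: The default added here is `securityContext: {}`, which makes the `with` guard in the templates skip the block entirely, whereas the README rows in this commit list the default as `fsGroup: 1000` and `runAsUser: 1000`; one of the two should be corrected. With the empty default the pods keep whatever user the image defines, which may be root (the images are not visible here), so operators who rely on the README will believe a non-root UID is applied when none is. The commented example would serve better as a hardening starting point if it also showed `# runAsNonRoot: true`. The same default and example are repeated in the `ui:` and `satellite:` hunks below.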
@@ -132,6 +136,10 @@ ui:
annotations: {}
## Limit load balancer source ips to list of CIDRs (where available)
# loadBalancerSourceRanges: []
+ securityContext: {}
+ # runAsUser: 1000
+ # runAsGroup: 1000
+ # fsGroup: 1000
oapInit:
nodeAffinity: {}
@@ -433,7 +441,10 @@ satellite:
config: {}
# satellite_config.yaml: |
# key: val
-
+ securityContext: {}
+ # runAsUser: 1000
+ # runAsGroup: 1000
+ # fsGroup: 1000
nameOverride: ""
fullnameOverride: ""