🔧 revise kubelinter config / fix warns

Signed-off-by: Rintaro Okamura <[email protected]>
vdaas · Dec 22, 2020 · 33cf49c · 33cf49c
1 parent 923ef5a
commit 33cf49c
Show file tree

Hide file tree

Showing 19 changed files with 105 additions and 19 deletions.
diff --git a/.github/kubelinter.yaml b/.github/kubelinter.yaml
@@ -3,3 +3,4 @@ checks:
   exclude:
     - "unset-cpu-requirements"
     - "unset-memory-requirements"
+    - "no-read-only-root-fs"
diff --git a/.github/workflows/reviewdog-k8s.yml b/.github/workflows/reviewdog-k8s.yml
@@ -49,4 +49,10 @@ jobs:
           KUBELINTER_VERSION: 0.1.2
       - name: kubelinter
         run: |
-          ./kube-linter lint --config .github/kubelinter.yaml k8s
+          ./kube-linter lint \
+            --config .github/kubelinter.yaml \
+            k8s/agent \
+            k8s/discoverer \
+            k8s/gateway \
+            k8s/manager \
+            k8s/meta
diff --git a/charts/vald/templates/agent/daemonset.yaml b/charts/vald/templates/agent/daemonset.yaml
@@ -136,7 +136,10 @@ spec:
       dnsPolicy: ClusterFirst
       restartPolicy: Always
       schedulerName: default-scheduler
-      securityContext: {}
+      {{- if .Values.agent.securityContext }}
+      securityContext:
+        {{- toYaml .Values.agent.securityContext | nindent 8 }}
+      {{- end }}
       terminationGracePeriodSeconds: {{ .Values.agent.terminationGracePeriodSeconds }}
       volumes:
         - name: {{ .Values.agent.name }}-config

diff --git a/charts/vald/templates/agent/deployment.yaml b/charts/vald/templates/agent/deployment.yaml
@@ -141,7 +141,10 @@ spec:
       dnsPolicy: ClusterFirst
       restartPolicy: Always
       schedulerName: default-scheduler
-      securityContext: {}
+      {{- if .Values.agent.securityContext }}
+      securityContext:
+        {{- toYaml .Values.agent.securityContext | nindent 8 }}
+      {{- end }}
       terminationGracePeriodSeconds: {{ .Values.agent.terminationGracePeriodSeconds }}
       volumes:
         - name: {{ .Values.agent.name }}-config

diff --git a/charts/vald/templates/agent/statefulset.yaml b/charts/vald/templates/agent/statefulset.yaml
@@ -157,7 +157,10 @@ spec:
       dnsPolicy: ClusterFirst
       restartPolicy: Always
       schedulerName: default-scheduler
-      securityContext: {}
+      {{- if .Values.agent.securityContext }}
+      securityContext:
+        {{- toYaml .Values.agent.securityContext | nindent 8 }}
+      {{- end }}
       terminationGracePeriodSeconds: {{ .Values.agent.terminationGracePeriodSeconds }}
       volumes:
         - name: {{ .Values.agent.name }}-config

diff --git a/charts/vald/templates/discoverer/daemonset.yaml b/charts/vald/templates/discoverer/daemonset.yaml
@@ -89,7 +89,10 @@ spec:
       schedulerName: default-scheduler
       serviceAccount: vald
       serviceAccountName: vald
-      securityContext: {}
+      {{- if .Values.discoverer.securityContext }}
+      securityContext:
+        {{- toYaml .Values.discoverer.securityContext | nindent 8 }}
+      {{- end }}
       terminationGracePeriodSeconds: {{ .Values.discoverer.terminationGracePeriodSeconds }}
       volumes:
         - name: {{ .Values.discoverer.name }}-config

diff --git a/charts/vald/templates/discoverer/deployment.yaml b/charts/vald/templates/discoverer/deployment.yaml
@@ -92,9 +92,11 @@ spec:
       dnsPolicy: ClusterFirst
       restartPolicy: Always
       schedulerName: default-scheduler
-      serviceAccount: vald
-      serviceAccountName: vald
-      securityContext: {}
+      serviceAccountName: {{ .Values.discoverer.serviceAccount.name }}
+      {{- if .Values.discoverer.securityContext }}
+      securityContext:
+        {{- toYaml .Values.discoverer.securityContext | nindent 8 }}
+      {{- end }}
       terminationGracePeriodSeconds: {{ .Values.discoverer.terminationGracePeriodSeconds }}
       volumes:
         - name: {{ .Values.discoverer.name }}-config

diff --git a/charts/vald/templates/gateway/vald/daemonset.yaml b/charts/vald/templates/gateway/vald/daemonset.yaml
@@ -87,7 +87,10 @@ spec:
       dnsPolicy: ClusterFirst
       restartPolicy: Always
       schedulerName: default-scheduler
-      securityContext: {}
+      {{- if .Values.gateway.securityContext }}
+      securityContext:
+        {{- toYaml .Values.gateway.securityContext | nindent 8 }}
+      {{- end }}
       terminationGracePeriodSeconds: {{ .Values.gateway.terminationGracePeriodSeconds }}
       volumes:
         - name: {{ .Values.gateway.name }}-config

diff --git a/charts/vald/templates/gateway/vald/deployment.yaml b/charts/vald/templates/gateway/vald/deployment.yaml
@@ -92,7 +92,10 @@ spec:
       dnsPolicy: ClusterFirst
       restartPolicy: Always
       schedulerName: default-scheduler
-      securityContext: {}
+      {{- if .Values.gateway.securityContext }}
+      securityContext:
+        {{- toYaml .Values.gateway.securityContext | nindent 8 }}
+      {{- end }}
       terminationGracePeriodSeconds: {{ .Values.gateway.terminationGracePeriodSeconds }}
       volumes:
         - name: {{ .Values.gateway.name }}-config

diff --git a/charts/vald/templates/manager/backup/daemonset.yaml b/charts/vald/templates/manager/backup/daemonset.yaml
@@ -87,7 +87,10 @@ spec:
       dnsPolicy: ClusterFirst
       restartPolicy: Always
       schedulerName: default-scheduler
-      securityContext: {}
+      {{- if .Values.backupManager.securityContext }}
+      securityContext:
+        {{- toYaml .Values.backupManager.securityContext | nindent 8 }}
+      {{- end }}
       terminationGracePeriodSeconds: {{ .Values.backupManager.terminationGracePeriodSeconds }}
       volumes:
         - name: {{ .Values.backupManager.name }}-config

diff --git a/charts/vald/templates/manager/backup/deployment.yaml b/charts/vald/templates/manager/backup/deployment.yaml
@@ -92,7 +92,10 @@ spec:
       dnsPolicy: ClusterFirst
       restartPolicy: Always
       schedulerName: default-scheduler
-      securityContext: {}
+      {{- if .Values.backupManager.securityContext }}
+      securityContext:
+        {{- toYaml .Values.backupManager.securityContext | nindent 8 }}
+      {{- end }}
       terminationGracePeriodSeconds: {{ .Values.backupManager.terminationGracePeriodSeconds }}
       volumes:
         - name: {{ .Values.backupManager.name }}-config

diff --git a/charts/vald/templates/manager/compressor/daemonset.yaml b/charts/vald/templates/manager/compressor/daemonset.yaml
@@ -87,7 +87,10 @@ spec:
       dnsPolicy: ClusterFirst
       restartPolicy: Always
       schedulerName: default-scheduler
-      securityContext: {}
+      {{- if .Values.compressor.securityContext }}
+      securityContext:
+        {{- toYaml .Values.compressor.securityContext | nindent 8 }}
+      {{- end }}
       terminationGracePeriodSeconds: {{ .Values.compressor.terminationGracePeriodSeconds }}
       volumes:
         - configMap:

diff --git a/charts/vald/templates/manager/compressor/deployment.yaml b/charts/vald/templates/manager/compressor/deployment.yaml
@@ -92,7 +92,10 @@ spec:
       dnsPolicy: ClusterFirst
       restartPolicy: Always
       schedulerName: default-scheduler
-      securityContext: {}
+      {{- if .Values.compressor.securityContext }}
+      securityContext:
+        {{- toYaml .Values.compressor.securityContext | nindent 8 }}
+      {{- end }}
       terminationGracePeriodSeconds: {{ .Values.compressor.terminationGracePeriodSeconds }}
       volumes:
         - configMap:

diff --git a/charts/vald/templates/manager/index/daemonset.yaml b/charts/vald/templates/manager/index/daemonset.yaml
@@ -87,7 +87,10 @@ spec:
       dnsPolicy: ClusterFirst
       restartPolicy: Always
       schedulerName: default-scheduler
-      securityContext: {}
+      {{- if .Values.indexManager.securityContext }}
+      securityContext:
+        {{- toYaml .Values.indexManager.securityContext | nindent 8 }}
+      {{- end }}
       terminationGracePeriodSeconds: {{ .Values.indexManager.terminationGracePeriodSeconds }}
       volumes:
         - configMap:

diff --git a/charts/vald/templates/manager/index/deployment.yaml b/charts/vald/templates/manager/index/deployment.yaml
@@ -90,7 +90,10 @@ spec:
       dnsPolicy: ClusterFirst
       restartPolicy: Always
       schedulerName: default-scheduler
-      securityContext: {}
+      {{- if .Values.indexManager.securityContext }}
+      securityContext:
+        {{- toYaml .Values.indexManager.securityContext | nindent 8 }}
+      {{- end }}
       terminationGracePeriodSeconds: {{ .Values.indexManager.terminationGracePeriodSeconds }}
       volumes:
         - configMap:

diff --git a/charts/vald/templates/meta/daemonset.yaml b/charts/vald/templates/meta/daemonset.yaml
@@ -87,7 +87,10 @@ spec:
       dnsPolicy: ClusterFirst
       restartPolicy: Always
       schedulerName: default-scheduler
-      securityContext: {}
+      {{- if .Values.meta.securityContext }}
+      securityContext:
+        {{- toYaml .Values.meta.securityContext | nindent 8 }}
+      {{- end }}
       terminationGracePeriodSeconds: {{ .Values.meta.terminationGracePeriodSeconds }}
       volumes:
         - name: {{ .Values.meta.name }}-config

diff --git a/charts/vald/templates/meta/deployment.yaml b/charts/vald/templates/meta/deployment.yaml
@@ -92,7 +92,10 @@ spec:
       dnsPolicy: ClusterFirst
       restartPolicy: Always
       schedulerName: default-scheduler
-      securityContext: {}
+      {{- if .Values.meta.securityContext }}
+      securityContext:
+        {{- toYaml .Values.meta.securityContext | nindent 8 }}
+      {{- end }}
       terminationGracePeriodSeconds: {{ .Values.meta.terminationGracePeriodSeconds }}
       volumes:
         - name: {{ .Values.meta.name }}-config

diff --git a/charts/vald/values.schema.json b/charts/vald/values.schema.json
diff --git a/charts/vald/values.yaml b/charts/vald/values.yaml
@@ -799,6 +799,11 @@ gateway:
   # @schema {"name": "gateway.terminationGracePeriodSeconds", "type": "integer", "minimum": 0}
   # gateway.terminationGracePeriodSeconds -- duration in seconds pod needs to terminate gracefully
   terminationGracePeriodSeconds: 30
+  # @schema {"name": "gateway.securityContext", "type": "object"}
+  # gateway.securityContext -- security context
+  securityContext:
+    runAsUser: 1002
+    runAsNonRoot: true
   # @schema {"name": "gateway.podPriority", "type": "object", "anchor": "podPriority"}
   podPriority:
     # @schema {"name": "gateway.podPriority.enabled", "type": "boolean"}
@@ -1081,6 +1086,11 @@ agent:
   # @schema {"name": "agent.terminationGracePeriodSeconds", "type": "integer", "minimum": 0}
   # agent.terminationGracePeriodSeconds -- duration in seconds pod needs to terminate gracefully
   terminationGracePeriodSeconds: 120
+  # @schema {"name": "agent.securityContext", "type": "object"}
+  # agent.securityContext -- security context
+  securityContext:
+    runAsUser: 1002
+    runAsNonRoot: true
   # @schema {"name": "agent.podManagementPolicy", "type": "string", "enum": ["OrderedReady", "Parallel"]}
   # agent.podManagementPolicy -- pod management policy: OrderedReady or Parallel
   podManagementPolicy: OrderedReady
@@ -1636,6 +1646,11 @@ discoverer:
   # @schema {"name": "discoverer.terminationGracePeriodSeconds", "type": "integer", "minimum": 0}
   # discoverer.terminationGracePeriodSeconds -- duration in seconds pod needs to terminate gracefully
   terminationGracePeriodSeconds: 30
+  # @schema {"name": "discoverer.securityContext", "type": "object"}
+  # discoverer.securityContext -- security context
+  securityContext:
+    runAsUser: 1002
+    runAsNonRoot: true
   # @schema {"name": "discoverer.podPriority", "alias": "podPriority"}
   podPriority:
     # discoverer.podPriority.enabled -- discoverer pod PriorityClass enabled
@@ -1840,6 +1855,11 @@ compressor:
   # @schema {"name": "compressor.terminationGracePeriodSeconds", "type": "integer", "minimum": 0}
   # compressor.terminationGracePeriodSeconds -- duration in seconds pod needs to terminate gracefully
   terminationGracePeriodSeconds: 120
+  # @schema {"name": "compressor.securityContext", "type": "object"}
+  # compressor.securityContext -- security context
+  securityContext:
+    runAsUser: 1002
+    runAsNonRoot: true
   # @schema {"name": "compressor.podPriority", "alias": "podPriority"}
   podPriority:
     # compressor.podPriority.enabled -- compressor pod PriorityClass enabled
@@ -2046,6 +2066,11 @@ backupManager:
   # @schema {"name": "backupManager.terminationGracePeriodSeconds", "type": "integer", "minimum": 0}
   # backupManager.terminationGracePeriodSeconds -- duration in seconds pod needs to terminate gracefully
   terminationGracePeriodSeconds: 30
+  # @schema {"name": "backupManager.securityContext", "type": "object"}
+  # backupManager.securityContext -- security context
+  securityContext:
+    runAsUser: 1002
+    runAsNonRoot: true
   # @schema {"name": "backupManager.podPriority", "alias": "podPriority"}
   podPriority:
     # backupManager.podPriority.enabled -- backup manager pod PriorityClass enabled
@@ -2490,6 +2515,11 @@ indexManager:
   # @schema {"name": "indexManager.terminationGracePeriodSeconds", "type": "integer", "minimum": 0}
   # indexManager.terminationGracePeriodSeconds -- duration in seconds pod needs to terminate gracefully
   terminationGracePeriodSeconds: 30
+  # @schema {"name": "indexManager.securityContext", "type": "object"}
+  # indexManager.securityContext -- security context
+  securityContext:
+    runAsUser: 1002
+    runAsNonRoot: true
   # @schema {"name": "indexManager.podPriority", "alias": "podPriority"}
   podPriority:
     # indexManager.podPriority.enabled -- index manager pod PriorityClass enabled
@@ -2696,6 +2726,11 @@ meta:
   # @schema {"name": "meta.terminationGracePeriodSeconds", "type": "integer", "minimum": 0}
   # meta.terminationGracePeriodSeconds -- duration in seconds pod needs to terminate gracefully
   terminationGracePeriodSeconds: 30
+  # @schema {"name": "meta.securityContext", "type": "object"}
+  # meta.securityContext -- security context
+  securityContext:
+    runAsUser: 1002
+    runAsNonRoot: true
   # @schema {"name": "meta.podPriority", "alias": "podPriority"}
   podPriority:
     # meta.podPriority.enabled -- meta pod PriorityClass enabled