forked from kubearmor/KubeArmor
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdeployment.yaml
142 lines (142 loc) · 4.6 KB
/
deployment.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
{{- if .Values.kubearmorRelay.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
kubearmor-app: kubearmor-relay
name: kubearmor-relay
namespace: {{ .Release.Namespace }}
spec:
replicas: 1
selector:
matchLabels:
kubearmor-app: kubearmor-relay
template:
metadata:
annotations:
kubearmor-policy: audited
labels:
kubearmor-app: kubearmor-relay
spec:
{{- if .Values.kubearmorRelay.image.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.kubearmorRelay.image.imagePullSecrets | indent 6 }}
{{- end }}
{{- if .Values.kubearmorRelay.tolerations }}
tolerations:
{{ toYaml .Values.kubearmorRelay.tolerations | indent 6 }}
{{- end }}
containers:
- args:
{{printf "- -tlsEnabled=%t" .Values.tls.enabled}}
{{printf "- -tlsCertPath=%s" .Values.kubearmorRelay.tls.tlsCertPath}}
{{printf "- -tlsCertProvider=%s" .Values.kubearmorRelay.tls.tlsCertProvider}}
image: {{printf "%s:%s" .Values.kubearmorRelay.image.repository .Values.kubearmorRelay.image.tag}}
imagePullPolicy: {{ .Values.kubearmorRelay.imagePullPolicy }}
name: kubearmor-relay-server
env:
- name: ENABLE_STDOUT_LOGS
value: {{ quote .Values.kubearmorRelay.enableStdoutLogs }}
- name: ENABLE_STDOUT_ALERTS
value: {{ quote .Values.kubearmorRelay.enableStdoutAlerts }}
- name: ENABLE_STDOUT_MSGS
value: {{ quote .Values.kubearmorRelay.enableStdoutMsg }}
ports:
- containerPort: 32767
{{- if .Values.tls.enabled }}
volumeMounts:
{{- toYaml .Values.kubearmorRelay.tls.certVolumeMount | trim | nindent 10 }}
{{- end}}
nodeSelector:
kubernetes.io/os: linux
serviceAccountName: kubearmor-relay
{{- if .Values.tls.enabled }}
volumes:
{{- toYaml .Values.kubearmorRelay.tls.certVolume | trim | nindent 8 }}
{{- end }}
{{- end }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
kubearmor-app: {{ .Values.kubearmorController.name }}
name: {{ .Values.kubearmorController.name }}
namespace: {{ .Release.Namespace }}
spec:
replicas: {{ .Values.kubearmorController.replicas }}
selector:
matchLabels:
kubearmor-app: {{ .Values.kubearmorController.name }}
template:
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/kube-rbac-proxy: unconfined
container.apparmor.security.beta.kubernetes.io/manager: unconfined
kubectl.kubernetes.io/default-container: manager
kubearmor-policy: audited
labels:
kubearmor-app: {{ .Values.kubearmorController.name }}
spec:
containers:
- args:
- --health-probe-bind-address=:8081
- --leader-elect
- --anotateExisting=false
command:
- /manager
image: {{printf "%s:%s" .Values.kubearmorController.image.repository .Values.kubearmorController.image.tag}}
imagePullPolicy: {{ .Values.kubearmorController.imagePullPolicy }}
{{- if .Values.kubearmorController.image.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.kubearmorController.image.imagePullSecrets | indent 8 }}
{{- end }}
{{- if .Values.kubearmorController.tolerations }}
tolerations:
{{ toYaml .Values.kubearmorController.tolerations | indent 6 }}
{{- end }}
livenessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 15
periodSeconds: 20
name: manager
ports:
- containerPort: 9443
name: webhook-server
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
resources:
requests:
cpu: 10m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
readOnly: true
- mountPath: /sys/kernel/security
name: sys-path
securityContext:
runAsNonRoot: true
serviceAccountName: {{ .Values.kubearmorController.name }}
terminationGracePeriodSeconds: 10
volumes:
- name: cert
secret:
defaultMode: 420
secretName: {{ .Values.kubearmorController.name }}-webhook-server-cert
- hostPath:
path: /sys/kernel/security
type: Directory
name: sys-path