chore(external-secrets): upgrade and set pod security standards

2025-11-23 15:00:25 +09:00
parent 0957ef9791
commit bcf9cab7b8
3 changed files with 32 additions and 3 deletions
--- a/external-secrets/external-secrets-values.yaml
+++ b/external-secrets/external-secrets-values.yaml
@@ -1,6 +1,14 @@
 # External Secrets Operator resource configuration
 # Based on Goldilocks recommendations (Burstable QoS)

+podSecurityContext:
+  runAsNonRoot: true
+  runAsUser: 1000
+  runAsGroup: 1000
+  fsGroup: 1000
+  seccompProfile:
+    type: RuntimeDefault
+
 # Main controller
 resources:
  requests:
@@ -10,8 +18,14 @@ resources:
    cpu: 50m
    memory: 256Mi

-# Cert controller
 certController:
+  podSecurityContext:
+    runAsNonRoot: true
+    runAsUser: 1000
+    runAsGroup: 1000
+    fsGroup: 1000
+    seccompProfile:
+      type: RuntimeDefault
  resources:
    requests:
      cpu: 15m
@@ -20,8 +34,14 @@ certController:
      cpu: 50m
      memory: 256Mi

-# Webhook
 webhook:
+  podSecurityContext:
+    runAsNonRoot: true
+    runAsUser: 1000
+    runAsGroup: 1000
+    fsGroup: 1000
+    seccompProfile:
+      type: RuntimeDefault
  resources:
    requests:
      cpu: 15m
--- a/external-secrets/justfile
+++ b/external-secrets/justfile
@@ -1,7 +1,7 @@
 set fallback := true

 export EXTERNAL_SECRETS_NAMESPACE := env("EXTERNAL_SECRETS_NAMESPACE", "external-secrets")
-export EXTERNAL_SECRETS_CHART_VERSION := env("EXTERNAL_SECRETS_CHART_VERSION", "0.19.2")
+export EXTERNAL_SECRETS_CHART_VERSION := env("EXTERNAL_SECRETS_CHART_VERSION", "1.1.0")
 export EXTERNAL_SECRETS_REFRESH_INTERVAL := env("EXTERNAL_SECRETS_REFRESH_INTERVAL", "1800")
 export K8S_VAULT_NAMESPACE := env("K8S_VAULT_NAMESPACE", "vault")
 export VAULT_HOST := env("VAULT_HOST", "")
@@ -28,6 +28,10 @@ install:
        --version ${EXTERNAL_SECRETS_CHART_VERSION} -n ${EXTERNAL_SECRETS_NAMESPACE} \
        --create-namespace --wait \
        -f external-secrets-values.yaml
+
+    kubectl label namespace ${EXTERNAL_SECRETS_NAMESPACE} \
+        pod-security.kubernetes.io/enforce=restricted --overwrite
+
    just create-external-secrets-role
    just create-vault-secret-store

@@ -56,5 +60,6 @@ create-external-secrets-role root_token='':
    vault write auth/kubernetes/role/external-secrets \
        bound_service_account_names=external-secrets \
        bound_service_account_namespaces=${EXTERNAL_SECRETS_NAMESPACE} \
+        audience=vault \
        policies=admin \
        ttl=1h
--- a/external-secrets/vault-secret-store.gomplate.yaml
+++ b/external-secrets/vault-secret-store.gomplate.yaml
@@ -15,4 +15,8 @@ spec:
          serviceAccountRef:
            name: external-secrets
            namespace: {{ .Env.EXTERNAL_SECRETS_NAMESPACE }}
+            # Audience must match the audience configured in Vault Kubernetes auth role
+            # Required for Vault 1.21+ compatibility
+            audiences:
+              - vault
  refreshInterval: {{ .Env.EXTERNAL_SECRETS_REFRESH_INTERVAL }}