From bcf9cab7b84df84aa971276043fe947421f0504d Mon Sep 17 00:00:00 2001
From: Masaki Yatsu
Date: Sun, 23 Nov 2025 15:00:25 +0900
Subject: [PATCH] chore(external-secrets): upgrade and set pod security standards

---
 external-secrets/external-secrets-values.yaml | 24 +++++++++++++++++--
 external-secrets/justfile | 7 +++++-
 .../vault-secret-store.gomplate.yaml | 4 ++++
 3 files changed, 32 insertions(+), 3 deletions(-)

diff --git a/external-secrets/external-secrets-values.yaml b/external-secrets/external-secrets-values.yaml
index 0d74123..3b71b07 100644
--- a/external-secrets/external-secrets-values.yaml
+++ b/external-secrets/external-secrets-values.yaml
@@ -1,6 +1,14 @@
 # External Secrets Operator resource configuration
 # Based on Goldilocks recommendations (Burstable QoS)
 
+podSecurityContext:
+  runAsNonRoot: true
+  runAsUser: 1000
+  runAsGroup: 1000
+  fsGroup: 1000
+  seccompProfile:
+    type: RuntimeDefault
+
 # Main controller
 resources:
   requests:
@@ -10,8 +18,14 @@ resources:
     cpu: 50m
     memory: 256Mi
 
-# Cert controller
 certController:
+  podSecurityContext:
+    runAsNonRoot: true
+    runAsUser: 1000
+    runAsGroup: 1000
+    fsGroup: 1000
+    seccompProfile:
+      type: RuntimeDefault
   resources:
     requests:
       cpu: 15m
@@ -20,8 +34,14 @@ certController:
     cpu: 50m
     memory: 256Mi
 
-# Webhook
 webhook:
+  podSecurityContext:
+    runAsNonRoot: true
+    runAsUser: 1000
+    runAsGroup: 1000
+    fsGroup: 1000
+    seccompProfile:
+      type: RuntimeDefault
   resources:
     requests:
       cpu: 15m
diff --git a/external-secrets/justfile b/external-secrets/justfile
index 80cfd8e..82defb0 100644
--- a/external-secrets/justfile
+++ b/external-secrets/justfile
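Review bot: The new `podSecurityContext` blocks set only pod-level fields, but the `restricted` profile that the justfile now enforces on this namespace also requires container-level `allowPrivilegeEscalation: false` and `capabilities.drop: ["ALL"]`, which belong under `securityContext`; whether the chart's default `securityContext` already supplies them is not visible in this diff. If it does not, the pods are rejected on the next rollout rather than at install time, because the namespace label is applied after `helm ... --wait` has already created them. Consider setting the container fields explicitly next to each `podSecurityContext` block, e.g. `securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: ["ALL"]}, readOnlyRootFilesystem: true}`, and confirming with `kubectl label ns <ns> pod-security.kubernetes.io/enforce=restricted --dry-run=server --overwrite`, which reports existing pods that would violate the profile without changing anything.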
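Review bot: The same seven-line `podSecurityContext` block is now repeated verbatim for the main controller, `certController` and `webhook`, so any future change (a different UID, a localhost seccomp profile) has to be made three times and can silently drift. Helm parses YAML anchors in values files, so the top-level block can be declared once as `podSecurityContext: &podSecurityContext` and reused with `podSecurityContext: *podSecurityContext` under `certController` and `webhook`; the rendered values are identical.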
@@ -1,7 +1,7 @@
 set fallback := true
 
 export EXTERNAL_SECRETS_NAMESPACE := env("EXTERNAL_SECRETS_NAMESPACE", "external-secrets")
-export EXTERNAL_SECRETS_CHART_VERSION := env("EXTERNAL_SECRETS_CHART_VERSION", "0.19.2")
+export EXTERNAL_SECRETS_CHART_VERSION := env("EXTERNAL_SECRETS_CHART_VERSION", "1.1.0")
 export EXTERNAL_SECRETS_REFRESH_INTERVAL := env("EXTERNAL_SECRETS_REFRESH_INTERVAL", "1800")
 export K8S_VAULT_NAMESPACE := env("K8S_VAULT_NAMESPACE", "vault")
 export VAULT_HOST := env("VAULT_HOST", "")
@@ -28,6 +28,10 @@ install:
       --version ${EXTERNAL_SECRETS_CHART_VERSION} -n ${EXTERNAL_SECRETS_NAMESPACE} \
       --create-namespace --wait \
       -f external-secrets-values.yaml
 
+
+    kubectl label namespace ${EXTERNAL_SECRETS_NAMESPACE} \
+      pod-security.kubernetes.io/enforce=restricted --overwrite
+
     just create-external-secrets-role
     just create-vault-secret-store
@@ -56,5 +60,6 @@ create-external-secrets-role root_token='':
     vault write auth/kubernetes/role/external-secrets \
       bound_service_account_names=external-secrets \
       bound_service_account_namespaces=${EXTERNAL_SECRETS_NAMESPACE} \
+      audience=vault \
       policies=admin \
       ttl=1h
diff --git a/external-secrets/vault-secret-store.gomplate.yaml b/external-secrets/vault-secret-store.gomplate.yaml
index b235d74..d3d5bb5 100644
--- a/external-secrets/vault-secret-store.gomplate.yaml
+++ b/external-secrets/vault-secret-store.gomplate.yaml
@@ -15,4 +15,8 @@ spec:
          serviceAccountRef:
            name: external-secrets
            namespace: {{ .Env.EXTERNAL_SECRETS_NAMESPACE }}
+           # Audience must match the audience configured in Vault Kubernetes auth role
+           # Required for Vault 1.21+ compatibility
+           audiences:
+             - vault
   refreshInterval: {{ .Env.EXTERNAL_SECRETS_REFRESH_INTERVAL }}
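Review bot: The `pod-security.kubernetes.io/enforce=restricted` label is applied only after `helm ... --wait` has already brought the pods up, so the admission check never runs against this install; the first violation would surface on a later rollout or a pod recreation, which is the worst moment to find out. Creating and labelling the namespace before the helm step makes `--wait` fail fast if `external-secrets-values.yaml` does not satisfy the profile, and adding the `warn` and `audit` modes makes violations visible without blocking; `--create-namespace` then becomes redundant but is harmless. The helm command and the start of the `install` recipe are outside this hunk.
```just
install:
    kubectl create namespace ${EXTERNAL_SECRETS_NAMESPACE} --dry-run=client -o yaml | kubectl apply -f -
    kubectl label namespace ${EXTERNAL_SECRETS_NAMESPACE} \
      pod-security.kubernetes.io/enforce=restricted \
      pod-security.kubernetes.io/warn=restricted \
      pod-security.kubernetes.io/audit=restricted --overwrite
    # … unchanged: helm command with --version / -n / --wait / -f external-secrets-values.yaml …
    just create-external-secrets-role
    just create-vault-secret-store
```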
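Review bot: Adding `audience=vault` narrows which service-account tokens the role accepts, but the role still carries `policies=admin`, so any workload that can obtain a token for the `external-secrets` service account in that namespace, or a compromise of the operator itself, yields full Vault admin for each `ttl=1h` token. The operator only needs to read the paths it syncs, so a dedicated policy scoped to those KV paths, e.g. `policies=external-secrets-read`, is the least-privilege binding; `admin` predates this commit, but this hunk is where the trust boundary is defined. The `create-external-secrets-role` recipe begins outside this hunk, so I cannot see how `root_token` is used.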
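Review bot: The audience literal `vault` is now duplicated between this SecretStore and the `audience=vault` argument of the Vault role in the justfile with nothing linking them, so editing either side alone makes authentication fail only at the next refresh rather than at install. The justfile already appears to export its settings as environment variables that this template reads via `.Env`, so one variable can feed both: `export VAULT_AUTH_AUDIENCE := env("VAULT_AUTH_AUDIENCE", "vault")` in the justfile, `audience=${VAULT_AUTH_AUDIENCE}` in the role, and `- {{ .Env.VAULT_AUTH_AUDIENCE }}` here. The `Required for Vault 1.21+ compatibility` comment would also be easier to trust with a pointer to the release note it is based on; the version threshold cannot be verified from this diff.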