chore(vault): disable CSI and set pod security standards
This commit is contained in:
Masaki Yatsu
@@ -1,7 +1,7 @@
|
|||||||
set fallback := true
|
set fallback := true
|
||||||
|
|
||||||
export K8S_VAULT_NAMESPACE := env("K8S_VAULT_NAMESPACE", "vault")
|
export K8S_VAULT_NAMESPACE := env("K8S_VAULT_NAMESPACE", "vault")
|
||||||
export VAULT_CHART_VERSION := env("VAULT_CHART_VERSION", "0.29.1")
|
export VAULT_CHART_VERSION := env("VAULT_CHART_VERSION", "0.31.0")
|
||||||
export VAULT_HOST := env("VAULT_HOST", "")
|
export VAULT_HOST := env("VAULT_HOST", "")
|
||||||
export VAULT_ADDR := "https://" + VAULT_HOST
|
export VAULT_ADDR := "https://" + VAULT_HOST
|
||||||
export VAULT_DEBUG := env("VAULT_DEBUG", "false")
|
export VAULT_DEBUG := env("VAULT_DEBUG", "false")
|
||||||
@@ -77,6 +77,10 @@ install: check-env
|
|||||||
set -eu
|
set -eu
|
||||||
just create-namespace
|
just create-namespace
|
||||||
just add-helm-repo
|
just add-helm-repo
|
||||||
|
|
||||||
|
kubectl label namespace ${K8S_VAULT_NAMESPACE} \
|
||||||
|
pod-security.kubernetes.io/enforce=restricted --overwrite
|
||||||
|
|
||||||
gomplate -f vault-values.gomplate.yaml -o vault-values.yaml
|
gomplate -f vault-values.gomplate.yaml -o vault-values.yaml
|
||||||
helm upgrade --cleanup-on-fail --install vault hashicorp/vault \
|
helm upgrade --cleanup-on-fail --install vault hashicorp/vault \
|
||||||
--version ${VAULT_CHART_VERSION} -n ${K8S_VAULT_NAMESPACE} --wait -f vault-values.yaml
|
--version ${VAULT_CHART_VERSION} -n ${K8S_VAULT_NAMESPACE} --wait -f vault-values.yaml
|
||||||
|
|||||||
@@ -1,4 +1,17 @@
|
|||||||
injector:
|
injector:
|
||||||
|
securityContext:
|
||||||
|
pod:
|
||||||
|
runAsNonRoot: true
|
||||||
|
runAsUser: 100
|
||||||
|
runAsGroup: 1000
|
||||||
|
fsGroup: 1000
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
|
container:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
resources:
|
resources:
|
||||||
requests:
|
requests:
|
||||||
cpu: 50m
|
cpu: 50m
|
||||||
@@ -8,24 +21,23 @@ injector:
|
|||||||
memory: 128Mi
|
memory: 128Mi
|
||||||
|
|
||||||
csi:
|
csi:
|
||||||
enabled: true
|
enabled: false
|
||||||
agent:
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
cpu: 50m
|
|
||||||
memory: 128Mi
|
|
||||||
limits:
|
|
||||||
cpu: 50m
|
|
||||||
memory: 128Mi
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
cpu: 50m
|
|
||||||
memory: 64Mi
|
|
||||||
limits:
|
|
||||||
cpu: 50m
|
|
||||||
memory: 128Mi
|
|
||||||
|
|
||||||
server:
|
server:
|
||||||
|
statefulSet:
|
||||||
|
securityContext:
|
||||||
|
pod:
|
||||||
|
runAsNonRoot: true
|
||||||
|
runAsUser: 100
|
||||||
|
runAsGroup: 1000
|
||||||
|
fsGroup: 1000
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
|
container:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
resources:
|
resources:
|
||||||
requests:
|
requests:
|
||||||
cpu: 50m
|
cpu: 50m
|
||||||
|
|||||||
Reference in New Issue
Block a user