From 1fa74715cd1b0963e3c10bc46bc1334c0d31e097 Mon Sep 17 00:00:00 2001 From: Tim Ramlot <42113979+inteon@users.noreply.github.com> Date: Fri, 18 Apr 2025 18:08:21 +0000 Subject: [PATCH] update values.yaml to adhere to kyverno pod-security-standards rules, also fixes bug in schema and docs Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com> --- .../charts/venafi-kubernetes-agent/README.md | 47 +++++----- .../values.schema.json | 89 ++++--------------- .../venafi-kubernetes-agent/values.yaml | 4 + ...ify-pod-security-standards-exceptions.yaml | 21 ----- 4 files changed, 43 insertions(+), 118 deletions(-) delete mode 100644 make/verify-pod-security-standards-exceptions.yaml diff --git a/deploy/charts/venafi-kubernetes-agent/README.md b/deploy/charts/venafi-kubernetes-agent/README.md index 1d7a7a5b..457bbb05 100644 --- a/deploy/charts/venafi-kubernetes-agent/README.md +++ b/deploy/charts/venafi-kubernetes-agent/README.md 
@@ -198,36 +198,35 @@ Configures the HTTPS_PROXY environment variable where a HTTP proxy is required. Configures the NO_PROXY environment variable where a HTTP proxy is required, but certain domains should be excluded. -#### **securityContext.capabilities.drop[0]** ~ `string` +#### **securityContext** ~ `object` > Default value: > ```yaml -> ALL +> allowPrivilegeEscalation: false +> capabilities: +> drop: +> - ALL +> readOnlyRootFilesystem: true +> runAsNonRoot: true +> seccompProfile: +> type: RuntimeDefault > ``` -#### **securityContext.readOnlyRootFilesystem** ~ `bool` -> Default value: -> ```yaml -> true -> ``` -#### **securityContext.runAsNonRoot** ~ `bool` -> Default value: -> ```yaml -> true -> ``` -#### **resources.requests.memory** ~ `string` -> Default value: -> ```yaml -> 200Mi -> ``` -#### **resources.requests.cpu** ~ `string` -> Default value: -> ```yaml -> 200m -> ``` -#### **resources.limits.memory** ~ `string` + +Add Container specific SecurityContext settings to the container. Takes precedence over `podSecurityContext` when set. See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container + +#### **resources** ~ `object` > Default value: > ```yaml -> 500Mi +> limits: +> memory: 500Mi +> requests: +> cpu: 200m +> memory: 200Mi > ``` + +Set resource requests and limits for the pod. + +Read [Venafi Kubernetes components deployment best practices](https://docs.venafi.cloud/vaas/k8s-components/c-k8s-components-best-practice/#scaling) to learn how to choose suitable CPU and memory resource requests and limits. + #### **nodeSelector** ~ `object` > Default value: > ```yaml diff --git a/deploy/charts/venafi-kubernetes-agent/values.schema.json b/deploy/charts/venafi-kubernetes-agent/values.schema.json index 36de4b36..1301063f 100644 --- a/deploy/charts/venafi-kubernetes-agent/values.schema.json +++ b/deploy/charts/venafi-kubernetes-agent/values.schema.json 
@@ -516,92 +516,35 @@ "type": "number" }, "helm-values.resources": { - "additionalProperties": false, - "properties": { + "default": { "limits": { - "$ref": "#/$defs/helm-values.resources.limits" + "memory": "500Mi" }, "requests": { - "$ref": "#/$defs/helm-values.resources.requests" - } - }, - "type": "object" - }, - "helm-values.resources.limits": { - "additionalProperties": false, - "properties": { - "memory": { - "$ref": "#/$defs/helm-values.resources.limits.memory" - } - }, - "type": "object" - }, - "helm-values.resources.limits.memory": { - "default": "500Mi", - "type": "string" - }, - "helm-values.resources.requests": { - "additionalProperties": false, - "properties": { - "cpu": { - "$ref": "#/$defs/helm-values.resources.requests.cpu" - }, - "memory": { - "$ref": "#/$defs/helm-values.resources.requests.memory" + "cpu": "200m", + "memory": "200Mi" } }, + "description": "Set resource requests and limits for the pod.\n\nRead [Venafi Kubernetes components deployment best practices](https://docs.venafi.cloud/vaas/k8s-components/c-k8s-components-best-practice/#scaling) to learn how to choose suitable CPU and memory resource requests and limits.", "type": "object" }, - "helm-values.resources.requests.cpu": { - "default": "200m", - "type": "string" - }, - "helm-values.resources.requests.memory": { - "default": "200Mi", - "type": "string" - }, "helm-values.securityContext": { - "additionalProperties": false, - "properties": { + "default": { + "allowPrivilegeEscalation": false, "capabilities": { - "$ref": "#/$defs/helm-values.securityContext.capabilities" - }, - "readOnlyRootFilesystem": { - "$ref": "#/$defs/helm-values.securityContext.readOnlyRootFilesystem" - }, - "runAsNonRoot": { - "$ref": "#/$defs/helm-values.securityContext.runAsNonRoot" + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true, + "runAsNonRoot": true, + "seccompProfile": { + "type": "RuntimeDefault" } }, + "description": "Add Container specific SecurityContext settings to the container. 
Takes precedence over `podSecurityContext` when set. See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container", "type": "object" }, - "helm-values.securityContext.capabilities": { - "additionalProperties": false, - "properties": { - "drop": { - "$ref": "#/$defs/helm-values.securityContext.capabilities.drop" - } - }, - "type": "object" - }, - "helm-values.securityContext.capabilities.drop": { - "items": { - "$ref": "#/$defs/helm-values.securityContext.capabilities.drop[0]" - }, - "type": "array" - }, - "helm-values.securityContext.capabilities.drop[0]": { - "default": "ALL", - "type": "string" - }, - "helm-values.securityContext.readOnlyRootFilesystem": { - "default": true, - "type": "boolean" - }, - "helm-values.securityContext.runAsNonRoot": { - "default": true, - "type": "boolean" - }, "helm-values.serviceAccount": { "additionalProperties": false, "properties": { diff --git a/deploy/charts/venafi-kubernetes-agent/values.yaml b/deploy/charts/venafi-kubernetes-agent/values.yaml index 88ceee4f..d84a48f6 100644 --- a/deploy/charts/venafi-kubernetes-agent/values.yaml +++ b/deploy/charts/venafi-kubernetes-agent/values.yaml @@ -111,18 +111,22 @@ podSecurityContext: {} # Add Container specific SecurityContext settings to the container. Takes # precedence over `podSecurityContext` when set. See # https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container +# +docs:property securityContext: capabilities: drop: - ALL readOnlyRootFilesystem: true runAsNonRoot: true + allowPrivilegeEscalation: false + seccompProfile: { type: RuntimeDefault } # Set resource requests and limits for the pod. # # Read [Venafi Kubernetes components deployment best # practices](https://docs.venafi.cloud/vaas/k8s-components/c-k8s-components-best-practice/#scaling) # to learn how to choose suitable CPU and memory resource requests and limits. +# +docs:property resources: requests: memory: 200Mi 
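Review bot: The new `helm-values.securityContext` and `helm-values.resources` definitions keep only `"type": "object"` and a `default`, so the `additionalProperties: false` and per-key type constraints the removed `$defs` provided are gone; a misspelled hardening key such as `readOnlyRootFileSystem` or a string `"false"` for `allowPrivilegeEscalation` will now pass `helm install`/`helm lint` schema validation and silently fail to apply to the container. Dropping the closed schema looks intentional, since the old one would have rejected the `allowPrivilegeEscalation` and `seccompProfile` keys this commit adds to values.yaml, but the loosening should be visible to chart users. At minimum, extend the description with `Keys are passed through unvalidated; verify the rendered Deployment after overriding this value.`, and if the generator behind the `helm-values.*` names supports it, constrain the object by referencing the Kubernetes `SecurityContext`/`ResourceRequirements` definitions rather than leaving it fully open. The `"description"` text appears split across two lines here at `container. Takes precedence`; if that newline is really in the file and not a rendering artefact, the string is invalid JSON and must be a single line or use `\n`.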
diff --git a/make/verify-pod-security-standards-exceptions.yaml b/make/verify-pod-security-standards-exceptions.yaml deleted file mode 100644 index 8a21011f..00000000 --- a/make/verify-pod-security-standards-exceptions.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: kyverno.io/v2 -kind: PolicyException -metadata: - name: pod-security-exceptions -spec: - exceptions: - - policyName: disallow-privilege-escalation - ruleNames: - - autogen-privilege-escalation - - policyName: restrict-seccomp-strict - ruleNames: - - autogen-check-seccomp-strict - match: - any: - - resources: - kinds: - - Deployment - namespaces: - - default - names: - - venafi-kubernetes-agent-release-name