Fix broken "read only" fields added in v0.11.0.

These fields were changed as a minor hardening attempt when we switched to Distroless, but I bungled the field names and we never noticed because Kapp doesn't apply API validations. This change fixes the field names so they act as was originally intended. We should also follow up with a change that validates all of our installation manifest in CI. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-09-02 16:08:00 -05:00 · 2021-09-02 16:08:00 -05:00 · f0a1555aca
commit f0a1555aca
parent b3b3c2303f
2 changed files with 9 additions and 6 deletions
--- a/deploy/concierge/deployment.yaml
+++ b/deploy/concierge/deployment.yaml
@ -116,7 +116,6 @@ spec:
        scheduler.alpha.kubernetes.io/critical-pod: ""
    spec:
      securityContext:
-        readOnlyRootFilesystem: true
        runAsUser: #@ data.values.run_as_user
        runAsGroup: #@ data.values.run_as_group
      serviceAccountName: #@ defaultResourceName()
@ -132,6 +131,8 @@ spec:
          image: #@ data.values.image_repo + ":" + data.values.image_tag
          #@ end
          imagePullPolicy: IfNotPresent
+          securityContext:
+            readOnlyRootFilesystem: true
          resources:
            requests:
              cpu: "100m"
@ -148,10 +149,13 @@ spec:
              mountPath: /tmp
            - name: config-volume
              mountPath: /etc/config
+              readOnly: true
            - name: podinfo
              mountPath: /etc/podinfo
+              readOnly: true
            - name: impersonation-proxy
              mountPath: /var/run/secrets/impersonation-proxy.concierge.pinniped.dev/serviceaccount
+              readOnly: true
          env:
            #@ if data.values.https_proxy:
            - name: HTTPS_PROXY
@ -185,7 +189,6 @@ spec:
            medium: Memory
            sizeLimit: 100Mi
        - name: config-volume
-          readOnly: true
          configMap:
            name: #@ defaultResourceNameWithSuffix("config")
        - name: impersonation-proxy
@ -195,7 +198,6 @@ spec:
              - key: token
                path: token
        - name: podinfo
-          readOnly: true
          downwardAPI:
            items:
              - path: "labels"
--- a/deploy/supervisor/deployment.yaml
+++ b/deploy/supervisor/deployment.yaml
@ -65,7 +65,6 @@ spec:
      labels: #@ defaultLabel()
    spec:
      securityContext:
-        readOnlyRootFilesystem: true
        runAsUser: #@ data.values.run_as_user
        runAsGroup: #@ data.values.run_as_group
      serviceAccountName: #@ defaultResourceName()
@ -85,6 +84,8 @@ spec:
            - pinniped-supervisor
            - /etc/podinfo
            - /etc/config/pinniped.yaml
+          securityContext:
+            readOnlyRootFilesystem: true
          resources:
            requests:
              cpu: "100m"
@ -95,8 +96,10 @@ spec:
          volumeMounts:
            - name: config-volume
              mountPath: /etc/config
+              readOnly: true
            - name: podinfo
              mountPath: /etc/podinfo
+              readOnly: true
          ports:
            - containerPort: 8080
              protocol: TCP
@ -131,11 +134,9 @@ spec:
            failureThreshold: 3
      volumes:
        - name: config-volume
-          readOnly: true
          configMap:
            name: #@ defaultResourceNameWithSuffix("static-config")
        - name: podinfo
-          readOnly: true
          downwardAPI:
            items:
              - path: "labels"