Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Implements general chart improvements (#13)
* Avoid unnecessary restarts at new helm version: The ConfigMap where the config is stored contains labels. The labels contain the version of the helm chart. If there is a new helm chart version, the pod gets restarted, too. It doesn't matter if it's necessary or not. To solve this, I moved the config to a named template which can be sourced from the config map and the hash annotation. I contribute this pattern to many helm charts: ([promtail] Avoid unnecessary pod restart on each helm chart version grafana/helm-charts#2833, [bitnami/kubernetes-event-exporter] Avoid unnecessary pod restart on each helm chart version bitnami/charts#21489, [prometheus-blackbox-exporter] Avoid unnecessary pod restart on each helm chart version prometheus-community/helm-charts#4077, helm: Avoid unnecessary pod restart on each helm chart version kubernetes-sigs/external-dns#4103)
* Added securityContexts to container and pod. They contain the current best-practice. The settings are required to run kubelint together with PSA restricted.
* Added automountServiceAccountToken to the Deployment and ServiceAccount. A lot of security tools highlight automountServiceAccountToken=true on a ServiceAccount as insecure. The best-practice is to set automountServiceAccountToken=false on a ServiceAccount and do automountServiceAccountToken=true on the Deployment. Ref: https://securecloud.blog/2021/08/17/azure-aks-reviewing-recommendations-from-security-center-disabling-automounting-api-credentials
* Added nodeSelector, affinity, tolerations, priorityClassName
* Pass .Values.config, .Values.ingress.hosts.hosts through helm tpl function: If kubelint is part of a bigger umbrella helm chart, values from .Values.global can be re-used. It's also useful for the namespace option
* Adds configurable readinessProbe to deployment
* Bumps chart version number
Showing 8 changed files with 100 additions and 12 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,7 +1,14 @@ | ||
{{- if .Values.serviceAccount.create -}} | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} | ||
metadata: | ||
{{- if .Values.serviceAccount.annotations }} | ||
annotations: | ||
{{- toYaml .Values.serviceAccount.annotations | nindent 4 }} | ||
{{- end }} | ||
{{- include "kubetail.metadataNamespace" $ | nindent 2 }} | ||
name: {{ include "kubetail.serviceAccountName" . }} | ||
labels: | ||
{{- include "kubetail.labels" $ | nindent 4 }} | ||
{{- end }} |
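Review bot: the `automountServiceAccountToken:` line in this ServiceAccount template renders `.Values.serviceAccount.automountServiceAccountToken` with no fallback. If that key is unset or null, the field renders empty and Kubernetes falls back to its default of mounting the token, which is the opposite of what the commit message intends. The chart's values.yaml is not visible in this hunk; unless it already pins the key to `false`, add a fallback such as `{{ .Values.serviceAccount.automountServiceAccountToken | default false }}` so the hardened setting does not depend on every values file carrying the key. As a style point, the field sits between `kind:` and `metadata:`; placing it after the `metadata:` block matches the usual manifest ordering and makes it easier to spot in review.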