Add config to set Pod securityContext (#103)
kezhenxu94 authored Dec 2, 2022
1 parent ab1865f commit 7dc6079
Showing 6 changed files with 33 additions and 1 deletion.
3 changes: 3 additions & 0 deletions chart/skywalking/README.md
Expand Up @@ -60,6 +60,7 @@ The following table lists the configurable parameters of the Skywalking chart an
| `oap.resources` | OAP node resources requests & limits | `{} - cpu limit must be an integer` |
| `oap.envoy.als.enabled` | Open envoy als | `false` |
| `oap.env` | OAP environment variables | `[]` |
| `oap.securityContext` | Allows you to set the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) for the pod | `fsGroup: 1000`<br>`runAsUser: 1000` |
| `ui.name` | Web UI deployment name | `ui` |
| `ui.replicas` | Web UI k8s deployment replicas | `1` |
| `ui.image.repository` | Web UI container image name | `skywalking.docker.scarf.sh/apache/skywalking-ui` |
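Review bot: the Default column of the added `oap.securityContext` row documents `fsGroup: 1000` and `runAsUser: 1000`, but values.yaml in this same commit sets `securityContext: {}` and carries those keys only as comments, so a reader of the README will assume the pods already run as UID 1000 when nothing is applied by default. Document the default as `{}` and move the UID/GID values into an example, and do the same for the `ui.securityContext` and `satellite.securityContext` rows; the commented example in values.yaml also lists `runAsGroup: 1000`, which the README rows omit.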
Expand All @@ -80,6 +81,7 @@ The following table lists the configurable parameters of the Skywalking chart an
| `ui.service.loadBalancerIP` | Load Balancer IP address | `nil` |
| `ui.service.annotations` | Kubernetes service annotations | `{}` |
| `ui.service.loadBalancerSourceRanges` | Limit load balancer source IPs to list of CIDRs (where available)) | `[]` |
| `ui.securityContext` | Allows you to set the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) for the pod | `fsGroup: 1000`<br>`runAsUser: 1000` |
| `oapInit.nodeAffinity` | OAP init job node affinity policy | `{}` |
| `oapInit.nodeSelector` | OAP init job labels for master pod assignment | `{}` |
| `oapInit.tolerations` | OAP init job tolerations | `[]` |
Expand Down Expand Up @@ -161,6 +163,7 @@ The following table lists the configurable parameters of the Skywalking chart an
| `satellite.resources` | Satellite node resources requests & limits | `{} - cpu limit must be an integer` |
| `satellite.podAnnotations` | Configurable [annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) applied to all Satellite pods | `{}` |
| `satellite.env` | Satellite environment variables | `[]` |
| `satellite.securityContext` | Allows you to set the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) for the pod | `fsGroup: 1000`<br>`runAsUser: 1000` |

Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,

4 changes: 4 additions & 0 deletions chart/skywalking/templates/oap-deployment.yaml
Expand Up @@ -42,6 +42,10 @@ spec:
{{- end }}
spec:
serviceAccountName: {{ template "skywalking.serviceAccountName.oap" . }}
{{- with .Values.oap.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
affinity:
{{- if eq .Values.oap.antiAffinity "hard" }}
podAntiAffinity:
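Review bot: the `securityContext:` key added here sits under the pod `spec:`, so `oap.securityContext` only accepts pod-level fields; container-level settings such as `allowPrivilegeEscalation`, `readOnlyRootFilesystem` and `capabilities` cannot be set through it and the chart gains no value for them. Consider naming this value `podSecurityContext` and adding a separate container-level value, or at least state in the README row that container-level fields are not supported.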
4 changes: 4 additions & 0 deletions chart/skywalking/templates/oap-init.job.yaml
Expand Up @@ -38,6 +38,10 @@ spec:
release: {{ .Release.Name }}
spec:
serviceAccountName: {{ template "skywalking.serviceAccountName.oap" . }}
{{- with .Values.oap.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.oapInit.nodeAffinity }}
affinity:
{{- end }}
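Review bot: the added `with` reads `.Values.oap.securityContext`, while the rest of this Job template is driven by `.Values.oapInit.*` (see `.Values.oapInit.nodeAffinity` directly below), and the README row for `oap.securityContext` does not say it also applies to the init job. Either document that the OAP value is shared with the init job, or add an `oapInit.securityContext` value that falls back to the OAP one, so the job can be configured independently.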
5 changes: 5 additions & 0 deletions chart/skywalking/templates/satellite-deployment.yaml
Expand Up @@ -43,6 +43,11 @@ spec:
{{- end }}
spec:
serviceAccountName: {{ template "skywalking.serviceAccountName.satellite" . }}
{{- with .Values.satellite.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}

affinity:
{{- if eq .Values.satellite.antiAffinity "hard" }}
podAntiAffinity:
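Review bot: style point on the empty line added after `{{- end }}`: the same block in oap-deployment.yaml and oap-init.job.yaml continues straight to the next key, and because `{{- end }}` trims whitespace only on its left, this empty line is carried into the rendered manifest. Drop it here, and the matching one in ui-deployment.yaml, so the four templates stay consistent.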
5 changes: 5 additions & 0 deletions chart/skywalking/templates/ui-deployment.yaml
Expand Up @@ -41,6 +41,11 @@ spec:
{{ toYaml .Values.ui.podAnnotations | indent 8 }}
{{- end }}
spec:
{{- with .Values.ui.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}

affinity:
{{- with .Values.ui.nodeAffinity }}
nodeAffinity:
13 changes: 12 additions & 1 deletion chart/skywalking/values.yaml
Expand Up @@ -59,6 +59,10 @@ oap:
# memory: 4Gi
# podAnnotations:
# example: oap-foo
securityContext: {}
# runAsUser: 1000
# runAsGroup: 1000
# fsGroup: 1000
envoy:
als:
enabled: false
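Review bot: the commented example under the added `securityContext: {}` lists only `runAsUser`, `runAsGroup` and `fsGroup`, and since an empty map makes the `with` guard in the templates render no securityContext at all, that comment is the only guidance users get. Consider adding `runAsNonRoot: true` to the commented example, so that a user who uncomments it gets a setting the kubelet enforces rather than only a UID override; the same applies to the `ui` and `satellite` blocks further down.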
Expand Down Expand Up @@ -132,6 +136,10 @@ ui:
annotations: {}
## Limit load balancer source ips to list of CIDRs (where available)
# loadBalancerSourceRanges: []
securityContext: {}
# runAsUser: 1000
# runAsGroup: 1000
# fsGroup: 1000

oapInit:
nodeAffinity: {}
Expand Down Expand Up @@ -433,7 +441,10 @@ satellite:
config: {}
# satellite_config.yaml: |
# key: val

securityContext: {}
# runAsUser: 1000
# runAsGroup: 1000
# fsGroup: 1000

nameOverride: ""
fullnameOverride: ""
