Update flux pod spec for best practices.

bb3e1272 · runyontr · Micah Nagel · 3c585d01 · bb3e1272 · bb3e1272
Commit bb3e1272 authored 3 years ago by runyontr Committed by Micah Nagel 3 years ago
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -76,6 +76,7 @@ pre vars:
    - .gitlab-ci/jobs/**/*
    - scripts/**/*
    - tests/**/*
+    - base/flux/*

 .deploy_bigbang: &deploy_bigbang
  - |

--- a/base/flux/kustomization.yaml
+++ b/base/flux/kustomization.yaml
@@ -27,6 +27,25 @@ patches:
        name: whatever
      spec:
        template:
+          metadata:
+            annotations:
+              # Required by Kubernetes node autoscaler
+              cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
          spec:
            imagePullSecrets:
            - name: private-registry
+            terminationGracePeriodSeconds: 60
+            # Required by Pod Security Policy
+            securityContext:
+              runAsUser: 10000
+              fsGroup: 1337
+            containers:
+              - name: manager
+                # Required by Pod Security Policy
+                securityContext:
+                  readOnlyRootFilesystem: true
+                  allowPrivilegeEscalation: false
+                  runAsNonRoot: true
+                  capabilities:
+                    drop:
+                      - ALL