Publish Helm chart version 0.19.0; App version: 1.191.2

instana · Dec 11, 2020 · 182177e · 182177e
1 parent 25a38a9
commit 182177e
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 11 deletions.
diff --git a/README.md b/README.md
@@ -135,6 +135,11 @@ In this case, please [open a ticket](https://support.instana.com) and tell us wh
 
 ## Changelog
 
+### v0.19.0
+
+- Improvement: Allow to specify `securityContext` for the webhook pod and the instrumentation init containers, using the `webhook.pod.securityContext` and `autotrace.instrumentation.webhook`, respectively.
+- Deprecation: The `securityContext.runAsUser` setting has been removed, and you can achieve the same effect via the `webhook.securityContext.runAsUser` setting.
+
 ### v0.18.0
 
 - Improvement: Support the `instana-autotrace` label also in metadata of DaemonSets, Deployments, ReplicaSets, and StatefulSets.

diff --git a/incubator/instana-autotrace-webhook/APP_VERSION b/incubator/instana-autotrace-webhook/APP_VERSION
@@ -1 +1 @@
-1.191.1
+1.191.2
diff --git a/incubator/instana-autotrace-webhook/CHART_VERSION b/incubator/instana-autotrace-webhook/CHART_VERSION
@@ -1 +1 @@
-0.18.0
+0.19.0
diff --git a/incubator/instana-autotrace-webhook/templates/deployment.yml b/incubator/instana-autotrace-webhook/templates/deployment.yml
@@ -7,7 +7,7 @@ metadata:
     {{- if .Values.webhook.deployment.additionalLabels }}
     {{ toYaml .Values.webhook.deployment.additionalLabels | indent 4 }}
     {{- end }}
-  {{ if .Values.webhook.deployment.additionalAnnotations }}
+  {{- if .Values.webhook.deployment.additionalAnnotations }}
   annotations:
     {{ toYaml .Values.webhook.deployment.additionalAnnotations | indent 4 }}
   {{- end }}
@@ -34,16 +34,22 @@ spec:
       {{- if .Values.rbac.enabled }}
       serviceAccountName: {{ .Release.Name }}
       {{- end }}
-      {{- if .Values.securityContext.enabled }}
       securityContext:
-        runAsUser: {{ required "When using 'securityContext.enabled=true', you must specify 'securityContext.runAsUser'" .Values.securityContext.runAsUser }}
+      {{- if .Values.webhook.pod.securityContext }}
+{{ toYaml .Values.webhook.pod.securityContext | indent 8 }}
       {{- end }}
       imagePullSecrets:
       - name: containers-instana-io
       containers:
       - name: instana-autotrace-webhook
         image: {{ required "You must provide a value for 'webhook.image'" .Values.webhook.image | quote }}
         imagePullPolicy: {{ .Values.webhook.imagePullPolicy }}
+        securityContext:
+          privileged: false
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - all
         env:
         - name: WEBHOOK_POD_NAMESPACE
           valueFrom:
@@ -57,9 +63,13 @@ spec:
           value: {{ .Values.webhook.pod.port | quote }}
         - name: IGNORED_NAMESPACES
           value: {{ join "," .Values.autotrace.exclude.namespaces }}
-        - name: INSTANA_INSTRUMENTATION_IMAGE
+        {{- if .Values.autotrace.instrumentation.securityContext }}
+        - name: INSTANA_INSTRUMENTATION_INIT_CONTAINER_SECURITY_CONTEXT
+          value: {{ toJson .Values.autotrace.instrumentation.securityContext | default "{}" | quote }}
+        {{- end }}
+        - name: INSTANA_INSTRUMENTATION_INIT_CONTAINER_IMAGE
           value: {{ .Values.autotrace.instrumentation.image | quote }}
-        - name: INSTANA_INSTRUMENTATION_IMAGE_PULL_POLICY
+        - name: INSTANA_INSTRUMENTATION_INIT_CONTAINER_IMAGE_PULL_POLICY
           value: {{ .Values.autotrace.instrumentation.imagePullPolicy | quote }}
         - name: INSTANA_AUTOTRACE_OPT_IN
           value: {{ .Values.autotrace.opt_in | quote }}

diff --git a/incubator/instana-autotrace-webhook/values.yaml b/incubator/instana-autotrace-webhook/values.yaml
@@ -2,12 +2,14 @@
 
 rbac:
   enabled: false
+  psp: # Ignored unless rbac.enabled == true
+    enabled: true
 webhook:
   debug: false
   ssl:
     insecure: false
     caBundle:
-  image: containers.instana.io/instana/release/agent/instana-autotrace-webhook@sha256:a175ac0e25c6427779a74235496363e2617b9ad4c22b12f2b3b38aaa1f5e6d3e
+  image: containers.instana.io/instana/release/agent/instana-autotrace-webhook@sha256:3602ebef2942dc93dc0659eba85c07be3240ecd108d364644e030d13c0ca7ffa
   imagePullPolicy: Always
   imagePullCredentials:
     registry: containers.instana.io
@@ -30,6 +32,8 @@ webhook:
     # Ensure that, in case of overlay networks, we bind to the host network, or the control plane
     # won't be able to call into this webhook
     hostNetwork: true
+    # This security context is carried verbatim to the security context of the webhook pod
+    securityContext:
 autotrace:
   # By default the instana-autotrace-webhook will instrument all pods that are not
   # labelled with `instana-autotrace=false`. If this switch is flipped on,
@@ -40,6 +44,13 @@ autotrace:
   instrumentation:
     image: instana/instrumentation@sha256:f815b7f721a817b116a8e0cac94d9795a992fe9fc6b5c824e9e06defb3abfe03
     imagePullPolicy: Always
+    # This security context is carried verbatim to the security context of all instrumentation init containers
+    securityContext:
+      privileged: false
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+          - all
   kong:
     enabled: true
   ingress_nginx:
@@ -57,6 +68,3 @@ autotrace:
       - instana-* # Avoid conflicts with the Instana Agent and other Instana-related deployments
       - openshift-* # Guess what, Openshift!
       - pks-system # TKGI, formerly known as PKS
-securityContext:
-  enabled: false
-  runAsUser: 1001 # If OpenShift, must be in the [1000580000, 1000589999] range