diff --git a/README.md b/README.md
index 3ac21f5..9ecefe2 100755
--- a/README.md
+++ b/README.md
@@ -135,6 +135,11 @@ In this case, please [open a ticket](https://support.instana.com) and tell us wh
## Changelog
+### v0.19.0
+
+- Improvement: Allow to specify `securityContext` for the webhook pod and the instrumentation init containers, using the `webhook.pod.securityContext` and `autotrace.instrumentation.webhook`, respectively.
+- Deprecation: The `securityContext.runAsUser` setting has been removed, and you can achieve the same effect via the `webhook.securityContext.runAsUser` setting.
+
### v0.18.0
- Improvement: Support the `instana-autotrace` label also in metadata of DaemonSets, Deployments, ReplicaSets, and StatefulSets.
diff --git a/incubator/instana-autotrace-webhook/APP_VERSION b/incubator/instana-autotrace-webhook/APP_VERSION
index cc73d99..fd5a82a 100644
--- a/incubator/instana-autotrace-webhook/APP_VERSION
+++ b/incubator/instana-autotrace-webhook/APP_VERSION
@@ -1 +1 @@
-1.191.1
+1.191.2
diff --git a/incubator/instana-autotrace-webhook/CHART_VERSION b/incubator/instana-autotrace-webhook/CHART_VERSION
index 6633391..1cf0537 100644
--- a/incubator/instana-autotrace-webhook/CHART_VERSION
+++ b/incubator/instana-autotrace-webhook/CHART_VERSION
@@ -1 +1 @@
-0.18.0
+0.19.0
diff --git a/incubator/instana-autotrace-webhook/templates/deployment.yml b/incubator/instana-autotrace-webhook/templates/deployment.yml
index c93d417..dc0a44e 100644
--- a/incubator/instana-autotrace-webhook/templates/deployment.yml
+++ b/incubator/instana-autotrace-webhook/templates/deployment.yml
@@ -7,7 +7,7 @@ metadata:
{{- if .Values.webhook.deployment.additionalLabels }}
{{ toYaml .Values.webhook.deployment.additionalLabels | indent 4 }}
{{- end }}
- {{ if .Values.webhook.deployment.additionalAnnotations }}
+ {{- if .Values.webhook.deployment.additionalAnnotations }}
annotations:
{{ toYaml .Values.webhook.deployment.additionalAnnotations | indent 4 }}
{{- end }}
@@ -34,9 +34,9 @@ spec:
{{- if .Values.rbac.enabled }}
serviceAccountName: {{ .Release.Name }}
{{- end }}
- {{- if .Values.securityContext.enabled }}
securityContext:
- runAsUser: {{ required "When using 'securityContext.enabled=true', you must specify 'securityContext.runAsUser'" .Values.securityContext.runAsUser }}
+ {{- if .Values.webhook.pod.securityContext }}
+{{ toYaml .Values.webhook.pod.securityContext | indent 8 }}
{{- end }}
imagePullSecrets:
- name: containers-instana-io
@@ -44,6 +44,12 @@ spec:
- name: instana-autotrace-webhook
image: {{ required "You must provide a value for 'webhook.image'" .Values.webhook.image | quote }}
imagePullPolicy: {{ .Values.webhook.imagePullPolicy }}
+ securityContext:
+ privileged: false
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
env:
- name: WEBHOOK_POD_NAMESPACE
valueFrom:
@@ -57,9 +63,13 @@ spec:
value: {{ .Values.webhook.pod.port | quote }}
- name: IGNORED_NAMESPACES
value: {{ join "," .Values.autotrace.exclude.namespaces }}
- - name: INSTANA_INSTRUMENTATION_IMAGE
+ {{- if .Values.autotrace.instrumentation.securityContext }}
+ - name: INSTANA_INSTRUMENTATION_INIT_CONTAINER_SECURITY_CONTEXT
+ value: {{ toJson .Values.autotrace.instrumentation.securityContext | default "{}" | quote }}
+ {{- end }}
+ - name: INSTANA_INSTRUMENTATION_INIT_CONTAINER_IMAGE
value: {{ .Values.autotrace.instrumentation.image | quote }}
- - name: INSTANA_INSTRUMENTATION_IMAGE_PULL_POLICY
+ - name: INSTANA_INSTRUMENTATION_INIT_CONTAINER_IMAGE_PULL_POLICY
value: {{ .Values.autotrace.instrumentation.imagePullPolicy | quote }}
- name: INSTANA_AUTOTRACE_OPT_IN
value: {{ .Values.autotrace.opt_in | quote }}
diff --git a/incubator/instana-autotrace-webhook/values.yaml b/incubator/instana-autotrace-webhook/values.yaml
index 53279fb..7b7d5fc 100644
--- a/incubator/instana-autotrace-webhook/values.yaml
+++ b/incubator/instana-autotrace-webhook/values.yaml
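Review bot: The keys this hunk reads, `.Values.webhook.pod.securityContext` (and `.Values.autotrace.instrumentation.securityContext` in the `@@ -57` hunk), do not match the names the README changelog in this same commit gives to users (`webhook.securityContext.runAsUser` and `autotrace.instrumentation.webhook`), so anyone following the changelog will set values that render to nothing, with no error. The removed `required` line was the only thing that failed a misconfiguration at template time; a stale `securityContext.enabled` / `securityContext.runAsUser` left in an existing values file is now silently ignored as well. A render-time guard next to the new `if` would catch both, e.g. `{{- if .Values.securityContext }}{{ fail "'securityContext' has been replaced by 'webhook.pod.securityContext'" }}{{- end }}`. The pod `spec:` this sits in starts and ends outside the hunk.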
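Review bot: The added container securityContext drops capability `all` in lowercase, while the Kubernetes capability name is `ALL`; policy checks that compare `capabilities.drop` against the documented `ALL` literal (the restricted Pod Security Standard, a PSP `requiredDropCapabilities`) may not recognise the lowercase form, so the hardening might not satisfy the very policies it is meant for. The same lowercase value is in the instrumentation default in values.yaml (`@@ -40` hunk); change both to `drop:` followed by `- ALL`. Since the webhook container is now hardened explicitly, `runAsNonRoot: true` and `readOnlyRootFilesystem: true` would complete the set if the image supports them — the removed `runAsUser: 1001` default suggests a non-root user was already expected, but that needs confirming against the image. The container list this sits in continues outside the hunk.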
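Review bot: The `default "{}"` on the new INSTANA_INSTRUMENTATION_INIT_CONTAINER_SECURITY_CONTEXT value is unreachable: the surrounding `{{- if .Values.autotrace.instrumentation.securityContext }}` already omits the variable whenever the value is empty, and `toJson` of a non-empty map is never empty. If the intent is that the webhook always receives an explicit, possibly empty, context for the init containers, drop the `if` and keep the `default`; otherwise drop the `default`. When the guard is false, the init containers get whatever security context the webhook binary applies on its own, which this chart cannot see — worth a sentence on the values key. The rename to INSTANA_INSTRUMENTATION_INIT_CONTAINER_IMAGE / _IMAGE_PULL_POLICY presumably goes with the APP_VERSION bump to 1.191.2 in this commit; the env list continues outside the hunk.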
@@ -2,12 +2,14 @@ rbac:
enabled: false
+ psp: # Ignored unless rbac.enabled == true
+ enabled: true
webhook:
debug: false
ssl:
insecure: false
caBundle:
- image: containers.instana.io/instana/release/agent/instana-autotrace-webhook@sha256:a175ac0e25c6427779a74235496363e2617b9ad4c22b12f2b3b38aaa1f5e6d3e
+ image: containers.instana.io/instana/release/agent/instana-autotrace-webhook@sha256:3602ebef2942dc93dc0659eba85c07be3240ecd108d364644e030d13c0ca7ffa
imagePullPolicy: Always
imagePullCredentials:
registry: containers.instana.io
@@ -30,6 +32,8 @@ webhook:
# Ensure that, in case of overlay networks, we bind to the host network, or the control plane
# won't be able to call into this webhook
hostNetwork: true
+ # This security context is carried verbatim to the security context of the webhook pod
+ securityContext:
autotrace:
# By default the instana-autotrace-webhook will instrument all pods that are not
# labelled with `instana-autotrace=false`. If this switch is flipped on,
@@ -40,6 +44,13 @@ autotrace:
instrumentation:
image: instana/instrumentation@sha256:f815b7f721a817b116a8e0cac94d9795a992fe9fc6b5c824e9e06defb3abfe03
imagePullPolicy: Always
+ # This security context is carried verbatim to the security context of all instrumentation init containers
+ securityContext:
+ privileged: false
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
kong:
enabled: true
ingress_nginx:
@@ -57,6 +68,3 @@ autotrace:
- instana-* # Avoid conflicts with the Instana Agent and other Instana-related deployments
- openshift-* # Guess what, Openshift!
- pks-system # TKGI, formerly known as PKS
-securityContext:
- enabled: false
- runAsUser: 1001 # If OpenShift, must be in the [1000580000, 1000589999] range
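Review bot: The new `securityContext:` default in the `@@ -30` hunk is a bare key, which YAML reads as null; `securityContext: {}` states "no overrides" explicitly and is equally falsy for the template's `if`, so it is the clearer default. The comment should also tell users what they now have to supply themselves, since the removed block's `runAsUser: 1001` default and its OpenShift note are gone (`@@ -57` hunk): e.g. `# e.g. runAsUser: 1001 — if OpenShift, must be in the [1000580000, 1000589999] range`. Whether this key lands under `webhook.pod`, which is what the deployment template reads, cannot be told from the collapsed indentation of this hunk; please double-check, because a key one level too high renders nothing without any error.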