This repository has been archived by the owner on Feb 20, 2024. It is now read-only.

[cp-schema-registry] add support for security context (#525)
OuesFa authored Apr 23, 2021
1 parent 8cf487e commit 3ffbdf9
Showing 3 changed files with 22 additions and 0 deletions.
10 changes: 10 additions & 0 deletions charts/cp-schema-registry/README.md
Expand Up @@ -139,6 +139,16 @@ The configuration parameters in this section control the resources requested and
| --------- | ----------- | ------- |
| `podAnnotations` | Map of custom annotations to attach to the pod spec. | `{}` |

### Security Context

| Parameter | Description | Default |
| --------- | ----------- | ------- |
| `securityContext.runAsUser` | All processes for the container will run with this user ID | 10001
| `securityContext.runAsGroup` | All processes for the container will run with this primary group ID | 10001
| `securityContext.fsGroup` | All processes for the container will run with this supplementary group ID | 10001
| `securityContext.runAsNonRoot` | The kubelet will validate the image at runtime to make sure that it does not run as UID 0 (root) and won’t start the container if it does | true


### JMX Configuration

| Parameter | Description | Default |
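
Review bot: the four new `securityContext.*` rows in the README table are missing the closing `|`, and their defaults (10001, true) are not in backticks, unlike the `podAnnotations` row just above, which ends with a backticked `{}` and a closing pipe. Close each row and quote the defaults so the table renders consistently. The descriptions also say "for the container", while the template applies this block under the pod `spec:`, so wording such as "all containers in the pod" would be more accurate. The second blank line before `### JMX Configuration` can go as well.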
4 changes: 4 additions & 0 deletions charts/cp-schema-registry/templates/deployment.yaml
Expand Up @@ -33,6 +33,10 @@ spec:
{{- end }}
{{- end }}
spec:
securityContext:
{{- if .Values.securityContext }}
{{ toYaml .Values.securityContext | indent 8 }}
{{- end}}
containers:
{{- if .Values.prometheus.jmx.enabled }}
- name: prometheus-jmx-exporter
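
Review bot: `securityContext:` is emitted before the `{{- if .Values.securityContext }}` guard, so when a user sets the value to empty or null the rendered manifest still contains a bare `securityContext:` key with no value. Move the key inside the `if` (or switch to `with`) so the whole block disappears when nothing is configured. The closing `{{- end}}` also lacks the space used by the `{{- end }}` lines above it. Because the block sits on the pod spec ahead of `containers:`, container-level settings such as `allowPrivilegeEscalation` or `readOnlyRootFilesystem` cannot be set through it; if that is intended, say so in the README.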
8 changes: 8 additions & 0 deletions charts/cp-schema-registry/values.yaml
Expand Up @@ -69,6 +69,14 @@ tolerations: []
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
affinity: {}

## Privilege and access control settings for a Pod or Container
## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
securityContext:
runAsUser: 10001
runAsGroup: 10001
fsGroup: 10001
runAsNonRoot: true

## Monitoring
## Schema Registry JMX Settings
## ref: https://docs.confluent.io/current/schema-registry/docs/monitoring.html
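
Review bot: the new `securityContext` defaults hard-code 10001 for `runAsUser`, `runAsGroup` and `fsGroup` with no comment on where that ID comes from, and because the default is non-empty every existing release picks it up on upgrade. Add a comment stating that the value must match a non-root user the image can run as, and mention how to override or clear it. The heading comment says "Pod or Container", but the template renders this block only at pod level, and the URL line lacks the `Ref:` prefix used by the comments around it.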