diff --git a/examples/chart/teleport-kube-agent/templates/delete_hook.yaml b/examples/chart/teleport-kube-agent/templates/delete_hook.yaml
index 024b15a2b4871..a680d6e3de2f5 100644
--- a/examples/chart/teleport-kube-agent/templates/delete_hook.yaml
+++ b/examples/chart/teleport-kube-agent/templates/delete_hook.yaml
@@ -66,6 +66,10 @@ spec:
 {{- if .Values.tolerations }}
 tolerations:
 {{- toYaml .Values.tolerations | nindent 6 }}
+{{- end }}
+{{- if .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml .Values.nodeSelector | nindent 8 }}
 {{- end }}
 containers:
 - name: post-delete-job
@@ -82,3 +86,6 @@ spec:
 {{- end }}
 command: ["teleport"]
 args: ["kube-state", "delete"]
+ {{- if .Values.securityContext }}
+ securityContext: {{- toYaml .Values.securityContext | nindent 10 }}
+ {{- end }}
diff --git a/examples/chart/teleport-kube-agent/templates/hook.yaml b/examples/chart/teleport-kube-agent/templates/hook.yaml
index 67ff9fe991618..e6d7de50a80f6 100644
--- a/examples/chart/teleport-kube-agent/templates/hook.yaml
+++ b/examples/chart/teleport-kube-agent/templates/hook.yaml
@@ -67,12 +67,16 @@ spec:
 {{- if .Values.priorityClassName }}
 priorityClassName: {{ .Values.priorityClassName }}
 {{- end }}
- {{- if .Values.tolerations }}
+{{- if .Values.tolerations }}
 tolerations:
 {{- toYaml .Values.tolerations | nindent 6 }}
- {{- end }}
+{{- end }}
 serviceAccountName: {{ .Release.Name }}-hook
 restartPolicy: OnFailure
+{{- if .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml .Values.nodeSelector | nindent 8 }}
+{{- end }}
 containers:
 - name: post-install-job
 image: alpine/k8s:1.26.0
@@ -87,4 +91,7 @@ spec:
 # delete deployment
 kubectl delete deployment/{{ .Release.Name }}
 EOF
+ {{- if .Values.securityContext }}
+ securityContext: {{- toYaml .Values.securityContext | nindent 10 }}
+ {{- end }}
 {{- end}}
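Review bot: In the first delete_hook.yaml hunk the new column-0 `{{- end }}` closes the tolerations block whose `{{- if .Values.tolerations }}` context line keeps its original position, and the column-0 `{{- if .Values.nodeSelector }}` is closed by the pre-existing `{{- end }}` context line below it; rendering is unaffected because `{{-` trims the preceding whitespace, but anyone pairing if/end by column will read the wrong block as being closed. The first hook.yaml hunk in this same commit moves its tolerations `{{- if`/`{{- end }}` pair to column 0, so delete_hook.yaml should get the same treatment: put `{{- if .Values.tolerations }}` and both `{{- end }}` lines at column 0 so each block's open and close line up. The enclosing pod spec begins before and continues after the hunk.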
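Review bot: `securityContext: {{- toYaml .Values.securityContext | nindent 10 }}` in the second delete_hook.yaml hunk puts the template action on the key line, while the `nodeSelector:` and `tolerations:` blocks in the hunk above it put `{{- toYaml ... }}` on its own line; both forms render identically since `{{-` trims back to the colon, but the file now mixes two styles for the same construct. For consistency write `securityContext:` followed by `{{- toYaml .Values.securityContext | nindent 10 }}` on the next line; the matching securityContext hunk in hook.yaml uses the same one-line form and should follow suit. The container definition this block belongs to starts above the hunk.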
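Review bot: The post-install container in the last hook.yaml hunk runs a kubectl script from `alpine/k8s:1.26.0`, but the tests this commit adds (`tests/job_test.yaml` and its snapshot) render only `delete_hook.yaml`, so nothing checks that hook.yaml emits the new `securityContext` and `nodeSelector` blocks at all. The snapshot shows the chart default context carries `readOnlyRootFilesystem: true`, `runAsNonRoot: true` and `runAsUser: 9807`; applied to a kubectl image that is a different runtime than the teleport image, and I can't tell from the hunk whether kubectl's attempt to write its discovery cache under `$HOME/.kube` was exercised under a read-only root filesystem and a UID with no home directory. Adding `hook.yaml` to the `templates:` list in job_test.yaml with an `it:` and snapshot mirroring the delete-hook ones would at least pin the rendering. The `{{- if` that the closing `{{- end}}` context line pairs with, and the heredoc script, begin outside the hunk.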
diff --git a/examples/chart/teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap b/examples/chart/teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap new file mode 100644 index 0000000000000..5b0dbea65679f --- /dev/null +++ b/examples/chart/teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap @@ -0,0 +1,58 @@ +should set nodeSelector in post-delete hook: + 1: | + containers: + - args: + - kube-state + - delete + command: + - teleport + env: + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: 'public.ecr.aws/gravitational/teleport:' + imagePullPolicy: IfNotPresent + name: post-delete-job + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + nodeSelector: + gravitational.io/k8s-role: node + restartPolicy: OnFailure + serviceAccountName: RELEASE-NAME-delete-hook +should set securityContext in post-delete hook: + 1: | + containers: + - args: + - kube-state + - delete + command: + - teleport + env: + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: 'public.ecr.aws/gravitational/teleport:' + imagePullPolicy: IfNotPresent + name: post-delete-job + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + restartPolicy: OnFailure + serviceAccountName: RELEASE-NAME-delete-hook diff --git a/examples/chart/teleport-kube-agent/tests/job_test.yaml b/examples/chart/teleport-kube-agent/tests/job_test.yaml new file mode 100644 index 0000000000000..a2c0371f6e652 --- /dev/null +++ b/examples/chart/teleport-kube-agent/tests/job_test.yaml 
@@ -0,0 +1,47 @@
+suite: Job
+templates:
+ - delete_hook.yaml
+
+release:
+ upgrade: true
+tests:
+ - it: should set securityContext in post-delete hook
+ template: delete_hook.yaml
+ # first 3 items are ServiceAccount, Role, RoleBinding, 3rd (zero-indexed) is the Job
+ documentIndex: 3
+ values:
+ - ../.lint/backwards-compatibility.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation
+ value: false
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.capabilities
+ value:
+ drop:
+ - all
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem
+ value: true
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.runAsNonRoot
+ value: true
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.runAsUser
+ value: 9807
+ - matchSnapshot:
+ path: spec.template.spec
+
+ - it: should set nodeSelector in post-delete hook
+ template: delete_hook.yaml
+ # first 3 items are ServiceAccount, Role, RoleBinding, 3rd (zero-indexed) is the Job
+ documentIndex: 3
+ values:
+ - ../.lint/node-selector.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.nodeSelector
+ value:
+ gravitational.io/k8s-role: node
+ - matchSnapshot:
+ path: spec.template.spec
diff --git a/examples/chart/teleport-kube-agent/values.yaml b/examples/chart/teleport-kube-agent/values.yaml
index 3b70c2cb79a0a..9b978c18d8c33 100644
--- a/examples/chart/teleport-kube-agent/values.yaml
+++ b/examples/chart/teleport-kube-agent/values.yaml
@@ -356,7 +356,7 @@ initSecurityContext: runAsNonRoot: true runAsUser: 9807 -# Security context to add to the container +# Security context to add to other containers securityContext: allowPrivilegeEscalation: false capabilities:
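Review bot: The comment `# first 3 items are ServiceAccount, Role, RoleBinding, 3rd (zero-indexed) is the Job` above each `documentIndex: 3` is easy to misread, since "3rd (zero-indexed)" is the fourth document; suggest `# documents 0-2 are ServiceAccount, Role and RoleBinding; index 3 is the Job` in both places. The asserted values are driven by `../.lint/backwards-compatibility.yaml` and `../.lint/node-selector.yaml`, neither of which is in this diff, so the securityContext expectations are presumably the chart defaults passing through that fixture — verify the fixture sets them explicitly, otherwise a later change to the values.yaml defaults changes what this test proves without the test itself changing.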
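Review bot: In the values.yaml hunk, `# Security context to add to other containers` is vaguer than the line it replaces: "other" presumably contrasts with the `initSecurityContext` stanza visible in the hunk header, but the comment does not say so, and it does not mention that this commit makes the same value govern the post-install and post-delete hook containers. Suggest `# Security context to add to the non-init containers, including the post-install/post-delete hook job containers` so an operator who relaxes or empties `securityContext` for the agent knows the hook jobs lose that hardening too. The `securityContext:` stanza continues past the hunk.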