mirror of
https://github.com/puppetmaster/typhoon.git
synced 2024-12-26 04:09:34 +01:00
5eb4078d68
* Annotate pods, deployments, and daemonsets to start containers with the Docker runtime's default seccomp profile * Overrides Kubernetes default behavior which started containers with seccomp=unconfined * https://docs.docker.com/engine/security/seccomp/#pass-a-profile-for-a-container
32 lines
804 B
YAML
32 lines
804 B
YAML
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: container-linux-update-operator
|
|
namespace: reboot-coordinator
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app: container-linux-update-operator
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: container-linux-update-operator
|
|
annotations:
|
|
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
|
|
spec:
|
|
containers:
|
|
- name: update-operator
|
|
image: quay.io/coreos/container-linux-update-operator:v0.7.0
|
|
command:
|
|
- "/bin/update-operator"
|
|
env:
|
|
- name: POD_NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.namespace
|
|
tolerations:
|
|
- key: node-role.kubernetes.io/master
|
|
operator: Exists
|
|
effect: NoSchedule
|