Diffstat (limited to 'kubernetes/common/common/templates/_serviceMesh.tpl')
-rw-r--r-- | kubernetes/common/common/templates/_serviceMesh.tpl | 36 |
1 files changed, 33 insertions, 3 deletions
diff --git a/kubernetes/common/common/templates/_serviceMesh.tpl b/kubernetes/common/common/templates/_serviceMesh.tpl
index de779f8db8..638db8cab1 100644
--- a/kubernetes/common/common/templates/_serviceMesh.tpl
+++ b/kubernetes/common/common/templates/_serviceMesh.tpl
@@ -27,14 +27,27 @@ true
 {{- end -}}
 
 {{/*
+  Calculate if we require a sidecar killer.
+*/}}
+{{- define "common.requireSidecarKiller" -}}
+{{- if (include "common.onServiceMesh" .) }}
+{{- if eq .Values.global.serviceMesh.engine "istio" }}
+{{- if not (default false .Values.global.serviceMesh.nativeSidecars) -}}
+true
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
   Kills the sidecar proxy associated with a pod.
 */}}
 {{- define "common.serviceMesh.killSidecar" -}}
-{{- if (include "common.onServiceMesh" .) }}
+{{- if (include "common.requireSidecarKiller" .) }}
 RCODE="$?";
 echo "*** script finished with exit code $RCODE" ;
 echo "*** killing service mesh sidecar" ;
-curl -sf -X POST http://127.0.0.1:15020/quitquitquit ;
+wget --quiet --post-data '' --output-document=- http://127.0.0.1:15020/quitquitquit || exit $? ;
 echo "" ;
 echo "*** exiting with script exit code" ;
 exit "$RCODE"
@@ -47,7 +60,7 @@ exit "$RCODE"
 {{- define "common.waitForJobContainer" -}}
 {{- $dot := default . .dot -}}
 {{- $wait_for_job_container := default $dot.Values.wait_for_job_container .wait_for_job_container -}}
-{{- if (include "common.onServiceMesh" .) }}
+{{- if (include "common.requireSidecarKiller" .) }}
 - name: {{ include "common.name" $dot }}{{ ternary "" (printf "-%s" $wait_for_job_container.name) (empty $wait_for_job_container.name) }}-service-mesh-wait-for-job-container
   image: {{ include "repositoryGenerator.image.quitQuit" $dot }}
   imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }}
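Review bot: The replacement line `wget … || exit $?` in `common.serviceMesh.killSidecar` discards `$RCODE` whenever the sidecar endpoint does not answer: the `$?` after `||` is wget's status, so a script that succeeded but whose proxy is already gone is reported as a failed job, and a script that failed is reported with wget's code instead of its own. The previous `curl -sf … ;` tolerated that case and always reached `exit "$RCODE"`. If surfacing a failed shutdown request is intended it deserves a comment; otherwise log and continue, e.g. `wget --quiet --post-data '' --output-document=- http://127.0.0.1:15020/quitquitquit || echo "*** failed to stop sidecar (wget exit code $?)" ;`. The header comment of the new `common.requireSidecarKiller` could also state the actual condition, e.g. `Returns "true" when the sidecar has to be stopped explicitly: on service mesh, engine "istio", and nativeSidecars not enabled.`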
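Review bot: The changed condition `{{- if (include "common.requireSidecarKiller" .) }}` in `common.waitForJobContainer` passes `.` while every other lookup in the define goes through `$dot` (`$dot := default . .dot`), and `common.requireSidecarKiller` dereferences `.Values.global.serviceMesh.engine`; presumably a caller that supplies `.dot` inside a dict has no `.Values` at the top level, in which case rendering fails there rather than falling through quietly. `{{- if (include "common.requireSidecarKiller" $dot) }}` keeps the two lookups consistent. The define continues past this hunk; its container body and closing `{{- end }}` lines are in the next one.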
@@ -65,6 +78,23 @@ exit "$RCODE"
       fieldRef:
         apiVersion: v1
         fieldPath: metadata.namespace
+  securityContext:
+    capabilities:
+      drop:
+      - ALL
+      - CAP_NET_RAW
+    privileged: false
+    readOnlyRootFilesystem: true
+    allowPrivilegeEscalation: false
+    runAsUser: 100
+    runAsGroup: 65533
+  resources:
+    limits:
+      cpu: 100m
+      memory: 500Mi
+    requests:
+      cpu: 10m
+      memory: 10Mi
 {{- end }}
 {{- end }}
 
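Review bot: In the added `securityContext`, `- CAP_NET_RAW` under `drop:` is redundant once `- ALL` is listed, and Kubernetes expects capability names without the `CAP_` prefix (`NET_RAW`), so that line is best removed. The block also stops short of what the restricted Pod Security Standard checks: `runAsUser: 100` runs the container unprivileged but nothing enforces it, so adding `runAsNonRoot: true` and `seccompProfile:` with `type: RuntimeDefault` would make the wait-for-job container admissible under that profile. The `runAsUser`/`runAsGroup` values have to match the quitQuit image's filesystem ownership, which is not visible here. The enclosing `common.waitForJobContainer` define starts outside this hunk.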