arnault/Talks
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
10f7798afbba48f1b66b95a834c8a28b2bdfa61a
Talks/talks-slides-dist/templates/deployment.yaml
Le Prévost-Corvellec Arnault 9a4942daad
All checks were successful
Talks slides — image & chart / vars (push) Successful in 1s
Details
Talks slides — image & chart / Helm chart (push) Successful in 11s
Details
Talks slides — image & chart / Build container image (push) Successful in 33s
Details
Refactor Dockerfile and Helm chart to enhance security and user permissions 
- Updated Dockerfile to run as non-root user 'nginx' and adjusted Nginx configuration for improved security.
- Added pod security context in values.yaml to align with the non-root user setup.
- Refined deployment.yaml to utilize the new pod security context for better compliance with Kubernetes security standards.
2026-04-08 21:36:09 +02:00

68 lines
2.1 KiB
YAML
Raw Blame History

apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "talks-slides.fullname" . }}
labels:
{{- include "talks-slides.labels" . | nindent 4 }}
spec:
{{- if not .Values.slides.autoscaling.enabled }}
replicas: {{ .Values.slides.replicaCount }}
{{- end }}
selector:
matchLabels:
{{- include "talks-slides.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "talks-slides.selectorLabels" . | nindent 8 }}
{{- with .Values.slides.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.slides.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
securityContext:
{{- toYaml .Values.slides.podSecurityContext | nindent 8 }}
containers:
- name: nginx
image: "{{ .Values.slides.image.repository }}:{{ .Values.slides.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.slides.image.pullPolicy }}
securityContext:
allowPrivilegeEscalation: false
# Image : USER nginx + master non-root → pas de SETUID/SETGID ; port 8080 → pas de NET_BIND_SERVICE.
capabilities:
drop: ["ALL"]
readOnlyRootFilesystem: false
ports:
- name: http
containerPort: {{ .Values.slides.containerPort }}
protocol: TCP
livenessProbe:
httpGet:
path: /
port: http
initialDelaySeconds: 10
periodSeconds: 30
readinessProbe:
httpGet:
path: /
port: http
initialDelaySeconds: 5
periodSeconds: 10
resources:
{{- toYaml .Values.slides.resources | nindent 12 }}
{{- with .Values.slides.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.slides.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.slides.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
Reference in New Issue View Git Blame Copy Permalink