feat(sn-platform): Add labels and missing configs for Vault
Motivation
This PR made some enhancements to the Vault template
Modifications
This PR changed Vault template including:
- Added `labels` config
- Added the missing config of pod level containerSecurityContext for `vault.banzaicloud.com/v1alpha1` crd
- Added the missing config of `annotations` for vault related Jobs
- Set env `SKIP_CHOWN`, `SKIP_SETCAP` as true and set config `disable_mlock` as true when Vault is running as non-root
Verifying this change
- [x] Make sure that the change passes the CI checks.
(Please pick either of the following options)
This change is a trivial rework / code cleanup without any test coverage.
(or)
This change is already covered by existing tests, such as (please describe tests).
(or)
This change added tests and can be verified as follows:
(example:)
- Added integration tests for end-to-end deployment with large payloads (10MB)
- Extended integration test for recovery after broker failure
Documentation
Check the box below.
Need to update docs?
- [ ] `doc-required` (If you need help on updating docs, create a doc issue)
- [x] `no-need-doc` (Please explain why)
- [ ] `doc` (If this PR contains doc changes)
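
An added example, not part of this PR or the chart: a small Python check that flags a container spec forced to run as non-root without the settings the Modifications list names (`SKIP_CHOWN`, `SKIP_SETCAP`, `disable_mlock`). The dict layout (a Kubernetes-style container with `securityContext` and `env`, plus a parsed Vault config) and the function names are assumptions.

```python
"""Added example: lint a Vault container spec for the non-root settings named in the PR."""

# Env vars the PR sets to true when Vault runs as non-root.
REQUIRED_ENV = ("SKIP_CHOWN", "SKIP_SETCAP")


def runs_as_non_root(sec_ctx):
    """True when the securityContext forces a non-root user."""
    uid = sec_ctx.get("runAsUser")
    return bool(sec_ctx.get("runAsNonRoot")) or (uid is not None and uid != 0)


def lint_vault_non_root(container, vault_config):
    """Return a list of findings; an empty list means the spec is consistent."""
    sec_ctx = container.get("securityContext", {})
    if not runs_as_non_root(sec_ctx):
        return []  # root container: the PR's non-root settings do not apply
    # YAML may carry the value as a bool or a string, so normalise before comparing.
    env = {e["name"]: str(e.get("value", "")).lower() for e in container.get("env", [])}
    findings = [f"env {name} is not 'true'" for name in REQUIRED_ENV
                if env.get(name) != "true"]
    if vault_config.get("disable_mlock") is not True:
        findings.append("Vault config disable_mlock is not true")
    return findings


# Constructed sample inputs (hypothetical, not taken from the chart).
HARDENED = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000,
                        "capabilities": {"drop": ["ALL"]}},
    "env": [{"name": "SKIP_CHOWN", "value": "true"},
            {"name": "SKIP_SETCAP", "value": "true"}],
}
INCOMPLETE = {
    "securityContext": {"runAsNonRoot": True},
    "env": [{"name": "SKIP_CHOWN", "value": "true"}],
}

if __name__ == "__main__":
    print(lint_vault_non_root(HARDENED, {"disable_mlock": True}))
    print(lint_vault_non_root(INCOMPLETE, {}))
```
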
Is the motivation for the security context to support running as non-root or minimal permission mode?
Oh yes. Seems some financial users have strict admission policies for running as non-root or minimal permission mode. I think OpenShift also has similar requirements.
How about we run sn-platform in minimal permission mode by default, or add a flag to do so and generate these security context settings automatically?
Please try rebasing on master for the fixed test.
@fantapsody @maxsxu @tuteng PTAL
Close PR for it is from fork.