docs: Update examples and docs to add security context (#6608)

aws · Jul 30, 2024 · a0df7a2 · a0df7a2
1 parent a5d5473
commit a0df7a2
Show file tree

Hide file tree

Showing 17 changed files with 137 additions and 35 deletions.
diff --git a/examples/workloads/arm64.yaml b/examples/workloads/arm64.yaml
@@ -3,7 +3,7 @@ kind: Deployment
 metadata:
   name: arm64
 spec:
-  replicas: 0
+  replicas: 1
   selector:
     matchLabels:
       app: arm64
@@ -12,12 +12,18 @@ spec:
       labels:
         app: arm64
     spec:
+      securityContext:
+        runAsUser: 2000
+        runAsGroup: 3000
+        fsGroup: 2000
       containers:
       - image: public.ecr.aws/eks-distro/kubernetes/pause:3.2
         name: arm64
         resources:
           requests:
             cpu: "1"
             memory: 256M
+        securityContext:
+          allowPrivilegedEscalation: false
       nodeSelector:
         kubernetes.io/arch: arm64
diff --git a/examples/workloads/disruption-budget.yaml b/examples/workloads/disruption-budget.yaml
@@ -22,12 +22,18 @@ spec:
       labels:
         app: pdb
     spec:
+      securityContext:
+        runAsUser: 2000
+        runAsGroup: 3000
+        fsGroup: 2000
       containers:
       - image: public.ecr.aws/eks-distro/kubernetes/pause:3.2
         name: pdb
         resources:
           requests:
             cpu: "1"
             memory: 256M
+        securityContext:
+          allowPrivilegedEscalation: false
       nodeSelector:
         kubernetes.io/arch: amd64
diff --git a/examples/workloads/gpu-amd.yaml b/examples/workloads/gpu-amd.yaml
@@ -12,6 +12,10 @@ spec:
       labels:
         app: gpu-amd
     spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 3000
+        fsGroup: 2000
       containers:
       - image: public.ecr.aws/eks-distro/kubernetes/pause:3.2
         name: gpu-amd
@@ -20,4 +24,6 @@ spec:
             amd.com/gpu: "1"
           requests:
             cpu: "1"
-            memory: 256M
+            memory: 256M
+        securityContext:
+          allowPrivilegedEscalation: false
diff --git a/examples/workloads/gpu-nvidia.yaml b/examples/workloads/gpu-nvidia.yaml
@@ -12,6 +12,10 @@ spec:
       labels:
         app: gpu-nvidia
     spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 3000
+        fsGroup: 2000
       containers:
       - image: public.ecr.aws/eks-distro/kubernetes/pause:3.2
         name: gpu-nvidia
@@ -20,4 +24,6 @@ spec:
             nvidia.com/gpu: "1"
           requests:
             cpu: "1"
-            memory: 256M
+            memory: 256M
+        securityContext:
+          allowPrivilegedEscalation: false
diff --git a/examples/workloads/inflate.yaml b/examples/workloads/inflate.yaml
@@ -11,10 +11,16 @@ spec:
       labels:
         app: inflate
     spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 3000
+        fsGroup: 2000
       containers:
       - image: public.ecr.aws/eks-distro/kubernetes/pause:3.2
         name: inflate
         resources:
           requests:
             cpu: "1"
             memory: 256M
+        securityContext:
+          allowPrivilegeEscalation: false
diff --git a/examples/workloads/neuron.yaml b/examples/workloads/neuron.yaml
@@ -12,6 +12,10 @@ spec:
       labels:
         app: neuron
     spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 3000
+        fsGroup: 2000
       containers:
       - image: public.ecr.aws/eks-distro/kubernetes/pause:3.2
         name: neuron
@@ -20,4 +24,6 @@ spec:
             aws.amazon.com/neuron: "1"
           requests:
             cpu: "1"
-            memory: 256M
+            memory: 256M
+        securityContext:
+          allowPrivilegeEscalation: false
diff --git a/examples/workloads/prefer-arm.yaml b/examples/workloads/prefer-arm.yaml
@@ -12,6 +12,10 @@ spec:
       labels:
         app: prefer-arm
     spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 3000
+        fsGroup: 2000
       affinity:
         nodeAffinity:
           preferredDuringSchedulingIgnoredDuringExecution:
@@ -35,4 +39,6 @@ spec:
         resources:
           requests:
             cpu: "1"
-            memory: 256M
+            memory: 256M
+        securityContext:
+          allowPrivilegeEscalation: false
diff --git a/examples/workloads/spot.yaml b/examples/workloads/spot.yaml
@@ -12,12 +12,18 @@ spec:
       labels:
         app: spot
     spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 3000
+        fsGroup: 2000
       containers:
       - image: public.ecr.aws/eks-distro/kubernetes/pause:3.2
         name: spot
         resources:
           requests:
             cpu: "1"
             memory: 256M
+        securityContext:
+          allowPrivilegeEscalation: false
       nodeSelector:
         karpenter.sh/capacity-type: spot
diff --git a/examples/workloads/spread-hostname-zone.yaml b/examples/workloads/spread-hostname-zone.yaml
@@ -12,13 +12,19 @@ spec:
       labels:
         app: host-zone-spread
     spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 3000
+        fsGroup: 2000
       containers:
       - image: public.ecr.aws/eks-distro/kubernetes/pause:3.2
         name: host-zone-spread
         resources:
           requests:
             cpu: "1"
             memory: 256M
+        securityContext:
+          allowPrivilegeEscalation: false
       topologySpreadConstraints:
       - labelSelector:
           matchLabels:

diff --git a/examples/workloads/spread-hostname.yaml b/examples/workloads/spread-hostname.yaml
@@ -12,13 +12,19 @@ spec:
       labels:
         app: host-spread
     spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 3000
+        fsGroup: 2000
       containers:
       - image: public.ecr.aws/eks-distro/kubernetes/pause:3.2
         name: host-spread
         resources:
           requests:
             cpu: "1"
             memory: 256M
+        securityContext:
+          allowPrivilegeEscalation: false
       topologySpreadConstraints:
       - labelSelector:
           matchLabels:

diff --git a/examples/workloads/spread-zone.yaml b/examples/workloads/spread-zone.yaml
@@ -12,13 +12,19 @@ spec:
       labels:
         app: zone-spread
     spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 3000
+        fsGroup: 2000
       containers:
       - image: public.ecr.aws/eks-distro/kubernetes/pause:3.2
         name: zone-spread
         resources:
           requests:
             cpu: "1"
             memory: 256M
+        securityContext:
+          allowPrivilegeEscalation: false
       topologySpreadConstraints:
       - labelSelector:
           matchLabels:

diff --git a/...ting-started/getting-started-with-karpenter/scripts/step13-automatic-node-provisioning.sh b/...ting-started/getting-started-with-karpenter/scripts/step13-automatic-node-provisioning.sh
@@ -14,12 +14,18 @@ spec:
         app: inflate
     spec:
       terminationGracePeriodSeconds: 0
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 3000
+        fsGroup: 2000
       containers:
-        - name: inflate
-          image: public.ecr.aws/eks-distro/kubernetes/pause:3.7
-          resources:
-            requests:
-              cpu: 1
+      - name: inflate
+        image: public.ecr.aws/eks-distro/kubernetes/pause:3.7
+        resources:
+          requests:
+            cpu: 1
+        securityContext:
+          allowPrivilegeEscalation: false
 EOF
 
 kubectl scale deployment inflate --replicas 5

diff --git a/...ting-started/getting-started-with-karpenter/scripts/step13-automatic-node-provisioning.sh b/...ting-started/getting-started-with-karpenter/scripts/step13-automatic-node-provisioning.sh
@@ -14,12 +14,18 @@ spec:
         app: inflate
     spec:
       terminationGracePeriodSeconds: 0
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 3000
+        fsGroup: 2000
       containers:
-        - name: inflate
-          image: public.ecr.aws/eks-distro/kubernetes/pause:3.7
-          resources:
-            requests:
-              cpu: 1
+      - name: inflate
+        image: public.ecr.aws/eks-distro/kubernetes/pause:3.7
+        resources:
+          requests:
+            cpu: 1
+        securityContext:
+          allowPrivilegeEscalation: false
 EOF
 
 kubectl scale deployment inflate --replicas 5

diff --git a/...ting-started/getting-started-with-karpenter/scripts/step13-automatic-node-provisioning.sh b/...ting-started/getting-started-with-karpenter/scripts/step13-automatic-node-provisioning.sh
@@ -14,12 +14,18 @@ spec:
         app: inflate
     spec:
       terminationGracePeriodSeconds: 0
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 3000
+        fsGroup: 2000
       containers:
-        - name: inflate
-          image: public.ecr.aws/eks-distro/kubernetes/pause:3.7
-          resources:
-            requests:
-              cpu: 1
+      - name: inflate
+        image: public.ecr.aws/eks-distro/kubernetes/pause:3.7
+        resources:
+          requests:
+            cpu: 1
+        securityContext:
+          allowPrivilegeEscalation: false
 EOF
 
 kubectl scale deployment inflate --replicas 5

diff --git a/...ting-started/getting-started-with-karpenter/scripts/step13-automatic-node-provisioning.sh b/...ting-started/getting-started-with-karpenter/scripts/step13-automatic-node-provisioning.sh
@@ -14,12 +14,18 @@ spec:
         app: inflate
     spec:
       terminationGracePeriodSeconds: 0
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 3000
+        fsGroup: 2000
       containers:
-        - name: inflate
-          image: public.ecr.aws/eks-distro/kubernetes/pause:3.7
-          resources:
-            requests:
-              cpu: 1
+      - name: inflate
+        image: public.ecr.aws/eks-distro/kubernetes/pause:3.7
+        resources:
+          requests:
+            cpu: 1
+        securityContext:
+          allowPrivilegeEscalation: false
 EOF
 
 kubectl scale deployment inflate --replicas 5

diff --git a/...ting-started/getting-started-with-karpenter/scripts/step13-automatic-node-provisioning.sh b/...ting-started/getting-started-with-karpenter/scripts/step13-automatic-node-provisioning.sh
@@ -14,12 +14,18 @@ spec:
         app: inflate
     spec:
       terminationGracePeriodSeconds: 0
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 3000
+        fsGroup: 2000
       containers:
-        - name: inflate
-          image: public.ecr.aws/eks-distro/kubernetes/pause:3.7
-          resources:
-            requests:
-              cpu: 1
+      - name: inflate
+        image: public.ecr.aws/eks-distro/kubernetes/pause:3.7
+        resources:
+          requests:
+            cpu: 1
+      securityContext:
+        allowPrivilegeEscalation: false
 EOF
 
 kubectl scale deployment inflate --replicas 5

diff --git a/...ting-started/getting-started-with-karpenter/scripts/step13-automatic-node-provisioning.sh b/...ting-started/getting-started-with-karpenter/scripts/step13-automatic-node-provisioning.sh
@@ -14,12 +14,18 @@ spec:
         app: inflate
     spec:
       terminationGracePeriodSeconds: 0
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 3000
+        fsGroup: 2000
       containers:
-        - name: inflate
-          image: public.ecr.aws/eks-distro/kubernetes/pause:3.7
-          resources:
-            requests:
-              cpu: 1
+      - name: inflate
+        image: public.ecr.aws/eks-distro/kubernetes/pause:3.7
+        resources:
+          requests:
+            cpu: 1
+        securityContext:
+          allowPrivilegeEscalation: false
 EOF
 
 kubectl scale deployment inflate --replicas 5