Merge pull request #647 from jetstack/pod_security_standards

Update values.yaml to adhere to kyverno pod-security-standards rules

Author: inteon

deploy/charts/venafi-kubernetes-agent/README.md

@@ -198,36 +198,35 @@ Configures the HTTPS_PROXY environment variable where a HTTP proxy is required.
 
 Configures the NO_PROXY environment variable where a HTTP proxy is required, but certain domains should be excluded.
 
-#### **securityContext.capabilities.drop[0]** ~ `string`
+#### **securityContext** ~ `object`
 > Default value:
 > ```yaml
-> ALL
+> allowPrivilegeEscalation: false
+> capabilities:
+>   drop:
+>     - ALL
+> readOnlyRootFilesystem: true
+> runAsNonRoot: true
+> seccompProfile:
+>   type: RuntimeDefault
 > ```
-#### **securityContext.readOnlyRootFilesystem** ~ `bool`
-> Default value:
-> ```yaml
-> true
-> ```
-#### **securityContext.runAsNonRoot** ~ `bool`
-> Default value:
-> ```yaml
-> true
-> ```
-#### **resources.requests.memory** ~ `string`
-> Default value:
-> ```yaml
-> 200Mi
-> ```
-#### **resources.requests.cpu** ~ `string`
-> Default value:
-> ```yaml
-> 200m
-> ```
-#### **resources.limits.memory** ~ `string`
+
+Add Container specific SecurityContext settings to the container. Takes precedence over `podSecurityContext` when set. See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container
+
+#### **resources** ~ `object`
 > Default value:
 > ```yaml
-> 500Mi
+> limits:
+>   memory: 500Mi
+> requests:
+>   cpu: 200m
+>   memory: 200Mi
 > ```
+
+Set resource requests and limits for the pod.  
+  
+Read [Venafi Kubernetes components deployment best practices](https://docs.venafi.cloud/vaas/k8s-components/c-k8s-components-best-practice/#scaling) to learn how to choose suitable CPU and memory resource requests and limits.
+
 #### **nodeSelector** ~ `object`
 > Default value:
 > ```yaml

deploy/charts/venafi-kubernetes-agent/values.schema.json

@@ -516,92 +516,35 @@
       "type": "number"
     },
     "helm-values.resources": {
-      "additionalProperties": false,
-      "properties": {
+      "default": {
         "limits": {
-          "$ref": "#/$defs/helm-values.resources.limits"
+          "memory": "500Mi"
         },
         "requests": {
-          "$ref": "#/$defs/helm-values.resources.requests"
-        }
-      },
-      "type": "object"
-    },
-    "helm-values.resources.limits": {
-      "additionalProperties": false,
-      "properties": {
-        "memory": {
-          "$ref": "#/$defs/helm-values.resources.limits.memory"
-        }
-      },
-      "type": "object"
-    },
-    "helm-values.resources.limits.memory": {
-      "default": "500Mi",
-      "type": "string"
-    },
-    "helm-values.resources.requests": {
-      "additionalProperties": false,
-      "properties": {
-        "cpu": {
-          "$ref": "#/$defs/helm-values.resources.requests.cpu"
-        },
-        "memory": {
-          "$ref": "#/$defs/helm-values.resources.requests.memory"
+          "cpu": "200m",
+          "memory": "200Mi"
         }
       },
+      "description": "Set resource requests and limits for the pod.\n\nRead [Venafi Kubernetes components deployment best practices](https://docs.venafi.cloud/vaas/k8s-components/c-k8s-components-best-practice/#scaling) to learn how to choose suitable CPU and memory resource requests and limits.",
       "type": "object"
     },
-    "helm-values.resources.requests.cpu": {
-      "default": "200m",
-      "type": "string"
-    },
-    "helm-values.resources.requests.memory": {
-      "default": "200Mi",
-      "type": "string"
-    },
     "helm-values.securityContext": {
-      "additionalProperties": false,
-      "properties": {
+      "default": {
+        "allowPrivilegeEscalation": false,
         "capabilities": {
-          "$ref": "#/$defs/helm-values.securityContext.capabilities"
-        },
-        "readOnlyRootFilesystem": {
-          "$ref": "#/$defs/helm-values.securityContext.readOnlyRootFilesystem"
-        },
-        "runAsNonRoot": {
-          "$ref": "#/$defs/helm-values.securityContext.runAsNonRoot"
+          "drop": [
+            "ALL"
+          ]
+        },
+        "readOnlyRootFilesystem": true,
+        "runAsNonRoot": true,
+        "seccompProfile": {
+          "type": "RuntimeDefault"
         }
       },
+      "description": "Add Container specific SecurityContext settings to the container. Takes precedence over `podSecurityContext` when set. See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container",
       "type": "object"
     },
-    "helm-values.securityContext.capabilities": {
-      "additionalProperties": false,
-      "properties": {
-        "drop": {
-          "$ref": "#/$defs/helm-values.securityContext.capabilities.drop"
-        }
-      },
-      "type": "object"
-    },
-    "helm-values.securityContext.capabilities.drop": {
-      "items": {
-        "$ref": "#/$defs/helm-values.securityContext.capabilities.drop[0]"
-      },
-      "type": "array"
-    },
-    "helm-values.securityContext.capabilities.drop[0]": {
-      "default": "ALL",
-      "type": "string"
-    },
-    "helm-values.securityContext.readOnlyRootFilesystem": {
-      "default": true,
-      "type": "boolean"
-    },
-    "helm-values.securityContext.runAsNonRoot": {
-      "default": true,
-      "type": "boolean"
-    },
     "helm-values.serviceAccount": {
       "additionalProperties": false,
       "properties": {

deploy/charts/venafi-kubernetes-agent/values.yaml

@@ -111,18 +111,22 @@ podSecurityContext: {}
 # Add Container specific SecurityContext settings to the container. Takes
 # precedence over `podSecurityContext` when set. See
 # https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container
+# +docs:property
 securityContext:
   capabilities:
     drop:
       - ALL
   readOnlyRootFilesystem: true
   runAsNonRoot: true
+  allowPrivilegeEscalation: false
+  seccompProfile: { type: RuntimeDefault }
 
 # Set resource requests and limits for the pod.
 #
 # Read [Venafi Kubernetes components deployment best
 # practices](https://docs.venafi.cloud/vaas/k8s-components/c-k8s-components-best-practice/#scaling)
 # to learn how to choose suitable CPU and memory resource requests and limits.
+# +docs:property
 resources:
   requests:
     memory: 200Mi