jkremser

before this change:

kube-linter lint .
KubeLinter 0.2.3

charts/coredns/templates/deployment.yaml: (object: <no namespace>/test-release-coredns apps/v1, Kind=Deployment) container "coredns" does not have a read-only root file system (check: no-read-only-root-fs, remediation: Set readOnlyRootFilesystem to true in the container securityContext.)

charts/coredns/templates/deployment.yaml: (object: <no namespace>/test-release-coredns apps/v1, Kind=Deployment) container "coredns" is not set to runAsNonRoot (check: run-as-non-root, remediation: Set runAsUser to a non-zero number and runAsNonRoot to true in your pod or container securityContext. Refer to https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ for details.)

after this change:

kube-linter lint .
KubeLinter 0.2.3

No lint errors found!

Also updating the links in the comments, because the old ones no longer work (I've tried them all and they do work w/ the new k8s api docs)

@mrueg
Collaborator

mrueg commented Sep 21, 2021

You'll need to bump the chart version as well. Please bump the minor version for this change.

@jkremser
Author

> You'll need to bump the chart version as well. Please bump the minor version for this change.

done

@jkremser
Author

ah, I didn't realize you actually require the containers to run under root with the default settings. That's why the tests are currently failing, so I am setting it to runAsNonRoot: false

@jkremser
Author

@mrueg @haad ping

@sarahhodne
Contributor

I notice that the default CoreDNS deployment in EKS seems to have this security context:

securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    add:
      - NET_BIND_SERVICE
    drop:
      - all

Would that help get around some of the downsides of not being able to set runAsNonRoot: true?

@hagaibarel
Collaborator

Hi, thanks for the PR. I believe that @sarahhodne's approach will do the trick in working around running as non root. Please rebase and bump the chart version.
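
To see which of the two reported checks the EKS-style security context addresses, here is an added example (not part of the thread and not KubeLinter's own code) that approximates both checks from their remediation text. The function names, the sample container dicts and the exact pass conditions are assumptions made for illustration.

```python
# Added example: approximates the two checks from their remediation text.
# Not KubeLinter's code; names and sample dicts are constructed.

def lint_container(container, pod_sc=None):
    """Return the names of the checks this container spec would fail."""
    pod_sc = pod_sc or {}
    sc = container.get("securityContext") or {}
    findings = []
    # no-read-only-root-fs: must be set to true on the container itself.
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append("no-read-only-root-fs")
    # run-as-non-root: a container-level value overrides the pod-level one.
    non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
    uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
    if non_root is not True or uid == 0:
        findings.append("run-as-non-root")
    return findings

def compensating_controls(container):
    """Summarise the settings that constrain a container still running as root."""
    sc = container.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    dropped = {c.lower() for c in caps.get("drop", [])}
    return {
        "no_privilege_escalation": sc.get("allowPrivilegeEscalation") is False,
        "drops_all_capabilities": "all" in dropped,
        "added_capabilities": sorted(caps.get("add", [])),
    }

# Constructed container specs (only the fields the checks read).
BARE = {"name": "coredns"}
EKS_STYLE = {
    "name": "coredns",
    "securityContext": {
        "allowPrivilegeEscalation": False,
        "readOnlyRootFilesystem": True,
        "capabilities": {"add": ["NET_BIND_SERVICE"], "drop": ["all"]},
    },
}

if __name__ == "__main__":
    for label, spec in (("bare", BARE), ("eks-style", EKS_STYLE)):
        print(label, lint_container(spec), compensating_controls(spec))
```

Under these assumptions the EKS-style context clears no-read-only-root-fs but still reports run-as-non-root; what it provides instead is a root process limited to NET_BIND_SERVICE with privilege escalation disabled.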
