Kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - all.yaml

patches:
  # ------------------------------------------------------------------
  # Pod-level security context: seccompProfile RuntimeDefault for every
  # workload of each kind. Strategic-merge patches, so whatever the pod
  # template already sets (runAsUser, fsGroup, ...) is kept. The
  # `name: placeholder` inside each patch is not a real resource name;
  # the `target` selector (no name → every resource of that kind) decides
  # what gets patched.
  # ------------------------------------------------------------------
  - target:
      kind: Deployment
    patch: |-
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: placeholder
      spec:
        template:
          spec:
            securityContext:
              seccompProfile:
                type: RuntimeDefault
  - target:
      kind: StatefulSet
    patch: |-
      apiVersion: apps/v1
      kind: StatefulSet
      metadata:
        name: placeholder
      spec:
        template:
          spec:
            securityContext:
              seccompProfile:
                type: RuntimeDefault
  - target:
      group: batch
      version: v1
      kind: Job
    patch: |-
      apiVersion: batch/v1
      kind: Job
      metadata:
        name: placeholder
      spec:
        template:
          spec:
            securityContext:
              seccompProfile:
                type: RuntimeDefault
  - target:
      kind: CronJob
    patch: |-
      apiVersion: batch/v1
      kind: CronJob
      metadata:
        name: placeholder
      spec:
        jobTemplate:
          spec:
            template:
              spec:
                securityContext:
                  seccompProfile:
                    type: RuntimeDefault
  - target:
      kind: DaemonSet
    patch: |-
      apiVersion: apps/v1
      kind: DaemonSet
      metadata:
        name: placeholder
      spec:
        template:
          spec:
            securityContext:
              seccompProfile:
                type: RuntimeDefault
  - target:
      kind: Pod
    patch: |-
      apiVersion: v1
      kind: Pod
      metadata:
        name: placeholder
      spec:
        securityContext:
          seccompProfile:
            type: RuntimeDefault

  # ------------------------------------------------------------------
  # Container-level security context: readOnlyRootFilesystem per workload.
  # JSON 6902 patches; the ops for one workload are grouped into a single
  # patch and applied in order. Container counts in the comments describe
  # all.yaml as it was when this file was written — re-check them after a
  # chart upgrade, since only the listed indices are patched.
  #
  # NOTE(review): RFC 6902 `add` on an existing member *replaces* it, so the
  # `securityContext: {}` ops below discard any securityContext the upstream
  # container already defines (runAsNonRoot, capabilities, ...). This assumes
  # all.yaml sets none on these containers — verify before relying on it.
  # ------------------------------------------------------------------

  # Deployments
  # immuta-audit: 1 container, 0 initContainers
  - target:
      kind: Deployment
      name: immuta-audit
    patch: |-
      - op: add
        path: /spec/template/spec/containers/0/securityContext
        value: {}
      - op: add
        path: /spec/template/spec/containers/0/securityContext/readOnlyRootFilesystem
        value: true
  # immuta-audit-temporal-worker: 1 container, 0 initContainers
  - target:
      kind: Deployment
      name: immuta-audit-temporal-worker
    patch: |-
      - op: add
        path: /spec/template/spec/containers/0/securityContext
        value: {}
      - op: add
        path: /spec/template/spec/containers/0/securityContext/readOnlyRootFilesystem
        value: true
  # immuta-cache: 1 container, 0 initContainers
  - target:
      kind: Deployment
      name: immuta-cache
    patch: |-
      - op: add
        path: /spec/template/spec/containers/0/securityContext
        value: {}
      - op: add
        path: /spec/template/spec/containers/0/securityContext/readOnlyRootFilesystem
        value: true
  # immuta-discover: 1 container, 0 initContainers
  - target:
      kind: Deployment
      name: immuta-discover
    patch: |-
      - op: add
        path: /spec/template/spec/containers/0/securityContext
        value: {}
      - op: add
        path: /spec/template/spec/containers/0/securityContext/readOnlyRootFilesystem
        value: true
  # immuta-secure-web: 1 container, 0 initContainers
  - target:
      kind: Deployment
      name: immuta-secure-web
    patch: |-
      - op: add
        path: /spec/template/spec/containers/0/securityContext
        value: {}
      - op: add
        path: /spec/template/spec/containers/0/securityContext/readOnlyRootFilesystem
        value: true
  # immuta-secure-background-worker: 1 container, 0 initContainers
  - target:
      kind: Deployment
      name: immuta-secure-background-worker
    patch: |-
      - op: add
        path: /spec/template/spec/containers/0/securityContext
        value: {}
      - op: add
        path: /spec/template/spec/containers/0/securityContext/readOnlyRootFilesystem
        value: true
  # immuta-temporal-proxy: 1 container, 3 initContainers
  - target:
      kind: Deployment
      name: immuta-temporal-proxy
    patch: |-
      - op: add
        path: /spec/template/spec/containers/0/securityContext
        value: {}
      - op: add
        path: /spec/template/spec/containers/0/securityContext/readOnlyRootFilesystem
        value: true
      - op: add
        path: /spec/template/spec/initContainers/0/securityContext
        value: {}
      - op: add
        path: /spec/template/spec/initContainers/0/securityContext/readOnlyRootFilesystem
        value: true
      - op: add
        path: /spec/template/spec/initContainers/1/securityContext
        value: {}
      - op: add
        path: /spec/template/spec/initContainers/1/securityContext/readOnlyRootFilesystem
        value: true
      - op: add
        path: /spec/template/spec/initContainers/2/securityContext
        value: {}
      - op: add
        path: /spec/template/spec/initContainers/2/securityContext/readOnlyRootFilesystem
        value: true
  # immuta-temporal-frontend: 1 container, 0 initContainers
  - target:
      kind: Deployment
      name: immuta-temporal-frontend
    patch: |-
      - op: add
        path: /spec/template/spec/containers/0/securityContext
        value: {}
      - op: add
        path: /spec/template/spec/containers/0/securityContext/readOnlyRootFilesystem
        value: true
  # immuta-temporal-history: 1 container, 1 initContainer
  - target:
      kind: Deployment
      name: immuta-temporal-history
    patch: |-
      - op: add
        path: /spec/template/spec/containers/0/securityContext
        value: {}
      - op: add
        path: /spec/template/spec/containers/0/securityContext/readOnlyRootFilesystem
        value: true
      - op: add
        path: /spec/template/spec/initContainers/0/securityContext
        value: {}
      - op: add
        path: /spec/template/spec/initContainers/0/securityContext/readOnlyRootFilesystem
        value: true
  # immuta-temporal-matching: 1 container, 1 initContainer
  - target:
      kind: Deployment
      name: immuta-temporal-matching
    patch: |-
      - op: add
        path: /spec/template/spec/containers/0/securityContext
        value: {}
      - op: add
        path: /spec/template/spec/containers/0/securityContext/readOnlyRootFilesystem
        value: true
      - op: add
        path: /spec/template/spec/initContainers/0/securityContext
        value: {}
      - op: add
        path: /spec/template/spec/initContainers/0/securityContext/readOnlyRootFilesystem
        value: true
  # immuta-temporal-worker: 1 container, 1 initContainer
  - target:
      kind: Deployment
      name: immuta-temporal-worker
    patch: |-
      - op: add
        path: /spec/template/spec/containers/0/securityContext
        value: {}
      - op: add
        path: /spec/template/spec/containers/0/securityContext/readOnlyRootFilesystem
        value: true
      - op: add
        path: /spec/template/spec/initContainers/0/securityContext
        value: {}
      - op: add
        path: /spec/template/spec/initContainers/0/securityContext/readOnlyRootFilesystem
        value: true

  # Jobs
  # immuta-audit-init: 1 container, 0 initContainers
  - target:
      group: batch
      version: v1
      kind: Job
      name: immuta-audit-init
    patch: |-
      - op: add
        path: /spec/template/spec/containers/0/securityContext
        value: {}
      - op: add
        path: /spec/template/spec/containers/0/securityContext/readOnlyRootFilesystem
        value: true
  # immuta-secure-database-migrate: 1 container, 0 initContainers
  - target:
      group: batch
      version: v1
      kind: Job
      name: immuta-secure-database-migrate
    patch: |-
      - op: add
        path: /spec/template/spec/containers/0/securityContext
        value: {}
      - op: add
        path: /spec/template/spec/containers/0/securityContext/readOnlyRootFilesystem
        value: true
  # immuta-temporal-schema: 1 container, 4 initContainers
  - target:
      group: batch
      version: v1
      kind: Job
      name: immuta-temporal-schema
    patch: |-
      - op: add
        path: /spec/template/spec/containers/0/securityContext
        value: {}
      - op: add
        path: /spec/template/spec/containers/0/securityContext/readOnlyRootFilesystem
        value: true
      - op: add
        path: /spec/template/spec/initContainers/0/securityContext
        value: {}
      - op: add
        path: /spec/template/spec/initContainers/0/securityContext/readOnlyRootFilesystem
        value: true
      - op: add
        path: /spec/template/spec/initContainers/1/securityContext
        value: {}
      - op: add
        path: /spec/template/spec/initContainers/1/securityContext/readOnlyRootFilesystem
        value: true
      - op: add
        path: /spec/template/spec/initContainers/2/securityContext
        value: {}
      - op: add
        path: /spec/template/spec/initContainers/2/securityContext/readOnlyRootFilesystem
        value: true
      - op: add
        path: /spec/template/spec/initContainers/3/securityContext
        value: {}
      - op: add
        path: /spec/template/spec/initContainers/3/securityContext/readOnlyRootFilesystem
        value: true
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - all.yaml

patches:
  # ------------------------------------------------------------------
  # Pod-level security context (seccompProfile RuntimeDefault), one
  # strategic-merge patch per workload kind. Strategic merge keeps whatever
  # the pod template already sets (runAsUser, runAsGroup, fsGroup, ...).
  # `name: placeholder` is not a real resource; the `target` selector with
  # no name matches every resource of that kind in all.yaml.
  # ------------------------------------------------------------------
  - target:
      kind: Deployment
    patch: |-
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: placeholder
      spec:
        template:
          spec:
            securityContext:
              seccompProfile:
                type: RuntimeDefault
  - target:
      kind: StatefulSet
    patch: |-
      apiVersion: apps/v1
      kind: StatefulSet
      metadata:
        name: placeholder
      spec:
        template:
          spec:
            securityContext:
              seccompProfile:
                type: RuntimeDefault
  - target:
      kind: Job
    patch: |-
      apiVersion: batch/v1
      kind: Job
      metadata:
        name: placeholder
      spec:
        template:
          spec:
            securityContext:
              seccompProfile:
                type: RuntimeDefault
  - target:
      kind: CronJob
    patch: |-
      apiVersion: batch/v1
      kind: CronJob
      metadata:
        name: placeholder
      spec:
        jobTemplate:
          spec:
            template:
              spec:
                securityContext:
                  seccompProfile:
                    type: RuntimeDefault
  - target:
      kind: DaemonSet
    patch: |-
      apiVersion: apps/v1
      kind: DaemonSet
      metadata:
        name: placeholder
      spec:
        template:
          spec:
            securityContext:
              seccompProfile:
                type: RuntimeDefault
  - target:
      kind: Pod
    patch: |-
      apiVersion: v1
      kind: Pod
      metadata:
        name: placeholder
      spec:
        securityContext:
          seccompProfile:
            type: RuntimeDefault

  # ------------------------------------------------------------------
  # Container-level security context: a single JSON 6902 `add` of
  # readOnlyRootFilesystem on the first container of every workload kind.
  # Only existing keys inside securityContext are left alone; nothing else
  # is rewritten.
  #
  # NOTE(review): RFC 6902 `add` requires the parent path to exist, so
  # `kustomize build` fails for any container in all.yaml that has no
  # `securityContext` yet. Only `containers/0` is covered — additional
  # containers and all initContainers remain unpatched.
  # ------------------------------------------------------------------
  - target:
      kind: Deployment
    patch: |-
      - op: add
        path: /spec/template/spec/containers/0/securityContext/readOnlyRootFilesystem
        value: true
  - target:
      kind: StatefulSet
    patch: |-
      - op: add
        path: /spec/template/spec/containers/0/securityContext/readOnlyRootFilesystem
        value: true
  - target:
      kind: Job
    patch: |-
      - op: add
        path: /spec/template/spec/containers/0/securityContext/readOnlyRootFilesystem
        value: true
  - target:
      kind: CronJob
    patch: |-
      - op: add
        path: /spec/jobTemplate/spec/template/spec/containers/0/securityContext/readOnlyRootFilesystem
        value: true
  - target:
      kind: DaemonSet
    patch: |-
      - op: add
        path: /spec/template/spec/containers/0/securityContext/readOnlyRootFilesystem
        value: true
  - target:
      kind: Pod
    patch: |-
      - op: add
        path: /spec/containers/0/securityContext/readOnlyRootFilesystem
        value: true
#!/bin/bash
# kustomize-post-render.sh — Helm post-renderer: reads rendered manifests on
# stdin, adds seccompProfile/readOnlyRootFilesystem via yq, writes the result
# to stdout (or the untouched input if the transformation fails).
# -e only: a yq stage failing in the middle of the pipeline below is masked by
# the exit status of the last stage (no pipefail).
set -e
# Final working kustomize-post-render.sh
# Uses simpler, more reliable yq transformations
# log_info MESSAGE... — write an INFO line to stderr so it never mixes with
# the manifest stream Helm reads from stdout.
log_info() {
  printf 'INFO: %s\n' "$*" >&2
}
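# A yq stage failing in the middle of the pipeline must not be hidden by the
# exit status of the last stage; otherwise $result is silently empty/partial
# and the fallback below never triggers.
set -o pipefail

# Requires mikefarah yq v4 (the `yq eval` syntax). Other tools installed
# under the same name, e.g. the Python jq wrapper, reject these expressions.
if ! command -v yq >/dev/null 2>&1; then
  echo "ERROR: yq not found" >&2
  exit 1
fi

# Helm hands the fully rendered manifests to the post-renderer on stdin.
helm_output=$(cat)

# Apply the transformations as separate, simple yq passes (one expression per
# pass keeps a failure attributable). Wrapping the assignment in `if !` keeps
# `set -e` from aborting before the fallback can run.
if ! result=$(echo "$helm_output" | \
  # Step 1: create empty securityContext objects where missing. The kind
  # filters restrict the path assignments to workload documents, matching
  # the later steps; unfiltered, each expression is evaluated against every
  # document in the stream, ConfigMaps and Services included.
  yq eval '(select(.kind == "Deployment" or .kind == "StatefulSet" or .kind == "DaemonSet" or .kind == "Job") | .spec.template.spec | select(has("securityContext") | not) | .securityContext) = {}' - | \
  yq eval '(select(.kind == "CronJob") | .spec.jobTemplate.spec.template.spec | select(has("securityContext") | not) | .securityContext) = {}' - | \
  yq eval '(select(.kind == "Deployment" or .kind == "StatefulSet" or .kind == "DaemonSet" or .kind == "Job") | .spec.template.spec.containers[] | select(has("securityContext") | not) | .securityContext) = {}' - | \
  yq eval '(select(.kind == "Deployment" or .kind == "StatefulSet" or .kind == "DaemonSet" or .kind == "Job") | .spec.template.spec.initContainers[]? | select(has("securityContext") | not) | .securityContext) = {}' - | \
  yq eval '(select(.kind == "CronJob") | .spec.jobTemplate.spec.template.spec.containers[] | select(has("securityContext") | not) | .securityContext) = {}' - | \
  # Step 2: seccompProfile RuntimeDefault on every workload type
  yq eval '(select(.kind == "Deployment" or .kind == "StatefulSet" or .kind == "DaemonSet") | .spec.template.spec.securityContext.seccompProfile.type) = "RuntimeDefault"' - | \
  yq eval '(select(.kind == "Job") | .spec.template.spec.securityContext.seccompProfile.type) = "RuntimeDefault"' - | \
  yq eval '(select(.kind == "CronJob") | .spec.jobTemplate.spec.template.spec.securityContext.seccompProfile.type) = "RuntimeDefault"' - | \
  yq eval '(select(.kind == "Pod") | .spec.securityContext.seccompProfile.type) = "RuntimeDefault"' - | \
  # Step 3: readOnlyRootFilesystem on the containers of the listed Deployments
  yq eval '(select(.kind == "Deployment" and (.metadata.name | test("^immuta-(audit|cache|discover|secure-web|secure-background-worker|temporal-frontend|temporal-history|temporal-matching|temporal-worker|temporal-proxy|audit-temporal-worker)$"))) | .spec.template.spec.containers[].securityContext.readOnlyRootFilesystem) = true' - | \
  # Step 4: readOnlyRootFilesystem on the initContainers of the Deployments that have them
  yq eval '(select(.kind == "Deployment" and (.metadata.name | test("^immuta-(temporal-proxy|temporal-history|temporal-matching|temporal-worker)$"))) | .spec.template.spec.initContainers[]?.securityContext.readOnlyRootFilesystem) = true' - | \
  # Step 5: readOnlyRootFilesystem on ALL Job containers
  yq eval '(select(.kind == "Job") | .spec.template.spec.containers[].securityContext.readOnlyRootFilesystem) = true' - | \
  # Step 6: readOnlyRootFilesystem on ALL Job initContainers
  yq eval '(select(.kind == "Job") | .spec.template.spec.initContainers[]?.securityContext.readOnlyRootFilesystem) = true' -); then
  # Discard partial output from a failed pipeline so the check below falls back.
  result=""
fi

# Emit the hardened manifests only when the pipeline succeeded and produced
# non-empty, parseable YAML. An empty $result must never be echoed: Helm would
# treat it as "no resources".
# NOTE(review): the fallback ships Helm's output *without* the hardening;
# environments that must fail closed should `exit 1` here instead.
if [ -n "$result" ] && echo "$result" | yq eval '.' >/dev/null 2>&1; then
  log_info "Security patches applied successfully"
  echo "$result"
else
  log_info "Transformation failed, using original output"
  echo "$helm_output"
fi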