score-k8s patch templates

patch templates of score-k8s

Since score-k8s version 0.4.0, Platform Engineers can override or patch the default Workload manifests generated by score-k8s generate, seamlessly for Developers, by registering patch templates with score-k8s init --patch-templates.

Each template file is evaluated as a Golang text/template and should output a YAML- or JSON-encoded array of patches. Each patch is an object with a required op (set or delete), a required path (a dot-separated JSON path), a value when op is set, and an optional description that is shown in the logs. The template has access to .Manifests and .Workloads.

For example, to harden every Workload (no auto-mounted service account token, a non-root pod securityContext, and unprivileged containers with a read-only root filesystem and all capabilities dropped), you can use this template, score-k8s/unprivileged.tpl:

{{ range $i, $m := .Manifests }}
{{ if eq $m.kind "Deployment" }}
- op: set
  path: {{ $i }}.spec.template.spec.automountServiceAccountToken
  value: false
- op: set
  path: {{ $i }}.spec.template.spec.securityContext
  value:
    fsGroup: 65532
    runAsGroup: 65532
    runAsNonRoot: true
    runAsUser: 65532
    seccompProfile:
      type: "RuntimeDefault"
{{ range $cname, $_ := $m.spec.template.spec.containers }}
- op: set
  path: {{ $i }}.spec.template.spec.containers.{{ $cname }}.securityContext
  value:
    allowPrivilegeEscalation: false
    privileged: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL
{{ end }}
{{ end }}
{{ end }}
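To show what score-k8s does with a file like this, here is an added Go example; it is not code from score-k8s or the community-patchers repository. It renders a constructed template modelled on unprivileged.tpl against a constructed pair of manifests, decodes the emitted patch array and applies each set or delete patch along its dot-separated path, so you can see the hardened Deployment and the untouched Service that result. Everything in it is an assumption of the example: the template emits JSON rather than YAML so only the standard library is needed, it adds a delete of hostNetwork to exercise the second op, and the Harden, walk and SampleManifests functions are the example's own, not the tool's API.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
	"text/template"
)

// Patch is one entry of the array a patch template emits.
type Patch struct {
	Op          string `json:"op"`   // "set" or "delete"
	Path        string `json:"path"` // dot-separated path rooted at the manifest array
	Value       any    `json:"value,omitempty"`
	Description string `json:"description,omitempty"`
}

// hardenTpl is a constructed template modelled on unprivileged.tpl: it emits JSON so the standard library can decode it, uses $n to place commas between Deployments, and the hostNetwork delete is added to show the second op.
const hardenTpl = `[{{ $n := 0 }}
{{- range $i, $m := .Manifests }}
{{- if eq $m.kind "Deployment" }}
{{- if $n }},{{ end }}{{ $n = 1 }}
{"op":"set","path":"{{ $i }}.spec.template.spec.automountServiceAccountToken","value":false,"description":"no API token in pods"},
{"op":"delete","path":"{{ $i }}.spec.template.spec.hostNetwork","description":"never share the node network"}
{{- range $c, $_ := $m.spec.template.spec.containers }},
{"op":"set","path":"{{ $i }}.spec.template.spec.containers.{{ $c }}.securityContext","value":{"allowPrivilegeEscalation":false,"privileged":false,"readOnlyRootFilesystem":true,"capabilities":{"drop":["ALL"]}}}
{{- end }}{{ end }}{{ end }}
]`

// walk consumes one path segment per call and modifies maps and lists in place: "set" replaces the leaf (its parent must exist), "delete" removes the leaf map key or list element.
func walk(node any, segs []string, p Patch) (any, error) {
	if len(segs) == 0 {
		if p.Op != "set" {
			return nil, fmt.Errorf("unknown op %q", p.Op)
		}
		return p.Value, nil
	}
	key, rest := segs[0], segs[1:]
	leafDelete := len(rest) == 0 && p.Op == "delete"
	switch n := node.(type) {
	case []any:
		idx, err := strconv.Atoi(key)
		if err != nil || idx < 0 || idx >= len(n) {
			return nil, fmt.Errorf("no list index %q", key)
		}
		if leafDelete {
			return append(n[:idx:idx], n[idx+1:]...), nil
		}
		child, err := walk(n[idx], rest, p)
		n[idx] = child
		return n, err
	case map[string]any:
		if leafDelete {
			delete(n, key)
			return n, nil
		}
		child, err := walk(n[key], rest, p)
		n[key] = child
		return n, err
	}
	return nil, fmt.Errorf("cannot descend into %T at %q", node, key)
}

// Harden renders the template, decodes the patch array and applies it in order, which is what score-k8s generate does with the registered templates.
func Harden(manifests []any) ([]any, error) {
	var buf bytes.Buffer
	err := template.Must(template.New("patch").Parse(hardenTpl)).Execute(&buf, map[string]any{"Manifests": manifests})
	if err != nil {
		return nil, err
	}
	var patches []Patch
	if err = json.Unmarshal(buf.Bytes(), &patches); err != nil {
		return nil, fmt.Errorf("template output is not a JSON patch array: %w", err)
	}
	root := any(manifests)
	for _, p := range patches {
		if root, err = walk(root, strings.Split(p.Path, "."), p); err != nil {
			return nil, fmt.Errorf("%s %s: %w", p.Op, p.Path, err)
		}
	}
	return root.([]any), nil
}

// SampleManifests is constructed input standing in for score-k8s generate output: a Deployment with a risky hostNetwork setting and a Service the template must leave untouched.
func SampleManifests() []any {
	return []any{
		map[string]any{"kind": "Deployment", "spec": map[string]any{"template": map[string]any{"spec": map[string]any{
			"hostNetwork": true, "containers": []any{map[string]any{"name": "app", "image": "example/web:1.0"}},
		}}}},
		map[string]any{"kind": "Service", "metadata": map[string]any{"name": "web"}},
	}
}

func main() {
	out, err := Harden(SampleManifests())
	b, _ := json.MarshalIndent(out, "", "  ")
	fmt.Println(string(b), err) // err is <nil> when every patch applied
}
```

Harden(SampleManifests()) returns the patched manifest list: the Deployment's pod spec gains automountServiceAccountToken: false and loses hostNetwork, its container gets the restrictive securityContext, and the Service comes back unchanged because the template only matches kind Deployment. An unknown op, an out-of-range list index or a set whose parent does not exist is reported as an error instead of being silently skipped, which is the behaviour you want from anything that rewrites manifests before they reach a cluster.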

You can run this command to use this patch template:

score-k8s init --patch-templates https://raw.githubusercontent.com/score-spec/community-patchers/refs/heads/main/score-k8s/unprivileged.tpl

The generate command will then apply it when writing the manifests.yaml file:

score-k8s generate score.yaml

A list of patch templates shared by the community can be found here. Users are encouraged to use them and contribute to this growing list of patch templates.