aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKrzysztof Opasiak <k.opasiak@samsung.com>2020-05-14 21:28:54 +0200
committerKrzysztof Opasiak <k.opasiak@samsung.com>2020-05-18 13:16:21 +0000
commit8a538c7d286233a56ccf3b0adcedb9ca01045130 (patch)
tree7349afc84517065b45b70bee29ecb2ee83f1e018
parent7dd6dd1de5ef186769d3df5f5b8d2f57c1448ffe (diff)
[ESR] Force esr-server to run as non-root
Use securityContext to run esr-server as a non-root user. Unfortunately esr-server docker is built in a way that doesn't allow use to just change the user and continue using it. We need to make sure that conf dir is writable for this user because this docker modifies its configuration files from docker_entrypoint.sh Issue-ID: AAI-2896 Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com> Change-Id: If6eba45c9571753fa9e5ce4f386c2e391788c734 (cherry picked from commit 1e6740ddde8f7040b204e63bc457c1f6bea90523)
-rw-r--r--kubernetes/esr/charts/esr-server/templates/deployment.yaml29
1 files changed, 29 insertions, 0 deletions
diff --git a/kubernetes/esr/charts/esr-server/templates/deployment.yaml b/kubernetes/esr/charts/esr-server/templates/deployment.yaml
index d6704285d0..995a409d8a 100644
--- a/kubernetes/esr/charts/esr-server/templates/deployment.yaml
+++ b/kubernetes/esr/charts/esr-server/templates/deployment.yaml
@@ -31,6 +31,27 @@ spec:
app: {{ include "common.name" . }}
release: {{ include "common.release" . }}
spec:
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1001
+ fsGroup: 1001
+ initContainers:
+ - command:
+ - cp
+ args:
+ - -r
+ - -T
+ - /home/esr/conf
+ - /opt/conf
+ securityContext:
+ privileged: true
+ image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: create-conf-dir
+ volumeMounts:
+ - name: conf-dir
+ mountPath: /opt/conf
+
containers:
- name: {{ .Chart.Name }}
image: "{{ include "common.repository" . }}/{{ .Values.image }}"
@@ -60,6 +81,8 @@ spec:
readOnly: true
- mountPath: /home/esr/works/logs
name: {{ include "common.fullname" . }}-logs
+ - mountPath: /home/esr/conf
+ name: conf-dir
resources:
{{ include "common.resources" . | indent 12 }}
{{- if .Values.nodeSelector }}
@@ -72,6 +95,9 @@ spec:
{{- end }}
# Filebeat sidecar container
- name: {{ include "common.name" . }}-filebeat-onap
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
image: "{{ .Values.global.loggingRepository }}/{{ .Values.global.loggingImage }}"
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
volumeMounts:
@@ -99,5 +125,8 @@ spec:
emptyDir: {}
- name: {{ include "common.fullname" . }}-logs
emptyDir: {}
+ - name: conf-dir
+ emptyDir: {}
+
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"