summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKrzysztof Opasiak <k.opasiak@samsung.com>2020-05-14 19:41:20 +0200
committerKrzysztof Opasiak <k.opasiak@samsung.com>2020-05-14 19:41:20 +0200
commit4c62d4db068a64494fd19870977c3eaa0b63c670 (patch)
treeb536725a93aabc46f9bf116cc186434438910c8e
parentc32ee22a8436a184d710db9d06da85c4ca385efc (diff)
[ESR] Force esr-gui to run as non-root
Use securityContext to run esr-gui as a non-root user. Unfortunately esr-gui docker is built in a way that doesn't allow use to just change the user and continue using it. We need to copy tomcat directory to volume to make sure that tomcat is able to create additional directories after it starts. Issue-ID: AAI-2896 Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com> Change-Id: Iae060ea691ce492e8ccb2d540a48c085c0fd66ae
-rw-r--r--kubernetes/esr/charts/esr-gui/templates/deployment.yaml33
1 files changed, 31 insertions, 2 deletions
diff --git a/kubernetes/esr/charts/esr-gui/templates/deployment.yaml b/kubernetes/esr/charts/esr-gui/templates/deployment.yaml
index 9319485ddf..9c70d327d7 100644
--- a/kubernetes/esr/charts/esr-gui/templates/deployment.yaml
+++ b/kubernetes/esr/charts/esr-gui/templates/deployment.yaml
@@ -31,6 +31,27 @@ spec:
app: {{ include "common.name" . }}
release: {{ include "common.release" . }}
spec:
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1001
+ fsGroup: 1001
+ initContainers:
+ - command:
+ - cp
+ args:
+ - -r
+ - -T
+ - /home/esr/tomcat
+ - /opt/tomcat
+ securityContext:
+ privileged: true
+ image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: create-tomcat-dir
+ volumeMounts:
+ - name: tomcat-workdir
+ mountPath: /opt/tomcat
+
containers:
- name: {{ include "common.name" . }}
image: "{{ include "common.repository" . }}/{{ .Values.image }}"
@@ -54,15 +75,23 @@ spec:
env:
- name: MSB_ADDR
value: {{ tpl .Values.msbaddr . }}
+ volumeMounts:
+ - name: tomcat-workdir
+ mountPath: /home/esr/tomcat/
resources:
{{ include "common.resources" . | indent 12 }}
{{- if .Values.nodeSelector }}
- nodeSelector:
+ nodeSelector:
{{ toYaml .Values.nodeSelector | indent 10 }}
{{- end -}}
{{- if .Values.affinity }}
- affinity:
+ affinity:
{{ toYaml .Values.affinity | indent 10 }}
{{- end }}
+
+ volumes:
+ - name: tomcat-workdir
+ emptyDir: {}
+
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"