authorMorgan Richomme <morgan.richomme@orange.com>2020-05-15 19:38:35 +0000
committerGerrit Code Review <gerrit@onap.org>2020-05-15 19:38:35 +0000
commit9d4cdf7ef706b85ec1d86b4945812d61cbdb3f15 (patch)
tree28c54349731147abdf505c7d5f0259181dba7b7c
parentaf79d35b1c583078e4b03604d1f253d5854de02d (diff)
parent1e6740ddde8f7040b204e63bc457c1f6bea90523 (diff)
Merge "[ESR] Force esr-server to run as non-root"
-rw-r--r--kubernetes/esr/charts/esr-server/templates/deployment.yaml29
1 files changed, 29 insertions, 0 deletions
diff --git a/kubernetes/esr/charts/esr-server/templates/deployment.yaml b/kubernetes/esr/charts/esr-server/templates/deployment.yaml
index d6704285d0..995a409d8a 100644
--- a/kubernetes/esr/charts/esr-server/templates/deployment.yaml
+++ b/kubernetes/esr/charts/esr-server/templates/deployment.yaml
@@ -31,6 +31,27 @@ spec:
app: {{ include "common.name" . }}
release: {{ include "common.release" . }}
spec:
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1001
+ fsGroup: 1001
+ initContainers:
+ - command:
+ - cp
+ args:
+ - -r
+ - -T
+ - /home/esr/conf
+ - /opt/conf
+ securityContext:
+ privileged: true
+ image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: create-conf-dir
+ volumeMounts:
+ - name: conf-dir
+ mountPath: /opt/conf
+
containers:
- name: {{ .Chart.Name }}
image: "{{ include "common.repository" . }}/{{ .Values.image }}"
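Review bot: The `create-conf-dir` init container is declared with `privileged: true`, although its only job is `cp -r -T /home/esr/conf /opt/conf` into an emptyDir; that setting gives it access to host devices and lifts its default confinement, in a commit whose purpose is to reduce privileges. The pod-level `fsGroup: 1001` should already make the `conf-dir` volume writable for the copy, so the container-level block could carry `allowPrivilegeEscalation: false` in place of `privileged: true`. If the copy was failing on read permissions of `/home/esr/conf` inside the image, that is presumably better fixed in the image, because `privileged` does not change the UID 1000 inherited from the pod-level context. Adding `runAsNonRoot: true` next to `runAsUser: 1000` would also make the kubelet refuse to start the pod if the UID were ever overridden to 0. The pod `spec:` begins before this hunk and continues past it.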
@@ -60,6 +81,8 @@ spec:
readOnly: true
- mountPath: /home/esr/works/logs
name: {{ include "common.fullname" . }}-logs
+ - mountPath: /home/esr/conf
+ name: conf-dir
resources:
{{ include "common.resources" . | indent 12 }}
{{- if .Values.nodeSelector }}
@@ -72,6 +95,9 @@ spec:
{{- end }}
# Filebeat sidecar container
- name: {{ include "common.name" . }}-filebeat-onap
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
image: "{{ .Values.global.loggingRepository }}/{{ .Values.global.loggingImage }}"
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
volumeMounts:
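Review bot: The filebeat sidecar sets `runAsGroup: 1000` while the pod-level context added in the first hunk uses `runAsGroup: 1001` and `fsGroup: 1001`, and nothing in the template says why the two differ. A comment above the block such as `# filebeat image runs as 1000:1000; shared log volumes are reached via the pod fsGroup (1001)` would record the intent, assuming that is the reason; it should be confirmed against the logging image. This container-level block is also the natural place for `allowPrivilegeEscalation: false`, which the commit does not set on any container. The sidecar definition continues outside the hunk.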
@@ -99,5 +125,8 @@ spec:
emptyDir: {}
- name: {{ include "common.fullname" . }}-logs
emptyDir: {}
+ - name: conf-dir
+ emptyDir: {}
+
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"