summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMorgan Richomme <morgan.richomme@orange.com>2020-05-15 19:38:25 +0000
committerGerrit Code Review <gerrit@onap.org>2020-05-15 19:38:25 +0000
commitaf79d35b1c583078e4b03604d1f253d5854de02d (patch)
tree09df09b2df01f2c55890975ce6e62b25cca3ab98
parent3201cc3f6fa66565731138836e3aae63cdfec8bc (diff)
parent4c62d4db068a64494fd19870977c3eaa0b63c670 (diff)
Merge "[ESR] Force esr-gui to run as non-root"
-rw-r--r--kubernetes/esr/charts/esr-gui/templates/deployment.yaml33
1 files changed, 31 insertions, 2 deletions
diff --git a/kubernetes/esr/charts/esr-gui/templates/deployment.yaml b/kubernetes/esr/charts/esr-gui/templates/deployment.yaml
index 9319485ddf..9c70d327d7 100644
--- a/kubernetes/esr/charts/esr-gui/templates/deployment.yaml
+++ b/kubernetes/esr/charts/esr-gui/templates/deployment.yaml
@@ -31,6 +31,27 @@ spec:
app: {{ include "common.name" . }}
release: {{ include "common.release" . }}
spec:
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1001
+ fsGroup: 1001
+ initContainers:
+ - command:
+ - cp
+ args:
+ - -r
+ - -T
+ - /home/esr/tomcat
+ - /opt/tomcat
+ securityContext:
+ privileged: true
+ image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: create-tomcat-dir
+ volumeMounts:
+ - name: tomcat-workdir
+ mountPath: /opt/tomcat
+
containers:
- name: {{ include "common.name" . }}
image: "{{ include "common.repository" . }}/{{ .Values.image }}"
@@ -54,15 +75,23 @@ spec:
env:
- name: MSB_ADDR
value: {{ tpl .Values.msbaddr . }}
+ volumeMounts:
+ - name: tomcat-workdir
+ mountPath: /home/esr/tomcat/
resources:
{{ include "common.resources" . | indent 12 }}
{{- if .Values.nodeSelector }}
- nodeSelector:
+ nodeSelector:
{{ toYaml .Values.nodeSelector | indent 10 }}
{{- end -}}
{{- if .Values.affinity }}
- affinity:
+ affinity:
{{ toYaml .Values.affinity | indent 10 }}
{{- end }}
+
+ volumes:
+ - name: tomcat-workdir
+ emptyDir: {}
+
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"