| Field | Value | Date |
|---|---|---|
| author | Krzysztof Opasiak <k.opasiak@samsung.com> | 2020-05-14 19:41:20 +0200 |
| committer | Krzysztof Opasiak <k.opasiak@samsung.com> | 2020-05-14 19:41:20 +0200 |
| commit | 4c62d4db068a64494fd19870977c3eaa0b63c670 (patch) | |
| tree | b536725a93aabc46f9bf116cc186434438910c8e | |
| parent | c32ee22a8436a184d710db9d06da85c4ca385efc (diff) | |
[ESR] Force esr-gui to run as non-root
Use securityContext to run esr-gui as a non-root user.
Unfortunately esr-gui docker is built in a way that doesn't allow us
to just change the user and continue using it. We need to copy tomcat
directory to volume to make sure that tomcat is able to create
additional directories after it starts.
Issue-ID: AAI-2896
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: Iae060ea691ce492e8ccb2d540a48c085c0fd66ae
| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | kubernetes/esr/charts/esr-gui/templates/deployment.yaml | 33 |

1 files changed, 31 insertions, 2 deletions
diff --git a/kubernetes/esr/charts/esr-gui/templates/deployment.yaml b/kubernetes/esr/charts/esr-gui/templates/deployment.yaml index 9319485ddf..9c70d327d7 100644 --- a/kubernetes/esr/charts/esr-gui/templates/deployment.yaml +++ b/kubernetes/esr/charts/esr-gui/templates/deployment.yaml @@ -31,6 +31,27 @@ spec: app: {{ include "common.name" . }} release: {{ include "common.release" . }} spec: + securityContext: + runAsUser: 1000 + runAsGroup: 1001 + fsGroup: 1001 + initContainers: + - command: + - cp + args: + - -r + - -T + - /home/esr/tomcat + - /opt/tomcat + securityContext: + privileged: true + image: "{{ include "common.repository" . }}/{{ .Values.image }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: create-tomcat-dir + volumeMounts: + - name: tomcat-workdir + mountPath: /opt/tomcat + containers: - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" @@ -54,15 +75,23 @@ spec: env: - name: MSB_ADDR value: {{ tpl .Values.msbaddr . }} + volumeMounts: + - name: tomcat-workdir + mountPath: /home/esr/tomcat/ resources: {{ include "common.resources" . | indent 12 }} {{- if .Values.nodeSelector }} - nodeSelector: + nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} {{- end -}} {{- if .Values.affinity }} - affinity: + affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} + + volumes: + - name: tomcat-workdir + emptyDir: {} + imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" |
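Review bot: in the first hunk the `create-tomcat-dir` init container sets `securityContext: privileged: true`, which a plain `cp -r -T /home/esr/tomcat /opt/tomcat` into an emptyDir does not need and which a restricted pod admission policy will reject. `privileged` does not change the UID either: the pod-level `runAsUser: 1000` still applies to the init container, so the copy already has to succeed as that user and the flag only adds host device and capability exposure to a container that runs an image from the registry. Suggest dropping `privileged: true` entirely; if the image really keeps `/home/esr/tomcat` root-only, set `runAsUser: 0` on this init container's `securityContext` alone rather than granting privileged. While touching the pod `securityContext`, `runAsNonRoot: true` would make the intent of this change enforceable, and the hard-coded `1000`/`1001` values would be easier to audit as entries in values.yaml.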
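Review bot: in the second hunk the main container mounts `tomcat-workdir` at `/home/esr/tomcat/` while the init container populated the same volume at `/opt/tomcat`; the two paths are correct together but easy to drift apart later, so a short comment next to the `volumes:` entry saying that the emptyDir is the copied tomcat directory would help. `emptyDir: {}` also has no `sizeLimit`, so a log or work directory that grows under tomcat is only bounded by node ephemeral storage; consider `emptyDir:` with a `sizeLimit`. Minor: the two bare `+` lines before and after the `volumes:` block add stray blank lines to the template.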