summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKrzysztof Opasiak <k.opasiak@samsung.com>2020-05-14 19:41:20 +0200
committerKrzysztof Opasiak <k.opasiak@samsung.com>2020-05-18 09:44:47 +0000
commite3b30aac58435e9a88dcf8a5e318c3a09bb77c93 (patch)
tree19f202feb5b3f5131113c058cb86e94dd12f03af
parente96ecb1c4d00e50a4b077d195ea145328a523193 (diff)
[ESR] Force esr-gui to run as non-root
Use securityContext to run esr-gui as a non-root user. Unfortunately esr-gui docker is built in a way that doesn't allow use to just change the user and continue using it. We need to copy tomcat directory to volume to make sure that tomcat is able to create additional directories after it starts. Issue-ID: AAI-2896 Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com> Change-Id: Iae060ea691ce492e8ccb2d540a48c085c0fd66ae (cherry picked from commit 4c62d4db068a64494fd19870977c3eaa0b63c670)
-rw-r--r--kubernetes/esr/charts/esr-gui/templates/deployment.yaml33
1 files changed, 31 insertions, 2 deletions
diff --git a/kubernetes/esr/charts/esr-gui/templates/deployment.yaml b/kubernetes/esr/charts/esr-gui/templates/deployment.yaml
index 9319485ddf..9c70d327d7 100644
--- a/kubernetes/esr/charts/esr-gui/templates/deployment.yaml
+++ b/kubernetes/esr/charts/esr-gui/templates/deployment.yaml
@@ -31,6 +31,27 @@ spec:
app: {{ include "common.name" . }}
release: {{ include "common.release" . }}
spec:
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1001
+ fsGroup: 1001
+ initContainers:
+ - command:
+ - cp
+ args:
+ - -r
+ - -T
+ - /home/esr/tomcat
+ - /opt/tomcat
+ securityContext:
+ privileged: true
+ image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: create-tomcat-dir
+ volumeMounts:
+ - name: tomcat-workdir
+ mountPath: /opt/tomcat
+
containers:
- name: {{ include "common.name" . }}
image: "{{ include "common.repository" . }}/{{ .Values.image }}"
@@ -54,15 +75,23 @@ spec:
env:
- name: MSB_ADDR
value: {{ tpl .Values.msbaddr . }}
+ volumeMounts:
+ - name: tomcat-workdir
+ mountPath: /home/esr/tomcat/
resources:
{{ include "common.resources" . | indent 12 }}
{{- if .Values.nodeSelector }}
- nodeSelector:
+ nodeSelector:
{{ toYaml .Values.nodeSelector | indent 10 }}
{{- end -}}
{{- if .Values.affinity }}
- affinity:
+ affinity:
{{ toYaml .Values.affinity | indent 10 }}
{{- end }}
+
+ volumes:
+ - name: tomcat-workdir
+ emptyDir: {}
+
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"