diff options
author | Morgan Richomme <morgan.richomme@orange.com> | 2020-05-15 19:38:35 +0000 |
---|---|---|
committer | Gerrit Code Review <gerrit@onap.org> | 2020-05-15 19:38:35 +0000 |
commit | 9d4cdf7ef706b85ec1d86b4945812d61cbdb3f15 (patch) | |
tree | 28c54349731147abdf505c7d5f0259181dba7b7c | |
parent | af79d35b1c583078e4b03604d1f253d5854de02d (diff) | |
parent | 1e6740ddde8f7040b204e63bc457c1f6bea90523 (diff) |
Merge "[ESR] Force esr-server to run as non-root"
-rw-r--r-- | kubernetes/esr/charts/esr-server/templates/deployment.yaml | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/kubernetes/esr/charts/esr-server/templates/deployment.yaml b/kubernetes/esr/charts/esr-server/templates/deployment.yaml index d6704285d0..995a409d8a 100644 --- a/kubernetes/esr/charts/esr-server/templates/deployment.yaml +++ b/kubernetes/esr/charts/esr-server/templates/deployment.yaml @@ -31,6 +31,27 @@ spec: app: {{ include "common.name" . }} release: {{ include "common.release" . }} spec: + securityContext: + runAsUser: 1000 + runAsGroup: 1001 + fsGroup: 1001 + initContainers: + - command: + - cp + args: + - -r + - -T + - /home/esr/conf + - /opt/conf + securityContext: + privileged: true + image: "{{ include "common.repository" . }}/{{ .Values.image }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: create-conf-dir + volumeMounts: + - name: conf-dir + mountPath: /opt/conf + containers: - name: {{ .Chart.Name }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" @@ -60,6 +81,8 @@ spec: readOnly: true - mountPath: /home/esr/works/logs name: {{ include "common.fullname" . }}-logs + - mountPath: /home/esr/conf + name: conf-dir resources: {{ include "common.resources" . | indent 12 }} {{- if .Values.nodeSelector }} @@ -72,6 +95,9 @@ spec: {{- end }} # Filebeat sidecar container - name: {{ include "common.name" . }}-filebeat-onap + securityContext: + runAsUser: 1000 + runAsGroup: 1000 image: "{{ .Values.global.loggingRepository }}/{{ .Values.global.loggingImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} volumeMounts: @@ -99,5 +125,8 @@ spec: emptyDir: {} - name: {{ include "common.fullname" . }}-logs emptyDir: {} + - name: conf-dir + emptyDir: {} + imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" |