diff options
author | Krzysztof Opasiak <k.opasiak@samsung.com> | 2020-11-25 16:54:36 +0100 |
---|---|---|
committer | Sylvain Desbureaux <sylvain.desbureaux@orange.com> | 2020-12-01 15:39:12 +0000 |
commit | 775b166148ff8f4abb2e667a9824a66f5bd674c0 (patch) | |
tree | a05e4e7f4452dcf0be0a97aaadf50456ac73e098 | |
parent | 30d1d3a6eff0985ac1553da015c04f063d1607cc (diff) |
[CONSUL] Make consul run as non-root
Use our recently build consul image (still based on the same old
consul version) and modify the deployment to make sure that it is able
to run as non-root user.
Yes, I know that moving consul-server to component would be more
proper solution but as this commit is supposed to be cherry-picked to
guilin I've tried to make as little changes as possible.
Issue-ID: REQ-362
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: Idfc09ee225d4f89bb699683fa5e4ae3b86491c08
-rw-r--r-- | kubernetes/consul/charts/consul-server/templates/statefulset.yaml | 3 | ||||
-rw-r--r-- | kubernetes/consul/charts/consul-server/values.yaml | 9 | ||||
-rw-r--r-- | kubernetes/consul/templates/deployment.yaml | 41 | ||||
-rw-r--r-- | kubernetes/consul/values.yaml | 12 |
4 files changed, 52 insertions, 13 deletions
diff --git a/kubernetes/consul/charts/consul-server/templates/statefulset.yaml b/kubernetes/consul/charts/consul-server/templates/statefulset.yaml index 430b6dd1bd..872ef13f95 100644 --- a/kubernetes/consul/charts/consul-server/templates/statefulset.yaml +++ b/kubernetes/consul/charts/consul-server/templates/statefulset.yaml @@ -42,6 +42,9 @@ spec: containers: - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" + securityContext: + runAsUser: {{ .Values.securityContext.runAsUser }} + runAsGroup: {{ .Values.securityContext.runAsGroup }} command: ["/usr/local/bin/docker-entrypoint.sh"] args: - "agent" diff --git a/kubernetes/consul/charts/consul-server/values.yaml b/kubernetes/consul/charts/consul-server/values.yaml index 81472e71eb..d4c03e54ca 100644 --- a/kubernetes/consul/charts/consul-server/values.yaml +++ b/kubernetes/consul/charts/consul-server/values.yaml @@ -25,8 +25,8 @@ global: # Application configuration defaults. ################################################################# # application image -repository: docker.io -image: consul:1.0.6 +repository: nexus3.onap.org:10001 +image: onap/oom/consul:2.1.0 pullPolicy: Always # flag to enable debugging - application support required @@ -90,3 +90,8 @@ resources: cpu: 1 memory: 2Gi unlimited: {} + +securityContext: + fsGroup: 1000 + runAsUser: 100 + runAsGroup: 1000 diff --git a/kubernetes/consul/templates/deployment.yaml b/kubernetes/consul/templates/deployment.yaml index 51c6eb72d5..eece2b704f 100644 --- a/kubernetes/consul/templates/deployment.yaml +++ b/kubernetes/consul/templates/deployment.yaml @@ -39,15 +39,36 @@ spec: spec: imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" - containers: - - image: "{{ include "common.repository" . }}/{{ .Values.image }}" + initContainers: + - name: {{ include "common.name" . }}-chown + image: "{{ include "common.repository" . }}/{{ .Values.image }}" command: - - /bin/sh - - "-c" + - sh + args: + - -c - | - apk update && apk add jq - cp /tmp/consul/config/* /consul/config - /usr/local/bin/docker-entrypoint.sh agent -client 0.0.0.0 -enable-script-checks -retry-join {{ .Values.consulServer.nameOverride }} + cp -r -L /tmp/consul/config/* /consul/config/ + chown -R {{ .Values.consulUID }}:{{ .Values.consulGID }} /consul/config + ls -la /consul/config + volumeMounts: + - mountPath: /tmp/consul/config + name: consul-agent-config + - mountPath: /consul/config + name: consul-agent-config-dir + containers: + - image: {{ include "common.repository" . }}/{{ .Values.image }} + securityContext: + runAsUser: {{ .Values.securityContext.runAsUser }} + runAsGroup: {{ .Values.securityContext.runAsGroup }} + command: + - docker-entrypoint.sh + args: + - agent + - -client + - 0.0.0.0 + - -enable-script-checks + - -retry-join + - {{ .Values.consulServer.nameOverride }} name: {{ include "common.name" . }} env: - name: SDNC_ODL_COUNT @@ -55,14 +76,16 @@ spec: - name: SDNC_IS_PRIMARY_CLUSTER value: "{{ .Values.sdnc.config.isPrimaryCluster }}" volumeMounts: - - mountPath: /tmp/consul/config - name: consul-agent-config + - mountPath: /consul/config + name: consul-agent-config-dir - mountPath: /consul/scripts name: consul-agent-scripts-config - mountPath: /consul/certs name: consul-agent-certs-config resources: {{ include "common.resources" . | nindent 10 }} volumes: + - name: consul-agent-config-dir + emptyDir: {} - configMap: name: {{ include "common.fullname" . }}-configmap name: consul-agent-config diff --git a/kubernetes/consul/values.yaml b/kubernetes/consul/values.yaml index 512c4c3dac..54eee3624b 100644 --- a/kubernetes/consul/values.yaml +++ b/kubernetes/consul/values.yaml @@ -25,14 +25,17 @@ global: # Application configuration defaults. ################################################################# # application image -repository: docker.io -image: oomk8s/consul:1.0.0 +repository: nexus3.onap.org:10001 +image: onap/oom/consul:2.1.0 pullPolicy: Always #subchart name consulServer: nameOverride: consul-server +consulUID: 100 +consulGID: 1000 + # flag to enable debugging - application support required debugEnabled: false @@ -103,3 +106,8 @@ sdnc: config: isPrimaryCluster: true replicaCount: 1 + +securityContext: + fsGroup: 1000 + runAsUser: 100 + runAsGroup: 1000 |