| Field | Value | Date |
|---|---|---|
| author | Krzysztof Opasiak <k.opasiak@samsung.com> | 2020-05-14 21:28:54 +0200 |
| committer | Krzysztof Opasiak <k.opasiak@samsung.com> | 2020-05-14 21:28:54 +0200 |
| commit | 1e6740ddde8f7040b204e63bc457c1f6bea90523 (patch) | |
| tree | e6844dd57e43914d13299bcebb1914345fce8c0b /kubernetes/esr/charts/esr-server/templates | |
| parent | 4c62d4db068a64494fd19870977c3eaa0b63c670 (diff) | |
[ESR] Force esr-server to run as non-root
Use securityContext to run esr-server as a non-root user.
Unfortunately esr-server docker is built in a way that doesn't allow us
to just change the user and continue using it. We need to make sure
that conf dir is writable for this user because this docker modifies
its configuration files from docker_entrypoint.sh
Issue-ID: AAI-2896
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: If6eba45c9571753fa9e5ce4f386c2e391788c734
Diffstat (limited to 'kubernetes/esr/charts/esr-server/templates')
-rw-r--r-- | kubernetes/esr/charts/esr-server/templates/deployment.yaml | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/kubernetes/esr/charts/esr-server/templates/deployment.yaml b/kubernetes/esr/charts/esr-server/templates/deployment.yaml index d6704285d0..995a409d8a 100644 --- a/kubernetes/esr/charts/esr-server/templates/deployment.yaml +++ b/kubernetes/esr/charts/esr-server/templates/deployment.yaml @@ -31,6 +31,27 @@ spec: app: {{ include "common.name" . }} release: {{ include "common.release" . }} spec: + securityContext: + runAsUser: 1000 + runAsGroup: 1001 + fsGroup: 1001 + initContainers: + - command: + - cp + args: + - -r + - -T + - /home/esr/conf + - /opt/conf + securityContext: + privileged: true + image: "{{ include "common.repository" . }}/{{ .Values.image }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: create-conf-dir + volumeMounts: + - name: conf-dir + mountPath: /opt/conf + containers: - name: {{ .Chart.Name }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" @@ -60,6 +81,8 @@ spec: readOnly: true - mountPath: /home/esr/works/logs name: {{ include "common.fullname" . }}-logs + - mountPath: /home/esr/conf + name: conf-dir resources: {{ include "common.resources" . | indent 12 }} {{- if .Values.nodeSelector }} @@ -72,6 +95,9 @@ spec: {{- end }} # Filebeat sidecar container - name: {{ include "common.name" . }}-filebeat-onap + securityContext: + runAsUser: 1000 + runAsGroup: 1000 image: "{{ .Values.global.loggingRepository }}/{{ .Values.global.loggingImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} volumeMounts: @@ -99,5 +125,8 @@ spec: emptyDir: {} - name: {{ include "common.fullname" . }}-logs emptyDir: {} + - name: conf-dir + emptyDir: {} + imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" |
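Review bot: In the first hunk (`@@ -31,6 +31,27 @@`), `privileged: true` on the `create-conf-dir` init container works against the stated goal of this change: privileged mode grants the container every Linux capability and access to host devices, and none of that is needed to copy a directory out of the image into an emptyDir. Drop the `securityContext` on the init container entirely (it then inherits the pod-level `runAsUser: 1000` / `fsGroup: 1001`, and the emptyDir is group-writable for 1001, so the copied files are usable by the main container), or, if `/home/esr/conf` in the image is not readable by UID 1000, set only `runAsUser: 0` on that one init container, which is still far narrower than privileged. Two further points on the same hunk: `cp -r -T` relies on the GNU coreutils `-T` (`--no-target-directory`) option, so check that the esr-server image ships a `cp` that supports it; and since the title says "force ... to run as non-root", consider adding `runAsNonRoot: true` to the pod `securityContext` so the kubelet refuses to start the pod if an image ever defaults back to UID 0.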
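Review bot: In the second hunk (`@@ -60,6 +81,8 @@`), mounting `conf-dir` at `/home/esr/conf` hides whatever the image ships at that path, so the main container only sees a usable configuration because the init container populated the volume first. That coupling is not obvious from this mount alone; add a short comment next to the `- mountPath: /home/esr/conf` entry pointing at the `create-conf-dir` init container, so a later edit does not remove or reorder one without the other.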
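Review bot: In the third hunk (`@@ -72,6 +95,9 @@`), the filebeat sidecar is given `runAsGroup: 1000` while the pod-level `securityContext` uses `runAsGroup: 1001` and `fsGroup: 1001`. It still works, because `fsGroup` is added as a supplementary group to every container in the pod and the shared logs emptyDir is owned by group 1001, but the mismatch reads like a typo. Either align the sidecar on 1001 or add a comment explaining why the filebeat image needs GID 1000; also consider moving these hard-coded UID/GID values into `values.yaml` so they are declared in one place rather than repeated across the pod and sidecar contexts.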
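Review bot: In the last hunk (`@@ -99,5 +125,8 @@`), the new `conf-dir` volume is an `emptyDir`, so any configuration rewritten by `docker_entrypoint.sh` is discarded when the pod is rescheduled and regenerated by the init container on the next start. That matches the commit message, but it is worth stating in a comment on the volume definition so nobody later expects edits under `/home/esr/conf` to persist. The third added line in this hunk is an empty line before `imagePullSecrets:`; that whitespace-only change is harmless but could be left out to keep the diff minimal.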