summaryrefslogtreecommitdiffstats
path: root/kubernetes/esr/charts/esr-server/templates
diff options
context:
space:
mode:
authorKrzysztof Opasiak <k.opasiak@samsung.com>2020-05-14 21:28:54 +0200
committerKrzysztof Opasiak <k.opasiak@samsung.com>2020-05-14 21:28:54 +0200
commit1e6740ddde8f7040b204e63bc457c1f6bea90523 (patch)
treee6844dd57e43914d13299bcebb1914345fce8c0b /kubernetes/esr/charts/esr-server/templates
parent4c62d4db068a64494fd19870977c3eaa0b63c670 (diff)
[ESR] Force esr-server to run as non-root
Use securityContext to run esr-server as a non-root user. Unfortunately esr-server docker is built in a way that doesn't allow use to just change the user and continue using it. We need to make sure that conf dir is writable for this user because this docker modifies its configuration files from docker_entrypoint.sh Issue-ID: AAI-2896 Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com> Change-Id: If6eba45c9571753fa9e5ce4f386c2e391788c734
Diffstat (limited to 'kubernetes/esr/charts/esr-server/templates')
-rw-r--r--kubernetes/esr/charts/esr-server/templates/deployment.yaml29
1 files changed, 29 insertions, 0 deletions
diff --git a/kubernetes/esr/charts/esr-server/templates/deployment.yaml b/kubernetes/esr/charts/esr-server/templates/deployment.yaml
index d6704285d0..995a409d8a 100644
--- a/kubernetes/esr/charts/esr-server/templates/deployment.yaml
+++ b/kubernetes/esr/charts/esr-server/templates/deployment.yaml
@@ -31,6 +31,27 @@ spec:
app: {{ include "common.name" . }}
release: {{ include "common.release" . }}
spec:
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1001
+ fsGroup: 1001
+ initContainers:
+ - command:
+ - cp
+ args:
+ - -r
+ - -T
+ - /home/esr/conf
+ - /opt/conf
+ securityContext:
+ privileged: true
+ image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: create-conf-dir
+ volumeMounts:
+ - name: conf-dir
+ mountPath: /opt/conf
+
containers:
- name: {{ .Chart.Name }}
image: "{{ include "common.repository" . }}/{{ .Values.image }}"
@@ -60,6 +81,8 @@ spec:
readOnly: true
- mountPath: /home/esr/works/logs
name: {{ include "common.fullname" . }}-logs
+ - mountPath: /home/esr/conf
+ name: conf-dir
resources:
{{ include "common.resources" . | indent 12 }}
{{- if .Values.nodeSelector }}
@@ -72,6 +95,9 @@ spec:
{{- end }}
# Filebeat sidecar container
- name: {{ include "common.name" . }}-filebeat-onap
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
image: "{{ .Values.global.loggingRepository }}/{{ .Values.global.loggingImage }}"
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
volumeMounts:
@@ -99,5 +125,8 @@ spec:
emptyDir: {}
- name: {{ include "common.fullname" . }}-logs
emptyDir: {}
+ - name: conf-dir
+ emptyDir: {}
+
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"