diff options
author | Krzysztof Opasiak <k.opasiak@samsung.com> | 2020-11-23 22:02:51 +0100 |
---|---|---|
committer | Krzysztof Opasiak <k.opasiak@samsung.com> | 2020-11-23 22:09:55 +0100 |
commit | bc6a6674f749efc1693c4b6bd58a27f8c37a0ae0 (patch) | |
tree | 15e2625591ed0d6353ff802eb331d831fcaf7b8d /kubernetes/msb/charts/msb-consul/templates | |
parent | f0dacd23777a7998915afe00150b25135b932f86 (diff) |
[MSB] Make consul run as non-root
Start whole consul container as non-root and ensure that both
dumb-init and consul are able to start and run as non-root.
Issue-ID: REQ-362
Change-Id: If5a737953122cc6cd22b8d43ac603b40f4b22727
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Diffstat (limited to 'kubernetes/msb/charts/msb-consul/templates')
-rw-r--r-- | kubernetes/msb/charts/msb-consul/templates/configmap.yaml | 27 | ||||
-rw-r--r-- | kubernetes/msb/charts/msb-consul/templates/deployment.yaml | 17 |
2 files changed, 44 insertions, 0 deletions
diff --git a/kubernetes/msb/charts/msb-consul/templates/configmap.yaml b/kubernetes/msb/charts/msb-consul/templates/configmap.yaml new file mode 100644 index 0000000000..32adcaec5f --- /dev/null +++ b/kubernetes/msb/charts/msb-consul/templates/configmap.yaml @@ -0,0 +1,27 @@ +{{/* +# Copyright © 2020 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-entrypoint + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/*").AsConfig . | indent 2 }} diff --git a/kubernetes/msb/charts/msb-consul/templates/deployment.yaml b/kubernetes/msb/charts/msb-consul/templates/deployment.yaml index 2639a8ed36..c7472cca72 100644 --- a/kubernetes/msb/charts/msb-consul/templates/deployment.yaml +++ b/kubernetes/msb/charts/msb-consul/templates/deployment.yaml @@ -41,6 +41,16 @@ spec: - name: {{ include "common.name" . }} image: "{{ .Values.global.dockerHubRepository | default .Values.dockerHubRepository }}/{{ .Values.image }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + securityContext: + runAsUser: {{ .Values.securityContext.runAsUser }} + runAsGroup: {{ .Values.securityContext.runAsGroup }} + command: + - docker-entrypoint.sh + args: + - "agent" + - "-dev" + - "-client" + - "0.0.0.0" ports: - containerPort: {{ .Values.service.internalPort }} # disable liveness probe when breakpoints set in debugger @@ -62,6 +72,9 @@ spec: - mountPath: /etc/localtime name: localtime readOnly: true + - mountPath: /usr/local/bin/docker-entrypoint.sh + name: entrypoint + subPath: docker-entrypoint.sh resources: {{ include "common.resources" . | indent 12 }} {{- if .Values.nodeSelector }} @@ -76,5 +89,9 @@ spec: - name: localtime hostPath: path: /etc/localtime + - name: entrypoint + configMap: + name: {{ include "common.fullname" . }}-entrypoint + defaultMode: 0777 imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" |