author | Morgan Richomme <morgan.richomme@orange.com> | 2020-05-15 19:38:25 +0000 |
---|---|---|
committer | Gerrit Code Review <gerrit@onap.org> | 2020-05-15 19:38:25 +0000 |
commit | af79d35b1c583078e4b03604d1f253d5854de02d (patch) | |
tree | 09df09b2df01f2c55890975ce6e62b25cca3ab98 /kubernetes | |
parent | 3201cc3f6fa66565731138836e3aae63cdfec8bc (diff) | |
parent | 4c62d4db068a64494fd19870977c3eaa0b63c670 (diff) |
Merge "[ESR] Force esr-gui to run as non-root"
Diffstat (limited to 'kubernetes')
-rw-r--r-- | kubernetes/esr/charts/esr-gui/templates/deployment.yaml | 33 |
1 files changed, 31 insertions, 2 deletions
diff --git a/kubernetes/esr/charts/esr-gui/templates/deployment.yaml b/kubernetes/esr/charts/esr-gui/templates/deployment.yaml
index 9319485ddf..9c70d327d7 100644
--- a/kubernetes/esr/charts/esr-gui/templates/deployment.yaml
+++ b/kubernetes/esr/charts/esr-gui/templates/deployment.yaml
@@ -31,6 +31,27 @@ spec:
 app: {{ include "common.name" . }}
 release: {{ include "common.release" . }}
 spec:
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1001
+ fsGroup: 1001
+ initContainers:
+ - command:
+ - cp
+ args:
+ - -r
+ - -T
+ - /home/esr/tomcat
+ - /opt/tomcat
+ securityContext:
+ privileged: true
+ image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: create-tomcat-dir
+ volumeMounts:
+ - name: tomcat-workdir
+ mountPath: /opt/tomcat
+
 containers:
 - name: {{ include "common.name" . }}
 image: "{{ include "common.repository" . }}/{{ .Values.image }}"
@@ -54,15 +75,23 @@ spec:
 env:
 - name: MSB_ADDR
 value: {{ tpl .Values.msbaddr . }}
+ volumeMounts:
+ - name: tomcat-workdir
+ mountPath: /home/esr/tomcat/
 resources:
 {{ include "common.resources" . | indent 12 }}
 {{- if .Values.nodeSelector }}
- nodeSelector:
+ nodeSelector:
 {{ toYaml .Values.nodeSelector | indent 10 }}
 {{- end -}}
 {{- if .Values.affinity }}
- affinity:
+ affinity:
 {{ toYaml .Values.affinity | indent 10 }}
 {{- end }}
+
+ volumes:
+ - name: tomcat-workdir
+ emptyDir: {}
+
 imagePullSecrets:
 - name: "{{ include "common.namespace" . }}-docker-registry-key"
|
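Review bot: The `create-tomcat-dir` init container in the first hunk sets `securityContext: privileged: true` just to run `cp -r -T /home/esr/tomcat /opt/tomcat` into an emptyDir, which works against the non-root goal of this change. A privileged container gets the full capability set and host device access, runs without seccomp/AppArmor confinement, and is rejected under the baseline Pod Security Standard. With the pod-level `fsGroup: 1001` the emptyDir should already be group-writable, so the copy probably does not need it, although that depends on the file permissions under `/home/esr/tomcat` in the image, which are not visible here. I would drop `privileged: true` and set `allowPrivilegeEscalation: false` on the init container; if the copy then fails on permissions, fixing ownership in the image is preferable to granting privilege.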
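Review bot: The `tomcat-workdir` emptyDir in the second hunk is mounted over the whole of `/home/esr/tomcat/`, so the copied Tomcat tree becomes writable by the runtime user for the life of the pod. That tree presumably includes binaries, configuration and webapps, though the image layout is not visible here. If only Tomcat's work, temp and log directories must be writable, mounting the volume on those paths alone would leave the rest of the tree as shipped in the image. The `emptyDir: {}` also has no `sizeLimit`; a bound chosen for this deployment would stop a runaway log or temp directory from exhausting node ephemeral storage. The main container's spec starts outside this hunk, so whether it sets its own `securityContext` cannot be seen here.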