From 4c4205834827a78e975f97dd624ac77d7e68510e Mon Sep 17 00:00:00 2001
From: Krzysztof Opasiak
Date: Mon, 23 Nov 2020 22:02:51 +0100
Subject: [MSB] Make consul run as non-root

Start whole consul container as non-root and ensure that both dumb-init and consul are able to start and run as non-root.
Issue-ID: REQ-362
Change-Id: If5a737953122cc6cd22b8d43ac603b40f4b22727
Signed-off-by: Krzysztof Opasiak
(cherry picked from commit bc6a6674f749efc1693c4b6bd58a27f8c37a0ae0)
---
 .../msb/charts/msb-consul/templates/configmap.yaml | 27 ++++++++++++++++++++++
 .../charts/msb-consul/templates/deployment.yaml | 17 ++++++++++++++
 2 files changed, 44 insertions(+)
 create mode 100644 kubernetes/msb/charts/msb-consul/templates/configmap.yaml
(limited to 'kubernetes/msb/charts/msb-consul/templates')
diff --git a/kubernetes/msb/charts/msb-consul/templates/configmap.yaml b/kubernetes/msb/charts/msb-consul/templates/configmap.yaml
new file mode 100644
index 0000000000..32adcaec5f
--- /dev/null
+++ b/kubernetes/msb/charts/msb-consul/templates/configmap.yaml
@@ -0,0 +1,27 @@
+{{/*
+# Copyright © 2020 Samsung Electronics
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.fullname" . }}-entrypoint
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ include "common.release" . }}
+ heritage: {{ .Release.Service }}
+data:
+{{ tpl (.Files.Glob "resources/*").AsConfig . | indent 2 }}
diff --git a/kubernetes/msb/charts/msb-consul/templates/deployment.yaml b/kubernetes/msb/charts/msb-consul/templates/deployment.yaml
index 2639a8ed36..c7472cca72 100644
--- a/kubernetes/msb/charts/msb-consul/templates/deployment.yaml
+++ b/kubernetes/msb/charts/msb-consul/templates/deployment.yaml
@@ -41,6 +41,16 @@ spec:
 - name: {{ include "common.name" . }}
 image: "{{ .Values.global.dockerHubRepository | default .Values.dockerHubRepository }}/{{ .Values.image }}"
 imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ securityContext:
+ runAsUser: {{ .Values.securityContext.runAsUser }}
+ runAsGroup: {{ .Values.securityContext.runAsGroup }}
+ command:
+ - docker-entrypoint.sh
+ args:
+ - "agent"
+ - "-dev"
+ - "-client"
+ - "0.0.0.0"
 ports:
 - containerPort: {{ .Values.service.internalPort }}
 # disable liveness probe when breakpoints set in debugger
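Review bot: `{{ tpl (.Files.Glob "resources/*").AsConfig . | indent 2 }}` publishes every file under resources/ into this ConfigMap and runs each one through the Go template engine, and the deployment hunks in this same patch mount the ConfigMap as the container's entrypoint, so any file dropped into resources/ becomes code that executes in the pod and any literal `{{` in the shell script is interpreted as a template action. If only the entrypoint is meant to live here, narrow the glob to `.Files.Glob "resources/docker-entrypoint.sh"` and drop `tpl` unless the script really consumes chart values. The entrypoint script itself is not part of this patch, so I cannot confirm it is template-safe.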
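Review bot: The new `securityContext` pins `runAsUser`/`runAsGroup` from values but does not set `runAsNonRoot: true`, so the non-root intent stated in the commit message is not enforced by the kubelet and a values override to UID 0 would still start the container as root. Add `runAsNonRoot: true` above `runAsUser`; `allowPrivilegeEscalation: false` is cheap to add alongside it. Separately, `-dev` together with `-client 0.0.0.0` exposes the agent's HTTP API on every pod interface with dev-mode defaults (no ACLs, in-memory state); this presumably mirrors the image's previous default command rather than being a regression, but a comment such as `# dev-mode agent without ACLs: exposure must be bounded by the Service/NetworkPolicy` would make the choice deliberate. The values.yaml that defines `securityContext` is not in this template-filtered diff, so its defaults are unverified here.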
@@ -62,6 +72,9 @@ spec:
 - mountPath: /etc/localtime
 name: localtime
 readOnly: true
+ - mountPath: /usr/local/bin/docker-entrypoint.sh
+ name: entrypoint
+ subPath: docker-entrypoint.sh
 resources:
 {{ include "common.resources" . | indent 12 }}
 {{- if .Values.nodeSelector }}
@@ -76,5 +89,9 @@ spec:
 - name: localtime
 hostPath:
 path: /etc/localtime
+ - name: entrypoint
+ configMap:
+ name: {{ include "common.fullname" . }}-entrypoint
+ defaultMode: 0777
 imagePullSecrets:
 - name: "{{ include "common.namespace" . }}-docker-registry-key"
-- 
cgit 1.2.3-korg
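Review bot: The new mount of `/usr/local/bin/docker-entrypoint.sh` lacks `readOnly: true`, unlike the `localtime` mount directly above it; ConfigMap volumes are mounted read-only by current kubelets anyway, but stating it keeps the two mounts consistent and makes the intent explicit, so add `readOnly: true` after `subPath: docker-entrypoint.sh`. Note also that a `subPath` ConfigMap mount is never refreshed while the pod runs, so an edited script only takes effect on pod restart; that is acceptable for an entrypoint but worth a one-line comment on the mount.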
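Review bot: `defaultMode: 0777` marks the mounted entrypoint world-writable, while the script only needs read and execute bits; `defaultMode: 0555` is sufficient (or `0550` if an `fsGroup` is set), and is what a least-privilege reviewer or admission scanner will expect. ConfigMap volumes are mounted read-only by the kubelet, so the write bits are inert in practice, but 0777 signals more than the change needs. Helm's YAML parser reads the unquoted `0777` as octal 511, which is the value the Kubernetes API expects, so the literal form itself is fine.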