From 1e6740ddde8f7040b204e63bc457c1f6bea90523 Mon Sep 17 00:00:00 2001 From: Krzysztof Opasiak Date: Thu, 14 May 2020 21:28:54 +0200 Subject: [ESR] Force esr-server to run as non-root Use securityContext to run esr-server as a non-root user. Unfortunately esr-server docker is built in a way that doesn't allow use to just change the user and continue using it. We need to make sure that conf dir is writable for this user because this docker modifies its configuration files from docker_entrypoint.sh Issue-ID: AAI-2896 Signed-off-by: Krzysztof Opasiak Change-Id: If6eba45c9571753fa9e5ce4f386c2e391788c734 --- .../charts/esr-server/templates/deployment.yaml | 29 ++++++++++++++++++++++ 1 file changed, 29 insertions(+) (limited to 'kubernetes') diff --git a/kubernetes/esr/charts/esr-server/templates/deployment.yaml b/kubernetes/esr/charts/esr-server/templates/deployment.yaml index d6704285d0..995a409d8a 100644 --- a/kubernetes/esr/charts/esr-server/templates/deployment.yaml +++ b/kubernetes/esr/charts/esr-server/templates/deployment.yaml @@ -31,6 +31,27 @@ spec: app: {{ include "common.name" . }} release: {{ include "common.release" . }} spec: + securityContext: + runAsUser: 1000 + runAsGroup: 1001 + fsGroup: 1001 + initContainers: + - command: + - cp + args: + - -r + - -T + - /home/esr/conf + - /opt/conf + securityContext: + privileged: true + image: "{{ include "common.repository" . }}/{{ .Values.image }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: create-conf-dir + volumeMounts: + - name: conf-dir + mountPath: /opt/conf + containers: - name: {{ .Chart.Name }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" @@ -60,6 +81,8 @@ spec: readOnly: true - mountPath: /home/esr/works/logs name: {{ include "common.fullname" . }}-logs + - mountPath: /home/esr/conf + name: conf-dir resources: {{ include "common.resources" . | indent 12 }} {{- if .Values.nodeSelector }} @@ -72,6 +95,9 @@ spec: {{- end }} # Filebeat sidecar container - name: {{ include "common.name" . }}-filebeat-onap + securityContext: + runAsUser: 1000 + runAsGroup: 1000 image: "{{ .Values.global.loggingRepository }}/{{ .Values.global.loggingImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} volumeMounts: @@ -99,5 +125,8 @@ spec: emptyDir: {} - name: {{ include "common.fullname" . }}-logs emptyDir: {} + - name: conf-dir + emptyDir: {} + imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" -- cgit 1.2.3-korg