maas-ingress and maas-ingress-errors pods with non-root user
Run the maas-ingress and maas-ingress-vip containers as the 'www-data' (33) user. Run the maas-ingress-errors container with the error-page image [0] from [1], which already runs as the nobody user. [0] Dockerfile.404-server-with-metrics [1] https://github.com/kubernetes/ingress-gce Change-Id: Idf3791a958017d512bb3f5015b59452e2831b1b3
This commit is contained in:
parent
e7046aa956
commit
5641cc1117
@ -45,21 +45,7 @@ spec:
image: {{ .Values.images.tags.error_pages }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.maas_ingress_errors | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "ingress_errors" "container" "maas_ingress_errors" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/maas-ingress-errors.sh
- start
env:
- name: BIND_PORT
value: {{ tuple "maas_ingress" "podport" "error_pages" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
volumeMounts:
- mountPath: /tmp/maas-ingress-errors.sh
name: maas-bin
subPath: maas-ingress-errors
readOnly: true
volumes:
- name: maas-bin
configMap:
name: maas-bin
defaultMode: 0555
args:
- "-port"
- {{ tuple "maas_ingress" "podport" "error_pages" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
{{- end }}
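Review bot: The error-page container now takes its non-root uid from the image's own USER directive, and by this hunk's line counts the container-level `kubernetes_container_security_context` include appears to go away together with the old command/volume block; if that reading is right, nothing in this template pins the uid for this container and the `readOnlyRootFilesystem: true` under `container.maas_ingress_errors` in values would no longer be rendered here, so please confirm against the full file. Keep an explicit `securityContext` on the container and add `runAsNonRoot: true` beside the pod-level `runAsUser: 65534`, so a later bump of `error_pages` to an image that starts as root is rejected at admission instead of silently undoing this change. The image is pinned by tag only; pinning `error_pages` by digest would make the "already runs as nobody" assumption hold for exactly the image that was reviewed.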
@ -196,11 +196,10 @@ spec:
image: {{ .Values.images.tags.ingress_vip }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.maas_ingress_vip | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
{{ dict "envAll" $envAll "application" "ingress" "container" "maas_ingress_vip" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
capabilities:
add:
- 'NET_ADMIN'
runAsUser: 0
command:
- /bin/init
env:
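Review bot: Adding `NET_ADMIN` to a container that now runs as uid 33 is not guaranteed to give `/bin/init` a usable capability: unless the runtime grants ambient capabilities or the busybox binary carries file capabilities, the permitted/effective sets are cleared at execve for a non-root process, so the VIP setup could fail quietly at runtime rather than at chart install. Verify on the target runtime that the interface/address changes `/bin/init` performs still succeed as uid 33, and record the requirement in a comment above `add:`, e.g. `# NET_ADMIN is only effective for a non-root uid if the runtime sets ambient caps - verified on <runtime>`. While here, pair the grant with `drop:` / `- ALL` so the container keeps only NET_ADMIN instead of the runtime's default capability set plus NET_ADMIN. The container spec continues past the end of the hunk.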
@ -224,11 +223,10 @@ spec:
image: {{ .Values.images.tags.ingress }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.maas_ingress | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
{{ dict "envAll" $envAll "application" "ingress" "container" "maas_ingress" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
capabilities:
add:
- 'NET_BIND_SERVICE'
runAsUser: 0
command:
- /tmp/maas-ingress.sh
- start
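Review bot: The ingress controller's securityContext adds `NET_BIND_SERVICE` but never drops the runtime's default capability set, so the container still carries every default capability on top of the one it needs; add `drop:` / `- ALL` alongside the `add:` list. Also set `runAsNonRoot: true` (in the values feeding the snippet, or directly here) so the move to uid 33 cannot be undone by a future image whose default user is root. I would not add `allowPrivilegeEscalation: false` here without testing: as far as I know the nginx-ingress-controller image binds :80/:443 as www-data through file capabilities on the nginx binary, and no_new_privs disables file capabilities, which is why upstream ships its deployment with escalation allowed — the image build is not visible here, so treat that as something to confirm. The container spec continues outside the hunk.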
@ -98,7 +98,7 @@ images:
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
ingress: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.20.0
ingress_vip: docker.io/busybox:latest
error_pages: gcr.io/google_containers/defaultbackend:1.0
error_pages: gcr.io/google_containers/ingress-gce-404-server-with-metrics-amd64:v1.6.0
maas_syslog: quay.io/airshipit/maas-region-controller:latest
pull_policy: IfNotPresent
local_registry:
@ -284,12 +284,17 @@ pod:
syslog:
runAsUser: 99
readOnlyRootFilesystem: true
ingress:
container:
maas_ingress:
runAsUser: 33
maas_ingress_vip:
runAsUser: 33
ingress_errors:
pod:
runAsUser: 99
runAsUser: 65534
container:
maas_ingress_errors:
runAsUser: 0
readOnlyRootFilesystem: true
affinity:
anti:
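Review bot: The new `runAsUser: 33` and `runAsUser: 65534` entries fix the uid but not the policy, so each of these containers should also carry `runAsNonRoot: true` in the same stanza; that makes Kubernetes refuse to start any image that would come up as root, instead of relying on the image defaults the commit message cites. Uid 33 is `www-data` only by convention of the nginx-ingress-controller image (busybox, which feeds `maas_ingress_vip`, most likely has no such passwd entry), so annotate the value: `runAsUser: 33  # www-data in the nginx-ingress-controller image`. `maas_ingress` and `maas_ingress_vip` also get no `readOnlyRootFilesystem`, unlike `syslog` and `maas_ingress_errors` beside them; if nginx needs writable paths, an emptyDir mounted at those paths is the usual fix. The enclosing mapping under `pod:` starts above the hunk.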