maas-ingress and maas-ingress-errors pods with non-root user

Run the maas-ingress and maas-ingress-vip containers with the
'www-data' (33) user

Run the maas-ingress-errors container with the error-page image [0],
from [1] which already runs as nobody user.

[0] Dockerfile.404-server-with-metrics
[1] https://github.com/kubernetes/ingress-gce

Change-Id: Idf3791a958017d512bb3f5015b59452e2831b1b3

charts/maas/templates/deployment-ingress-errors.yaml

@@ -45,21 +45,7 @@ spec:
           image: {{ .Values.images.tags.error_pages }}
           imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.maas_ingress_errors | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-{{ dict "envAll" $envAll "application" "ingress_errors" "container" "maas_ingress_errors" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
-          command:
-            - /tmp/maas-ingress-errors.sh
-            - start
-          env:
-            - name: BIND_PORT
-              value: {{ tuple "maas_ingress" "podport" "error_pages" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
-          volumeMounts:
-            - mountPath: /tmp/maas-ingress-errors.sh
-              name: maas-bin
-              subPath: maas-ingress-errors
-              readOnly: true
-      volumes:
-        - name: maas-bin
-          configMap:
-            name: maas-bin
-            defaultMode: 0555
+          args:
+            - "-port"
+            - {{ tuple "maas_ingress" "podport" "error_pages" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
 {{- end }}

charts/maas/templates/deployment-maas-ingress.yaml

@@ -196,11 +196,10 @@ spec:
           image: {{ .Values.images.tags.ingress_vip }}
           imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.maas_ingress_vip | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-          securityContext:
+{{ dict "envAll" $envAll "application" "ingress" "container" "maas_ingress_vip" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
             capabilities:
               add:
                 - 'NET_ADMIN'
-            runAsUser: 0
           command:
             - /bin/init
           env:
@@ -224,11 +223,10 @@ spec:
           image: {{ .Values.images.tags.ingress }}
           imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.maas_ingress | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-          securityContext:
+{{ dict "envAll" $envAll "application" "ingress" "container" "maas_ingress" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
             capabilities:
               add:
                 - 'NET_BIND_SERVICE'
-            runAsUser: 0
           command:
             - /tmp/maas-ingress.sh
             - start

charts/maas/values.yaml

@@ -98,7 +98,7 @@ images:
     dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
     ingress: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.20.0
     ingress_vip: docker.io/busybox:latest
-    error_pages: gcr.io/google_containers/defaultbackend:1.0
+    error_pages: gcr.io/google_containers/ingress-gce-404-server-with-metrics-amd64:v1.6.0
     maas_syslog: quay.io/airshipit/maas-region-controller:latest
   pull_policy: IfNotPresent
   local_registry:
@@ -284,12 +284,17 @@ pod:
         syslog:
           runAsUser: 99
           readOnlyRootFilesystem: true
+    ingress:
+      container:
+        maas_ingress:
+          runAsUser: 33
+        maas_ingress_vip:
+          runAsUser: 33
     ingress_errors:
       pod:
-        runAsUser: 99
+        runAsUser: 65534
       container:
         maas_ingress_errors:
-          runAsUser: 0
           readOnlyRootFilesystem: true
   affinity:
     anti: