Browse Source

Merge "Run maas-rack and maas-region containers as non-privileged"

Zuul 1 month ago
parent
commit
cf2c328861

+ 8
- 1
charts/maas/templates/statefulset-rack.yaml View File

@@ -75,7 +75,14 @@ spec:
75 75
           command:
76 76
             - /tmp/start.sh
77 77
           securityContext:
78
-            privileged: true
78
+            capabilities:
79
+              add:
80
+                - 'DAC_READ_SEARCH'
81
+                - 'NET_ADMIN'
82
+                - 'SYS_ADMIN'
83
+                - 'SYS_PTRACE'
84
+                - 'SYS_RESOURCE'
85
+                - 'SYS_TIME'
79 86
           readinessProbe:
80 87
             initialDelaySeconds: 60
81 88
             periodSeconds: 300

+ 8
- 1
charts/maas/templates/statefulset-region.yaml View File

@@ -67,7 +67,14 @@ spec:
67 67
             tcpSocket:
68 68
               port: {{ tuple "maas_region" "podport" "region_api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
69 69
           securityContext:
70
-            privileged: true
70
+            capabilities:
71
+              add:
72
+                - 'SYS_ADMIN'
73
+                - 'NET_ADMIN'
74
+                - 'SYS_PTRACE'
75
+                - 'SYS_TIME'
76
+                - 'SYS_RESOURCE'
77
+                - 'DAC_READ_SEARCH'
71 78
           command:
72 79
             - /tmp/start.sh
73 80
           volumeMounts:

Loading…
Cancel
Save