Run as ceph user and disallow privilege escalation

This PS is to address security best practices concerning running
containers as a non-privileged user and disallowing privilege
escalation. Ceph-client is used for the mgr and mds pods.

Change-Id: Idbd87408c17907eaae9c6398fbc942f203b51515
Frank Ritchie 2021-01-04 11:45:13 -05:00
parent 3ded481794
commit abf8d1bc6e
2 changed files with 5 additions and 3 deletions


@ -15,6 +15,6 @@ apiVersion: v1
appVersion: v1.0.0
description: OpenStack-Helm Ceph Client
name: ceph-client
version: 0.1.2
version: 0.1.3
home: https://github.com/ceph/ceph-client
...
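Review bot: a patch-level bump from 0.1.2 to 0.1.3 is the right scope for a values-only security-context change, but the hunk does not show which file it belongs to; confirm this is the chart's Chart.yaml and that the version bump is the only edit there, since the behavioural change (mds and mgr no longer starting as root) lives entirely in the second file.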


@ -71,8 +71,9 @@ pod:
runAsUser: 0
readOnlyRootFilesystem: true
mds:
runAsUser: 0
runAsUser: 64045
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
mgr:
pod:
runAsUser: 65534
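Review bot: the mds container now runs as uid 64045 with `allowPrivilegeEscalation: false`, but nothing asserts non-root at the kubelet level; consider adding `runAsNonRoot: true` next to `runAsUser: 64045` so the pod is rejected rather than silently started as root if the uid is later overridden or dropped. Note also that the preceding container entry in the unchanged context still has `runAsUser: 0`, which is presumably an init step preparing directories; verify that the paths it creates are owned by or writable for 64045, otherwise the now-unprivileged mds process will fail to write its keyring or data while `readOnlyRootFilesystem: true` is also in effect.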
@ -81,8 +82,9 @@ pod:
runAsUser: 0
readOnlyRootFilesystem: true
mgr:
runAsUser: 0
runAsUser: 64045
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
bootstrap:
pod:
runAsUser: 65534
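Review bot: 64045 is now hard-coded in two places (here and in the mds block above) with no explanation; a short comment stating that 64045 is the ceph user's uid inside the Ceph image would stop the next image bump from silently breaking both entries. Since `allowPrivilegeEscalation: false` also blocks setuid and file-capability binaries, confirm the mgr entrypoint does not rely on su, sudo or similar to switch users now that it no longer starts as root.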