Run as ceph user and disallow privilege escalation

This PS is to address security best practices concerning running
containers as a non-privileged user and disallowing privilege
escalation. Ceph-client is used for the mgr and mds pods.

Change-Id: Idbd87408c17907eaae9c6398fbc942f203b51515
Frank Ritchie 2021-01-04 11:45:13 -05:00
parent 3ded481794
commit abf8d1bc6e
2 changed files with 5 additions and 3 deletions

@ -15,6 +15,6 @@ apiVersion: v1
appVersion: v1.0.0 appVersion: v1.0.0
description: OpenStack-Helm Ceph Client description: OpenStack-Helm Ceph Client
name: ceph-client name: ceph-client
version: 0.1.2 version: 0.1.3
home: https://github.com/ceph/ceph-client home: https://github.com/ceph/ceph-client
... ...

@ -71,8 +71,9 @@ pod:
runAsUser: 0 runAsUser: 0
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
mds: mds:
runAsUser: 0 runAsUser: 64045
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
mgr: mgr:
pod: pod:
runAsUser: 65534 runAsUser: 65534
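Review bot: `runAsUser: 64045` on the mds container is an unexplained magic number; the commit message only says "ceph user", so add a comment beside it in values.yaml stating which account in the image this UID belongs to, otherwise the value will silently break if a later image ships the ceph user under a different UID. Moving this container off root while keeping `readOnlyRootFilesystem: true` also means every volume the mds writes to must be accessible to 64045; the hunk does not show the volume definitions, so confirm the writable mounts (or an `fsGroup`) are set up for that UID before merging.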
@ -81,8 +82,9 @@ pod:
runAsUser: 0 runAsUser: 0
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
mgr: mgr:
runAsUser: 0 runAsUser: 64045
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
bootstrap: bootstrap:
pod: pod:
runAsUser: 65534 runAsUser: 65534
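Review bot: the sibling container in the context above (`runAsUser: 0`, `readOnlyRootFilesystem: true`) is left at root and does not get `allowPrivilegeEscalation: false`; if it genuinely needs root, setting `allowPrivilegeEscalation: false` there is still harmless and keeps the mgr section consistent with the stated goal. Also note the pod-level `runAsUser: 65534` and the container-level `runAsUser: 64045` now differ; the container-level value wins, which is fine, but a short comment saying so would spare the next reader from wondering which one applies.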