diff --git a/charts/maas/templates/deployment-ingress-errors.yaml b/charts/maas/templates/deployment-ingress-errors.yaml
index a702d0f..205ee40 100644
--- a/charts/maas/templates/deployment-ingress-errors.yaml
+++ b/charts/maas/templates/deployment-ingress-errors.yaml
@@ -45,21 +45,7 @@ spec:
 image: {{ .Values.images.tags.error_pages }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.maas_ingress_errors | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-{{ dict "envAll" $envAll "application" "ingress_errors" "container" "maas_ingress_errors" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
- command:
- - /tmp/maas-ingress-errors.sh
- - start
- env:
- - name: BIND_PORT
- value: {{ tuple "maas_ingress" "podport" "error_pages" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
- volumeMounts:
- - mountPath: /tmp/maas-ingress-errors.sh
- name: maas-bin
- subPath: maas-ingress-errors
- readOnly: true
- volumes:
- - name: maas-bin
- configMap:
- name: maas-bin
- defaultMode: 0555
+ args:
+ - "-port"
+ - {{ tuple "maas_ingress" "podport" "error_pages" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
 {{- end }}
diff --git a/charts/maas/templates/deployment-maas-ingress.yaml b/charts/maas/templates/deployment-maas-ingress.yaml
index ef657b6..8ba9dcf 100644
--- a/charts/maas/templates/deployment-maas-ingress.yaml
+++ b/charts/maas/templates/deployment-maas-ingress.yaml
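Review bot: In deployment-ingress-errors.yaml the `maas_ingress_errors` container no longer gets a container-level security context, because the `helm-toolkit.snippets.kubernetes_container_security_context` include is deleted and nothing replaces it above `args:`. values.yaml in this same commit still sets `readOnlyRootFilesystem: true` under `ingress_errors.container.maas_ingress_errors`, so that setting apparently stops rendering and the error-pages container would run with a writable root filesystem. Keeping the deleted include line, `{{ dict "envAll" $envAll "application" "ingress_errors" "container" "maas_ingress_errors" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}`, directly before `args:` preserves it, and `allowPrivilegeEscalation: false` in that values entry would be a reasonable addition now that the container is non-root. The container spec begins above the hunk, so confirm that the pod-level context is still applied there.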
@@ -196,11 +196,10 @@ spec:
 image: {{ .Values.images.tags.ingress_vip }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.maas_ingress_vip | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
+{{ dict "envAll" $envAll "application" "ingress" "container" "maas_ingress_vip" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 capabilities:
 add:
 - 'NET_ADMIN'
- runAsUser: 0
 command:
 - /bin/init
 env:
@@ -224,11 +223,10 @@ spec:
 image: {{ .Values.images.tags.ingress }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.maas_ingress | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
+{{ dict "envAll" $envAll "application" "ingress" "container" "maas_ingress" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 capabilities:
 add:
 - 'NET_BIND_SERVICE'
- runAsUser: 0
 command:
 - /tmp/maas-ingress.sh
 - start
diff --git a/charts/maas/values.yaml b/charts/maas/values.yaml
index baaa8ad..e81a165 100644
--- a/charts/maas/values.yaml
+++ b/charts/maas/values.yaml
@@ -98,7 +98,7 @@ images:
 dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
 ingress: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.20.0
 ingress_vip: docker.io/busybox:latest
- error_pages: gcr.io/google_containers/defaultbackend:1.0
+ error_pages: gcr.io/google_containers/ingress-gce-404-server-with-metrics-amd64:v1.6.0
 maas_syslog: quay.io/airshipit/maas-region-controller:latest
 pull_policy: IfNotPresent
 local_registry:
@@ -284,12 +284,17 @@ pod:
 syslog:
 runAsUser: 99
 readOnlyRootFilesystem: true
+ ingress:
+ container:
+ maas_ingress:
+ runAsUser: 33
+ maas_ingress_vip:
+ runAsUser: 33
 ingress_errors:
 pod:
- runAsUser: 99
+ runAsUser: 65534
 container:
 maas_ingress_errors:
- runAsUser: 0
 readOnlyRootFilesystem: true
 affinity:
 anti:
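Review bot: In deployment-maas-ingress.yaml (the hunks at -196 and -224) the hand-written `capabilities:` / `add:` lines now depend on the include above them rendering a `securityContext:` key at exactly the matching indent. The snippet is defined outside this diff; if it emits nothing when the values entry for the `ingress` application is missing or overridden away, `capabilities:` becomes a stray container-level key and the manifest fails validation, and if an operator sets `capabilities` in values the key is duplicated. Moving the lists into values.yaml next to `runAsUser: 33`, for example `capabilities: {add: [NET_ADMIN]}` for `maas_ingress_vip` and `capabilities: {add: [NET_BIND_SERVICE]}` for `maas_ingress`, and deleting the three literal lines from each container keeps the whole security context in one reviewable place.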
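Review bot: In the values.yaml hunk at -284, `maas_ingress_vip` drops to `runAsUser: 33` while the template still adds `NET_ADMIN` for it. Capabilities added through a container security context are generally not effective for a non-root process unless the executed binary carries file capabilities, and a stock `busybox` image is unlikely to have them, so `/bin/init` may no longer be able to do whatever it needed `NET_ADMIN` for. Please verify that the VIP container still works as UID 33; if it does not, keeping UID 0 for that one container with `drop: [ALL]` and only `NET_ADMIN` added is clearer than a capability grant that does nothing. The same check applies to `maas_ingress` binding low ports with `NET_BIND_SERVICE`.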