maas-ingress and maas-ingress-errors pods with non-root user
Run the maas-ingress and maas-ingress-vip containers with the 'www-data' (33) user. Run the maas-ingress-errors container with the error-page image [0], from [1], which already runs as the nobody user. [0] Dockerfile.404-server-with-metrics [1] https://github.com/kubernetes/ingress-gce Change-Id: Idf3791a958017d512bb3f5015b59452e2831b1b3
parent
e7046aa956
commit
5641cc1117
|
@ -45,21 +45,7 @@ spec:
|
||||||
image: {{ .Values.images.tags.error_pages }}
|
image: {{ .Values.images.tags.error_pages }}
|
||||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||||
{{ tuple $envAll $envAll.Values.pod.resources.maas_ingress_errors | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
{{ tuple $envAll $envAll.Values.pod.resources.maas_ingress_errors | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
{{ dict "envAll" $envAll "application" "ingress_errors" "container" "maas_ingress_errors" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
args:
|
||||||
command:
|
- "-port"
|
||||||
- /tmp/maas-ingress-errors.sh
|
- {{ tuple "maas_ingress" "podport" "error_pages" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
|
||||||
- start
|
|
||||||
env:
|
|
||||||
- name: BIND_PORT
|
|
||||||
value: {{ tuple "maas_ingress" "podport" "error_pages" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
|
|
||||||
volumeMounts:
|
|
||||||
- mountPath: /tmp/maas-ingress-errors.sh
|
|
||||||
name: maas-bin
|
|
||||||
subPath: maas-ingress-errors
|
|
||||||
readOnly: true
|
|
||||||
volumes:
|
|
||||||
- name: maas-bin
|
|
||||||
configMap:
|
|
||||||
name: maas-bin
|
|
||||||
defaultMode: 0555
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
|
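Review bot: The new side drops the `kubernetes_container_security_context` include for maas_ingress_errors (the old-side line that the new `args:` replaces), so the `readOnlyRootFilesystem: true` that values.yaml still declares under `container.maas_ingress_errors` is no longer rendered and the container runs with a writable root filesystem and only the pod-level runAsUser applied. If the intent is to rely solely on the new image's built-in non-root user, the now-dead values key should go as well; otherwise keep the include above `args:`: `{{ dict "envAll" $envAll "application" "ingress_errors" "container" "maas_ingress_errors" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}`. This reading assumes the rendered columns are old on the left and new on the right; indentation was lost in rendering, so the indent of the restored line must be checked against the file. The enclosing container spec starts before this hunk.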
@ -196,11 +196,10 @@ spec:
|
||||||
image: {{ .Values.images.tags.ingress_vip }}
|
image: {{ .Values.images.tags.ingress_vip }}
|
||||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||||
{{ tuple $envAll $envAll.Values.pod.resources.maas_ingress_vip | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
{{ tuple $envAll $envAll.Values.pod.resources.maas_ingress_vip | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
securityContext:
|
{{ dict "envAll" $envAll "application" "ingress" "container" "maas_ingress_vip" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||||
capabilities:
|
capabilities:
|
||||||
add:
|
add:
|
||||||
- 'NET_ADMIN'
|
- 'NET_ADMIN'
|
||||||
runAsUser: 0
|
|
||||||
command:
|
command:
|
||||||
- /bin/init
|
- /bin/init
|
||||||
env:
|
env:
|
||||||
|
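Review bot: maas-ingress-vip keeps `capabilities: add: - 'NET_ADMIN'` while the new values run it as UID 33, and a capability added through securityContext is generally not in the effective set of a non-root process unless the binary carries file capabilities (Kubernetes does not set ambient capabilities), so VIP management in the busybox image will likely fail with EPERM instead of gaining NET_ADMIN. This should be verified by rendering the chart and exercising the VIP script as UID 33 before merging; if it fails, the fix is either an image whose networking tool carries `cap_net_admin+ep` file capabilities or keeping root only for this one container while the rest of the pod stays non-root. The same concern applies to the `NET_BIND_SERVICE` grant for maas-ingress in the next hunk, although the nginx-ingress-controller image may already set file capabilities on its nginx binary — confirm for the 0.20.0 tag. Separately, the surviving `capabilities:` lines now follow the include rather than a literal `securityContext:` key; their indentation relative to the snippet's output was lost in rendering and should be checked so they still nest under the rendered securityContext in both hunks.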
@ -224,11 +223,10 @@ spec:
|
||||||
image: {{ .Values.images.tags.ingress }}
|
image: {{ .Values.images.tags.ingress }}
|
||||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||||
{{ tuple $envAll $envAll.Values.pod.resources.maas_ingress | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
{{ tuple $envAll $envAll.Values.pod.resources.maas_ingress | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
securityContext:
|
{{ dict "envAll" $envAll "application" "ingress" "container" "maas_ingress" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||||
capabilities:
|
capabilities:
|
||||||
add:
|
add:
|
||||||
- 'NET_BIND_SERVICE'
|
- 'NET_BIND_SERVICE'
|
||||||
runAsUser: 0
|
|
||||||
command:
|
command:
|
||||||
- /tmp/maas-ingress.sh
|
- /tmp/maas-ingress.sh
|
||||||
- start
|
- start
|
||||||
|
|
|
@ -98,7 +98,7 @@ images:
|
||||||
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
|
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
|
||||||
ingress: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.20.0
|
ingress: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.20.0
|
||||||
ingress_vip: docker.io/busybox:latest
|
ingress_vip: docker.io/busybox:latest
|
||||||
error_pages: gcr.io/google_containers/defaultbackend:1.0
|
error_pages: gcr.io/google_containers/ingress-gce-404-server-with-metrics-amd64:v1.6.0
|
||||||
maas_syslog: quay.io/airshipit/maas-region-controller:latest
|
maas_syslog: quay.io/airshipit/maas-region-controller:latest
|
||||||
pull_policy: IfNotPresent
|
pull_policy: IfNotPresent
|
||||||
local_registry:
|
local_registry:
|
||||||
|
@ -284,12 +284,17 @@ pod:
|
||||||
syslog:
|
syslog:
|
||||||
runAsUser: 99
|
runAsUser: 99
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
|
ingress:
|
||||||
|
container:
|
||||||
|
maas_ingress:
|
||||||
|
runAsUser: 33
|
||||||
|
maas_ingress_vip:
|
||||||
|
runAsUser: 33
|
||||||
ingress_errors:
|
ingress_errors:
|
||||||
pod:
|
pod:
|
||||||
runAsUser: 99
|
runAsUser: 65534
|
||||||
container:
|
container:
|
||||||
maas_ingress_errors:
|
maas_ingress_errors:
|
||||||
runAsUser: 0
|
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
affinity:
|
affinity:
|
||||||
anti:
|
anti:
|
||||||
|
|
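Review bot: The new `ingress.container.maas_ingress` and `maas_ingress_vip` stanzas set only `runAsUser: 33`, whereas the sibling `syslog` and `maas_ingress_errors` entries also carry `readOnlyRootFilesystem: true`; if the helm-toolkit snippet renders the container map verbatim as securityContext, adding `readOnlyRootFilesystem: true` (with an emptyDir for any path nginx writes) and `allowPrivilegeEscalation: false` here would complete the hardening the commit starts by moving these containers off root. No pod-level block is added under `ingress:` (unlike `ingress_errors.pod`), so whether an `ingress.pod` stanza exists elsewhere in values.yaml is not visible here and should be checked. The surrounding `pod:` map starts before this hunk.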