refactor: update service names and security contexts in Helm templates
@@ -21,6 +21,17 @@ spec:
containers:
- name: koha
image: {{ .Values.docker.registry }}:{{ .Values.docker.tag }}
securityContext:
runAsUser: 0 # Set root user
allowPrivilegeEscalation: true
privileged: true
seccompProfile:
type: Unconfined
capabilities:
add:
- SETUID
- SETGID
- SYS_ADMIN
env:
- name: USE_PLACK
value: "1"
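Review bot: The securityContext added to the koha container (`runAsUser: 0` together with `privileged: true`, `allowPrivilegeEscalation: true`, `seccompProfile.type: Unconfined` and `SYS_ADMIN`) gives the container full host-level privilege, far more than an entrypoint that only needs to switch to its service account requires. The same block appears to be copied onto apache, db, es, set-max-map-count and memcached in the later hunks (@@ -82, -135, -174, -196, -231), where for es and set-max-map-count it seems to replace earlier hardening (`runAsNonRoot: true`, `capabilities.drop: [ALL]`, `seccompProfile.type: RuntimeDefault`), and once `privileged: true` is set the `capabilities` lists and seccomp profile on those containers have no effect. If the entrypoints only need to change user, keep `runAsUser: 0` with `capabilities.add: [SETUID, SETGID]` and set `privileged: false`, `allowPrivilegeEscalation: false`, `seccompProfile.type: RuntimeDefault`; the set-max-map-count init container is the one place with a real need, because vm.max_map_count is a node-level sysctl that the pod-level `securityContext.sysctls` field cannot set, so a privileged grant is defensible there but should stay scoped to that init container. Either way a one-line comment per container stating why elevated privilege is required, e.g. `# needs SETUID/SETGID: entrypoint drops from root to the koha user`, would make each grant reviewable.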
@@ -68,7 +79,7 @@ spec:
initContainers:
- name: init-wait
image: alpine
command: ["sh", "-c", "for i in $(seq 1 300); do nc -zvw1 {{ .Values.instance }}-plack 5000 && exit 0 || sleep 3; done; exit 1"]
command: ["sh", "-c", "for i in $(seq 1 300); do nc -zvw1 koha 5000 && exit 0 || sleep 3; done; exit 1"]
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -82,9 +93,17 @@ spec:
- name: apache
image: {{ .Values.docker.registry }}:{{ .Values.docker.tag }}
securityContext:
runAsUser: 0 # Set root user
#fsGroup: 1000 # www-data group
allowPrivilegeEscalation: true
privileged: true
seccompProfile:
type: Unconfined
capabilities:
add:
- NET_BIND_SERVICE
- SETUID
- SETGID
- SYS_ADMIN
env:
- name: USE_APACHE2
value: "1"
@@ -100,9 +119,9 @@ spec:
- name: koha-pv
mountPath: /tmp/libshare
subPath: lib
ports:
- containerPort: {{ .Values.opac.port }}
- containerPort: {{ .Values.staff.port }}
# ports:
# - containerPort: {{ .Values.opac.port }}
# - containerPort: {{ .Values.staff.port }}
volumes:
- name: koha-pv
persistentVolumeClaim:
@@ -135,6 +154,17 @@ spec:
containers:
- name: db
image: mariadb:10.3
securityContext:
runAsUser: 999 # Set root user
allowPrivilegeEscalation: true
privileged: true
seccompProfile:
type: Unconfined
capabilities:
add:
- SETUID
- SETGID
- SYS_ADMIN
envFrom:
- configMapRef:
name: koha-map
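Review bot: The comment on the new `runAsUser: 999` line for the db container reads `# Set root user`, but 999 is not root, so the comment contradicts the value it annotates; the same copy-paste mismatch appears on `runAsUser: 497` for memcached in the hunk at @@ -231. Replace each with a comment that names the account the UID actually belongs to in that image, e.g. `runAsUser: 999 # <non-root service UID in mariadb:10.3 — confirm against the image>`, so the next reader is not told the container runs as root when it does not. The surrounding container specs appear to continue outside the shown hunk lines.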
@@ -174,13 +204,16 @@ spec:
- name: es
image: koha/elasticsearch-icu
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- ALL
runAsUser: 0 # Set root user
allowPrivilegeEscalation: true
privileged: true
seccompProfile:
type: RuntimeDefault
type: Unconfined
capabilities:
add:
- SETUID
- SETGID
- SYS_ADMIN
env:
- name: cluster.name
value: "docker-cluster"
@@ -196,12 +229,16 @@ spec:
- name: set-max-map-count
image: alpine
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1000
runAsUser: 0 # Set root user
allowPrivilegeEscalation: true
privileged: true
seccompProfile:
type: Unconfined
capabilities:
drop:
- ALL
add:
- SETUID
- SETGID
- SYS_ADMIN
seccompProfile:
type: RuntimeDefault
command: ["sh", "-c", "sysctl -w vm.max_map_count=262144 && sysctl -w fs.file-max=65536"]
@@ -231,5 +268,16 @@ spec:
containers:
- name: memcached
image: memcached
securityContext:
runAsUser: 497 # Set root user
allowPrivilegeEscalation: true
privileged: true
seccompProfile:
type: Unconfined
capabilities:
add:
- SETUID
- SETGID
- SYS_ADMIN
command: [ "memcached", "-m", "64m" ]
{{ end }}