Unverified Commit 7dfa6dbd authored by watucker's avatar watucker Committed by GitHub

Merge pull request #221 from ESGF/container-security-contexts

Allow setting container security contexts from helm chart on all components.
parents 4a18dbba c4b5468d
+3 −0
@@ -53,6 +53,9 @@ spec:
            # where files are expected to change
            - name: tmp
              mountPath: /tmp
          {{- with $auth.securityContext }}
          securityContext: {{ toYaml . | nindent 12 }}
          {{- end }}
      {{- with $auth.nodeSelector }}
      nodeSelector: {{ toYaml . | nindent 8 }}
      {{- end }}
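Review bot: The `{{- with $auth.securityContext }}` guard renders no securityContext at all when the value is null or empty, so the read-only root filesystem now exists only as a values.yaml default, and a `securityContext: null` override (which Helm treats as deleting the key) drops the hardening with no rendered fallback. A comment above the guard would make that explicit to chart maintainers: `# Rendered verbatim from values; the read-only rootfs default lives in values.yaml, not here`. The same pattern is introduced for the OPA container and, replacing a previously unconditional block, for the search container in the next two files. The enclosing container spec starts before this hunk.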
+3 −0
@@ -38,6 +38,9 @@ spec:
            - name: policy
              mountPath: /policies
              readOnly: true
          {{- with $opa.securityContext }}
          securityContext: {{ toYaml . | nindent 12 }}
          {{- end }}
      {{- with $opa.nodeSelector }}
      nodeSelector: {{ toYaml . | nindent 8 }}
      {{- end }}
+3 −2
@@ -43,8 +43,9 @@ spec:
          livenessProbe:
            <<: *probe
            initialDelaySeconds: 120
          securityContext:
            readOnlyRootFilesystem: true
          {{- with $search.securityContext }}
          securityContext: {{ toYaml . | nindent 12 }}
          {{- end }}
          volumeMounts:
            - name: esg-config
              mountPath: /esg/config
+3 −4
@@ -144,10 +144,9 @@ spec:
            - name: thredds-cache
              mountPath: /opt/tomcat/content/thredds/cache
            # The shared log volume is only required if the access log sidecar is enabled
            {{- if $accessLogSidecar.enabled }}
            # It is also required for a readOnly root filesystem.
            - name: tomcat-logs
              mountPath: /opt/tomcat/logs
            {{- end }}
            # In order to use a read-only rootfs, we must put emptyDirs where we expect tomcat to write
            - name: tomcat-temp
              mountPath: /opt/tomcat/temp
@@ -219,11 +218,11 @@ spec:
          emptyDir: {}
        - name: tmp-thredds
          emptyDir: {}
        # These volumes are only required if the access log sidecar is enabled
        {{- if $accessLogSidecar.enabled }}
        # Volume to hold the log pipes
        - name: tomcat-logs
          emptyDir: {}
        # These volumes are only required if the access log sidecar is enabled
        {{- if $accessLogSidecar.enabled }}
        # Logstash config is in a secret
        - name: logstash-conf
          secret:
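Review bot: The comment `# The shared log volume is only required if the access log sidecar is enabled` in the first hunk no longer appears to describe the code under it if, as the second hunk suggests, the `{{- if $accessLogSidecar.enabled }}` block now closes before the tomcat-logs entries and that mount is unconditional; the follow-on `# It is also required for a readOnly root filesystem.` reads as a correction stacked on a stale sentence. Fold them into one statement of the current rule, e.g. `# Always mounted: tomcat writes logs here, which a read-only rootfs forbids; the access log sidecar reads from it`, and apply the same wording to `# Volume to hold the log pipes` in the second hunk. Both hunks sit inside the pod spec, which starts before and continues past them.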
+13 −1
@@ -115,6 +115,10 @@ auth:
        userinfo_endpoint:
        client_kwargs:
          scope: openid profile email
  # Security context for auth container.
  securityContext:
    # Run with a read-only root filesystem by default
    readOnlyRootFilesystem: true

###
# OPA server configuration
@@ -153,6 +157,10 @@ opa:
  logLevel: info
  # Paths to restrict
  restrictedPaths: []
  # Security context for OPA container.
  securityContext:
    # Run with a read-only root filesystem by default
    readOnlyRootFilesystem: true

###
# Data node configuration
@@ -345,7 +353,6 @@ data:
    # See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
    tolerations:


###
# Index node configuration
###
@@ -463,3 +470,8 @@ index:
    # The tolerations for the search pods
    # See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
    tolerations:
  # Security context for search container.

    securityContext:
      # Run with a read-only root filesystem by default
      readOnlyRootFilesystem: true
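Review bot: In the last hunk the comment `# Security context for search container.` is at two-space indent and separated by a blank line from the `securityContext:` key it documents, which is indented four spaces under the search settings; the auth and OPA additions earlier in this file put the comment directly above the key at matching indent. Move it to `    # Security context for search container.` immediately above `    securityContext:` and drop the blank line so it reads as a stanza comment rather than a stray top-level note. It would also help operators to say in each of these comments that the map is written into the container spec as-is and there is no template-side default, so whatever ends up in values is the complete container security context.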