Fix securityContext for pod (#2623)

Some of the `securityContext` settings need to be on the container, not on the pod, including the read-only file system, which was not previously enabled. This now enables the read-only file system. Also map the crawler /tmp directory to use the same volume as crawls (as crawler currently uses /tmp dir) as /tmp becomes read-only otherwise.
2025-05-27 10:59:50 -07:00 · 2025-05-27 10:59:50 -07:00 · 5b0f851857
commit 5b0f851857
parent 7674672027
1 changed files with 9 additions and 2 deletions
--- a/chart/app-templates/crawler.yaml
+++ b/chart/app-templates/crawler.yaml
@ -55,8 +55,6 @@ spec:
    runAsUser: {{ crawler_uid }}
    runAsGroup: {{ crawler_gid }}
    fsGroup: {{ crawler_fsgroup }}
-    allowPrivilegeEscalation: false
-    readOnlyRootFilesystem: true

  terminationGracePeriodSeconds: {{ termination_grace_secs }}
  volumes:
@ -185,6 +183,11 @@ spec:
       {% endif %}
        - name: crawl-data
          mountPath: /crawls
+
+        - name: crawl-data
+          mountPath: /tmp
+          subPath: tmp
+
      envFrom:
        - configMapRef:
            name: shared-crawler-config
@ -238,4 +241,8 @@ spec:
        failureThreshold: 3
      {% endif %}

+      securityContext:
+        allowPrivilegeEscalation: false
+        readOnlyRootFilesystem: true
+
 {% endif %}