Fix securityContext for pod (#2623)
Some of the `securityContext` settings need to be on the container, not on the pod, including the read-only file system, which was not previously enabled. This now enables the read-only file system. Also map the crawler /tmp directory to use the same volume as crawls (as crawler currently uses /tmp dir) as /tmp becomes read-only otherwise.
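As an added illustration, not the project's own manifest and not code from this commit, the following minimal pod spec shows which `securityContext` keys belong at the pod level and which only exist at the container level, with `/tmp` backed by an `emptyDir` as the generic alternative to the shared-crawl-volume approach taken here. It also goes a step beyond the commit by dropping all capabilities and applying the runtime default seccomp profile. The pod name, image, UID/GID values and claim name are placeholders.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: crawler-example              # placeholder name
spec:
  # Pod-level securityContext: identity and volume ownership only.
  # allowPrivilegeEscalation / readOnlyRootFilesystem are NOT accepted here.
  securityContext:
    runAsUser: 1000                  # placeholder UID
    runAsGroup: 1000                 # placeholder GID
    fsGroup: 1000                    # placeholder fsGroup
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: crawler
      image: example.invalid/crawler:latest   # placeholder image
      # Container-level securityContext: this is where the two keys
      # moved by the commit actually take effect.
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: crawl-data
          mountPath: /crawls
        # With a read-only root filesystem, /tmp must be an explicit
        # writable mount or the process cannot create scratch files.
        - name: scratch
          mountPath: /tmp
  volumes:
    - name: crawl-data
      persistentVolumeClaim:
        claimName: crawl-data-pvc    # placeholder claim name
    - name: scratch
      emptyDir:
        sizeLimit: 1Gi
```

Misplaced keys like the ones this commit removes from the pod level are exactly what strict field validation catches: applying a manifest with `kubectl apply --validate=strict` (recent kubectl releases) rejects unknown fields instead of silently dropping them, so the "hardening that never applied" situation described in the commit message would have surfaced at deploy time.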
This commit is contained in:
parent 7674672027
commit 5b0f851857
@ -55,8 +55,6 @@ spec:
|
|||||||
runAsUser: {{ crawler_uid }}
|
runAsUser: {{ crawler_uid }}
|
||||||
runAsGroup: {{ crawler_gid }}
|
runAsGroup: {{ crawler_gid }}
|
||||||
fsGroup: {{ crawler_fsgroup }}
|
fsGroup: {{ crawler_fsgroup }}
|
||||||
allowPrivilegeEscalation: false
|
|
||||||
readOnlyRootFilesystem: true
|
|
||||||
|
|
||||||
terminationGracePeriodSeconds: {{ termination_grace_secs }}
|
terminationGracePeriodSeconds: {{ termination_grace_secs }}
|
||||||
volumes:
|
volumes:
|
||||||
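Review bot: removing `allowPrivilegeEscalation` and `readOnlyRootFilesystem` from the pod-level `securityContext` is the correct fix, since neither key is part of `PodSecurityContext` and they were never taking effect there; `runAsUser`, `runAsGroup` and `fsGroup` are pod-level fields and are rightly left in place. While touching this block, consider adding `runAsNonRoot: true` next to `runAsUser: {{ crawler_uid }}` so a template that ends up rendering UID 0 is rejected at admission rather than started as root.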
@ -185,6 +183,11 @@ spec:
|
|||||||
{% endif %}
|
{% endif %}
|
||||||
- name: crawl-data
|
- name: crawl-data
|
||||||
mountPath: /crawls
|
mountPath: /crawls
|
||||||
|
|
||||||
|
- name: crawl-data
|
||||||
|
mountPath: /tmp
|
||||||
|
subPath: tmp
|
||||||
|
|
||||||
envFrom:
|
envFrom:
|
||||||
- configMapRef:
|
- configMapRef:
|
||||||
name: shared-crawler-config
|
name: shared-crawler-config
|
||||||
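Review bot: mounting `crawl-data` a second time at `/tmp` with `subPath: tmp` means everything the crawler writes to `/tmp` is also visible inside the container at `/crawls/tmp` and persists on the crawl volume across pod restarts (and is shared with any other pod that mounts the same claim). Check that nothing downstream treats `/crawls/tmp` as crawl output, and consider either cleaning that directory on start or using an `emptyDir` with a `sizeLimit` if the scratch data is not meant to outlive the pod. The rendered diff does not show indentation, so verify the new `- name: crawl-data` entry lines up with the existing one in the same `volumeMounts` list.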
@ -238,4 +241,8 @@ spec:
|
|||||||
failureThreshold: 3
|
failureThreshold: 3
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
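Review bot: the new container-level `securityContext` is inserted between two `{% endif %}` tags, so it sits inside whatever outer `{% if %}` block the second `{% endif %}` closes; the hunk does not show that block's opening, so confirm it is unconditional for this container, otherwise `readOnlyRootFilesystem: true` would only be rendered when that condition holds. Since this is the first time the read-only root filesystem is actually enforced, every other path the crawler writes (browser profile or cache directories, logs) needs a writable mount like the `/tmp` one added above; adding `capabilities: {drop: ["ALL"]}` alongside the two new keys would complete the container hardening.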