ivampiresp/longhorn
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

webhook: set securityContext

Browse Source 
To follow the least privilege principle, the conversion and admission webhooks
are run with a non-root user (uid = 2000).

Longhorn 3701

Signed-off-by: Derek Su <derek.su@suse.com>
This commit is contained in:
Derek Su 2022-03-09 13:37:42 +08:00 committed by David Ko
parent 9a36732ebd
commit 1b8111495a
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
chart/templates/deployment-webhook.yaml
View File

@ -31,6 +31,8 @@ spec:
- name: longhorn-conversion-webhook - name: longhorn-conversion-webhook
image: {{ template "registry_url" . }}{{ .Values.image.longhorn.manager.repository }}:{{ .Values.image.longhorn.manager.tag }} image: {{ template "registry_url" . }}{{ .Values.image.longhorn.manager.repository }}:{{ .Values.image.longhorn.manager.tag }}
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
securityContext:
runAsUser: 2000
command: command:
- longhorn-manager - longhorn-manager
- conversion-webhook - conversion-webhook
@ -97,10 +99,15 @@ spec:
- name: wait-longhorn-conversion-webhook - name: wait-longhorn-conversion-webhook
image: {{ template "registry_url" . }}{{ .Values.image.longhorn.manager.repository }}:{{ .Values.image.longhorn.manager.tag }} image: {{ template "registry_url" . }}{{ .Values.image.longhorn.manager.repository }}:{{ .Values.image.longhorn.manager.tag }}
command: ['sh', '-c', 'while [ $(curl -m 1 -s -o /dev/null -w "%{http_code}" -k https://longhorn-conversion-webhook:9443/v1/healthz) != "200" ]; do echo waiting; sleep 2; done'] command: ['sh', '-c', 'while [ $(curl -m 1 -s -o /dev/null -w "%{http_code}" -k https://longhorn-conversion-webhook:9443/v1/healthz) != "200" ]; do echo waiting; sleep 2; done']
imagePullPolicy: IfNotPresent
securityContext:
runAsUser: 2000
containers: containers:
- name: longhorn-admission-webhook - name: longhorn-admission-webhook
image: {{ template "registry_url" . }}{{ .Values.image.longhorn.manager.repository }}:{{ .Values.image.longhorn.manager.tag }} image: {{ template "registry_url" . }}{{ .Values.image.longhorn.manager.repository }}:{{ .Values.image.longhorn.manager.tag }}
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
securityContext:
runAsUser: 2000
command: command:
- longhorn-manager - longhorn-manager
- admission-webhook - admission-webhook