From: Krzysztof Opasiak
Date: Wed, 9 Sep 2020 19:23:32 +0000 (+0200)
Subject: [COMMON] Make mongo run as non-root
X-Git-Tag: 7.0.0~257
X-Git-Url: https://gerrit.onap.org/r/gitweb?p=oom.git;a=commitdiff_plain;h=86a28cdb200f482bc9a2e1f281ec1c51938f6c2c

[COMMON] Make mongo run as non-root

Use our helper template and k8s features to make mongodb run as a non-root user as per Guiling requirements.

Issue-ID: DCAEGEN2-2424
Signed-off-by: Krzysztof Opasiak
Change-Id: I44bc079a2cc49dc1b0f1da88e220290098e909d5
---

diff --git a/kubernetes/common/mongo/templates/statefulset.yaml b/kubernetes/common/mongo/templates/statefulset.yaml
index 111bc80586..abc71b3133 100644
--- a/kubernetes/common/mongo/templates/statefulset.yaml
+++ b/kubernetes/common/mongo/templates/statefulset.yaml
@@ -36,10 +36,15 @@ spec:
 app: {{ include "common.name" . }}
 release: {{ include "common.release" . }}
 spec:
+{{ include "common.podSecurityContext" . | indent 6 }}
 containers:
 - name: {{ include "common.name" . }}
 image: "{{ .Values.dockerHubRepository }}/{{ .Values.image }}"
 imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ command:
+ - docker-entrypoint.sh
+ args:
+ - --nounixsocket
 env:
 - name: MONGO_INITDB_DATABASE
 value: "{{ .Values.config.dbName }}"
@@ -68,6 +73,7 @@ spec:
 mountPath: /var/lib/mongo
 resources:
 {{ include "common.resources" . | indent 12 }}
+{{ include "common.containerSecurityContext" . | indent 10 }}
 {{- if .Values.nodeSelector }}
 nodeSelector:
 {{ toYaml .Values.nodeSelector | indent 10 }}
diff --git a/kubernetes/common/mongo/values.yaml b/kubernetes/common/mongo/values.yaml
index d272f706ea..d8988c3ae7 100644
--- a/kubernetes/common/mongo/values.yaml
+++ b/kubernetes/common/mongo/values.yaml
@@ -83,6 +83,10 @@ service:
 rpcbindPort: 111
 rpcbindUdpPort: 111
+securityContext:
+ user_id: 999
+ group_id: 999
+
 ingress:
 enabled: false
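Review bot: The `command`/`args` override added in the first hunk of templates/statefulset.yaml carries no comment saying why the entrypoint is restated or why `--nounixsocket` is passed, and neither is obvious from the manifest. With `command` set, the image's default CMD is no longer used, so startup depends on `docker-entrypoint.sh` treating a leading `-` argument as options for mongod; the upstream mongo entrypoint does this, but it should be confirmed for whatever `.Values.image` resolves to. I would add above `command:` a line such as `# mongod runs as non-root: skip the unix socket file, clients connect over TCP`. If any probe or init script in this chart reaches mongod through the socket file, it has to switch to TCP with this change. The container spec starts and ends outside the hunk.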
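Review bot: `user_id: 999` and `group_id: 999` in the values.yaml hunk are presumably the ids of the mongodb account baked into the image, but nothing records that coupling. If `.Values.image` is later pointed at an image whose mongodb user has different ids, the pod would start as an account that does not own `/var/lib/mongo`. A comment above `securityContext:` such as `# uid/gid of the mongodb user in the image; keep in sync with .Values.image` would make this explicit. Volumes initialised by an earlier root-run release may still be root-owned after an upgrade; whether the `common.podSecurityContext` helper sets `fsGroup` to cover that is not visible here.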