From 86a28cdb200f482bc9a2e1f281ec1c51938f6c2c Mon Sep 17 00:00:00 2001
From: Krzysztof Opasiak
Date: Wed, 9 Sep 2020 21:23:32 +0200
Subject: [PATCH] [COMMON] Make mongo run as non-root
Use our helper template and k8s features to make mongodb run as a non-root user as per Guiling requirements.
Issue-ID: DCAEGEN2-2424
Signed-off-by: Krzysztof Opasiak
Change-Id: I44bc079a2cc49dc1b0f1da88e220290098e909d5
---
 kubernetes/common/mongo/templates/statefulset.yaml | 6 ++++++
 kubernetes/common/mongo/values.yaml | 4 ++++
 2 files changed, 10 insertions(+)
diff --git a/kubernetes/common/mongo/templates/statefulset.yaml b/kubernetes/common/mongo/templates/statefulset.yaml
index 111bc80586..abc71b3133 100644
--- a/kubernetes/common/mongo/templates/statefulset.yaml
+++ b/kubernetes/common/mongo/templates/statefulset.yaml
@@ -36,10 +36,15 @@ spec:
 app: {{ include "common.name" . }}
 release: {{ include "common.release" . }}
 spec:
+{{ include "common.podSecurityContext" . | indent 6 }}
 containers:
 - name: {{ include "common.name" . }}
 image: "{{ .Values.dockerHubRepository }}/{{ .Values.image }}"
 imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ command:
+ - docker-entrypoint.sh
+ args:
+ - --nounixsocket
 env:
 - name: MONGO_INITDB_DATABASE
 value: "{{ .Values.config.dbName }}"
@@ -68,6 +73,7 @@ spec:
 mountPath: /var/lib/mongo
 resources:
 {{ include "common.resources" . | indent 12 }}
+{{ include "common.containerSecurityContext" . | indent 10 }}
 {{- if .Values.nodeSelector }}
 nodeSelector:
 {{ toYaml .Values.nodeSelector | indent 10 }}
diff --git a/kubernetes/common/mongo/values.yaml b/kubernetes/common/mongo/values.yaml
index d272f706ea..d8988c3ae7 100644
--- a/kubernetes/common/mongo/values.yaml
+++ b/kubernetes/common/mongo/values.yaml
@@ -83,6 +83,10 @@ service:
 rpcbindPort: 111
 rpcbindUdpPort: 111
+securityContext:
+ user_id: 999
+ group_id: 999
+
 ingress:
 enabled: false
--
2.16.6
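Review bot: The added `command`/`args` pair hard-codes `docker-entrypoint.sh` and `--nounixsocket` with no comment saying why the non-root change needs them, and the entrypoint name now has to match whatever image `.Values.image` selects. Disabling the unix socket is presumably needed because the socket path is not writable under the new security context, but that cannot be confirmed from this hunk because the `common.podSecurityContext` helper is defined elsewhere. I would add a comment above `args:` such as `# --nounixsocket: mongod cannot create its socket file when running as the non-root user (confirm)`, so a later image bump does not drop or keep the flag blindly. The container spec continues outside the hunk.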
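Review bot: Nothing in this hunk or the first one deals with data already on the volume mounted at `/var/lib/mongo` (the context line above the added include): files written by an earlier root-run pod stay root-owned, so after an upgrade mongod under the new UID may fail to open them unless the pod-level helper sets `fsGroup` and the volume type honours it. The helper bodies are not in this diff, so this is something to check, not a confirmed defect. I would note it next to the mount, e.g. `# must be writable by securityContext.user_id/group_id; pre-existing root-owned data needs fsGroup or a one-off chown`. If `common.containerSecurityContext` also makes the root filesystem read-only, any other path mongod writes to needs its own writable mount. The container spec starts outside the hunk.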
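Review bot: The new `securityContext` block sets `user_id: 999` and `group_id: 999` without a comment, and nothing visible in this patch stops a values override of `user_id: 0` from rendering a root pod again. 999 is presumably the mongodb account of the default image; because the image comes from `.Values.image`, the two can drift apart. I would document the coupling with `# UID/GID of the mongodb user in the image; must be non-zero` and, if the shared helper does not already emit it, have the pod context set `runAsNonRoot: true` so the kubelet refuses to start the container as UID 0.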