From 8a699c8039bcbadc3e93c41eda373e0386135d64 Mon Sep 17 00:00:00 2001
From: Rob Watson
Date: Sun, 10 Sep 2023 23:54:06 +0200
Subject: [PATCH] chore: add missing readOnlyRootFilesystem config
---
 deploy/base/deploy-drone-runner.yaml | 2 +
 deploy/base/deploy-drone.yaml | 2 +
 deploy/base/deploy-element.yaml | 54 ++++++++++---------
 deploy/base/deploy-invidious.yaml | 6 +++
 deploy/base/deploy-netflux-homepage.yaml | 2 +
 deploy/base/deploy-solar-toolkit-gateway.yaml | 2 +
 deploy/base/statefulset-gitea.yaml | 2 +
 deploy/base/statefulset-synapse.yaml | 2 +
 8 files changed, 46 insertions(+), 26 deletions(-)
diff --git a/deploy/base/deploy-drone-runner.yaml b/deploy/base/deploy-drone-runner.yaml
index 4bf8338..bcacc8e 100644
--- a/deploy/base/deploy-drone-runner.yaml
+++ b/deploy/base/deploy-drone-runner.yaml
@@ -57,3 +57,5 @@ spec:
 limits:
 memory: 1024Mi
 cpu: 1500m
+ securityContext:
+ readOnlyRootFilesystem: true
diff --git a/deploy/base/deploy-drone.yaml b/deploy/base/deploy-drone.yaml
index 41f30ad..3b3c99c 100644
--- a/deploy/base/deploy-drone.yaml
+++ b/deploy/base/deploy-drone.yaml
@@ -83,6 +83,8 @@ spec:
 limits:
 memory: "128Mi"
 cpu: "250m"
+ securityContext:
+ readOnlyRootFilesystem: true
 livenessProbe:
 failureThreshold: 10
 httpGet:
diff --git a/deploy/base/deploy-element.yaml b/deploy/base/deploy-element.yaml
index faed7d7..3fcc193 100644
--- a/deploy/base/deploy-element.yaml
+++ b/deploy/base/deploy-element.yaml
@@ -7,6 +7,8 @@ metadata:
 component: web
 app.kubernetes.io/name: element
 app.kubernetes.io/instance: element
+ annotations:
+ ignore-check.kube-linter.io/no-read-only-root-fs: "Element image requires write access for Nginx configuration"
 spec:
 selector:
 matchLabels:
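Review bot: Each added `securityContext` sets only `readOnlyRootFilesystem: true`; the fields that normally accompany it in a hardened container context — `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}`, plus `runAsNonRoot: true` where the image already runs unprivileged (the `gitea/gitea:1.20.4-rootless` image in the statefulset-gitea hunk suggests that one does) — are absent from every stanza. The same applies to the stanzas added in deploy-drone.yaml, deploy-invidious.yaml (three containers), deploy-netflux-homepage.yaml, deploy-solar-toolkit-gateway.yaml, statefulset-gitea.yaml and statefulset-synapse.yaml, so the omission is best fixed once across the set. Indentation is not visible in this rendering, so it should be confirmed that each `securityContext` lands at the container level (a sibling of `resources`/`livenessProbe`) rather than the pod level, since `readOnlyRootFilesystem` is a container-only field. The enclosing container spec begins outside the hunk.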
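Review bot: The new annotation suppresses the kube-linter `no-read-only-root-fs` check for the whole Deployment instead of resolving the finding; if the element image only needs to write its nginx configuration and runtime directories at startup, those paths can be backed by `emptyDir` volumes (one `volumeMounts` entry per writable path — the exact paths need confirming from the image's entrypoint) while keeping `readOnlyRootFilesystem: true` on the container. If the suppression is kept, the reason string should name the writable paths so a later reviewer can re-evaluate it, e.g. `"Element entrypoint writes nginx config under <WRITABLE_PATH> at startup"`. The container spec this decision affects is in the second hunk of this file, which only re-indents it.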
@@ -21,30 +23,30 @@ spec:
 app.kubernetes.io/instance: element
 spec:
 containers:
- - name: element
- image: vectorim/element-web:v1.11.40
- volumeMounts:
- - name: config
- mountPath: /app/config.json
- subPath: config.json
- ports:
- - containerPort: 80
- name: http
- protocol: TCP
- livenessProbe:
- httpGet:
- path: /
- port: http
- initialDelaySeconds: 10
- periodSeconds: 10
- resources:
- requests:
- memory: "32Mi"
- cpu: "50m"
- limits:
- memory: "64Mi"
- cpu: "250m"
+ - name: element
+ image: vectorim/element-web:v1.11.40
+ volumeMounts:
+ - name: config
+ mountPath: /app/config.json
+ subPath: config.json
+ ports:
+ - containerPort: 80
+ name: http
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /
+ port: http
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ resources:
+ requests:
+ memory: "32Mi"
+ cpu: "50m"
+ limits:
+ memory: "64Mi"
+ cpu: "250m"
 volumes:
- - name: config
- configMap:
- name: element-config
+ - name: config
+ configMap:
+ name: element-config
diff --git a/deploy/base/deploy-invidious.yaml b/deploy/base/deploy-invidious.yaml
index 52b3f5b..6aee76c 100644
--- a/deploy/base/deploy-invidious.yaml
+++ b/deploy/base/deploy-invidious.yaml
@@ -37,6 +37,8 @@ spec:
 limits:
 memory: 128Mi
 cpu: 500m
+ securityContext:
+ readOnlyRootFilesystem: true
 - image: jbergknoff/postgresql-client@sha256:45e175ebb700cfd46e23a610477c3576550055ef40c394e663623946a5eced39
 imagePullPolicy: IfNotPresent
 name: init-invidious-db
@@ -83,6 +85,8 @@ spec:
 limits:
 memory: 256Mi
 cpu: 1000m
+ securityContext:
+ readOnlyRootFilesystem: true
 workingDir: /data/repo
 command: ["sh", "docker/init-invidious-db.sh"]
 containers:
@@ -133,6 +137,8 @@ spec:
 periodSeconds: 10
 successThreshold: 1
 timeoutSeconds: 10
+ securityContext:
+ readOnlyRootFilesystem: true
 volumes:
 - name: data
 emptyDir: {}
diff --git a/deploy/base/deploy-netflux-homepage.yaml b/deploy/base/deploy-netflux-homepage.yaml
index c668806..c74b3de 100644
--- a/deploy/base/deploy-netflux-homepage.yaml
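Review bot: The `init-invidious-db` init container now runs `sh docker/init-invidious-db.sh` from `workingDir: /data/repo` on a read-only root filesystem, so every path that script (and the `psql` client it presumably drives) writes to must lie on a mounted volume; `/data` is backed by the `data` emptyDir shown in the third hunk, but scratch locations such as `/tmp` or the client's home directory are not visible here and should be checked against the script. The same applies to the init container in statefulset-gitea.yaml that mounts `init-directory-structure.sh`, whose remaining `volumeMounts` are outside its hunk. A short comment above each of these stanzas would record the assumption, e.g. `# readOnlyRootFilesystem: the init script must only write under mounted volumes`. Both init container specs begin outside their hunks.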
+++ b/deploy/base/deploy-netflux-homepage.yaml
@@ -50,3 +50,5 @@ spec:
 periodSeconds: 10
 successThreshold: 1
 timeoutSeconds: 3
+ securityContext:
+ readOnlyRootFilesystem: true
diff --git a/deploy/base/deploy-solar-toolkit-gateway.yaml b/deploy/base/deploy-solar-toolkit-gateway.yaml
index 5d6e717..77751c1 100644
--- a/deploy/base/deploy-solar-toolkit-gateway.yaml
+++ b/deploy/base/deploy-solar-toolkit-gateway.yaml
@@ -51,3 +51,5 @@ spec:
 periodSeconds: 10
 successThreshold: 1
 timeoutSeconds: 3
+ securityContext:
+ readOnlyRootFilesystem: true
diff --git a/deploy/base/statefulset-gitea.yaml b/deploy/base/statefulset-gitea.yaml
index 86c85b5..4fb63af 100644
--- a/deploy/base/statefulset-gitea.yaml
+++ b/deploy/base/statefulset-gitea.yaml
@@ -59,6 +59,8 @@ spec:
 - mountPath: /usr/sbin/init-directory-structure.sh
 subPath: init-directory-structure.sh
 name: scripts
+ securityContext:
+ readOnlyRootFilesystem: true
 - name: setup-gitea
 image: gitea/gitea:1.20.4-rootless
 imagePullPolicy: IfNotPresent
diff --git a/deploy/base/statefulset-synapse.yaml b/deploy/base/statefulset-synapse.yaml
index 69d7823..75cc66e 100644
--- a/deploy/base/statefulset-synapse.yaml
+++ b/deploy/base/statefulset-synapse.yaml
@@ -61,6 +61,8 @@ spec:
 limits:
 memory: 512Mi
 cpu: 2000m
+ securityContext:
+ readOnlyRootFilesystem: true
 livenessProbe:
 httpGet:
 path: /health