chore: add missing readOnlyRootFilesystem config
parent
f0803654c1
commit
8a699c8039
|
@ -57,3 +57,5 @@ spec:
|
||||||
limits:
|
limits:
|
||||||
memory: 1024Mi
|
memory: 1024Mi
|
||||||
cpu: 1500m
|
cpu: 1500m
|
||||||
|
securityContext:
|
||||||
|
readOnlyRootFilesystem: true
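Review bot: The added `securityContext` turns on `readOnlyRootFilesystem: true` with no writable mount added alongside it, so a container that writes outside its existing volumes (temp files, pid or cache directories) will fail once this rolls out. The same applies to the other file sections in this commit that add the identical two lines. Where a workload needs scratch space, pair the setting with an `emptyDir` volume mounted at that path rather than relaxing the flag later. Indentation is not recoverable on this page, so also confirm the block sits under the container entry, because `readOnlyRootFilesystem` is a container-level field and is not part of the pod-level `securityContext`. The manifest starts outside this hunk, so existing mounts may already cover the writable paths.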
|
||||||
|
|
|
@ -83,6 +83,8 @@ spec:
|
||||||
limits:
|
limits:
|
||||||
memory: "128Mi"
|
memory: "128Mi"
|
||||||
cpu: "250m"
|
cpu: "250m"
|
||||||
|
securityContext:
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
failureThreshold: 10
|
failureThreshold: 10
|
||||||
httpGet:
|
httpGet:
|
||||||
|
|
|
@ -7,6 +7,8 @@ metadata:
|
||||||
component: web
|
component: web
|
||||||
app.kubernetes.io/name: element
|
app.kubernetes.io/name: element
|
||||||
app.kubernetes.io/instance: element
|
app.kubernetes.io/instance: element
|
||||||
|
annotations:
|
||||||
|
ignore-check.kube-linter.io/no-read-only-root-fs: "Element image requires write access for Nginx configuration"
|
||||||
spec:
|
spec:
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
|
@ -21,30 +23,30 @@ spec:
|
||||||
app.kubernetes.io/instance: element
|
app.kubernetes.io/instance: element
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- name: element
|
- name: element
|
||||||
image: vectorim/element-web:v1.11.40
|
image: vectorim/element-web:v1.11.40
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: config
|
- name: config
|
||||||
mountPath: /app/config.json
|
mountPath: /app/config.json
|
||||||
subPath: config.json
|
subPath: config.json
|
||||||
ports:
|
ports:
|
||||||
- containerPort: 80
|
- containerPort: 80
|
||||||
name: http
|
name: http
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
httpGet:
|
httpGet:
|
||||||
path: /
|
path: /
|
||||||
port: http
|
port: http
|
||||||
initialDelaySeconds: 10
|
initialDelaySeconds: 10
|
||||||
periodSeconds: 10
|
periodSeconds: 10
|
||||||
resources:
|
resources:
|
||||||
requests:
|
requests:
|
||||||
memory: "32Mi"
|
memory: "32Mi"
|
||||||
cpu: "50m"
|
cpu: "50m"
|
||||||
limits:
|
limits:
|
||||||
memory: "64Mi"
|
memory: "64Mi"
|
||||||
cpu: "250m"
|
cpu: "250m"
|
||||||
volumes:
|
volumes:
|
||||||
- name: config
|
- name: config
|
||||||
configMap:
|
configMap:
|
||||||
name: element-config
|
name: element-config
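Review bot: The `ignore-check.kube-linter.io/no-read-only-root-fs` annotation silences the check for the whole Deployment instead of addressing the cause, and the `element` container has no `securityContext` at all in the lines shown. If the only writes are Nginx's runtime configuration and temp files, mounting `emptyDir` volumes over the directories Nginx writes to would let this manifest use `readOnlyRootFilesystem: true` like the others. If the exemption stays, consider adding a setting that does not depend on a writable root, such as `allowPrivilegeEscalation: false`, after checking that the image still starts. It would also help to name the paths that need write access in the annotation text, so the exemption can be revisited.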
|
||||||
|
|
|
@ -37,6 +37,8 @@ spec:
|
||||||
limits:
|
limits:
|
||||||
memory: 128Mi
|
memory: 128Mi
|
||||||
cpu: 500m
|
cpu: 500m
|
||||||
|
securityContext:
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
- image: jbergknoff/postgresql-client@sha256:45e175ebb700cfd46e23a610477c3576550055ef40c394e663623946a5eced39
|
- image: jbergknoff/postgresql-client@sha256:45e175ebb700cfd46e23a610477c3576550055ef40c394e663623946a5eced39
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
name: init-invidious-db
|
name: init-invidious-db
|
||||||
|
@ -83,6 +85,8 @@ spec:
|
||||||
limits:
|
limits:
|
||||||
memory: 256Mi
|
memory: 256Mi
|
||||||
cpu: 1000m
|
cpu: 1000m
|
||||||
|
securityContext:
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
workingDir: /data/repo
|
workingDir: /data/repo
|
||||||
command: ["sh", "docker/init-invidious-db.sh"]
|
command: ["sh", "docker/init-invidious-db.sh"]
|
||||||
containers:
|
containers:
|
||||||
|
@ -133,6 +137,8 @@ spec:
|
||||||
periodSeconds: 10
|
periodSeconds: 10
|
||||||
successThreshold: 1
|
successThreshold: 1
|
||||||
timeoutSeconds: 10
|
timeoutSeconds: 10
|
||||||
|
securityContext:
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
volumes:
|
volumes:
|
||||||
- name: data
|
- name: data
|
||||||
emptyDir: {}
|
emptyDir: {}
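Review bot: The init container that runs `sh docker/init-invidious-db.sh` from `/data/repo` now has a read-only root, and a failing init container keeps the pod from ever starting, so this one deserves a test rollout before merge. The hunk does not show this container's `volumeMounts`, so it is not visible whether everything the script and the database client write ends up on the `data` `emptyDir`. If something writes elsewhere, mount an `emptyDir` at that path rather than dropping the setting. The container definitions start outside the hunks shown.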
|
||||||
|
|
|
@ -50,3 +50,5 @@ spec:
|
||||||
periodSeconds: 10
|
periodSeconds: 10
|
||||||
successThreshold: 1
|
successThreshold: 1
|
||||||
timeoutSeconds: 3
|
timeoutSeconds: 3
|
||||||
|
securityContext:
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
|
|
@ -51,3 +51,5 @@ spec:
|
||||||
periodSeconds: 10
|
periodSeconds: 10
|
||||||
successThreshold: 1
|
successThreshold: 1
|
||||||
timeoutSeconds: 3
|
timeoutSeconds: 3
|
||||||
|
securityContext:
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
|
|
@ -59,6 +59,8 @@ spec:
|
||||||
- mountPath: /usr/sbin/init-directory-structure.sh
|
- mountPath: /usr/sbin/init-directory-structure.sh
|
||||||
subPath: init-directory-structure.sh
|
subPath: init-directory-structure.sh
|
||||||
name: scripts
|
name: scripts
|
||||||
|
securityContext:
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
- name: setup-gitea
|
- name: setup-gitea
|
||||||
image: gitea/gitea:1.20.4-rootless
|
image: gitea/gitea:1.20.4-rootless
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
|
|
|
@ -61,6 +61,8 @@ spec:
|
||||||
limits:
|
limits:
|
||||||
memory: 512Mi
|
memory: 512Mi
|
||||||
cpu: 2000m
|
cpu: 2000m
|
||||||
|
securityContext:
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
httpGet:
|
httpGet:
|
||||||
path: /health
|
path: /health
|
||||||
|
|