chore: run pods as non-root user
parent
8a699c8039
commit
cf06fcf2c5
|
@ -7,6 +7,8 @@ metadata:
|
||||||
component: runner
|
component: runner
|
||||||
app.kubernetes.io/name: drone-runner
|
app.kubernetes.io/name: drone-runner
|
||||||
app.kubernetes.io/instance: drone-runner
|
app.kubernetes.io/instance: drone-runner
|
||||||
|
annotations:
|
||||||
|
ignore-check.kube-linter.io/run-as-non-root: "Not yet implemented"
|
||||||
spec:
|
spec:
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
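Review bot: The added annotation `ignore-check.kube-linter.io/run-as-non-root: "Not yet implemented"` silences the linter for drone-runner instead of making it run as non-root, and the reason string names no blocker or follow-up, so the exemption can easily become permanent. The same annotation is added in the drone, element, netflux-homepage and solar-toolkit-gateway hunks, which means five of the seven workloads touched by a commit titled "run pods as non-root user" still show no `runAsNonRoot` setting in the visible lines. I would have each reason state what prevents the change and where it is tracked, e.g. `ignore-check.kube-linter.io/run-as-non-root: "<blocker>; tracked in <ISSUE-REF>"` (placeholders). The pod spec itself lies outside these hunks, so whether any of these containers already sets a container-level `securityContext` cannot be confirmed from here.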
|
||||||
|
|
|
@ -7,6 +7,8 @@ metadata:
|
||||||
component: web
|
component: web
|
||||||
app.kubernetes.io/name: drone
|
app.kubernetes.io/name: drone
|
||||||
app.kubernetes.io/instance: drone
|
app.kubernetes.io/instance: drone
|
||||||
|
annotations:
|
||||||
|
ignore-check.kube-linter.io/run-as-non-root: "Not yet implemented"
|
||||||
spec:
|
spec:
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
|
|
|
@ -9,6 +9,7 @@ metadata:
|
||||||
app.kubernetes.io/instance: element
|
app.kubernetes.io/instance: element
|
||||||
annotations:
|
annotations:
|
||||||
ignore-check.kube-linter.io/no-read-only-root-fs: "Element image requires write access for Nginx configuration"
|
ignore-check.kube-linter.io/no-read-only-root-fs: "Element image requires write access for Nginx configuration"
|
||||||
|
ignore-check.kube-linter.io/run-as-non-root: "Not yet implemented"
|
||||||
spec:
|
spec:
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
|
|
|
@ -20,6 +20,10 @@ spec:
|
||||||
app.kubernetes.io/name: invidious
|
app.kubernetes.io/name: invidious
|
||||||
app.kubernetes.io/instance: invidious
|
app.kubernetes.io/instance: invidious
|
||||||
spec:
|
spec:
|
||||||
|
securityContext:
|
||||||
|
runAsUser: 1000
|
||||||
|
runAsGroup: 1000
|
||||||
|
runAsNonRoot: true
|
||||||
initContainers:
|
initContainers:
|
||||||
- image: alpine/git:2.40.1
|
- image: alpine/git:2.40.1
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
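Review bot: The pod-level `securityContext` added above `initContainers` also applies to the `alpine/git:2.40.1` init container, so that step now runs as UID 1000 and will fail if the volume it writes to is owned by root. The volume definitions are outside the hunk, so this needs confirming; if the init container writes to an emptyDir or PVC, adding `fsGroup: 1000` next to `runAsGroup: 1000` makes Kubernetes set group ownership on the volume. The radicale hunk sets UID/GID 2999 without an `fsGroup` as well and deserves the same check for its data volume.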
|
||||||
|
|
|
@ -7,6 +7,8 @@ metadata:
|
||||||
component: web
|
component: web
|
||||||
app.kubernetes.io/name: netflux-homepage
|
app.kubernetes.io/name: netflux-homepage
|
||||||
app.kubernetes.io/instance: netflux-homepage
|
app.kubernetes.io/instance: netflux-homepage
|
||||||
|
annotations:
|
||||||
|
ignore-check.kube-linter.io/run-as-non-root: "Not yet implemented"
|
||||||
spec:
|
spec:
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
|
|
|
@ -7,6 +7,8 @@ metadata:
|
||||||
component: web
|
component: web
|
||||||
app.kubernetes.io/name: solar-toolkit-gateway
|
app.kubernetes.io/name: solar-toolkit-gateway
|
||||||
app.kubernetes.io/instance: solar-toolkit-gateway
|
app.kubernetes.io/instance: solar-toolkit-gateway
|
||||||
|
annotations:
|
||||||
|
ignore-check.kube-linter.io/run-as-non-root: "Not yet implemented"
|
||||||
spec:
|
spec:
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
|
|
|
@ -21,6 +21,10 @@ spec:
|
||||||
app.kubernetes.io/name: radicale
|
app.kubernetes.io/name: radicale
|
||||||
app.kubernetes.io/instance: radicale
|
app.kubernetes.io/instance: radicale
|
||||||
spec:
|
spec:
|
||||||
|
securityContext:
|
||||||
|
runAsUser: 2999
|
||||||
|
runAsGroup: 2999
|
||||||
|
runAsNonRoot: true
|
||||||
containers:
|
containers:
|
||||||
- name: radicale
|
- name: radicale
|
||||||
image: tomsquest/docker-radicale:3.1.8.3
|
image: tomsquest/docker-radicale:3.1.8.3
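Review bot: `runAsNonRoot: true` on the pod only guarantees that the process starts with a non-zero UID; it does not stop a setuid binary in the image from regaining privileges, and the container keeps its default capabilities. Under the `radicale` container I would add a container-level `securityContext` with `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}`; the container spec continues past the end of the hunk, so an existing block there may already cover this. The invidious containers would benefit from the same two settings. A short comment beside `runAsUser: 2999`, such as `# must match the UID of the radicale user in the image`, would also explain the constant.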
|
||||||
|
|