From d4ef2772165432f8316cabc5c8739bd2159dc32c Mon Sep 17 00:00:00 2001
From: Aviram Hassan
Date: Tue, 10 Dec 2024 20:49:00 +0200
Subject: [PATCH] fix readOnlyRootFilesystem location (#135)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

fix readOnlyRootFilesystem location and make the security context fix…ed even if port is higher than 1024
---
 mirrord-operator/Chart.yaml                |  2 +-
 mirrord-operator/templates/deployment.yaml | 13 +++++++++----
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/mirrord-operator/Chart.yaml b/mirrord-operator/Chart.yaml
index 8263593..a8d5bea 100644
--- a/mirrord-operator/Chart.yaml
+++ b/mirrord-operator/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.13.1
+version: 1.13.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/mirrord-operator/templates/deployment.yaml b/mirrord-operator/templates/deployment.yaml
index ddb6e3b..2423055 100644
--- a/mirrord-operator/templates/deployment.yaml
+++ b/mirrord-operator/templates/deployment.yaml
@@ -33,16 +33,15 @@ spec:
         - {{ toYaml . }}
         {{- end }}
       {{- end }}
-      {{/* Allow low port using ip_unprivileged_port_start */}}
-      {{- if lt (int .Values.operator.port) 1024 -}}
       securityContext:
-        readOnlyRootFilesystem: true
         runAsNonRoot: true
         runAsUser: 1000
+        {{/* Allow low port using ip_unprivileged_port_start */}}
+        {{- if lt (int .Values.operator.port) 1024 -}}
         sysctls:
           - name: net.ipv4.ip_unprivileged_port_start
             value: {{ .Values.operator.port | quote}}
-      {{- end }}
+        {{- end }}
       {{- if .Values.operator.tolerations }}
       tolerations:
       {{- toYaml .Values.operator.tolerations | nindent 8 }}
@@ -145,6 +144,7 @@ spec:
           securityContext:
             allowPrivilegeEscalation: false
             privileged: false
+            readOnlyRootFilesystem: true
           volumeMounts:
           {{- if or (index .Values.tls.data "tls.key") .Values.tls.certManager.enabled }}
             - mountPath: /tls
@@ -156,6 +156,9 @@ spec:
             - mountPath: /license
               name: license-volume
           {{- end }}
+            # needed for the operator to download and use CA
+            - mountPath: /tmp
+              name: tmp
       serviceAccountName: {{ .Values.sa.name }}
       volumes:
         - name: mirrord-config-volume
@@ -176,3 +179,5 @@ spec:
             secret:
               secretName: {{ .Values.license.pemRef }}
         {{- end }}
+        - emptyDir: {}
+          name: tmp
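Review bot: The relocated `{{/* ... */}}` comment only renders correctly because its own leading newline and indentation survive into the output and become the line break before `sysctls:`, since the following `{{- if ... -}}` trims whitespace on both sides; any later edit that drops or re-indents that comment line would silently break the rendered securityContext. Prefer the usual Helm idiom of trimming only on the left: `{{- /* Allow low port using ip_unprivileged_port_start */}}` followed by `{{- if lt (int .Values.operator.port) 1024 }}`, so `sysctls:` carries its own newline and indent. That also appears to remove the whitespace-only line left after `runAsUser: 1000` when the port is 1024 or higher and the branch is skipped. The enclosing pod spec starts and ends outside the hunk.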
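Review bot: `readOnlyRootFilesystem` now sits in the container securityContext, which is where the API defines it, but that mapping still drops no capabilities and sets no seccomp profile, so the container keeps the runtime's default capability set. Unless the operator needs a specific capability, add `capabilities.drop: ["ALL"]` and `seccompProfile.type: RuntimeDefault` next to the new line; together with the pod-level `runAsNonRoot: true` from the first hunk this is what the Pod Security "restricted" profile expects. The container definition continues outside the hunk.
```yaml
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
          # … unchanged: volumeMounts …
```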
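Review bot: With the root filesystem now read-only, the `/tmp` mount added in the third hunk is the container's only writable path, yet the volume backing it (declared as `- emptyDir: {}` in the last hunk) has no `sizeLimit`, so whatever is written there can grow until the node reports disk pressure and evicts the pod. Bound it in the last hunk, e.g. `emptyDir:` / `sizeLimit: 64Mi` (constructed example; size it to what the CA download actually needs), and make the mount comment say why the mount exists: `# /tmp is the only writable path once readOnlyRootFilesystem is set; the operator downloads the CA here`. The volumeMounts and volumes lists both begin outside their hunks.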