fix (deployment): run portal container as root

openmfp · Jan 7, 2025 · 0ba0716 · 0ba0716
1 parent 606d1ca
commit 0ba0716
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 4 deletions.
diff --git a/charts/portal/templates/deploy.yaml b/charts/portal/templates/deploy.yaml
@@ -19,7 +19,11 @@ spec:
         app: {{ include "common.entity.name" . }}
     spec:
       {{- include "common.imagePullSecret" . | indent 6}}
-      {{ include "common.container.securityContext" . | nindent 6 }}
+      securityContext:
+        readOnlyRootFilesystem: true
+        runAsNonRoot: false
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - name: {{ include "common.entity.name" . }}
         image: {{ .Values.image.name }}:{{ .Chart.AppVersion }}

diff --git a/charts/portal/tests/__snapshot__/deploy_test.yaml.snap b/charts/portal/tests/__snapshot__/deploy_test.yaml.snap
@@ -94,6 +94,6 @@ matches the snapshot:
             - name: github
           securityContext:
             readOnlyRootFilesystem: true
-            runAsNonRoot: true
+            runAsNonRoot: false
             seccompProfile:
               type: RuntimeDefault
diff --git a/charts/portal/tests/__snapshot__/istio_test.yaml.snap b/charts/portal/tests/__snapshot__/istio_test.yaml.snap
@@ -94,7 +94,7 @@ matches the snapshot:
             - name: github
           securityContext:
             readOnlyRootFilesystem: true
-            runAsNonRoot: true
+            runAsNonRoot: false
             seccompProfile:
               type: RuntimeDefault
   2: |
@@ -240,7 +240,7 @@ matches the snapshot with istio disabled:
             - name: github
           securityContext:
             readOnlyRootFilesystem: true
-            runAsNonRoot: true
+            runAsNonRoot: false
             seccompProfile:
               type: RuntimeDefault
   2: |

diff --git a/local-setup/README.md b/local-setup/README.md
@@ -15,6 +15,7 @@ upgrade the Helm releases to their latest chart version based on semver ranges.
 ## Prerequisites
 
 - [Docker](https://www.docker.com) or [podman](https://podman.io): install either docker or podman in order to run the kind cluster
+  Resources: configure at least 10GB of memory for docker
 - [Kind](https://kind.sigs.k8s.io/): In order to have a local kubernetes cluster you can use kind. Kind Installation: [Kind Quick Start](https://kind.sigs.k8s.io/docs/user/quick-start/)
   On macOS using Homebrew:
   ```sh