From 49cafd564b6963f4d74eb371c7de2bd992e2151b Mon Sep 17 00:00:00 2001
From: Angel Kafazov
Date: Tue, 7 Jan 2025 18:10:53 +0200
Subject: [PATCH] fix (deployment): run portal container as root
---
 charts/portal/Chart.yaml | 2 +-
 charts/portal/templates/deploy.yaml | 6 +++++-
 charts/portal/tests/__snapshot__/deploy_test.yaml.snap | 2 +-
 charts/portal/tests/__snapshot__/istio_test.yaml.snap | 4 ++--
 local-setup/README.md | 1 +
 5 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/charts/portal/Chart.yaml b/charts/portal/Chart.yaml
index fdb41a78f..189641aa4 100644
--- a/charts/portal/Chart.yaml
+++ b/charts/portal/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 description: Helm Chart for the openmfp Portal
 name: portal
-version: 0.69.219
+version: 0.69.220
 appVersion: "0.283.0"
 dependencies:
 - name: common
diff --git a/charts/portal/templates/deploy.yaml b/charts/portal/templates/deploy.yaml
index 47f351f33..9ebd4b4d9 100644
--- a/charts/portal/templates/deploy.yaml
+++ b/charts/portal/templates/deploy.yaml
@@ -19,7 +19,11 @@ spec:
 app: {{ include "common.entity.name" . }}
 spec:
 {{- include "common.imagePullSecret" . | indent 6}}
- {{ include "common.container.securityContext" . | nindent 6 }}
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsNonRoot: false
+ seccompProfile:
+ type: RuntimeDefault
 containers:
 - name: {{ include "common.entity.name" . }}
 image: {{ .Values.image.name }}:{{ .Chart.AppVersion }}
diff --git a/charts/portal/tests/__snapshot__/deploy_test.yaml.snap b/charts/portal/tests/__snapshot__/deploy_test.yaml.snap
index 5eda1b7c4..5c88308ee 100644
--- a/charts/portal/tests/__snapshot__/deploy_test.yaml.snap
+++ b/charts/portal/tests/__snapshot__/deploy_test.yaml.snap
@@ -94,6 +94,6 @@ matches the snapshot: - name: github securityContext: readOnlyRootFilesystem: true - runAsNonRoot: true + runAsNonRoot: false seccompProfile: type: RuntimeDefault
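Review bot: Hardcoding `runAsNonRoot: false` in the inline `securityContext` of charts/portal/templates/deploy.yaml switches off the kubelet's refusal to start the container as UID 0 for every install of the chart, and nothing in the hunk records why the portal needs root or how to get back to the shared `common.container.securityContext` helper. I would put a comment above the block, for example `# portal image currently needs UID 0 (<reason>); return to the common helper once the image runs as non-root`, and compensate in the container's own context with `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}`, adding back only what the portal actually requires. `readOnlyRootFilesystem` looks to be rendered at pod level here (indentation is lost on this page, so this is inferred), and it is a container-level field, so check that it is really applied. The container definition continues past the end of the hunk, so an existing container-level context may already cover part of this.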
diff --git a/charts/portal/tests/__snapshot__/istio_test.yaml.snap b/charts/portal/tests/__snapshot__/istio_test.yaml.snap
index 817c104e0..dfc7b268a 100644
--- a/charts/portal/tests/__snapshot__/istio_test.yaml.snap
+++ b/charts/portal/tests/__snapshot__/istio_test.yaml.snap
@@ -94,7 +94,7 @@ matches the snapshot: - name: github securityContext: readOnlyRootFilesystem: true - runAsNonRoot: true + runAsNonRoot: false seccompProfile: type: RuntimeDefault 2: |
@@ -240,7 +240,7 @@ matches the snapshot with istio disabled: - name: github securityContext: readOnlyRootFilesystem: true - runAsNonRoot: true + runAsNonRoot: false seccompProfile: type: RuntimeDefault 2: |
diff --git a/local-setup/README.md b/local-setup/README.md
index c1bfca7e3..24658d542 100644
--- a/local-setup/README.md
+++ b/local-setup/README.md
@@ -15,6 +15,7 @@ upgrade the Helm releases to their latest chart version based on semver ranges. ## Prerequisites - [Docker](https://www.docker.com) or [podman](https://podman.io): install either docker or podman in order to run the kind cluster + Resources: configure at least 10GB of memory for docker - [Kind](https://kind.sigs.k8s.io/): In order to have a local kubernetes cluster you can use kind. Kind Installation: [Kind Quick Start](https://kind.sigs.k8s.io/docs/user/quick-start/) On macOS using Homebrew: ```sh