run as root

FIWARE-Ops · Mar 12, 2024 · d8a891e · d8a891e
1 parent 851c4a4
commit d8a891e
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 1 deletion.
diff --git a/aws/fiware/dome-wallet/wallet-driving/templates/deployment.yaml b/aws/fiware/dome-wallet/wallet-driving/templates/deployment.yaml
@@ -21,6 +21,7 @@ spec:
       labels:
         {{ include "wallet-driving.labels" . | nindent 8 }}
     spec:
+      serviceAccountName: wallet-driving-sa
       containers: 
         - name: {{ .Chart.Name }}
           imagePullPolicy: {{ .Values.deployment.image.pullPolicy }}
@@ -49,4 +50,7 @@ spec:
           ports:
             - containerPort: {{ .Values.service.port}}
               name: http
-              protocol: TCP
+              protocol: TCP
+          securityContext:
+            runAsRoot: true
+            runAsUser: 1001
diff --git a/aws/fiware/dome-wallet/wallet-driving/templates/role.yaml b/aws/fiware/dome-wallet/wallet-driving/templates/role.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: wallet-driving
+rules:
+  - apiGroups:
+      - security.openshift.io
+    resourceNames:
+      - anyuid
+      - privileged
+    resources:
+      - securitycontextconstraints
+    verbs:
+      - use
diff --git a/aws/fiware/dome-wallet/wallet-driving/templates/rolebinding.yaml b/aws/fiware/dome-wallet/wallet-driving/templates/rolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: wallet-driving-rb
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: wallet-driving
+subjects:
+  - kind: ServiceAccount
+    name: wallet-driving-sa
+    namespace: fiware
diff --git a/aws/fiware/dome-wallet/wallet-driving/templates/serviceAccount.yaml b/aws/fiware/dome-wallet/wallet-driving/templates/serviceAccount.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: wallet-driving-sa