From d8a891e9273a8491fa1af3ee853af5d3bbb9cfa8 Mon Sep 17 00:00:00 2001
From: Stefan Wiedemann
Date: Tue, 12 Mar 2024 12:59:58 +0100
Subject: [PATCH] run as root
---
.../wallet-driving/templates/deployment.yaml | 6 +++++-
.../dome-wallet/wallet-driving/templates/role.yaml | 14 ++++++++++++++
.../wallet-driving/templates/rolebinding.yaml | 12 ++++++++++++
.../wallet-driving/templates/serviceAccount.yaml | 4 ++++
4 files changed, 35 insertions(+), 1 deletion(-)
create mode 100644 aws/fiware/dome-wallet/wallet-driving/templates/role.yaml
create mode 100644 aws/fiware/dome-wallet/wallet-driving/templates/rolebinding.yaml
create mode 100644 aws/fiware/dome-wallet/wallet-driving/templates/serviceAccount.yaml
diff --git a/aws/fiware/dome-wallet/wallet-driving/templates/deployment.yaml b/aws/fiware/dome-wallet/wallet-driving/templates/deployment.yaml
index a188c8e8..c243b2ed 100644
--- a/aws/fiware/dome-wallet/wallet-driving/templates/deployment.yaml
+++ b/aws/fiware/dome-wallet/wallet-driving/templates/deployment.yaml
@@ -21,6 +21,7 @@ spec: labels: {{ include "wallet-driving.labels" . | nindent 8 }} spec: + serviceAccountName: wallet-driving-sa containers: - name: {{ .Chart.Name }} imagePullPolicy: {{ .Values.deployment.image.pullPolicy }}
@@ -49,4 +50,7 @@ spec: ports: - containerPort: {{ .Values.service.port}} name: http - protocol: TCP \ No newline at end of file + protocol: TCP + securityContext: + runAsRoot: true + runAsUser: 1001 \ No newline at end of file
diff --git a/aws/fiware/dome-wallet/wallet-driving/templates/role.yaml b/aws/fiware/dome-wallet/wallet-driving/templates/role.yaml
new file mode 100644
index 00000000..d237f4aa
--- /dev/null
+++ b/aws/fiware/dome-wallet/wallet-driving/templates/role.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: wallet-driving
+rules:
+ - apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - anyuid
+ - privileged
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
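Review bot: In the second hunk of templates/deployment.yaml, the added `securityContext` sets `runAsRoot: true`, which is not a field of the Kubernetes SecurityContext (the API defines `runAsNonRoot`, `runAsUser` and `runAsGroup`), so it will be rejected by strict validation or dropped. It also contradicts `runAsUser: 1001` on the next line, a non-root UID, while the commit subject says "run as root", so the intended identity of the container is unclear. If a fixed unprivileged UID is what is wanted, write `runAsNonRoot: true` with `runAsUser: 1001`, and add `allowPrivilegeEscalation: false` if the block sits at container level. Indentation is lost in this view, so whether the block attaches to the pod or the container should be checked in the file.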
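Review bot: In templates/role.yaml, `resourceNames` grants `use` on the `privileged` SCC as well as `anyuid`, which is far more than the deployment's `runAsUser: 1001` needs. The `privileged` SCC permits privileged containers, host namespaces and host path mounts, so every pod that runs under `wallet-driving-sa` could request them. Drop `- privileged` and keep only `- anyuid`; if the image also works with a namespace-assigned UID, the Role may not be needed at all. A one-line comment above `rules:` saying why the SCC is required would help later reviewers judge the grant.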
diff --git a/aws/fiware/dome-wallet/wallet-driving/templates/rolebinding.yaml b/aws/fiware/dome-wallet/wallet-driving/templates/rolebinding.yaml
new file mode 100644
index 00000000..30c39d7f
--- /dev/null
+++ b/aws/fiware/dome-wallet/wallet-driving/templates/rolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: wallet-driving-rb
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: wallet-driving
+subjects:
+ - kind: ServiceAccount
+ name: wallet-driving-sa
+ namespace: fiware
\ No newline at end of file
diff --git a/aws/fiware/dome-wallet/wallet-driving/templates/serviceAccount.yaml b/aws/fiware/dome-wallet/wallet-driving/templates/serviceAccount.yaml
new file mode 100644
index 00000000..931cf22f
--- /dev/null
+++ b/aws/fiware/dome-wallet/wallet-driving/templates/serviceAccount.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: wallet-driving-sa
\ No newline at end of file
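Review bot: In templates/rolebinding.yaml, the subject hard-codes `namespace: fiware`, while the Role, RoleBinding and ServiceAccount declare no namespace and are created wherever the release is installed. Installed in any other namespace, the binding would hand the SCC permission to whatever `wallet-driving-sa` exists in `fiware` instead of this release's account. Use `namespace: {{ .Release.Namespace }}` so the subject always follows the release.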
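Review bot: In templates/serviceAccount.yaml, the new account appears to exist only to carry the SCC binding, yet by default its API token is mounted into the pod. If the wallet does not call the Kubernetes API (nothing in this patch suggests it does), add `automountServiceAccountToken: false` under the ServiceAccount. The fixed name `wallet-driving-sa`, repeated in deployment.yaml and rolebinding.yaml, also means two releases in one namespace would share the account and its SCC grant; deriving the name from the release would avoid that.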