diff --git a/charts/sn-platform-slim/templates/alert-manager/alertmanager-deployment.yaml b/charts/sn-platform-slim/templates/alert-manager/alertmanager-deployment.yaml
index d871946d..18459ac0 100644
--- a/charts/sn-platform-slim/templates/alert-manager/alertmanager-deployment.yaml
+++ b/charts/sn-platform-slim/templates/alert-manager/alertmanager-deployment.yaml
@@ -60,6 +60,9 @@ spec:
 {{ toYaml .Values.alert_manager.tolerations | indent 8 }}
 {{- end }}
 terminationGracePeriodSeconds: {{ .Values.alert_manager.gracePeriod }}
+ {{- if .Values.alert_manager.securityContext }}
+ securityContext: {{- toYaml .Values.alert_manager.securityContext | nindent 8 }}
+ {{- end }}
 containers:
 {{- if .Values.configmapReload.alertmanager.enabled }}
 - name: {{ template "pulsar.fullname" . }}-{{ .Values.alert_manager.component }}-{{ .Values.configmapReload.alertmanager.name }}
diff --git a/charts/sn-platform-slim/templates/detector/pulsar-detector-deployment.yaml b/charts/sn-platform-slim/templates/detector/pulsar-detector-deployment.yaml
index 54675d4f..6b6af2d2 100644
--- a/charts/sn-platform-slim/templates/detector/pulsar-detector-deployment.yaml
+++ b/charts/sn-platform-slim/templates/detector/pulsar-detector-deployment.yaml
@@ -54,6 +54,9 @@ spec:
 {{- if .Values.global.imagePullSecrets }}
 imagePullSecrets: {{- toYaml .Values.global.imagePullSecrets | nindent 8 }}
 {{- end }}
+ {{- if .Values.pulsar_detector.securityContext }}
+ securityContext: {{- toYaml .Values.pulsar_detector.securityContext | nindent 8 }}
+ {{- end }}
 {{- if .Values.pulsar_detector.serviceAccount.use }}
 serviceAccountName: {{ template "pulsar.detector.serviceAccount" . }}
 {{- end }}
diff --git a/charts/sn-platform-slim/templates/streamnative-console/streamnative-console-statefulset.yaml b/charts/sn-platform-slim/templates/streamnative-console/streamnative-console-statefulset.yaml
index fe00c83e..54c1e2ee 100644
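Review bot: The `securityContext` rendered here is pod-level (it is a sibling of `containers:` on the following line), so it applies to the alertmanager container and the configmap-reload sidecar alike, yet the values.yaml hunks in this commit add a default only for `pulsar_detector`; `alert_manager.securityContext` is neither set nor documented anywhere visible, so the new knob is undiscoverable unless it already exists elsewhere in values.yaml. Add a commented example under `alert_manager:` in values.yaml, e.g. `# securityContext:` / `#   runAsNonRoot: true`. The pod spec this block belongs to starts before the hunk and continues after it.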
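Review bot: The pod-level `runAsNonRoot: true` rendered here, which the values.yaml hunk at `@@ -1337` now enables by default for `pulsar_detector`, is enforced by the kubelet at container start and only succeeds when the image's effective user is numeric and non-root; otherwise the pod is held in CreateContainerConfigError. The chart sets no `runAsUser`, so the outcome rests entirely on the detector image's `USER` directive, which is not visible in this commit. Either confirm the image declares a numeric non-root user or pair the default with an explicit uid, e.g. `securityContext:` / `  runAsNonRoot: true` / `  runAsUser: <image uid>` in values.yaml. The enclosing pod spec starts before and continues after this hunk.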
--- a/charts/sn-platform-slim/templates/streamnative-console/streamnative-console-statefulset.yaml
+++ b/charts/sn-platform-slim/templates/streamnative-console/streamnative-console-statefulset.yaml
@@ -32,7 +32,7 @@ metadata:
 annotations:
 {{- with .Values.streamnative_console.annotations }}
 {{ toYaml . | indent 4 }}
-{{- end }
+{{- end }}
 spec:
 serviceName: "{{ template "pulsar.fullname" . }}-{{ .Values.streamnative_console.component }}"
 replicas: 1
diff --git a/charts/sn-platform-slim/templates/toolset/toolset-statefulset.yaml b/charts/sn-platform-slim/templates/toolset/toolset-statefulset.yaml
index f25d5d36..817bb825 100644
--- a/charts/sn-platform-slim/templates/toolset/toolset-statefulset.yaml
+++ b/charts/sn-platform-slim/templates/toolset/toolset-statefulset.yaml
@@ -72,6 +72,7 @@ spec:
 {{ toYaml .Values.toolset.tolerations | indent 8 }}
 {{- end }}
 terminationGracePeriodSeconds: {{ .Values.toolset.gracePeriod }}
+ {{- if .Values.toolset.installBusybox }}
 initContainers:
 - name: busybox
 image: "{{ .Values.images.toolset.busybox.repository }}:{{ .Values.images.toolset.busybox.tag }}"
@@ -83,13 +84,22 @@ spec:
 command: ["sh", "-c"]
 args:
 - |
+ set -ex
+ cd /home
 mkdir binaries;
 busybox --install -s binaries;
 cp binaries/* /tmp/binaries;
 cp /bin/busybox /tmp/binaries;
+ cp binaries/* tmp/binaries;
+ cp /bin/busybox tmp/binaries;
+ securityContext:
+ runAsUser: 65534
+ runAsGroup: 65534
+ runAsNonRoot: true
 volumeMounts:
 - name: binaries
- mountPath: /tmp/binaries
+ mountPath: /home/tmp/binaries
+ {{- end }}
 containers:
 - name: "pulsar"
 {{- include "pulsar.toolset.image" . | nindent 8 }}
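Review bot: Under the newly added `set -ex` and `cd /home`, the two pre-existing script lines `cp binaries/* /tmp/binaries;` and `cp /bin/busybox /tmp/binaries;` become fatal: the hunk counts (13 old, 22 new, ten additions and one removal) show they are kept as context, but `/tmp/binaries` is no longer a mount point since the emptyDir now lands at `/home/tmp/binaries`, so the multi-source `cp` into a non-existent directory fails and `set -e` aborts the init container before the two new relative copies run. Drop those two absolute-path lines and keep only `cp binaries/* tmp/binaries;` and `cp /bin/busybox tmp/binaries;`. Separately, the init container now runs as uid 65534 yet still does `mkdir binaries` directly in `/home`; that only works if `/home` is writable by that uid in the configured busybox image, which this diff cannot show, so consider doing the scratch work inside the mounted emptyDir (created world-writable by Kubernetes) instead. The `{{- if .Values.toolset.installBusybox }}` that this hunk's `{{- end }}` closes is opened in the previous hunk.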
@@ -116,12 +126,14 @@ spec:
 {{ toYaml . | indent 8 }}
 {{- end }}
 volumeMounts:
+ {{- if .Values.toolset.installBusybox }}
 - name: binaries
 mountPath: /bin/busybox
 subPath: busybox
 - name: binaries
 mountPath: /bin/vi
 subPath: vi
+ {{- end }}
 {{- include "pulsar.toolset.certs.volumeMounts" . | nindent 8 }}
 {{- include "pulsar.toolset.token.volumeMounts" . | nindent 8 }}
 {{- include "pulsar.toolset.log.volumeMounts" . | nindent 8 }}
@@ -130,8 +142,10 @@ spec:
 {{ toYaml . | indent 8 }}
 {{- end }}
 volumes:
+ {{- if .Values.toolset.installBusybox }}
 - name: binaries
 emptyDir: {}
+ {{- end }}
 {{- include "pulsar.toolset.certs.volumes" . | nindent 6 }}
 {{- include "pulsar.toolset.token.volumes" . | nindent 6 }}
 {{- include "pulsar.toolset.log.volumes" . | nindent 6 }}
diff --git a/charts/sn-platform-slim/values.yaml b/charts/sn-platform-slim/values.yaml
index 2c458e2d..a071afec 100644
--- a/charts/sn-platform-slim/values.yaml
+++ b/charts/sn-platform-slim/values.yaml
@@ -1337,6 +1337,8 @@ pulsar_detector:
 # nodeSelector:
 # cloud.google.com/gke-nodepool: default-pool
 # tolerations: []
+ securityContext:
+ runAsNonRoot: true
 # Definition of the serviceAccount used to run brokers.
 serviceAccount:
 # Specifies whether to use a service account to run this component
@@ -1483,6 +1485,7 @@ proxy:
 toolset:
 component: toolset
 useProxy: false
+ installBusybox: true
 replicaCount: 1
 # nodeSelector:
 # cloud.google.com/gke-nodepool: default-pool
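Review bot: `installBusybox: true` is added to the `toolset` block without a comment, so an operator reading values.yaml cannot tell what switching it off changes. The toolset statefulset hunks in this commit render the busybox init container, the `binaries` emptyDir and the `/bin/busybox` and `/bin/vi` mounts only when it is true, so document that above the key: `# Run a busybox init container and mount busybox and vi into the toolset container; the init container, its emptyDir and those mounts are rendered only when true.`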