From a502a2eb98a75bd101fb5e90af33d1d7abc50342 Mon Sep 17 00:00:00 2001
From: Christian Kotzbauer
Date: Tue, 26 Apr 2022 08:24:20 +0200
Subject: [PATCH] chore: split deploy-manifests
Signed-off-by: Christian Kotzbauer
---
deploy/job-image/deployment.yaml | 74 +++++++++++++++++++++++++++
deploy/job-image/rbac.yaml | 59 +++++++++++++++++++++
deploy/{ => standard}/deployment.yaml | 2 +
deploy/{ => standard}/rbac.yaml | 0
4 files changed, 135 insertions(+)
create mode 100644 deploy/job-image/deployment.yaml
create mode 100644 deploy/job-image/rbac.yaml
rename deploy/{ => standard}/deployment.yaml (97%)
rename deploy/{ => standard}/rbac.yaml (100%)
diff --git a/deploy/job-image/deployment.yaml b/deploy/job-image/deployment.yaml
new file mode 100644
index 00000000..b4895076
--- /dev/null
+++ b/deploy/job-image/deployment.yaml
@@ -0,0 +1,74 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/name: sbom-operator
+ name: sbom-operator
+ namespace: default
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: sbom-operator
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: sbom-operator
+ spec:
+ containers:
+ - image: ghcr.io/ckotzbauer/sbom-operator:latest
+ name: operator
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_UID
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.uid
+ # Free account
+ - name: SBOM_JOB_CAS_API_KEY
+ value: ""
+ args:
+ # example values
+ - --cron="0 6 * * * *"
+ - --job-image=ghcr.io/ckotzbauer/sbom-operator/cas:0.10.0
+ - --pod-label-selector=sbom-operator\=true
+ ports:
+ - containerPort: 8080
+ name: http
+ protocol: TCP
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 101
+ seccompProfile:
+ type: RuntimeDefault
+ resources:
+ limits:
+ cpu: 500m
+ memory: 500Mi
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ livenessProbe:
+ timeoutSeconds: 3
+ httpGet:
+ path: "/health"
+ port: 8080
+ readinessProbe:
+ timeoutSeconds: 3
+ httpGet:
+ path: "/health"
+ port: 8080
+ securityContext:
+ fsGroup: 101
+ serviceAccountName: sbom-operator
diff --git a/deploy/job-image/rbac.yaml b/deploy/job-image/rbac.yaml
new file mode 100644
index 00000000..eb6a111b
--- /dev/null
+++ b/deploy/job-image/rbac.yaml
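Review bot: `SBOM_JOB_CAS_API_KEY` is given as a literal `value: ""` in the container env, so a real key can only be used by editing it into this committed manifest; it should be read from a Secret via `valueFrom.secretKeyRef` so the credential never sits in the Deployment spec, and the `# Free account` comment should say what an empty value means. If the key is genuinely optional, `optional: true` on the reference keeps the pod startable when the Secret is absent. Two smaller points: the pod-level `securityContext` at the end of the hunk carries only `fsGroup: 101`, so adding `seccompProfile:` / `type: RuntimeDefault` there as well would cover any future initContainer or sidecar (the same likely applies to deploy/standard/deployment.yaml in this commit, whose pod-level block is not in view); and the operator image is pulled as `:latest` while `--job-image` pins `cas:0.10.0`, so pinning the operator tag or digest the same way keeps the rollout reproducible.
```yaml
- name: SBOM_JOB_CAS_API_KEY
  valueFrom:
    secretKeyRef:
      name: sbom-operator-cas  # placeholder: Secret holding the CAS API key
      key: api-key  # placeholder: key name inside that Secret
      optional: true  # only if an empty key is acceptable (free account)
```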
@@ -0,0 +1,59 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: sbom-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: sbom-operator
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - namespaces
+ verbs:
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - create
+ - delete
+- apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - get
+ - create
+ - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: sbom-operator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: sbom-operator
+subjects:
+- kind: ServiceAccount
+ name: sbom-operator
+ namespace: default
diff --git a/deploy/deployment.yaml b/deploy/standard/deployment.yaml
similarity index 97%
rename from deploy/deployment.yaml
rename to deploy/standard/deployment.yaml
index ded24371..173f8f3a 100644
--- a/deploy/deployment.yaml
+++ b/deploy/standard/deployment.yaml
@@ -43,6 +43,8 @@ spec:
 readOnlyRootFilesystem: true
 runAsNonRoot: true
 runAsUser: 101
+ seccompProfile:
+ type: RuntimeDefault
 volumeMounts:
 - mountPath: /work
 name: work
diff --git a/deploy/rbac.yaml b/deploy/standard/rbac.yaml
similarity index 100%
rename from deploy/rbac.yaml
rename to deploy/standard/rbac.yaml
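Review bot: The ServiceAccount at the top of the hunk has no `metadata.namespace`, while the ClusterRoleBinding subject at the bottom hard-codes `namespace: default`; applied with a different `-n`, the SA lands in that namespace, the binding still points at `default`, and the Deployment (which pins `namespace: default`) references a ServiceAccount that was never created there. Adding `namespace: default` under the ServiceAccount's `metadata` keeps the three in step, or all of them could drop the namespace if the files are always applied with an explicit `-n`. Separately, the `secrets` rules are split across two entries (`get` alone, then `get`/`create`/`delete`); the first is fully covered by the second and can be merged, and the same goes for the two `pods` entries. All grants are cluster-wide; if the controller only needs secrets and jobs in its own namespace, moving those rules to a namespaced Role/RoleBinding would narrow what the SA token can reach — worth confirming against what the operator actually does.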
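Review bot: The two `seccompProfile` lines are copied by hand from deploy/job-image/deployment.yaml into a second complete Deployment that, judging by the context lines, appears to differ from it mainly in `volumeMounts` (`/work`) and the args; with two full copies the hardening settings will drift again the next time one of them is touched, which is exactly what this hunk is patching up. A Kustomize base holding the shared pod spec with a `job-image` and a `standard` overlay for the differing lines would let a change like this land once. The enclosing container spec starts and ends outside the hunk.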