This repository has been archived by the owner on May 16, 2023. It is now read-only.

Commit

Run as 1000
Signed-off-by: Naseem <[email protected]>
naseemkullah committed Jun 21, 2019
1 parent 4cef518 commit 73ccb0b
Showing 3 changed files with 17 additions and 7 deletions.
3 changes: 2 additions & 1 deletion kibana/README.md
Expand Up @@ -52,7 +52,8 @@ helm install --name kibana elastic/kibana --version 7.1.1 --set imageTag=7.1.1
| `protocol` | The protocol that will be used for the readinessProbe. Change this to `https` if you have `server.ssl.enabled: true` set | `http` |
| `healthCheckPath` | The path used for the readinessProbe to check that Kibana is ready | `/app/kibana` |
| `kibanaConfig` | Allows you to add any config files in `/usr/share/kibana/config/` such as `kibana.yml`. See [values.yaml](./values.yaml) for an example of the formatting. | `{}` |
| `podSecurityContext` | Allows you to set the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) for the pod | `{}` |
| `podSecurityContext` | Allows you to set the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) for the pod | `fsGroup: 2000` |
| `securityContext` | Allows you to set the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) for the container | `capabilities.drop:[ALL]`<br>`runAsNonRoot: true`<br>`runAsUser: 1000` |
| `serviceAccount` | Allows you to overwrite the "default" [serviceAccount](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) for the pod | `[]` |
| `priorityClassName` | The [name of the PriorityClass](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). No default is supplied as the PriorityClass must be created first. | `` |
| `antiAffinityTopologyKey` | The [anti-affinity topology key](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). By default this will prevent multiple Kibana instances from running on the same Kubernetes node | `kubernetes.io/hostname` |
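Review bot: the documented default in the new `podSecurityContext` row is `fsGroup: 2000`, but `kibana/values.yaml` in this same commit sets `fsGroup: 1000`. Make the README match the values file so that anyone reading the table knows which group will own the pod's mounted volumes.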
8 changes: 4 additions & 4 deletions kibana/templates/deployment.yaml
Expand Up @@ -27,10 +27,8 @@ spec:
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
{{- if .Values.podSecurityContext }}
securityContext:
{{ toYaml .Values.podSecurityContext | indent 8 }}
{{- end }}
{{- if .Values.serviceAccount }}
serviceAccount: {{ .Values.serviceAccount }}
{{- end }}
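Review bot: going by the `-27,10 +27,8` line counts, the `{{- if .Values.podSecurityContext }}` / `{{- end }}` pair around the pod-level `securityContext:` is what gets dropped here, while `priorityClassName` above and `serviceAccount` below stay guarded. Keep the guard: with it, a user who sets `podSecurityContext: null` gets the key omitted from the manifest, whereas the unguarded `toYaml` renders a literal `null` under `securityContext:`.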
Expand Down Expand Up @@ -63,6 +61,8 @@ spec:
{{- end }}
containers:
- name: kibana
securityContext:
{{ toYaml .Values.securityContext | indent 10 }}
image: "{{ .Values.image }}:{{ .Values.imageTag }}"
env:
{{- if .Values.elasticsearchURL }}
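Review bot: the container-level `securityContext:` added under `- name: kibana` is rendered unconditionally, unlike the guarded blocks elsewhere in this template. Wrapping it in `{{- with .Values.securityContext }}` ... `{{- end }}` would let a cluster that needs to opt out of the new defaults null the value and get a clean manifest without the key.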
Expand All @@ -78,7 +78,7 @@ spec:
readinessProbe:
{{ toYaml .Values.readinessProbe | indent 10 }}
exec:
command:
command:
- sh
- -c
- |
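Review bot: the `command:` line under `exec:` differs from its previous version only in whitespace, which is unrelated to the security context change. Either leave it out of this commit or mention the cleanup in the commit message so the diff stays focused on the run-as-1000 change.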
Expand All @@ -93,7 +93,7 @@ spec:
curl -k "$@" "{{ .Values.protocol }}://localhost:{{ .Values.httpPort }}${path}"
}
http "{{ .Values.healthCheckPath }}"
ports:
- containerPort: {{ .Values.httpPort }}
13 changes: 11 additions & 2 deletions kibana/values.yaml
Expand Up @@ -44,8 +44,17 @@ kibanaConfig: {}
# nestedkey: value

# If Pod Security Policy in use it may be required to specify security context as well as service account
podSecurityContext: {}
#runAsUser: "place the user id here"

podSecurityContext:
fsGroup: 1000

securityContext:
capabilities:
drop:
- ALL
# readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000

serviceAccount: ""
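Review bot: `# readOnlyRootFilesystem: true` is left commented out under `securityContext:` with no explanation. Add a comment saying why it is disabled by default and what a user needs in place before enabling it. The surviving comment about Pod Security Policy also still reads as if the block were optional; update it now that `fsGroup: 1000` and `runAsUser: 1000` ship as defaults, and note that they assume the configured `image` works under that UID.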


0 comments on commit 73ccb0b
