fix: allow running as non-root

fbuchmeier · Oct 1, 2022 · 4988cfe · 4988cfe
1 parent d90aca1
commit 4988cfe
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/templates/deployment.yaml b/templates/deployment.yaml
@@ -67,7 +67,7 @@ spec:
         {{- if (include "rsyncEnabled" .) }}
         - name: rsyncd
           securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
+            {{- toYaml .Values.rsync.securityContext | nindent 12 }}
           image: "{{ .Values.rsync.image.repository }}:{{ .Values.rsync.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.rsync.image.pullPolicy }}
           env:

diff --git a/values.yaml b/values.yaml
@@ -215,6 +215,18 @@ rsync:
   #   cpu: 50m
   #   memory: 128Mi
 
+  securityContext:
+    capabilities:
+      drop:
+        - ALL
+      add:
+        # rsync: [Receiver] chroot /arma3 failed: Operation not permitted (1)
+        - SYS_CHROOT
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    runAsUser: 431
+    runAsGroup: 433
+
 missions:
   antistasi:
     version: 2.5.5