From c8b1ad3059f1562e5bd9f027177f0b3852f5026b Mon Sep 17 00:00:00 2001
From: John M Flinchbaugh
Date: Thu, 17 Nov 2022 11:05:22 -0500
Subject: [PATCH] INT-7432 security context for openshift (#34)

OpenShift requires the red hat image (optional) and these security settings to alleviate warnings.
These changes are fine for other k8s implementations like minikube using the stock container from docker hub.
---
 nexus-repository-manager/templates/deployment.yaml | 9 ++++++++-
 nexus-repository-manager/tests/deployment_test.yaml | 9 ++++++++-
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/nexus-repository-manager/templates/deployment.yaml b/nexus-repository-manager/templates/deployment.yaml
index d3eea71..712e726 100644
--- a/nexus-repository-manager/templates/deployment.yaml
+++ b/nexus-repository-manager/templates/deployment.yaml
@@ -59,7 +59,14 @@ spec:
 - name: {{ .Chart.Name }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
-
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
 lifecycle:
 {{- if .Values.deployment.postStart.command }}
 postStart:
diff --git a/nexus-repository-manager/tests/deployment_test.yaml b/nexus-repository-manager/tests/deployment_test.yaml
index 25d6396..a6addc8 100644
--- a/nexus-repository-manager/tests/deployment_test.yaml
+++ b/nexus-repository-manager/tests/deployment_test.yaml
@@ -36,7 +36,14 @@ tests:
 pattern: sonatype/nexus3:3\.\d+\.\d+
 - equal:
 path: spec.template.spec.containers[0].securityContext
- value: null
+ value:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 - equal:
 path: spec.template.spec.containers[0].imagePullPolicy
 value: IfNotPresent
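Review bot: The new `securityContext` block in the templates/deployment.yaml hunk is hard-coded, so a chart user cannot adjust it even though the commit message says the image itself is swappable via `.Values.image.repository`; `runAsNonRoot: true` with no `runAsUser` relies on the image's `USER` directive, and an image that runs as root will be rejected when the container is created rather than at `helm template` time. Moving the block behind a `.Values.securityContext` map, with these five settings as the defaults in values.yaml, keeps the hardening on by default while letting operators pin a UID or add settings such as `readOnlyRootFilesystem` once they have confirmed the image tolerates them. The tests/deployment_test.yaml hunk would keep passing unchanged with those defaults; a second test case with an overridden value would show the indirection actually takes effect. The container spec continues outside the hunk, so a pod-level `securityContext` (for example an `fsGroup` for the data volume) may already exist elsewhere in the template and should agree with this container-level block.
```yaml
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          {{- with .Values.securityContext }}
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          # … unchanged: lifecycle …
```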