Enhance entrypoint and deployment configurations for Kubernetes management pod
All checks were successful
Build k8s-mgmt-pod image / Build & Push (push) Successful in 44s

- Add K8S_RUNTIME_ENV_PROFILE and KUBERNETES_SECRETS_DIR variables in entrypoint.sh
- Implement service account kubeconfig installation and environment variable persistence
- Update deployment.yaml to include fsGroup and fsGroupChangePolicy in securityContext
- Modify container ports and resource limits for better management
This commit is contained in:
Michael Trip 2026-06-23 16:37:14 +02:00
parent 795d3844dc
commit 41d4b36345
2 changed files with 117 additions and 10 deletions

View file

@ -16,20 +16,24 @@ spec:
spec:
serviceAccountName: k8s-mgmt-pod
automountServiceAccountToken: true
securityContext:
seccompProfile:
type: RuntimeDefault
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
containers:
- name: k8s-mgmt-pod
image: git.alcatrash.net/michael/k8s-mgmt-pod/k8s-mgmt-pod:latest
imagePullPolicy: Always
ports:
- name: ssh
containerPort: 2222
protocol: TCP
- name: webssh
containerPort: 3000
protocol: TCP
env:
- name: ADMIN_SSH_PUBKEY
valueFrom:
@ -55,6 +59,7 @@ spec:
name: k8s-mgmt-pod-auth
key: USER_PASSWORD
optional: true
resources:
requests:
cpu: 100m
@ -62,30 +67,41 @@ spec:
limits:
cpu: 500m
memory: 512Mi
readinessProbe:
tcpSocket:
port: 2222
initialDelaySeconds: 5
periodSeconds: 10
livenessProbe:
tcpSocket:
port: 2222
initialDelaySeconds: 15
periodSeconds: 20
volumeMounts:
- name: state
mountPath: /var/lib/k8s-mgmt-pod
securityContext:
# sshd still runs as root to switch to authenticated user sessions.
# Binding uses a non-privileged port, so NET_BIND_SERVICE is not required.
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
capabilities:
drop: ["ALL"]
add: ["CHOWN", "DAC_OVERRIDE", "FOWNER", "SETGID", "SETUID", "SYS_CHROOT"]
drop:
- ALL
add:
- AUDIT_WRITE
- CHOWN
- DAC_OVERRIDE
- FOWNER
- SETGID
- SETUID
- SYS_CHROOT
volumes:
- name: state
emptyDir: {}
emptyDir: {}