Enhance entrypoint and deployment configurations for Kubernetes management pod
All checks were successful
Build k8s-mgmt-pod image / Build & Push (push) Successful in 44s
All checks were successful
Build k8s-mgmt-pod image / Build & Push (push) Successful in 44s
- Add K8S_RUNTIME_ENV_PROFILE and KUBERNETES_SECRETS_DIR variables in entrypoint.sh - Implement service account kubeconfig installation and environment variable persistence - Update deployment.yaml to include fsGroup and fsGroupChangePolicy in securityContext - Modify container ports and resource limits for better management
This commit is contained in:
parent
795d3844dc
commit
41d4b36345
2 changed files with 117 additions and 10 deletions
|
|
@ -16,20 +16,24 @@ spec:
|
|||
spec:
|
||||
serviceAccountName: k8s-mgmt-pod
|
||||
automountServiceAccountToken: true
|
||||
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
|
||||
containers:
|
||||
- name: k8s-mgmt-pod
|
||||
image: git.alcatrash.net/michael/k8s-mgmt-pod/k8s-mgmt-pod:latest
|
||||
imagePullPolicy: Always
|
||||
|
||||
ports:
|
||||
- name: ssh
|
||||
containerPort: 2222
|
||||
protocol: TCP
|
||||
- name: webssh
|
||||
containerPort: 3000
|
||||
protocol: TCP
|
||||
|
||||
env:
|
||||
- name: ADMIN_SSH_PUBKEY
|
||||
valueFrom:
|
||||
|
|
@ -55,6 +59,7 @@ spec:
|
|||
name: k8s-mgmt-pod-auth
|
||||
key: USER_PASSWORD
|
||||
optional: true
|
||||
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
|
|
@ -62,30 +67,41 @@ spec:
|
|||
limits:
|
||||
cpu: 500m
|
||||
memory: 512Mi
|
||||
|
||||
readinessProbe:
|
||||
tcpSocket:
|
||||
port: 2222
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 10
|
||||
|
||||
livenessProbe:
|
||||
tcpSocket:
|
||||
port: 2222
|
||||
initialDelaySeconds: 15
|
||||
periodSeconds: 20
|
||||
|
||||
volumeMounts:
|
||||
- name: state
|
||||
mountPath: /var/lib/k8s-mgmt-pod
|
||||
|
||||
securityContext:
|
||||
# sshd still runs as root to switch to authenticated user sessions.
|
||||
# Binding uses a non-privileged port, so NET_BIND_SERVICE is not required.
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: false
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
add: ["CHOWN", "DAC_OVERRIDE", "FOWNER", "SETGID", "SETUID", "SYS_CHROOT"]
|
||||
drop:
|
||||
- ALL
|
||||
add:
|
||||
- AUDIT_WRITE
|
||||
- CHOWN
|
||||
- DAC_OVERRIDE
|
||||
- FOWNER
|
||||
- SETGID
|
||||
- SETUID
|
||||
- SYS_CHROOT
|
||||
|
||||
volumes:
|
||||
- name: state
|
||||
emptyDir: {}
|
||||
emptyDir: {}
|
||||
Loading…
Add table
Add a link
Reference in a new issue