chore(snips): configure security context
parent
d596657472
commit
5ef7b74a33
2 changed files with 30 additions and 7 deletions
|
@ -9,7 +9,7 @@ images:
|
|||
newTag: v0.3.2
|
||||
- name: litestream
|
||||
newName: litestream/litestream
|
||||
newTag: "0.3"
|
||||
newTag: "0.3.13"
|
||||
|
||||
labels:
|
||||
- includeSelectors: true
|
||||
|
|
|
@ -18,12 +18,6 @@ spec:
|
|||
- name: init-litestream
|
||||
image: litestream
|
||||
args: ['restore', '-if-db-not-exists', '-if-replica-exists', '/data/snips.db']
|
||||
volumeMounts:
|
||||
- name: data
|
||||
mountPath: /data
|
||||
- name: litestream-config
|
||||
mountPath: /etc/litestream.yml
|
||||
subPath: litestream.yml
|
||||
env:
|
||||
- name: LITESTREAM_ACCESS_KEY_ID
|
||||
valueFrom:
|
||||
|
@ -35,6 +29,18 @@ spec:
|
|||
secretKeyRef:
|
||||
name: snips-secrets
|
||||
key: garage-secret-key
|
||||
volumeMounts:
|
||||
- name: data
|
||||
mountPath: /data
|
||||
- name: litestream-config
|
||||
mountPath: /etc/litestream.yml
|
||||
subPath: litestream.yml
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
containers:
|
||||
- name: snips
|
||||
image: snips
|
||||
|
@ -77,6 +83,12 @@ spec:
|
|||
mountPath: /etc/snips
|
||||
- name: data
|
||||
mountPath: /data
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
- name: litestream
|
||||
image: litestream
|
||||
args: ['replicate']
|
||||
|
@ -112,6 +124,17 @@ spec:
|
|||
ports:
|
||||
- name: metrics
|
||||
containerPort: 9090
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
securityContext:
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
fsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
affinity:
|
||||
podAntiAffinity:
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
|
|
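Review bot: The pod-level `securityContext` added in the last hunk (`@ -112,6 +124,17`) sets `runAsUser`, `runAsGroup`, `fsGroup` and `runAsNonRoot` but no seccomp profile, so the containers run with whatever the node defaults to, which is unconfined unless the kubelet is configured to default seccomp. Adding `seccompProfile: {type: RuntimeDefault}` to that block would cover the remaining field the Pod Security Standards "restricted" profile checks. Separately, all three container blocks set `readOnlyRootFilesystem: true` while the only writable mount visible here is `/data`. If snips or litestream write scratch files elsewhere (presumably `/tmp`, not confirmed from this page), they will fail at runtime and need an `emptyDir` mount for that path. The pod spec begins and ends outside the hunks shown, so existing volumes could not be checked.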