chore(snips): configure security context

This commit is contained in:
Peter 2024-05-07 16:07:29 +02:00
parent d596657472
commit 5ef7b74a33
Signed by: prskr
GPG key ID: F56BED6903BC5E37
2 changed files with 30 additions and 7 deletions


@ -9,7 +9,7 @@ images:
newTag: v0.3.2 newTag: v0.3.2
- name: litestream - name: litestream
newName: litestream/litestream newName: litestream/litestream
newTag: "0.3" newTag: "0.3.13"
labels: labels:
- includeSelectors: true - includeSelectors: true


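--- a/<PATH-NOT-SHOWN-ON-PAGE>
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -18,12 +18,6 @@ spec:
 - name: init-litestream
 image: litestream
 args: ['restore', '-if-db-not-exists', '-if-replica-exists', '/data/snips.db']
-volumeMounts:
-- name: data
-mountPath: /data
-- name: litestream-config
-mountPath: /etc/litestream.yml
-subPath: litestream.yml
 env:
 - name: LITESTREAM_ACCESS_KEY_ID
 valueFrom:
@@ -35,6 +29,18 @@ spec:
 secretKeyRef:
 name: snips-secrets
 key: garage-secret-key
+volumeMounts:
+- name: data
+mountPath: /data
+- name: litestream-config
+mountPath: /etc/litestream.yml
+subPath: litestream.yml
+securityContext:
+capabilities:
+drop:
+- ALL
+allowPrivilegeEscalation: false
+readOnlyRootFilesystem: true
 containers:
 - name: snips
 image: snips
@@ -77,6 +83,12 @@ spec:
 mountPath: /etc/snips
 - name: data
 mountPath: /data
+securityContext:
+capabilities:
+drop:
+- ALL
+allowPrivilegeEscalation: false
+readOnlyRootFilesystem: true
 - name: litestream
 image: litestream
 args: ['replicate']
@@ -112,6 +124,17 @@ spec:
 ports:
 - name: metrics
 containerPort: 9090
+securityContext:
+capabilities:
+drop:
+- ALL
+allowPrivilegeEscalation: false
+readOnlyRootFilesystem: true
+securityContext:
+runAsUser: 1000
+runAsGroup: 1000
+fsGroup: 1000
+runAsNonRoot: true
 affinity:
 podAntiAffinity:
 preferredDuringSchedulingIgnoredDuringExecution: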
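Review bot: The new pod-level securityContext in the last hunk (runAsUser/runAsGroup/fsGroup/runAsNonRoot, added after the litestream container) sets no seccompProfile, so even with ALL capabilities dropped and allowPrivilegeEscalation: false on every container the pod still does not meet the Pod Security Standards "restricted" profile, which also requires a seccomp type of RuntimeDefault or Localhost. Adding `seccompProfile:` with `type: RuntimeDefault` under that pod-level securityContext covers the init container and both containers at once. readOnlyRootFilesystem: true is now set on all three containers, but this page does not show whether snips or litestream write anywhere outside the /data mount (a temp directory, for instance); confirm that against the running pod and, if they do, add a writable emptyDir at that path rather than dropping the flag. The enclosing spec: block starts before the first hunk.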