chore(snips): configure security context
parent
d596657472
commit
5ef7b74a33
2 changed files with 30 additions and 7 deletions
|
@ -9,7 +9,7 @@ images:
|
||||||
newTag: v0.3.2
|
newTag: v0.3.2
|
||||||
- name: litestream
|
- name: litestream
|
||||||
newName: litestream/litestream
|
newName: litestream/litestream
|
||||||
newTag: "0.3"
|
newTag: "0.3.13"
|
||||||
|
|
||||||
labels:
|
labels:
|
||||||
- includeSelectors: true
|
- includeSelectors: true
|
||||||
|
|
|
@ -18,12 +18,6 @@ spec:
|
||||||
- name: init-litestream
|
- name: init-litestream
|
||||||
image: litestream
|
image: litestream
|
||||||
args: ['restore', '-if-db-not-exists', '-if-replica-exists', '/data/snips.db']
|
args: ['restore', '-if-db-not-exists', '-if-replica-exists', '/data/snips.db']
|
||||||
volumeMounts:
|
|
||||||
- name: data
|
|
||||||
mountPath: /data
|
|
||||||
- name: litestream-config
|
|
||||||
mountPath: /etc/litestream.yml
|
|
||||||
subPath: litestream.yml
|
|
||||||
env:
|
env:
|
||||||
- name: LITESTREAM_ACCESS_KEY_ID
|
- name: LITESTREAM_ACCESS_KEY_ID
|
||||||
valueFrom:
|
valueFrom:
|
||||||
|
@ -35,6 +29,18 @@ spec:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
name: snips-secrets
|
name: snips-secrets
|
||||||
key: garage-secret-key
|
key: garage-secret-key
|
||||||
|
volumeMounts:
|
||||||
|
- name: data
|
||||||
|
mountPath: /data
|
||||||
|
- name: litestream-config
|
||||||
|
mountPath: /etc/litestream.yml
|
||||||
|
subPath: litestream.yml
|
||||||
|
securityContext:
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
containers:
|
containers:
|
||||||
- name: snips
|
- name: snips
|
||||||
image: snips
|
image: snips
|
||||||
|
@ -77,6 +83,12 @@ spec:
|
||||||
mountPath: /etc/snips
|
mountPath: /etc/snips
|
||||||
- name: data
|
- name: data
|
||||||
mountPath: /data
|
mountPath: /data
|
||||||
|
securityContext:
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
- name: litestream
|
- name: litestream
|
||||||
image: litestream
|
image: litestream
|
||||||
args: ['replicate']
|
args: ['replicate']
|
||||||
|
@ -112,6 +124,17 @@ spec:
|
||||||
ports:
|
ports:
|
||||||
- name: metrics
|
- name: metrics
|
||||||
containerPort: 9090
|
containerPort: 9090
|
||||||
|
securityContext:
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
securityContext:
|
||||||
|
runAsUser: 1000
|
||||||
|
runAsGroup: 1000
|
||||||
|
fsGroup: 1000
|
||||||
|
runAsNonRoot: true
|
||||||
affinity:
|
affinity:
|
||||||
podAntiAffinity:
|
podAntiAffinity:
|
||||||
preferredDuringSchedulingIgnoredDuringExecution:
|
preferredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
|
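Review bot: The pod-level `securityContext` added in the last hunk (the one carrying `runAsUser: 1000` and `fsGroup: 1000`) sets no seccomp profile, so the containers keep whatever the runtime or kubelet default is, which is often unconfined. Adding `seccompProfile:` with `type: RuntimeDefault` under it would complete the hardening, and the Pod Security "restricted" profile expects it alongside the dropped capabilities and `allowPrivilegeEscalation: false`. With `readOnlyRootFilesystem: true` now set on all three containers, any write outside the mounted `/data` volume will fail, so it is worth confirming that neither snips nor litestream needs a scratch path such as `/tmp`; an `emptyDir` mount would cover that if so. The spec continues outside the visible hunks, so volumes or mounts defined elsewhere cannot be checked from here.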