c33e68a6
Commit
c33e68a6
authored
Oct 02, 2020
by
Geoff Simmons
Test running viking-service Pods as non-root using helm.
Addresses #38
parent
276d6f1a
Changes
3
Showing
3 changed files
with
66 additions
and
12 deletions
+66
-12
values.yaml
charts/viking-service/values.yaml
+10
-0
Makefile
examples/varnish_pod_template/Makefile
+30
-12
values-nonroot-varnish.yaml
examples/varnish_pod_template/values-nonroot-varnish.yaml
+26
-0
charts/viking-service/values.yaml
...
...
@@ -68,6 +68,16 @@ vikingService:
# The varnish and haproxy users belong to this group.
fsGroup
:
998
# Set runAsUser:102 to start containers in the varnish/haproxy Pod
# as nonroot. This capability is provided for deployments where
# policy dictates it, but it is *not* advisable. Both of varnish
# and haproxy in master/worker mode run with adequate privilege
# separation. haproxy as nonroot is *less* secure, because chroot
# is impossible. varnish as nonroot is unable to do some things
# that should be preferred, such as mlock shared memory.
# runAsUser: 102
## Annotations to be added to the controller deployment
##
annotations
:
{}
...
...
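Review bot: The new comment does not say that a pod-level `runAsUser` applies to every container in the Pod, so with `runAsUser: 102` varnish and haproxy would both run under the same UID rather than under separate accounts. That is worth stating alongside the other drawbacks, assuming this key sits in the pod security context as it does in values-nonroot-varnish.yaml. It would also help to name the account that UID 102 maps to in the images, since the number is image-specific. Suggested addition: `# Note: runAsUser applies to all containers in the Pod, so varnish and haproxy then share UID 102.`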
examples/varnish_pod_template/Makefile
...
...
@@ -82,6 +82,10 @@ endif
all
:
deploy
deploy-cafe-helm
:
@
helm
install
viking-ingress-cafe
$(CHARTDIR)
/viking-test-app
\
--values
values.yaml
deploy-cli-args-helm
:
@
helm
install
viking-service-cli-args
$(CHARTDIR)
/viking-service
\
--values
values-cli-args-varnish.yaml
\
...
...
@@ -91,8 +95,7 @@ deploy-cli-args-helm:
--set
vikingService.varnish.image.tag
=
$(VARNISH_TAG)
\
--set
vikingService.haproxy.image.repository
=
$(HAPROXY_IMAGE)
\
--set
vikingService.haproxy.image.tag
=
$(HAPROXY_TAG)
@
helm
install
viking-ingress-cli-args
$(CHARTDIR)
/viking-test-app
\
--values
values.yaml
$(MAKE)
deploy-cafe-helm
deploy-proxy-helm
:
@
helm
install
viking-service-proxy
$(CHARTDIR)
/viking-service
\
...
...
@@ -103,8 +106,7 @@ deploy-proxy-helm:
--set
vikingService.varnish.image.tag
=
$(VARNISH_TAG)
\
--set
vikingService.haproxy.image.repository
=
$(HAPROXY_IMAGE)
\
--set
vikingService.haproxy.image.tag
=
$(HAPROXY_TAG)
@
helm
install
viking-ingress-proxy
$(CHARTDIR)
/viking-test-app
\
--values
values.yaml
$(MAKE)
deploy-cafe-helm
deploy-env-helm
:
@
helm
install
viking-service-env
$(CHARTDIR)
/viking-service
\
...
...
@@ -115,8 +117,18 @@ deploy-env-helm:
--set
vikingService.varnish.image.tag
=
$(VARNISH_TAG)
\
--set
vikingService.haproxy.image.repository
=
$(HAPROXY_IMAGE)
\
--set
vikingService.haproxy.image.tag
=
$(HAPROXY_TAG)
@
helm
install
viking-ingress-env
$(CHARTDIR)
/viking-test-app
\
--values
values.yaml
$(MAKE)
deploy-cafe-helm
deploy-nonroot-helm
:
@
helm
install
viking-service-nonroot
$(CHARTDIR)
/viking-service
\
--values
values-nonroot-varnish.yaml
\
--set
vikingService.secrets.admin
=
$(
shell
$(GEN_SECRET))
\
--set
vikingService.secrets.dataplaneapi
=
$(
shell
$(GEN_SECRET))
\
--set
vikingService.varnish.image.repository
=
$(VARNISH_IMAGE)
\
--set
vikingService.varnish.image.tag
=
$(VARNISH_TAG)
\
--set
vikingService.haproxy.image.repository
=
$(HAPROXY_IMAGE)
\
--set
vikingService.haproxy.image.tag
=
$(HAPROXY_TAG)
$(MAKE)
deploy-cafe-helm
deploy-cafe-kubectl
:
@
kubectl apply
-f
../hello/cafe.yaml
...
...
@@ -171,21 +183,25 @@ undeploy-nonroot-kubectl:
$(MAKE)
undeploy-cafe-kubectl
$(TESTDIR)
/wait_delete.sh
app
=
varnish-ingress,example
=
nonroot
undeploy-cli-args-helm
:
@
helm uninstall viking-ingress-cli-args
undeploy-cafe-helm
:
@
helm uninstall viking-ingress-cafe
undeploy-cli-args-helm
:
undeploy-cafe-helm
@
helm uninstall viking-service-cli-args
$(TESTDIR)
/wait_delete.sh
app
=
varnish-ingress,example
=
cli-args
undeploy-proxy-helm
:
@
helm uninstall viking-ingress-proxy
undeploy-proxy-helm
:
undeploy-cafe-helm
@
helm uninstall viking-service-proxy
$(TESTDIR)
/wait_delete.sh
app
=
varnish-ingress,example
=
proxy
undeploy-env-helm
:
@
helm uninstall viking-ingress-env
undeploy-env-helm
:
undeploy-cafe-helm
@
helm uninstall viking-service-env
$(TESTDIR)
/wait_delete.sh
app
=
varnish-ingress,example
=
env
undeploy-nonroot-helm
:
undeploy-cafe-helm
@
helm uninstall viking-service-nonroot
$(TESTDIR)
/wait_delete.sh
app
=
varnish-ingress,example
=
nonroot
ifeq
($(DEPLOY),kubectl)
deploy-cli-args
:
deploy-cli-args-kubectl
deploy-proxy
:
deploy-proxy-kubectl
...
...
@@ -199,9 +215,11 @@ else
deploy-cli-args
:
deploy-cli-args-helm
deploy-proxy
:
deploy-proxy-helm
deploy-env
:
deploy-env-helm
deploy-nonroot
:
deploy-nonroot-helm
undeploy-cli-args
:
undeploy-cli-args-helm
undeploy-proxy
:
undeploy-proxy-helm
undeploy-env
:
undeploy-env-helm
undeploy-nonroot
:
undeploy-nonroot-helm
endif
deploy verify undeploy
:
...
...
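Review bot: In the new `deploy-nonroot-helm` recipe the two generated secrets are passed as `--set vikingService.secrets.admin=$(shell $(GEN_SECRET))`, so they land in the argument list of the helm process, where other local users can read them from the process table while helm runs. The unquoted output is also subject to shell word splitting and to the comma parsing that `--set` applies. GEN_SECRET is defined outside the visible hunks, so this page does not show whether its output can contain such characters. The other `deploy-*-helm` targets, whose middle lines are elided, appear to follow the same pattern. Consider writing the secrets to a temporary values file with mode 0600 and passing it with `--values`, or at least quoting the argument: `--set "vikingService.secrets.admin=$(shell $(GEN_SECRET))"`.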
examples/varnish_pod_template/values-nonroot-varnish.yaml
0 → 100644
nameOverride
:
pod-template-examples
fullnameOverride
:
pod-template-examples
vikingService
:
varnish
:
extraEnvs
:
-
name
:
HTTP_PORT
value
:
"
8888"
podSecurityContext
:
fsGroup
:
998
runAsUser
:
102
service
:
ports
:
http
:
80
httpTarget
:
8888
## Name of the ingress class to route through this controller
##
ingressClass
:
varnish
replicaCount
:
1
# labels to add to the pod container metadata
podLabels
:
app
:
varnish-ingress
example
:
nonroot
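Review bot: `podSecurityContext` sets `runAsUser: 102` but not `runAsNonRoot: true`, so a container-level override or a later chart change that ends up running as UID 0 would not be rejected by the kubelet. Since this file exists to test non-root operation, adding `runAsNonRoot: true` next to `runAsUser` would make the intent an enforced property. Whether the chart copies `podSecurityContext` into the Pod spec verbatim is not visible here, so confirm the extra key is passed through. A short comment above `HTTP_PORT` would also help, e.g. `# listen on an unprivileged port; the Service maps 80 to 8888`.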