This repository has been archived by the owner on May 16, 2023. It is now read-only.

[apm-server] run as non root user #996

Merged
merged 3 commits into from
Jan 6, 2021
Merged
8 changes: 6 additions & 2 deletions apm-server/templates/deployment.yaml
Expand Up @@ -30,6 +30,10 @@ spec:
configChecksum: {{ include (print .Template.BasePath "/configmap.yaml") . | sha256sum | trunc 63 }}
{{- end }}
spec:
{{- if .Values.podSecurityContext }}
securityContext:
{{ toYaml .Values.podSecurityContext | indent 10 }}
{{- end }}
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
Expand Down Expand Up @@ -84,9 +88,9 @@ spec:
envFrom:
{{ toYaml .Values.envFrom | indent 10 }}
{{- end }}
{{- if .Values.podSecurityContext }}
{{- if .Values.securityContext }}
securityContext:
{{ toYaml .Values.podSecurityContext | indent 10 }}
{{ toYaml .Values.securityContext | indent 10 }}
{{- end }}
livenessProbe:
{{ toYaml .Values.livenessProbe | indent 10 }}
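Review bot: Overrides that existing users keep under `podSecurityContext` change meaning with this template: the first hunk renders that map into the pod-level `securityContext`, while the container block in the second hunk now reads the new `.Values.securityContext`. Container-only fields such as `privileged`, `capabilities` or `readOnlyRootFilesystem` are not part of the pod-level schema, so a values file written for the previous chart may be rejected on upgrade or, depending on how the cluster validates unknown fields, silently lose that setting on the container. I would record this as a breaking change in the chart's upgrade notes and put a template comment above the new block, for example `{{- /* pod-level context (fsGroup, runAsUser); container-only fields belong in .Values.securityContext */}}`. The page does not preserve indentation, so it is also worth confirming that `indent 10` nests correctly under the pod-level key.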
16 changes: 13 additions & 3 deletions apm-server/tests/apmserver_test.py
Expand Up @@ -146,16 +146,26 @@ def test_self_managing_rbac_resources():
assert "clusterrolebinding" not in r


def test_setting_container_security_context():
config = """
securityContext:
runAsUser: 1001
privileged: true
"""
r = helm_template(config)
c = r["deployment"][name]["spec"]["template"]["spec"]["containers"][0]
assert c["securityContext"]["runAsUser"] == 1001
assert c["securityContext"]["privileged"] is True


def test_setting_pod_security_context():
config = """
podSecurityContext:
runAsUser: 1001
privileged: false
"""
r = helm_template(config)
c = r["deployment"][name]["spec"]["template"]["spec"]["containers"][0]
c = r["deployment"][name]["spec"]["template"]["spec"]
assert c["securityContext"]["runAsUser"] == 1001
assert c["securityContext"]["privileged"] is False


def test_adding_in_apm_config():
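Review bot: None of the tests visible in this section pins the new non-root defaults; both tests only check that user-supplied `securityContext` and `podSecurityContext` values are passed through, and the container test does so with `privileged: true`. A later change that put the defaults in `values.yaml` back to root, or dropped `runAsNonRoot`, would still pass them, unless a defaults test outside the hunk already covers it. I would add a test that renders the chart with no overrides and asserts the hardened values at both levels, along the lines below (the expected numbers are the defaults this PR sets in `values.yaml`).

```python
def test_default_security_contexts_are_non_root():
    # No overrides: the chart defaults alone must yield a non-root pod.
    r = helm_template("")
    pod = r["deployment"][name]["spec"]["template"]["spec"]
    c = pod["containers"][0]
    assert pod["securityContext"]["runAsUser"] == 1000
    assert c["securityContext"]["runAsNonRoot"] is True
    assert c["securityContext"]["privileged"] is False
```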
9 changes: 8 additions & 1 deletion apm-server/values.yaml
Expand Up @@ -82,8 +82,15 @@ podAnnotations: {}
labels: {}

podSecurityContext:
runAsUser: 0
fsGroup: 1000
runAsUser: 1000
runAsGroup: 0

securityContext:
privileged: false
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 0

livenessProbe:
httpGet:
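Review bot: The new defaults drop UID 0 but keep `runAsGroup: 0` in both `podSecurityContext` and `securityContext` with no comment explaining why, so the process still runs with the root group as its primary group. If that is needed for file ownership inside the image (an assumption, the page does not say), a comment such as `# GID 0 keeps access to group-owned files in the image; the process itself is non-root` would stop a later reader from treating it as an oversight. The container `securityContext` also leaves privilege escalation at its default; adding `allowPrivilegeEscalation: false` next to `runAsNonRoot: true` would complete the non-root hardening. Because container-level settings take precedence over pod-level ones, repeating `runAsUser` and `runAsGroup` in both maps means that overriding `podSecurityContext.runAsUser` alone has no effect on this container, which deserves a one-line comment as well.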