Add securityContext and image registry prefix to the tutorial manifests

The securityContext parameters should be available into the manifests. Without it, testing the k8up on the MicroShift environment will raise warnings: Warning: would violate PodSecurity "restricted:latest": seccompProfile (pod or container "mariadb" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost") Also added the registry prefix to the images used in the tutorial, to avoid complication when the runtime environment would not choose docker.io as a default registry.
k8up-io · Oct 30, 2023 · 3da34b9 · 3da34b9
1 parent 95398eb
commit 3da34b9
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 3 deletions.
diff --git a/docs/modules/ROOT/examples/tutorial/mariadb/deployment.yaml b/docs/modules/ROOT/examples/tutorial/mariadb/deployment.yaml
@@ -19,8 +19,18 @@ spec:
       annotations:
         k8up.io/backupcommand: /bin/bash -c 'mysqldump -uroot -p"${MARIADB_ROOT_PASSWORD}" --all-databases'
     spec:
+      securityContext:
+        runAsUser: 10002
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       containers:
-      - image: mariadb:10.4
+      - image: docker.io/mariadb:10.4
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
         name: mariadb
         readinessProbe:
           timeoutSeconds: 1

diff --git a/docs/modules/ROOT/examples/tutorial/minio/deployment.yaml b/docs/modules/ROOT/examples/tutorial/minio/deployment.yaml
@@ -17,12 +17,22 @@ spec:
       - name: data
         persistentVolumeClaim:
           claimName: minio-pvc
+      securityContext:
+        runAsUser: 10002
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - name: minio
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
         volumeMounts:
         - name: data
           mountPath: "/data"
-        image: minio/minio
+        image: docker.io/minio/minio
         args:
         - server
         - /data

diff --git a/docs/modules/ROOT/examples/tutorial/wordpress/deployment.yaml b/docs/modules/ROOT/examples/tutorial/wordpress/deployment.yaml
@@ -17,8 +17,18 @@ spec:
         app: wordpress
         tier: frontend
     spec:
+      securityContext:
+        runAsUser: 10002
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       containers:
-      - image: wordpress:5.4-apache
+      - image: docker.io/wordpress:5.4-apache
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
         name: wordpress
         env:
         - name: WORDPRESS_DB_HOST