From e7209029b2b47a08c9306fb97ce5f877ca7e6141 Mon Sep 17 00:00:00 2001
From: Daniel Pawlik
Date: Mon, 30 Oct 2023 15:27:05 +0100
Subject: [PATCH] Improve tutorial manifests
The securityContext parameters should be available into the manifests. Without it, testing the k8up on the MicroShift environment will raise warnings: Warning: would violate PodSecurity "restricted:latest": seccompProfile (pod or container "mariadb" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost") Also added the registry prefix to the images used in the tutorial, to avoid complication when the runtime environment would not choose docker.io as a default registry and removed namespace parameter from secrets manifests, because other manifests in the tutorial does not have such parameter (so if someone will use other namespace than 'default', services/deployments will faile because of missing secrets).
---
 .../ROOT/examples/tutorial/mariadb/deployment.yaml | 12 +++++++++++-
 .../ROOT/examples/tutorial/minio/deployment.yaml | 12 +++++++++++-
 .../ROOT/examples/tutorial/secrets/backup-repo.yaml | 1 -
 .../ROOT/examples/tutorial/secrets/mariadb-pass.yaml | 1 -
 .../examples/tutorial/secrets/minio-credentials.yaml | 1 -
 .../ROOT/examples/tutorial/wordpress/deployment.yaml | 12 +++++++++++-
 6 files changed, 33 insertions(+), 6 deletions(-)
diff --git a/docs/modules/ROOT/examples/tutorial/mariadb/deployment.yaml b/docs/modules/ROOT/examples/tutorial/mariadb/deployment.yaml
index 68a4ca5eb..f740f9728 100644
--- a/docs/modules/ROOT/examples/tutorial/mariadb/deployment.yaml
+++ b/docs/modules/ROOT/examples/tutorial/mariadb/deployment.yaml
@@ -19,8 +19,18 @@ spec:
 annotations:
 k8up.io/backupcommand: /bin/bash -c 'mysqldump -uroot -p"${MARIADB_ROOT_PASSWORD}" --all-databases'
 spec:
+ securityContext:
+ runAsUser: 10002
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 containers:
- - image: mariadb:10.4
+ - image: docker.io/mariadb:10.4
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 name: mariadb
 readinessProbe:
 timeoutSeconds: 1
diff --git a/docs/modules/ROOT/examples/tutorial/minio/deployment.yaml b/docs/modules/ROOT/examples/tutorial/minio/deployment.yaml
index 5df38a2af..69b4fc174 100644
--- a/docs/modules/ROOT/examples/tutorial/minio/deployment.yaml
+++ b/docs/modules/ROOT/examples/tutorial/minio/deployment.yaml
@@ -17,12 +17,22 @@ spec:
 - name: data
 persistentVolumeClaim:
 claimName: minio-pvc
+ securityContext:
+ runAsUser: 10002
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 containers:
 - name: minio
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 volumeMounts:
 - name: data
 mountPath: "/data"
- image: minio/minio
+ image: docker.io/minio/minio
 args:
 - server
 - /data
diff --git a/docs/modules/ROOT/examples/tutorial/secrets/backup-repo.yaml b/docs/modules/ROOT/examples/tutorial/secrets/backup-repo.yaml
index 40d07f37f..df558e540 100644
--- a/docs/modules/ROOT/examples/tutorial/secrets/backup-repo.yaml
+++ b/docs/modules/ROOT/examples/tutorial/secrets/backup-repo.yaml
@@ -2,7 +2,6 @@ apiVersion: v1
 kind: Secret
 metadata:
 name: backup-repo
- namespace: default
 type: Opaque
 stringData:
 password: p@ssw0rd
diff --git a/docs/modules/ROOT/examples/tutorial/secrets/mariadb-pass.yaml b/docs/modules/ROOT/examples/tutorial/secrets/mariadb-pass.yaml
index 0f3ea6151..d9a51bcff 100644
--- a/docs/modules/ROOT/examples/tutorial/secrets/mariadb-pass.yaml
+++ b/docs/modules/ROOT/examples/tutorial/secrets/mariadb-pass.yaml
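Review bot: The pod securityContext added at the top of this hunk pins `runAsUser: 10002` but sets no `fsGroup`, so if the MariaDB data directory is a mounted PVC (the volume block is outside this hunk) it will typically be root-owned and mysqld, now running as UID 10002 with every capability dropped, cannot write to it; add `fsGroup: 10002` next to `runAsUser`. Whether the official mariadb image starts at all under an arbitrary non-root UID also depends on its own directories (/var/lib/mysql, /run/mysqld) being writable by that UID — to my knowledge its entrypoint only fixes ownership when it runs as root — so the tutorial should be confirmed to reach Ready, not only to pass admission. On MicroShift/OpenShift a hard-coded UID can additionally be rejected by the restricted-v2 SCC unless it falls in the namespace's allocated range; where that SCC is in force, dropping `runAsUser` and keeping `runAsNonRoot: true` lets the platform assign one. `docker.io/mariadb:10.4` on the changed image line is still a mutable tag; an `@sha256:` digest would make the tutorial reproducible.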
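Review bot: The changed image line `docker.io/minio/minio` still carries no tag, so it resolves to `:latest` and the tutorial pulls whatever MinIO happens to publish on the day it is run; now that the registry is made explicit, pin a specific `RELEASE.*` tag, ideally with an `@sha256:` digest. The new pod securityContext sets `runAsUser: 10002` without `fsGroup`, and the PVC visible in the hunk's context is mounted at /data, so the server, running as a non-root UID with all capabilities dropped, will presumably be unable to create buckets on a root-owned volume; add `fsGroup: 10002` alongside `runAsUser` or otherwise ensure /data is writable by that UID. It is worth verifying the pod reaches Ready on MicroShift rather than only clearing the PodSecurity warning the commit message quotes.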
@@ -2,7 +2,6 @@ apiVersion: v1
 kind: Secret
 metadata:
 name: mariadb-pass
- namespace: default
 type: Opaque
 stringData:
 password: ola0thai0eixieCie6Yahcooz3doojee
diff --git a/docs/modules/ROOT/examples/tutorial/secrets/minio-credentials.yaml b/docs/modules/ROOT/examples/tutorial/secrets/minio-credentials.yaml
index ce9ca63db..4a8dc4ffb 100644
--- a/docs/modules/ROOT/examples/tutorial/secrets/minio-credentials.yaml
+++ b/docs/modules/ROOT/examples/tutorial/secrets/minio-credentials.yaml
@@ -2,7 +2,6 @@ apiVersion: v1
 kind: Secret
 metadata:
 name: minio-credentials
- namespace: default
 type: Opaque
 stringData:
 username: minio
diff --git a/docs/modules/ROOT/examples/tutorial/wordpress/deployment.yaml b/docs/modules/ROOT/examples/tutorial/wordpress/deployment.yaml
index 2bb475298..2c11feeb5 100644
--- a/docs/modules/ROOT/examples/tutorial/wordpress/deployment.yaml
+++ b/docs/modules/ROOT/examples/tutorial/wordpress/deployment.yaml
@@ -17,8 +17,18 @@ spec:
 app: wordpress
 tier: frontend
 spec:
+ securityContext:
+ runAsUser: 10002
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 containers:
- - image: wordpress:5.4-apache
+ - image: docker.io/wordpress:5.4-apache
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 name: wordpress
 env:
 - name: WORDPRESS_DB_HOST
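Review bot: Running `wordpress:5.4-apache` as UID 10002 with `capabilities.drop: [ALL]` (the container securityContext added under the image line) also drops `NET_BIND_SERVICE`, and that image's Apache listens on port 80, so on a node with the default `net.ipv4.ip_unprivileged_port_start=1024` the container should fail at startup with a bind error — the restricted PodSecurity profile is satisfied, but the pod does not serve. Either add the capability back with `add: [NET_BIND_SERVICE]` under `capabilities` (permitted by the restricted profile, though whether a non-root process can use it depends on the runtime granting it as an ambient capability) or reconfigure Apache to an unprivileged port such as 8080 and update `containerPort` and the Service to match. The image's entrypoint also needs /var/www/html writable by UID 10002 to unpack WordPress, which presumably requires `fsGroup: 10002` in the pod securityContext plus a volume at that path; verify the pod reaches Ready. Independently, 5.4 is several major WordPress releases behind the commit date and worth bumping to a current tag pinned by `@sha256:` digest.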