Merge pull request #7 from lcsnetworks/non_root_containers

Switch to non-root containers
This commit is contained in:
Dan 2022-02-01 21:40:45 -08:00 committed by GitHub
commit 2a02e408de
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 40 additions and 27 deletions

View File

@ -21,9 +21,12 @@ spec:
network/proxy: "true"
service: tactical-backend
spec:
securityContext:
runAsUser: 1000
fsGroup: 1000
containers:
- name: trmm-backend
image: tacticalrmm/tactical:0.10.5-dev
image: tacticalrmm/tactical:0.11.4-dev
args:
- tactical-backend
resources: {}
@ -57,10 +60,10 @@ metadata:
spec:
ports:
- name: "http"
port: 80
targetPort: 80
port: 8080
targetPort: 8080
- name: "https"
port: 443
targetPort: 443
port: 4443
targetPort: 4443
selector:
service: tactical-backend

View File

@ -25,7 +25,7 @@ spec:
fsGroup: 1000
containers:
- name: trmm-celery
image: tacticalrmm/tactical:0.10.5-dev
image: tacticalrmm/tactical:0.11.4-dev
args:
- tactical-celery
resources: {}
@ -67,7 +67,7 @@ spec:
spec:
containers:
- name: trmm-celerybeat
image: tacticalrmm/tactical:latest
image: tacticalrmm/tactical:0.11.4-dev
args:
- tactical-celerybeat
resources: {}

View File

@ -17,9 +17,12 @@ spec:
labels:
service: tactical-frontend
spec:
securityContext:
runAsUser: 1000
fsGroup: 1000
containers:
- name: trmm-frontend
image: tacticalrmm/tactical-frontend:latest
image: tacticalrmm/tactical-frontend:0.11.4-dev
resources: {}
env:
- name: API_HOST
@ -37,10 +40,7 @@ metadata:
spec:
ports:
- name: "http"
port: 80
targetPort: 80
- name: "https"
port: 443
targetPort: 443
port: 8080
targetPort: 8080
selector:
service: tactical-frontend

View File

@ -12,7 +12,7 @@ spec:
containers:
- args:
- tactical-init
image: tacticalrmm/tactical:0.10.5-dev
image: tacticalrmm/tactical:0.11.4-dev
name: trmm-init
env:
- name: API_HOST
@ -22,7 +22,7 @@ spec:
- name: MESH_HOST
value: mesh.rmm.mydomain.com
- name: MESH_WS_URL
value: ws://tactical-meshcentral:443
value: ws://tactical-meshcentral:4443
- name: MESH_USER
value: meshuser
- name: POSTGRES_HOST

View File

@ -20,9 +20,12 @@ spec:
network/proxy: "true"
service: tactical-meshcentral
spec:
securityContext:
runAsUser: 1000
fsGroup: 1000
containers:
- name: trmm-meshcentral
image: tacticalrmm/tactical-meshcentral:0.10.5-dev
image: tacticalrmm/tactical-meshcentral:0.11.4-dev
resources: {}
env:
- name: MESH_HOST
@ -45,6 +48,8 @@ spec:
key: mongodb-password
- name: NGINX_HOST_IP # Point to NGINX service
value: tactical-nlb
- name: NGINX_HOST_PORT # Should match the EXTERNAL port of the NGINX service
value: "443"
- name: WS_MASK_OVERRIDE # Enable for Traefik compatibility
value: "0"
- name: SMTP_HOST
@ -87,10 +92,10 @@ metadata:
spec:
ports:
- name: "http"
port: 80
targetPort: 80
port: 8080
targetPort: 8080
- name: "https"
port: 443
targetPort: 443
port: 4443
targetPort: 4443
selector:
service: tactical-meshcentral

View File

@ -20,8 +20,8 @@ spec:
service: tactical-mongodb
spec:
securityContext:
runAsUser: 2000
fsGroup: 2000
runAsUser: 1000
fsGroup: 1000
containers:
- name: trmm-mongodb
image: mongo:4.4

View File

@ -19,9 +19,12 @@ spec:
network/proxy: "true"
service: tactical-nlb
spec:
securityContext:
runAsUser: 1000
fsGroup: 1000
containers:
- name: nginx
image: tacticalrmm/tactical-nginx:0.10.5-dev
image: tacticalrmm/tactical-nginx:0.11.4-dev
resources: {}
env:
- name: API_HOST
@ -45,19 +48,21 @@ spec:
- name: CERT_PRIV_PATH
value: /etc/ssl/certs/custom/tls.key
ports:
- containerPort: 80
- containerPort: 443
- containerPort: 8080
- containerPort: 4443
volumeMounts:
- mountPath: /opt/tactical
name: tactical-data
- mountPath: /etc/ssl/certs/custom
name: tactical-certs
- name: trmm-nats
image: tacticalrmm/tactical-nats:latest
image: tacticalrmm/tactical-nats:0.11.4-dev
resources: {}
env:
- name: API_HOST
value: api.rmm.mydomain.com
- name: NATS_CONFIG_CHECK_INTERVAL
value: "10"
ports:
- containerPort: 4222
volumeMounts:

View File

@ -26,7 +26,7 @@ spec:
fsGroup: 1000
containers:
- name: trmm-websockets
image: tacticalrmm/tactical:latest
image: tacticalrmm/tactical:0.11.4-dev
args:
- tactical-websockets
resources: {}