fix: set fsGroup for correct mount group
joshiste committed Feb 6, 2024
1 parent 36cf5af commit e2d5851
Showing 5 changed files with 91 additions and 55 deletions.
Expand Up @@ -107,14 +107,16 @@ using oauth2 with mtls from containerPath and token uri:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /var/lib/steadybit-agent
name: steadybit-agent-state
- mountPath: /tmp
name: tmp-dir
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
serviceAccountName: steadybit-agent
volumes:
- emptyDir:
Expand Down Expand Up @@ -247,9 +249,6 @@ using oauth2 with mtls from secrets:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /var/lib/steadybit-agent
name: steadybit-agent-state
Expand All @@ -261,6 +260,11 @@ using oauth2 with mtls from secrets:
- mountPath: /opt/steadybit/agent/etc/oauth2/server
name: oauth2-tls-server
readOnly: true
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
serviceAccountName: steadybit-agent
volumes:
- emptyDir:
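Review bot: The pod-level `securityContext` added after `volumeMounts` (`fsGroup`, `runAsGroup`, `runAsNonRoot`, `runAsUser`) sets no `seccompProfile`, and the visible tail of the container-level block (`drop: ALL`, `readOnlyRootFilesystem: true`) shows none either, so as far as this section shows the seccomp profile is left to the node default, which is unconfined unless the kubelet is configured otherwise. Since the identity settings are being consolidated at pod level anyway, I would add `seccompProfile:` with `type: RuntimeDefault` next to `fsGroup` in the template that renders this manifest; that template is not in the visible diff and the container-level block starts above the hunk, so confirm it is not already set there. Separately, `fsGroup: 1000` applies to every volume in the pod that supports ownership management, including the read-only `oauth2-tls-server` mount in the "from secrets" hunk, whose files get group ownership 1000 with group read access; that is presumably the intent of the fix, but it is worth stating in the chart documentation because it covers TLS material. The same block repeats in every other manifest hunk on this page, for both the agent and the outpost chart, so both points apply there as well.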
Expand Up @@ -112,14 +112,16 @@ manifest should match snapshot:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /var/lib/steadybit-agent
name: steadybit-agent-state
- mountPath: /tmp
name: tmp-dir
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
serviceAccountName: steadybit-agent
volumes:
- emptyDir:
Expand Down Expand Up @@ -252,14 +254,16 @@ should add aws account id from values:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /var/lib/steadybit-agent
name: steadybit-agent-state
- mountPath: /tmp
name: tmp-dir
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
serviceAccountName: steadybit-agent
volumes:
- emptyDir:
Expand Down Expand Up @@ -406,14 +410,16 @@ should add match labels:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /var/lib/steadybit-agent
name: steadybit-agent-state
- mountPath: /tmp
name: tmp-dir
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
serviceAccountName: steadybit-agent
volumes:
- emptyDir:
Expand Down Expand Up @@ -545,14 +551,16 @@ should apply extra pod labels:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /var/lib/steadybit-agent
name: steadybit-agent-state
- mountPath: /tmp
name: tmp-dir
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
serviceAccountName: steadybit-agent
volumes:
- emptyDir:
Expand Down Expand Up @@ -699,14 +707,16 @@ using extensions with mtls from containerpath:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /var/lib/steadybit-agent
name: steadybit-agent-state
- mountPath: /tmp
name: tmp-dir
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
serviceAccountName: steadybit-agent
volumes:
- emptyDir:
Expand Down Expand Up @@ -848,9 +858,6 @@ using extensions with mtls from secrets:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /var/lib/steadybit-agent
name: steadybit-agent-state
Expand All @@ -864,6 +871,11 @@ using extensions with mtls from secrets:
readOnly: true
- mountPath: /opt/steadybit/agent/etc/extra-certs
name: extra-certs
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
serviceAccountName: steadybit-agent
volumes:
- emptyDir:
Expand Down Expand Up @@ -997,16 +1009,18 @@ using image pull secrets with debug json log:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /var/lib/steadybit-agent
name: steadybit-agent-state
- mountPath: /tmp
name: tmp-dir
imagePullSecrets:
- name: test-pull-secret
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
serviceAccountName: steadybit-agent
volumes:
- emptyDir:
2 changes: 1 addition & 1 deletion charts/steadybit-outpost/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v2
name: steadybit-outpost
description: steadybit outpost Helm chart for Kubernetes.
version: 1.2.13:
version: 1.2.13
appVersion: 1.0.108
home: https://www.steadybit.com/
icon: https://steadybit-website-assets.s3.amazonaws.com/logo-symbol-transparent.png
Expand Up @@ -107,14 +107,16 @@ using oauth2 with mtls from containerPath and token uri:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /var/lib/steadybit-outpost
name: steadybit-outpost-state
- mountPath: /tmp
name: tmp-dir
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
serviceAccountName: steadybit-outpost
volumes:
- emptyDir:
Expand Down Expand Up @@ -247,9 +249,6 @@ using oauth2 with mtls from secrets:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /var/lib/steadybit-outpost
name: steadybit-outpost-state
Expand All @@ -261,6 +260,11 @@ using oauth2 with mtls from secrets:
- mountPath: /opt/steadybit/agent/etc/oauth2/server
name: oauth2-tls-server
readOnly: true
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
serviceAccountName: steadybit-outpost
volumes:
- emptyDir:
Expand Up @@ -112,14 +112,16 @@ manifest should match snapshot:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /var/lib/steadybit-outpost
name: steadybit-outpost-state
- mountPath: /tmp
name: tmp-dir
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
serviceAccountName: steadybit-outpost
volumes:
- emptyDir:
Expand Down Expand Up @@ -252,14 +254,16 @@ should add aws account id from values:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /var/lib/steadybit-outpost
name: steadybit-outpost-state
- mountPath: /tmp
name: tmp-dir
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
serviceAccountName: steadybit-outpost
volumes:
- emptyDir:
Expand Down Expand Up @@ -406,14 +410,16 @@ should add match labels:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /var/lib/steadybit-outpost
name: steadybit-outpost-state
- mountPath: /tmp
name: tmp-dir
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
serviceAccountName: steadybit-outpost
volumes:
- emptyDir:
Expand Down Expand Up @@ -545,14 +551,16 @@ should apply extra pod labels:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /var/lib/steadybit-outpost
name: steadybit-outpost-state
- mountPath: /tmp
name: tmp-dir
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
serviceAccountName: steadybit-outpost
volumes:
- emptyDir:
Expand Down Expand Up @@ -699,14 +707,16 @@ using extensions with mtls from containerpath:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /var/lib/steadybit-outpost
name: steadybit-outpost-state
- mountPath: /tmp
name: tmp-dir
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
serviceAccountName: steadybit-outpost
volumes:
- emptyDir:
Expand Down Expand Up @@ -848,9 +858,6 @@ using extensions with mtls from secrets:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /var/lib/steadybit-outpost
name: steadybit-outpost-state
Expand All @@ -864,6 +871,11 @@ using extensions with mtls from secrets:
readOnly: true
- mountPath: /opt/steadybit/outpost/etc/extra-certs
name: extra-certs
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
serviceAccountName: steadybit-outpost
volumes:
- emptyDir:
Expand Down Expand Up @@ -997,16 +1009,18 @@ using image pull secrets with debug json log:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /var/lib/steadybit-outpost
name: steadybit-outpost-state
- mountPath: /tmp
name: tmp-dir
imagePullSecrets:
- name: test-pull-secret
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
serviceAccountName: steadybit-outpost
volumes:
- emptyDir: