[COMMON] Make mongo run as non-root
Use our helper template and k8s features to make mongodb run as a
non-root user as per Guiling requirements.
Issue-ID: DCAEGEN2-2424
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: I44bc079a2cc49dc1b0f1da88e220290098e909d5
diff --git a/kubernetes/common/mongo/templates/statefulset.yaml b/kubernetes/common/mongo/templates/statefulset.yaml
index 111bc80..abc71b3 100644
--- a/kubernetes/common/mongo/templates/statefulset.yaml
+++ b/kubernetes/common/mongo/templates/statefulset.yaml
@@ -36,10 +36,15 @@
app: {{ include "common.name" . }}
release: {{ include "common.release" . }}
spec:
+{{ include "common.podSecurityContext" . | indent 6 }}
containers:
- name: {{ include "common.name" . }}
image: "{{ .Values.dockerHubRepository }}/{{ .Values.image }}"
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ command:
+ - docker-entrypoint.sh
+ args:
+ - --nounixsocket
env:
- name: MONGO_INITDB_DATABASE
value: "{{ .Values.config.dbName }}"
@@ -68,6 +73,7 @@
mountPath: /var/lib/mongo
resources:
{{ include "common.resources" . | indent 12 }}
+{{ include "common.containerSecurityContext" . | indent 10 }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 10 }}
diff --git a/kubernetes/common/mongo/values.yaml b/kubernetes/common/mongo/values.yaml
index d272f70..d8988c3 100644
--- a/kubernetes/common/mongo/values.yaml
+++ b/kubernetes/common/mongo/values.yaml
@@ -83,6 +83,10 @@
rpcbindPort: 111
rpcbindUdpPort: 111
+securityContext:
+ user_id: 999
+ group_id: 999
+
ingress:
enabled: false