fix

2024-05-27 18:46:25 +02:00
parent 8026666e32
commit 5f7e4245c3
3 changed files with 103 additions and 88 deletions
--- a/apps/taiga/taiga_workload.tf
+++ b/apps/taiga/taiga_workload.tf
@@ -17,11 +17,12 @@ resource "kubectl_manifest" "Deployment_taiga-events" {
        metadata:
          labels: ${jsonencode(local.event_labels)}
        spec:
+          securityContext:
+            fsGroup: 99
          containers:
          - name: taiga-events
            image: "${var.images.events.registry}/${var.images.events.repository}:${var.images.events.tag}"
            imagePullPolicy: ${var.images.events.pull_policy}
-            command: ["/bin/start.sh"]
            envFrom:
            - secretRef:
                name: ${kubectl_manifest.secret.name}
@@ -61,21 +62,20 @@ resource "kubectl_manifest" "Deployment_taiga-events" {
              timeoutSeconds: 1
              successThreshold: 1
              failureThreshold: 3
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop: ["ALL"]
+              runAsGroup: 99
+              runAsNonRoot: true
+              runAsUser: 99
+              seccompProfile:
+                type: RuntimeDefault
            volumeMounts:
            - name: files
              mountPath: /var/lib/env.template
              subPath: env.template
-            - name: scripts
-              mountPath: /bin/start.sh
-              subPath: start.sh
          volumes:
-          - name: scripts
-            configMap:
-              name: ${kubectl_manifest.cm_events.name}
-              defaultMode: 0755
-              items:
-              - key: start.sh
-                path: start.sh
          - name: files
            configMap:
              name: ${kubectl_manifest.cm_events.name}
@@ -105,6 +105,8 @@ resource "kubectl_manifest" "Deployment_taiga-front" {
        metadata:
          labels: ${jsonencode(local.front_labels)}
        spec:
+          securityContext:
+            fsGroup: 0
          containers:
          - name: taiga-front
            image: "${var.images.front.registry}/${var.images.front.repository}:${var.images.front.tag}"
@@ -134,6 +136,13 @@ resource "kubectl_manifest" "Deployment_taiga-front" {
                port: http
              initialDelaySeconds: 3
              periodSeconds: 3
+            securityContext:
+              allowPrivilegeEscalation: true
+              runAsGroup: 0
+              runAsNonRoot: false
+              runAsUser: 0
+              seccompProfile:
+                type: RuntimeDefault
 EOF
 }

@@ -155,6 +164,8 @@ resource "kubectl_manifest" "Deployment_taiga-protected" {
        metadata:
          labels: ${jsonencode(local.protected_labels)}
        spec:
+          securityContext:
+            fsGroup: 999
          containers:
          - name: taiga-protected
            image: "${var.images.protected.registry}/${var.images.protected.repository}:${var.images.protected.tag}"
@@ -174,6 +185,15 @@ resource "kubectl_manifest" "Deployment_taiga-protected" {
              initialDelaySeconds: 10
              exec:
                command: ["/bin/sh", "-c", "pidof -x gunicorn"]
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop: ["ALL"]
+              runAsGroup: 999
+              runAsNonRoot: true
+              runAsUser: 999
+              seccompProfile:
+                type: RuntimeDefault
 EOF
 }

@@ -196,11 +216,12 @@ resource "kubectl_manifest" "Deployment_taiga-back" {
        metadata:
          labels: ${jsonencode(local.back_labels)}
        spec:
+          securityContext:
+            fsGroup: 999
          containers:
          - name: taiga-back
            image: "${var.images.back.registry}/${var.images.back.repository}:${var.images.back.tag}"
            imagePullPolicy: ${var.images.back.pull_policy}
-            command: ["/bin/back_entrypoint.sh"]
            env:
            - name: TAIGA_EVENTS_RABBITMQ_HOST
              value: ${kubectl_manifest.rabbit.name}
@@ -241,8 +262,8 @@ resource "kubectl_manifest" "Deployment_taiga-back" {
              containerPort: 8000
            volumeMounts:
            - name: scripts
-              mountPath: /bin/back_entrypoint.sh
-              subPath: back_entrypoint.sh
+              mountPath: /docker-entrypoint.d/certs.sh
+              subPath: certs.sh
            - name: data
              mountPath: /taiga-back/static
              subPath: static
@@ -270,10 +291,19 @@ resource "kubectl_manifest" "Deployment_taiga-back" {
              timeoutSeconds: 1
              successThreshold: 1
              failureThreshold: 3
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop: ["ALL"]
+              runAsGroup: 999
+              runAsNonRoot: true
+              runAsUser: 999
+              seccompProfile:
+                type: RuntimeDefault
          - name: taiga-async
            image: "${var.images.back.registry}/${var.images.back.repository}:${var.images.back.tag}"
            imagePullPolicy: ${var.images.back.pull_policy}
-            command: ["/bin/async_entrypoint.sh"]
+            command: ["/usr/local/bin/async_entrypoint.sh"]
            env:
            - name: RABBITMQ_USER
              valueFrom:
@@ -297,8 +327,8 @@ resource "kubectl_manifest" "Deployment_taiga-back" {
                name: ${kubectl_manifest.cm_env_back.name}
            volumeMounts:
            - name: scripts
-              mountPath: /bin/async_entrypoint.sh
-              subPath: async_entrypoint.sh
+              mountPath: /docker-entrypoint.d/certs.sh
+              subPath: certs.sh
            - name: data
              mountPath: /taiga-back/static
              subPath: static
@@ -307,6 +337,15 @@ resource "kubectl_manifest" "Deployment_taiga-back" {
              subPath: media
            - name: certs
              mountPath: /opt/certs
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop: ["ALL"]
+              runAsGroup: 999
+              runAsNonRoot: true
+              runAsUser: 999
+              seccompProfile:
+                type: RuntimeDefault
          - name: nginx
            image: "${var.images.nginx.registry}/${var.images.nginx.repository}:${var.images.nginx.tag}"
            imagePullPolicy: ${var.images.nginx.pull_policy}
@@ -322,6 +361,13 @@ resource "kubectl_manifest" "Deployment_taiga-back" {
              subPath: media
            - name: taiga-conf
              mountPath: /etc/nginx/conf.d/
+            securityContext:
+              allowPrivilegeEscalation: true
+              runAsGroup: 0
+              runAsNonRoot: false
+              runAsUser: 0
+              seccompProfile:
+                type: RuntimeDefault
          volumes:
          - name: certs
            secret:
@@ -332,10 +378,8 @@ resource "kubectl_manifest" "Deployment_taiga-back" {
              name: ${kubectl_manifest.cm_scripts.name}
              defaultMode: 0755
              items:
-              - key: back_entrypoint.sh
-                path: back_entrypoint.sh
-              - key: async_entrypoint.sh
-                path: async_entrypoint.sh
+              - key: certs.sh
+                path: certs.sh
          - name: data
            persistentVolumeClaim:
              claimName: ${kubectl_manifest.pvc.name}