diff --git a/samples/minimum/ingress-pvc-values.cue b/samples/minimum/ingress-pvc-values.cue index 0f31884..2d03123 100644 --- a/samples/minimum/ingress-pvc-values.cue +++ b/samples/minimum/ingress-pvc-values.cue @@ -19,9 +19,6 @@ values: { storageClassName: "sc-kube-playground" } - httpPort: 80 - service: port: 80 - resources: { limits: { cpu: "1000m" @@ -29,17 +26,6 @@ values: { } } - securityContext: { - runAsUser: 0 - runAsGroup: 0 - runAsNonRoot: false - capabilities: - { - add: ["NET_BIND_SERVICE"] - drop: ["ALL"] - } - } - ingress: { ingressClassName: "ing-kube-playground" tls: [{ @@ -57,7 +43,7 @@ values: { service: { name: "keycloak-web" port: { - number: 80 + number: 8080 } }} }] diff --git a/templates/config.cue b/templates/config.cue index 2301ae2..3ae1bd3 100644 --- a/templates/config.cue +++ b/templates/config.cue @@ -97,7 +97,10 @@ import ( // Pod optional settings. podAnnotations?: {[string]: string} - podSecurityContext?: corev1.#PodSecurityContext + podSecurityContext: corev1.#PodSecurityContext | *{ + fsGroup: 1000 + fsGroupChangePolicy: "OnRootMismatch" + } imagePullSecrets?: [...timoniv1.ObjectReference] tolerations?: [...corev1.#Toleration] affinity?: corev1.#Affinity diff --git a/templates/deployment.cue b/templates/deployment.cue index 2071a98..a6904d4 100644 --- a/templates/deployment.cue +++ b/templates/deployment.cue @@ -144,10 +144,6 @@ import ( } } volumeMounts: [ - { - name: "tmp" - mountPath: "/tmp" - }, if #highAvailability { { name: "cache" @@ -181,12 +177,6 @@ import ( }, ] volumes: [ - { - name: "tmp" - emptyDir: { - sizeLimit: "128Mi" - } - }, if #certSecretName != _|_ { { name: "certs" diff --git a/test/certificate.yaml b/test/certificate.yaml index 67fe226..fd805fc 100644 --- a/test/certificate.yaml +++ b/test/certificate.yaml @@ -387,8 +387,6 @@ spec: initialDelaySeconds: 30 periodSeconds: 15 volumeMounts: - - mountPath: /tmp - name: tmp - mountPath: /opt/keycloak/conf name: cache readOnly: true 
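Review bot: The default branch of the new `podSecurityContext` disjunction in templates/config.cue is a plain open struct, so, as I read CUE's disjunction rules, a values file whose `podSecurityContext` fails `corev1.#PodSecurityContext` (a misspelled or unknown field, say) can still unify with the default branch and be rendered into the Pod spec unvalidated; constraining the default keeps the schema in force on both branches: `podSecurityContext: corev1.#PodSecurityContext | *(corev1.#PodSecurityContext & {fsGroup: 1000, fsGroupChangePolicy: "OnRootMismatch"})`. The field also went from optional to always-set, so every rendered Pod now carries `fsGroup: 1000`, and that value is a bare magic number; a comment above it such as `// Default fsGroup presumably matches the GID the Keycloak image runs as; mounted volumes are only chgrp'd when the mount root's ownership differs (OnRootMismatch) — confirm against the image.` would record the why. Worth a line in the module docs too: PVCs written by earlier deployments that ran as root (the sample being removed in this same diff) will have their group ownership changed on the next mount.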
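Review bot: Removing the dedicated `tmp` emptyDir in templates/deployment.cue means any scratch writes Keycloak makes under /tmp now land on the container's writable root layer, which only works because the container keeps `readOnlyRootFilesystem: false` (visible in the generated test/ingress-pvc.yaml), and it drops the 128Mi `sizeLimit` that previously bounded that scratch space. Enabling `readOnlyRootFilesystem: true` later will need this mount back, so either keep the volume or leave a comment at the `volumeMounts: [` line stating the rationale, e.g. `// No /tmp emptyDir: the root filesystem is writable; re-add one before enabling readOnlyRootFilesystem.` I am inferring that Keycloak writes to /tmp at all; if it does not, say so in that comment instead. Both the volumeMounts and volumes lists continue outside the hunks.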
@@ -398,11 +396,11 @@ spec: - mountPath: /jks name: jks readOnly: true + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch serviceAccountName: default volumes: - - emptyDir: - sizeLimit: 128Mi - name: tmp - name: certs secret: secretName: keycloak-cert diff --git a/test/external-secrets.yaml b/test/external-secrets.yaml index 3102977..0a10ce5 100644 --- a/test/external-secrets.yaml +++ b/test/external-secrets.yaml @@ -169,19 +169,17 @@ spec: initialDelaySeconds: 30 periodSeconds: 15 volumeMounts: - - mountPath: /tmp - name: tmp - mountPath: /certs name: certs readOnly: true - mountPath: /jks name: jks readOnly: true + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch serviceAccountName: existing-sa volumes: - - emptyDir: - sizeLimit: 128Mi - name: tmp - name: certs secret: secretName: keycloak-cert diff --git a/test/http.yaml b/test/http.yaml index 0b91413..8eb29e0 100644 --- a/test/http.yaml +++ b/test/http.yaml @@ -122,12 +122,10 @@ spec: scheme: HTTP initialDelaySeconds: 30 periodSeconds: 15 - volumeMounts: - - mountPath: /tmp - name: tmp + volumeMounts: [] + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch serviceAccountName: default - volumes: - - emptyDir: - sizeLimit: 128Mi - name: tmp + volumes: [] --- diff --git a/test/ingress-pvc.yaml b/test/ingress-pvc.yaml index 7cd43f4..93c23a0 100644 --- a/test/ingress-pvc.yaml +++ b/test/ingress-pvc.yaml @@ -17,7 +17,7 @@ spec: ports: - appProtocol: http name: http - port: 80 + port: 8080 protocol: TCP targetPort: http selector: @@ -61,7 +61,7 @@ spec: service: name: keycloak-web port: - number: 80 + number: 8080 path: / pathType: Prefix tls: @@ -103,8 +103,6 @@ spec: value: local - name: KC_DB value: dev-file - - name: KC_HTTP_PORT - value: "80" - name: KEYCLOAK_ADMIN value: admin - name: KEYCLOAK_ADMIN_PASSWORD 
@@ -126,7 +124,7 @@ spec: timeoutSeconds: 10 name: keycloak ports: - - containerPort: 80 + - containerPort: 8080 name: http protocol: TCP readinessProbe: @@ -148,15 +146,11 @@ spec: securityContext: allowPrivilegeEscalation: false capabilities: - add: - - NET_BIND_SERVICE drop: - ALL privileged: false readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 + runAsNonRoot: true seccompProfile: type: RuntimeDefault startupProbe: @@ -168,15 +162,13 @@ spec: initialDelaySeconds: 30 periodSeconds: 15 volumeMounts: - - mountPath: /tmp - name: tmp - mountPath: /opt/keycloak/data/h2 name: data + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch serviceAccountName: default volumes: - - emptyDir: - sizeLimit: 128Mi - name: tmp - name: data persistentVolumeClaim: claimName: keycloak diff --git a/test/ingress.yaml b/test/ingress.yaml index 3896d5f..3f74674 100644 --- a/test/ingress.yaml +++ b/test/ingress.yaml @@ -136,12 +136,10 @@ spec: scheme: HTTP initialDelaySeconds: 30 periodSeconds: 15 - volumeMounts: - - mountPath: /tmp - name: tmp + volumeMounts: [] + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch serviceAccountName: default - volumes: - - emptyDir: - sizeLimit: 128Mi - name: tmp + volumes: [] --- diff --git a/test/minimum.yaml b/test/minimum.yaml index 4d8a39d..4b2c199 100644 --- a/test/minimum.yaml +++ b/test/minimum.yaml @@ -109,12 +109,10 @@ spec: scheme: HTTP initialDelaySeconds: 30 periodSeconds: 15 - volumeMounts: - - mountPath: /tmp - name: tmp + volumeMounts: [] + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch serviceAccountName: default - volumes: - - emptyDir: - sizeLimit: 128Mi - name: tmp + volumes: [] --- diff --git a/test/networkpolicy.yaml b/test/networkpolicy.yaml index 3fe59a6..de25007 100644 --- a/test/networkpolicy.yaml +++ b/test/networkpolicy.yaml 
@@ -138,12 +138,10 @@ spec: scheme: HTTP initialDelaySeconds: 30 periodSeconds: 15 - volumeMounts: - - mountPath: /tmp - name: tmp + volumeMounts: [] + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch serviceAccountName: default - volumes: - - emptyDir: - sizeLimit: 128Mi - name: tmp + volumes: [] --- diff --git a/test/pdb.yaml b/test/pdb.yaml index 8d0e8aa..b5785d8 100644 --- a/test/pdb.yaml +++ b/test/pdb.yaml @@ -262,16 +262,14 @@ spec: initialDelaySeconds: 30 periodSeconds: 15 volumeMounts: - - mountPath: /tmp - name: tmp - mountPath: /opt/keycloak/conf name: cache readOnly: true + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch serviceAccountName: default volumes: - - emptyDir: - sizeLimit: 128Mi - name: tmp - configMap: items: - key: cache-ispn.xml diff --git a/test/postgres-istio.yaml b/test/postgres-istio.yaml index ffc1191..fd3efdc 100644 --- a/test/postgres-istio.yaml +++ b/test/postgres-istio.yaml @@ -405,19 +405,17 @@ spec: initialDelaySeconds: 30 periodSeconds: 15 volumeMounts: - - mountPath: /tmp - name: tmp - mountPath: /opt/keycloak/conf name: cache readOnly: true - mountPath: /jks name: jks readOnly: true + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch serviceAccountName: default volumes: - - emptyDir: - sizeLimit: 128Mi - name: tmp - name: jks secret: secretName: keycloak-jks diff --git a/test/pvc.yaml b/test/pvc.yaml index f58eb30..07605c6 100644 --- a/test/pvc.yaml +++ b/test/pvc.yaml @@ -128,15 +128,13 @@ spec: initialDelaySeconds: 30 periodSeconds: 15 volumeMounts: - - mountPath: /tmp - name: tmp - mountPath: /opt/keycloak/data/h2 name: data + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch serviceAccountName: default volumes: - - emptyDir: - sizeLimit: 128Mi - name: tmp - name: data persistentVolumeClaim: claimName: keycloak diff --git a/test/sa.yaml b/test/sa.yaml index 8823abe..308d865 100644 --- a/test/sa.yaml +++ b/test/sa.yaml 
@@ -121,12 +121,10 @@ spec: scheme: HTTP initialDelaySeconds: 30 periodSeconds: 15 - volumeMounts: - - mountPath: /tmp - name: tmp + volumeMounts: [] + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch serviceAccountName: custom-sa - volumes: - - emptyDir: - sizeLimit: 128Mi - name: tmp + volumes: [] --- diff --git a/test/virtualservice.yaml b/test/virtualservice.yaml index 893d3dc..01a4b4d 100644 --- a/test/virtualservice.yaml +++ b/test/virtualservice.yaml @@ -180,12 +180,10 @@ spec: scheme: HTTP initialDelaySeconds: 30 periodSeconds: 15 - volumeMounts: - - mountPath: /tmp - name: tmp + volumeMounts: [] + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch serviceAccountName: default - volumes: - - emptyDir: - sizeLimit: 128Mi - name: tmp + volumes: [] ---