Skip to content

Commit

Permalink
BC-7676 Updated k8s jobs to run as non-root users (#5109)
Browse files Browse the repository at this point in the history
  • Loading branch information
@Loki-Afro
Loki-Afro committed Jul 17, 2024
1 parent 324b9e6 commit b750b8d
Show file tree
Hide file tree
Showing 7 changed files with 35 additions and 0 deletions.
5 changes: 5 additions & 0 deletions ansible/roles/h5p-library-management/templates/api-h5p-library-management-cronjob.yml.j2
View file
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,11 @@ spec:
git.branch: {{ SCHULCLOUD_SERVER_BRANCH_NAME }}
git.repo: {{ SCHULCLOUD_SERVER_REPO_NAME }}
spec:
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
runAsNonRoot: true
volumes:
- name: libraries-list
configMap:
Expand Down
5 changes: 5 additions & 0 deletions ansible/roles/schulcloud-server-core/templates/api-delete-s3-files-cronjob.yml.j2
View file
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,11 @@ spec:
spec:
template:
spec:
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
runAsNonRoot: true
containers:
- name: delete-s3-files-cronjob
image: {{ SCHULCLOUD_SERVER_IMAGE }}:{{ SCHULCLOUD_SERVER_IMAGE_TAG }}
Expand Down
5 changes: 5 additions & 0 deletions ansible/roles/schulcloud-server-core/templates/data-deletion-trigger-cronjob.yml.j2
View file
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,11 @@ spec:
spec:
template:
spec:
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
runAsNonRoot: true
containers:
- name: data-deletion-trigger-cronjob
image: {{ SCHULCLOUD_SERVER_IMAGE }}:{{ SCHULCLOUD_SERVER_IMAGE_TAG }}
Expand Down
5 changes: 5 additions & 0 deletions ansible/roles/schulcloud-server-core/templates/migration-job.yml.j2
View file
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,11 @@ spec:
labels:
app: api-migration
spec:
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
runAsNonRoot: true
containers:
- name: api-migration-job
image: {{ SCHULCLOUD_SERVER_IMAGE }}:{{ SCHULCLOUD_SERVER_IMAGE_TAG }}
Expand Down
5 changes: 5 additions & 0 deletions ansible/roles/schulcloud-server-core/templates/tldraw-delete-files-cronjob.yml.j2
View file
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,11 @@ spec:
spec:
template:
spec:
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
runAsNonRoot: true
containers:
- name: tldraw-delete-files-cronjob
image: {{ SCHULCLOUD_SERVER_IMAGE }}:{{ SCHULCLOUD_SERVER_IMAGE_TAG }}
Expand Down