Run WordPress operator as non-root user
calind committed Dec 22, 2021
1 parent de7b8e1 commit e841404
Showing 4 changed files with 14 additions and 5 deletions.
4 changes: 2 additions & 2 deletions deploy/charts/wordpress-operator/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v2
name: wordpress-operator
description: Bitpoke WordPress Operator Helm Chart
appVersion: master
appVersion: latest
kubeVersion: ">= 1.19.0-0"
keywords:
- wordpress
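Review bot: the `appVersion: master` to `appVersion: latest` change is unrelated to the commit subject (running the operator as non-root) and would be easier to review and revert as its own commit. Both values are floating tags, so neither pins the operator image; if the chart is meant to track a released build, consider using a concrete version here so the deployed image is reproducible.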
Expand All @@ -12,7 +12,7 @@ keywords:
- http
- web
- application
version: 0.1.0+master
version: 0.0.0
home: https://www.bitpoke.io/
sources:
- https://github.com/bitpoke/wordpress-operator.git
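Review bot: `version: 0.0.0` looks like a placeholder that is expected to be stamped at release time rather than a real chart version, but nothing in the diff documents that. A comment above the field (e.g. `# version is set by the release pipeline`) would stop the next reader from treating it as a bug, and this change, like the appVersion one, belongs outside a commit titled "Run WordPress operator as non-root user".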
6 changes: 6 additions & 0 deletions deploy/charts/wordpress-operator/README.md
Expand Up @@ -18,10 +18,16 @@ The following table contains the configuration parameters for wordpress-operator
| `image.pullPolicy` | Controller image pull policy | `IfNotPresent` |
| `image.tag ` | Controller image tag | `latest` |
| `imagePullSecrets` | Controller image pull secret | |
| `podAnnotations` | Extra pod annotations | `{}` |
| `podSecurityContext` | The pod security context. `65532` is the UID/GID for the nonroot user in the official images | `{runAsNonRoot: true, runAsUser: 65532, runAsGroup: 65532, fsGroup: 65532}` |
| `securityContext` | Security context for the WordPress Operator container | `{}` |
| `resources` | Controller container resources limits and requests | `{}` |
| `nodeSelector` | Controller pod nodeSelector | `{}` |
| `tolerations` | Controller pod tolerations | `{}` |
| `affinity` | Controller pod node affinity | `{}` |
| `extraArgs` | Args that are passed to controller, check controller command line flags | `[]` |
| `extraEnv` | Extra environment vars that are passed to controller, check controller command line flags | `{}` |
| `rbac.create` | Whether or not to create rbac service account, role and roleBinding | `true` |
| `serviceAccount.create` | Specifies whether a service account should be created | `true` |
| `serviceAccount.annotations` | Annotations to add to the service account | `{}` |
| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. | `empty` |
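Review bot: the new `securityContext` row documents a default of `{}`, so the container itself gets no hardening beyond the pod-level UID/GID; the README could point users at the settings that complement `runAsNonRoot` at container level (`allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`, `capabilities: {drop: [ALL]}`), which fit a static distroless binary. Minor: the pre-existing `image.tag ` key has a stray trailing space inside the backticks and could be fixed while this table is being touched.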
8 changes: 6 additions & 2 deletions deploy/charts/wordpress-operator/values.yaml
Expand Up @@ -29,8 +29,12 @@ serviceAccount:

podAnnotations: {}

podSecurityContext: {}
# fsGroup: 2000
podSecurityContext:
runAsNonRoot: true
# 65532 is the UID for nonroot user from distroless image
runAsUser: 65532
runAsGroup: 65532
fsGroup: 65532

securityContext: {}
# capabilities:
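Review bot: the new `podSecurityContext` block is the only thing that now keeps the operator from running as root, since the accompanying Dockerfile change removes `USER nonroot`; anyone overriding `podSecurityContext` (or deploying the image without this chart) silently falls back to UID 0. Leaving `securityContext: {}` also misses the container-level settings that usually accompany `runAsNonRoot`, so consider defaulting it to `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and `capabilities: {drop: [ALL]}` instead of only the commented-out `# capabilities:` hint. The comment "65532 is the UID for nonroot user from distroless image" would be clearer as "UID/GID", since it is used for `runAsGroup` and `fsGroup` as well.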
1 change: 0 additions & 1 deletion images/wordpress-operator/Dockerfile
Expand Up @@ -3,6 +3,5 @@
FROM gcr.io/distroless/static-debian10@sha256:50115802102da4a7dbc74f5399028347682361ebf0792b7a11b088e648e69ac2

COPY rootfs /
USER nonroot
ENTRYPOINT ["/wordpress-operator"]
CMD ["help"]
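Review bot: dropping `USER nonroot` from the image moves the non-root guarantee entirely into the pod spec, so running this image with plain `docker run`, a kustomize manifest, or a Helm override that clears `podSecurityContext` starts the operator as root (distroless `static-debian10` defaults to UID 0 when no USER is set). If the line was removed because the kubelet rejects `runAsNonRoot: true` for an image whose USER is a name it cannot resolve, the fix is a numeric user, `USER 65532:65532`, which both satisfies that check and keeps the image safe on its own; the image-level and pod-level settings are compatible, so there is no need to choose one.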
