ci: non-root user for scout containers

2024-04-25 17:44:38 -03:00 · 2024-04-25 17:44:38 -03:00 · 70c32254a9
parent c8ee43da95
commit 70c32254a9
2 changed files with 8 additions and 0 deletions
--- a/helm/templates/deployments/celery.yaml
+++ b/helm/templates/deployments/celery.yaml
@ -37,6 +37,10 @@ spec:
                - "sh"
                - "-c"
                - "./core-agent probe --tcp 0.0.0.0:6590 | grep -q 'Agent found'"
+          securityContext:
+            readOnlyRootFilesystem: {{ default true .Values.scoutapm.readOnlyRootFilesystem }}
+            runAsUser: {{ default 65534 .Values.scoutapm.runAsUser }} # "nobody" user by default
+            runAsGroup: {{ default 65534 .Values.scoutapm.runAsGroup }} # "nogroup" group by default
        {{- end }}
        - name: {{ .Chart.Name }}
          securityContext:
--- a/helm/templates/deployments/datatracker.yaml
+++ b/helm/templates/deployments/datatracker.yaml
@ -37,6 +37,10 @@ spec:
                - "sh"
                - "-c"
                - "./core-agent probe --tcp 0.0.0.0:6590 | grep -q 'Agent found'"
+          securityContext:
+            readOnlyRootFilesystem: {{ default true .Values.scoutapm.readOnlyRootFilesystem }}
+            runAsUser: {{ default 65534 .Values.scoutapm.runAsUser }} # "nobody" user by default
+            runAsGroup: {{ default 65534 .Values.scoutapm.runAsGroup }} # "nogroup" group by default
        {{- end }}
        - name: {{ .Chart.Name }}
          securityContext: