From 72ff806b5ecab394b2363a18877b16edeb692666 Mon Sep 17 00:00:00 2001
From: David Young
Date: Fri, 2 Sep 2022 22:53:14 +1200
Subject: [PATCH] Run as non-root user (#20)

* Switch from port 80 to 8000

Signed-off-by: David Young

* Bump chart for breaking change (port 80->8000)

Signed-off-by: David Young

* Add securityContext to chart

Signed-off-by: David Young
Signed-off-by: David Young
---
 Dockerfile | 3 ++-
 charts/k6-loadtester/Chart.yaml | 2 +-
 .../k6-loadtester/templates/deployment.yaml | 2 +-
 charts/k6-loadtester/values.yaml | 20 +++++++++----------
 cmd/main.go | 2 +-
 example/loadtester-deployment.yml | 4 ++--
 example/loadtester-service.yml | 6 +++---
 7 files changed, 20 insertions(+), 19 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index bd2aa50..c6913bf 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,4 +10,5 @@ FROM alpine:3.14
 COPY --from=build /app/flagger-k6-webhook /usr/bin/flagger-k6-webhook
 COPY --from=loadimpact/k6 /usr/bin/k6 /usr/bin/k6
-ENTRYPOINT /usr/bin/flagger-k6-webhook
\ No newline at end of file
+ENTRYPOINT /usr/bin/flagger-k6-webhook
+USER 65534
\ No newline at end of file
diff --git a/charts/k6-loadtester/Chart.yaml b/charts/k6-loadtester/Chart.yaml
index b6d4cae..9324859 100644
--- a/charts/k6-loadtester/Chart.yaml
+++ b/charts/k6-loadtester/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: k6-loadtester
 description: Flagger webhook using k6 to do load testing of the canary before rolling out traffic
 type: application
-version: 0.0.1
+version: 1.0.0
 appVersion: "0.1.1"
 sources:
 - https://github.com/grafana/flagger-k6-webhook
diff --git a/charts/k6-loadtester/templates/deployment.yaml b/charts/k6-loadtester/templates/deployment.yaml
index 5579838..469d362 100644
--- a/charts/k6-loadtester/templates/deployment.yaml
+++ b/charts/k6-loadtester/templates/deployment.yaml
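Review bot: `USER 65534` is appended after `ENTRYPOINT` at the tail of the Dockerfile hunk; it still applies (USER is image metadata, not an execution step), but the conventional order is `USER 65534` before `ENTRYPOINT ...` so the privilege drop is read before the command it governs, and the file would also stop ending without a trailing newline. Since the chart now turns on `readOnlyRootFilesystem: true`, any directory the webhook or the k6 binary writes to at runtime has to be created here with `65534` ownership or mounted as an emptyDir; the hunk does not show whether either writes to disk, so confirm before relying on the read-only root. A hardening commit is also a good moment to pin the visible `COPY --from=loadimpact/k6` stage, which currently floats on `latest`, to a tag and digest so the non-root image is reproducible.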
@@ -32,7 +32,7 @@ spec:
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 ports:
 - name: http
- containerPort: 80
+ containerPort: 8000
 protocol: TCP
 readinessProbe:
 {{- toYaml .Values.readinessProbe | nindent 12 }}
diff --git a/charts/k6-loadtester/values.yaml b/charts/k6-loadtester/values.yaml
index 3d3a62b..e0905d3 100644
--- a/charts/k6-loadtester/values.yaml
+++ b/charts/k6-loadtester/values.yaml
@@ -15,7 +15,7 @@ logLevel: debug
 readinessProbe:
 httpGet:
- port: 80
+ port: 8000
 path: /health
 serviceAccount:
@@ -29,20 +29,20 @@ serviceAccount:
 podAnnotations: {}
-podSecurityContext: {}
- # fsGroup: 2000
+podSecurityContext:
+ fsGroup: 65534
 securityContext:
- # capabilities:
- # drop:
- # - ALL
- # readOnlyRootFilesystem: true
- # runAsNonRoot: true
- # runAsUser: 1000
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 65534
 service:
 type: ClusterIP
- port: 80
+ port: 8000
 resources: {}
 # limits:
diff --git a/cmd/main.go b/cmd/main.go
index 8ca00a5..ffc9ad6 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -14,7 +14,7 @@ import (
 )
 const (
- defaultPort = 80
+ defaultPort = 8000
 flagCloudToken = "cloud-token"
 flagLogLevel = "log-level"
diff --git a/example/loadtester-deployment.yml b/example/loadtester-deployment.yml
index 9eaecda..d349937 100644
--- a/example/loadtester-deployment.yml
+++ b/example/loadtester-deployment.yml
@@ -30,9 +30,9 @@ spec:
 image: ghcr.io/grafana/flagger-k6-webhook:v0.0.4
 name: k6-loadtester
 ports:
- - containerPort: 80
+ - containerPort: 8000
 name: http-metrics
 readinessProbe:
 httpGet:
 path: /health
- port: 80
\ No newline at end of file
+ port: 8000
\ No newline at end of file
diff --git a/example/loadtester-service.yml b/example/loadtester-service.yml
index 4dec2fd..cc965f2 100644
--- a/example/loadtester-service.yml
+++ b/example/loadtester-service.yml
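Review bot: `containerPort: 8000` is hard-coded in the template while the same number is user-editable in two other places in this commit (`readinessProbe.httpGet.port` and `service.port` in values.yaml), so an operator who overrides either value gets a silent mismatch rather than an error. One value should be the source of truth, e.g. `containerPort: {{ .Values.containerPort | default 8000 }}` here with the probe defaulting to the same key, or a comment in values.yaml stating that the three must agree. The surrounding container spec starts and ends outside the hunk.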
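Review bot: The new `securityContext` block in values.yaml drops all capabilities and sets `runAsNonRoot`/`runAsUser: 65534` but omits `allowPrivilegeEscalation: false` and a `seccompProfile`, which the Pod Security "restricted" profile also requires; without them a setuid binary in the image could still regain privileges and the pod will be rejected by a restricted namespace. It also sets `fsGroup: 65534` without a matching `runAsGroup`, so the primary GID stays whatever the image's passwd entry says rather than the pinned value. Dropping `ALL` is what makes the port move to 8000 mandatory (binding 80 needs `CAP_NET_BIND_SERVICE`), which is worth a one-line comment next to `service.port` so nobody switches it back; and `readOnlyRootFilesystem: true` presumes neither k6 nor the webhook writes to disk, which the hunk cannot confirm.
```yaml
securityContext:
  # … unchanged: capabilities/readOnlyRootFilesystem/runAsNonRoot/runAsUser …
  runAsGroup: 65534
  allowPrivilegeEscalation: false
  seccompProfile:
    type: RuntimeDefault
```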
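Review bot: `defaultPort = 8000` in cmd/main.go is a bare constant with nothing recording why it changed, so a later "restore port 80" edit would compile fine and then fail at bind time in the non-root container that this same commit introduces (UID 65534 with all capabilities dropped cannot bind a privileged port). A comment pins the constraint: `// defaultPort must stay above 1024: the container runs as UID 65534 with all capabilities dropped and cannot bind privileged ports such as 80.` The `const (` block continues past the end of the hunk.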
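Review bot: The example deployment now probes `/health` on port 8000 but still pulls `ghcr.io/grafana/flagger-k6-webhook:v0.0.4` (the context line at the top of the hunk), which presumably predates this change and listens on 80, so as committed the readiness probe fails until the image tag is bumped to a release that contains the new default port. The example also carries no `securityContext`, so outside the chart the non-root guarantee rests entirely on the image's `USER 65534`; adding `securityContext: {runAsNonRoot: true, allowPrivilegeEscalation: false}` at the container level makes the kubelet refuse to start a root image instead of trusting it. The container spec begins before the hunk.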
@@ -5,8 +5,8 @@ metadata:
 namespace: flagger
 spec:
 ports:
- - name: k6-loadtester-http-metrics
- port: 80
- targetPort: 80
+ - name: http-k6-loadtester-metrics
+ port: 8000
+ targetPort: 8000
 selector:
 name: k6-loadtester
\ No newline at end of file
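Review bot: `targetPort: 8000` repeats the container port as a literal; the example deployment names that port `http-metrics`, so `targetPort: http-metrics` would tie the Service to the named port and make a future change in one file but not the other fail visibly instead of black-holing traffic. The rename to `http-k6-loadtester-metrics` looks like the protocol-prefix convention some service meshes key on; if that is the intent, a short comment such as `# "http-" prefix lets mesh sidecars detect the protocol` would stop someone reverting it as a cosmetic change. The file also still ends without a trailing newline.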