Run linkerd-gateway as non-root (#4543)

Container-optimized OS on GKE runs with a set of read/write rules that prevent the linkerd-gateway from starting up.

These changes move the directories that nginx needs to write to /tmp and configures the error_log to write to stderr

Signed-off-by: Charles Pretzer charles@buoyant.io

charts/linkerd2-multicluster/templates/gateway.yaml

@@ -9,6 +9,8 @@ metadata:
   namespace: {{.Values.namespace}}
 data:
   nginx.conf: |-
+    error_log stderr;
+    pid /tmp/nginx.pid;
     events {
     }
     stream {
@@ -18,12 +20,21 @@ data:
        }
     }
     http {
+      client_body_temp_path /tmp/client_temp;
+      proxy_temp_path       /tmp/proxy_temp_path;
+      fastcgi_temp_path     /tmp/fastcgi_temp;
+      uwsgi_temp_path       /tmp/uwsgi_temp;
+      scgi_temp_path        /tmp/scgi_temp;
       server {
           listen     {{.Values.gatewayProbePort}};
-          location {{.Values.gatewayProbePath}} {
+          location = {{.Values.gatewayProbePath}} {
             access_log off;
             return 200 "healthy\n";
           }
+
+          location ~* ^/(.*)$ {
+            deny all;
+          }
       }
       server {
           listen     {{.Values.gatewayLocalProbePort}};
@@ -85,6 +96,8 @@ spec:
               containerPort: {{.Values.gatewayProbePort}}
             - name: local-probe
               containerPort: {{.Values.gatewayLocalProbePort}}
+          securityContext:
+            runAsUser: 1001
           volumeMounts:
             - name: config
               mountPath: /etc/nginx