mirror of https://github.com/linkerd/linkerd2.git
Run linkerd-gateway as non-root (#4543)
Container-optimized OS on GKE runs with a set of read/write rules that prevent the linkerd-gateway from starting up. These changes move the directories that nginx needs to write to under /tmp and configure the error_log to write to stderr. Signed-off-by: Charles Pretzer charles@buoyant.io
This commit is contained in:
parent
f01bcfe722
commit
b36544980d
@ -9,6 +9,8 @@ metadata:
namespace: {{.Values.namespace}}
namespace: {{.Values.namespace}}
data:
data:
nginx.conf: |-
nginx.conf: |-
error_log stderr;
pid /tmp/nginx.pid;
events {
events {
}
}
stream {
stream {
@ -18,12 +20,21 @@ data:
}
}
}
}
http {
http {
client_body_temp_path /tmp/client_temp;
proxy_temp_path /tmp/proxy_temp_path;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
server {
server {
listen {{.Values.gatewayProbePort}};
listen {{.Values.gatewayProbePort}};
location {{.Values.gatewayProbePath}} {
location = {{.Values.gatewayProbePath}} {
access_log off;
access_log off;
return 200 "healthy\n";
return 200 "healthy\n";
}
}
location ~* ^/(.*)$ {
deny all;
}
}
}
server {
server {
listen {{.Values.gatewayLocalProbePort}};
listen {{.Values.gatewayLocalProbePort}};
@ -54,7 +65,7 @@ spec:
template:
template:
metadata:
metadata:
annotations:
annotations:
{{.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.linkerdVersion) .Values.cliVersion}}
{{.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.linkerdVersion) .Values.cliVersion}}
linkerd.io/inject: enabled
linkerd.io/inject: enabled
config.linkerd.io/proxy-require-identity-inbound-ports: "{{.Values.gatewayProbePort}},{{.Values.gatewayPort}},4180"
config.linkerd.io/proxy-require-identity-inbound-ports: "{{.Values.gatewayProbePort}},{{.Values.gatewayPort}},4180"
config.linkerd.io/enable-gateway: "true"
config.linkerd.io/enable-gateway: "true"
@ -84,7 +95,9 @@ spec:
- name: mc-probe
- name: mc-probe
containerPort: {{.Values.gatewayProbePort}}
containerPort: {{.Values.gatewayProbePort}}
- name: local-probe
- name: local-probe
containerPort: {{.Values.gatewayLocalProbePort}}
containerPort: {{.Values.gatewayLocalProbePort}}
securityContext:
runAsUser: 1001
volumeMounts:
volumeMounts:
- name: config
- name: config
mountPath: /etc/nginx
mountPath: /etc/nginx
@ -95,7 +108,7 @@ kind: Service
metadata:
metadata:
name: {{.Values.gatewayName}}
name: {{.Values.gatewayName}}
namespace: {{.Values.namespace}}
namespace: {{.Values.namespace}}
annotations:
annotations:
mirror.linkerd.io/gateway-identity: {{.Values.gatewayName}}.{{.Values.namespace}}.serviceaccount.identity.{{.Values.linkerdNamespace}}.{{.Values.identityTrustDomain}}
mirror.linkerd.io/gateway-identity: {{.Values.gatewayName}}.{{.Values.namespace}}.serviceaccount.identity.{{.Values.linkerdNamespace}}.{{.Values.identityTrustDomain}}
mirror.linkerd.io/probe-period: "{{.Values.gatewayProbeSeconds}}"
mirror.linkerd.io/probe-period: "{{.Values.gatewayProbeSeconds}}"
mirror.linkerd.io/probe-path: {{.Values.gatewayProbePath}}
mirror.linkerd.io/probe-path: {{.Values.gatewayProbePath}}
@ -104,10 +117,10 @@ metadata:
spec:
spec:
ports:
ports:
- name: mc-gateway
- name: mc-gateway
port: {{.Values.gatewayPort}}
port: {{.Values.gatewayPort}}
protocol: TCP
protocol: TCP
- name: mc-probe
- name: mc-probe
port: {{.Values.gatewayProbePort}}
port: {{.Values.gatewayProbePort}}
protocol: TCP
protocol: TCP
selector:
selector:
app: {{.Values.gatewayName}}
app: {{.Values.gatewayName}}
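Review bot: The new `securityContext` in the `@ -84,7 +95,9 @@` hunk sets only `runAsUser: 1001`, so nothing verifies at admission that the container really runs unprivileged or stops it from regaining privileges; adding `runAsNonRoot: true` and `allowPrivilegeEscalation: false` beside it makes the kubelet reject a root image and turns the commit title into an enforced property rather than a default. Since every nginx write path (`pid`, `client_body_temp_path`, `proxy_temp_path`, `fastcgi_temp_path`, `uwsgi_temp_path`, `scgi_temp_path`) now points under /tmp, `readOnlyRootFilesystem: true` backed by an emptyDir mounted at /tmp is also within reach, though the pod's `volumes:` list is outside this view and would need its own change. One thing to confirm: if `gatewayProbePort` or `gatewayLocalProbePort` resolves to a value below 1024, nginx running as UID 1001 cannot bind it without `NET_BIND_SERVICE`, so the chart's defaults should be checked against that.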
|