Run linkerd-gateway as non-root (#4543)

Container-optimized OS on GKE runs with a set of read/write rules that prevent the linkerd-gateway from starting up. These changes move the directories that nginx needs to write to /tmp and configures the error_log to write to stderr Signed-off-by: Charles Pretzer charles@buoyant.io
2020-06-05 13:14:36 -07:00 · 2020-06-05 13:14:36 -07:00 · b36544980d
parent f01bcfe722
commit b36544980d
1 changed files with 19 additions and 6 deletions
--- a/charts/linkerd2-multicluster/templates/gateway.yaml
+++ b/charts/linkerd2-multicluster/templates/gateway.yaml
@ -9,6 +9,8 @@ metadata:
  namespace: {{.Values.namespace}}
 data:
  nginx.conf: |-
+    error_log stderr;
+    pid /tmp/nginx.pid;
    events {
    }
    stream {
@ -18,12 +20,21 @@ data:
       }
    }
    http {
+      client_body_temp_path /tmp/client_temp;
+      proxy_temp_path       /tmp/proxy_temp_path;
+      fastcgi_temp_path     /tmp/fastcgi_temp;
+      uwsgi_temp_path       /tmp/uwsgi_temp;
+      scgi_temp_path        /tmp/scgi_temp;
      server {
          listen     {{.Values.gatewayProbePort}};
-          location {{.Values.gatewayProbePath}} {
+          location = {{.Values.gatewayProbePath}} {
            access_log off;
            return 200 "healthy\n";
          }
+
+          location ~* ^/(.*)$ {
+            deny all;
+          }
      }
      server {
          listen     {{.Values.gatewayLocalProbePort}};
@ -85,6 +96,8 @@ spec:
              containerPort: {{.Values.gatewayProbePort}}
            - name: local-probe
              containerPort: {{.Values.gatewayLocalProbePort}}
+          securityContext:
+            runAsUser: 1001
          volumeMounts:
            - name: config
              mountPath: /etc/nginx